Updated on 2024-01-25 GMT+08:00

Authorizing the User Group to Manage the Enterprise Project

You can assign user group Test_EPS the permissions required to manage enterprise project Test_EPS_Project. Only the IAM users in that user group are then allowed to manage the resources in the enterprise project. This can prevent unauthorized users from accessing the resources in the enterprise project.

You need to create two separate custom policies, one by enterprise project and one by IAM project, and attach them to the user group.

Assigning Permissions to the User Group by Enterprise Project

  1. Create custom policy SMS Custom Policy For EPS. For details, see section "Creating a Custom Policy in JSON View" in Creating a Custom Policy.

    Copy the following information to the policy content:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "vpc:securityGroups:create",
                    "vpc:securityGroups:delete",
                    "vpc:vpcs:create",
                    "vpc:vpcs:delete",
                    "vpc:publicIps:create",
                    "vpc:publicIps:delete",
                    "vpc:subnets:create",
                    "vpc:subnets:delete",
                    "ecs:cloudServers:create",
                    "ecs:cloudServers:attach",
                    "ecs:cloudServers:detachVolume",
                    "ecs:cloudServers:start",
                    "ecs:cloudServers:stop",
                    "ecs:cloudServers:delete",
                    "ecs:cloudServers:reboot",
                    "ecs:cloudServers:updateMetadata",
                    "ecs:cloudServers:vnc",
                    "ecs:serverPasswords:manage",
                    "ecs:serverKeypairs:delete",
                    "ecs:diskConfigs:use",
                    "ecs:CloudServers:create",
                    "ecs:servers:setMetadata",
                    "ecs:serverVolumes:use",
                    "ecs:serverKeypairs:create",
                    "ecs:serverInterfaces:use",
                    "ecs:serverGroups:manage",
                    "ecs:securityGroups:use",
                    "ecs:servers:unlock",
                    "ecs:servers:rebuild",
                    "ecs:servers:lock",
                    "evs:volumes:use",
                    "evs:volumes:create",
                    "evs:volumes:update",
                    "evs:volumes:delete",
                    "evs:snapshots:create",
                    "evs:snapshots:delete",
                    "evs:snapshots:rollback",
                    "ecs:*:get*",
                    "ecs:*:list*",
                    "evs:*:get*",
                    "evs:*:list*",
                    "vpc:*:list*",
                    "vpc:*:get*",
                    "ims:*:get*",
                    "ims:*:list*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  2. On the IAM console, choose User Groups in the navigation pane.
  3. Click user group Test_EPS.
  4. Click Authorize, select the SMS FullAccess role and the SMS Custom Policy For EPS policy, and click Next.
  5. Select Enterprise projects for Scope, select the enterprise project created in Enabling EPS and Creating an Enterprise Project, and click OK.
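A review pass to run over the policy content before it is attached, as an added example that is not part of the original documentation. It lists the wildcard actions, the delete actions, and action names that differ only by case (as `ecs:cloudServers:create` and `ecs:CloudServers:create` do in the policy above). The function name, the finding categories and the three-part `service:resource:operation` shape check are assumptions inferred from the actions shown on this page.

```python
import json
from collections import defaultdict

# Shortened excerpt of the "SMS Custom Policy For EPS" content shown above.
SAMPLE_POLICY = """
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "vpc:vpcs:delete",
        "ecs:cloudServers:create",
        "ecs:cloudServers:delete",
        "ecs:CloudServers:create",
        "evs:volumes:use",
        "ecs:*:get*",
        "ims:*:list*"
      ],
      "Effect": "Allow"
    }
  ]
}
"""

def audit_policy(policy_text):
    """Return review findings for the Allow statements of a policy document."""
    policy = json.loads(policy_text)
    findings = {"wildcard": [], "destructive": [], "case_variants": [], "malformed": []}
    seen = defaultdict(set)  # lower-cased action -> spellings found
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt.get("Action", []):
            parts = action.split(":")
            # Assumed shape: service:resource:operation, as in every action on this page.
            if len(parts) != 3 or not all(parts):
                findings["malformed"].append(action)
                continue
            seen[action.lower()].add(action)
            if "*" in action:
                findings["wildcard"].append(action)
            elif parts[2].lower().startswith("delete"):
                findings["destructive"].append(action)
    findings["case_variants"] = sorted(sorted(v) for v in seen.values() if len(v) > 1)
    return findings

if __name__ == "__main__":
    for kind, items in audit_policy(SAMPLE_POLICY).items():
        print(f"{kind}: {items}")
```

The same function can be run over the policy content in the following sections before those policies are attached with All resources as the scope.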

Assigning Permissions to the User Group by IAM Project

  1. Create custom policy SMS Custom Policy For EPS At IAM. For details, see section "Creating a Custom Policy in JSON View" in Creating a Custom Policy.

    Copy the following information to the policy content:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "ecs:availabilityZones:list",
                    "ecs:servers:list",
                    "ecs:servers:unlock",
                    "ecs:servers:lock",
                    "ecs:servers:reboot",
                    "ecs:serverPasswords:manage",
                    "ecs:diskConfigs:use",
                    "ecs:servers:setMetadata",
                    "ecs:serverVolumes:use",
                    "ecs:serverKeypairs:create",
                    "ecs:serverKeypairs:get",
                    "ecs:serverKeypairs:delete",
                    "ecs:serverInterfaces:use",
                    "ecs:serverGroups:manage",
                    "ecs:securityGroups:use",
                    "vpc:securityGroupRules:create",
                    "vpc:securityGroupRules:delete",
                    "vpc:securityGroupRules:get",
                    "vpc:securityGroupRules:update",
                    "vpc:networks:get",
                    "vpc:ports:get",
                    "vpc:vpcTags:get",
                    "vpc:subnetTags:get",
                    "vpc:routers:get",
                    "vpc:securityGroups:get",
                    "evs:volumes:list",
                    "evs:types:get"
                ],
                "Effect": "Allow"
            }
        ]
    }

  2. On the IAM console, choose User Groups in the navigation pane.
  3. Click user group Test_EPS.
  4. Click Authorize, select the SMS Custom Policy For EPS At IAM policy, and click Next.
  5. Select All resources for Scope and click OK.

Assigning Global Permissions to the User Group

  1. Create a custom policy by referring to section "Creating a Custom Policy in JSON View" in Creating a Custom Policy.

    Copy the following information to the policy content:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sms:server:registerServer",
                    "sms:server:migrationServer",
                    "sms:server:queryServer"
                ]
            }
        ]
    }

  2. On the IAM console, choose User Groups in the navigation pane.
  3. Click user group Test_EPS.
  4. Click Authorize, select the created SMS custom policy with global permissions, and click Next.
  5. Select All resources for Scope and click OK.