How Do I Minimize the DIS Agency Permissions?
Before November 2024, when you created a dump task in DIS for the first time, the system created the dis_admin_agency agency, which has the permissions of Tenant Administrator, Server Administrator, SMN Administrator, MRS Administrator, Tenant Guest, DWS Administrator, DLI Service User, and CloudTable Administrator. During the dump, if the dis_admin_agency agency does not have sufficient permissions, the dis_admin_agency_op_svc_bigdata agency is created with the same permissions.
To comply with the principle of least privilege (PoLP) and reduce security risks, you can perform the following operations to modify the permissions of dis_admin_agency and dis_admin_agency_op_svc_bigdata.

- After November 2024, dis_admin_agency and dis_admin_agency_op_svc_bigdata created by the system have the least privilege and their permissions do not need to be manually modified.
- The operations apply only to OBS dump tasks. If there are other types of dump tasks, delete them before modifying the permissions. Do not delete the permissions required for non-OBS dump tasks because the deletion cannot be undone. If required permissions are deleted, the non-OBS dump tasks cannot run properly.
Assign the least privileges to dis_admin_agency and delete high-risk permissions.
- Log in to the old IAM console.
  The new IAM version supports identity policy-based authorization and does not display the roles and policies of the old console. However, the roles and policies of the old console are used as the least privilege policies for agencies defined in DIS. Therefore, you need to perform the following operations on the old console.
- In the left navigation pane, choose Agencies, search for dis_admin_agency, and click Authorize.
Figure 1 dis_admin_agency
- On the displayed page, select DIS Agency OBS Access and DIS Agency SMN Access (the least privilege policies for agencies defined in DIS) and click Next.
Figure 2 Selecting the least privilege policies
- Click OK to assign permissions to the agency. Wait for 15 to 30 minutes for the new permissions to take effect.
- In the left navigation pane of the IAM console, choose Agencies, search for dis_admin_agency, and click its name to access the details page.
Figure 3 dis_admin_agency
- On the details page, click the Permissions tab. Select the following high-risk permissions and click Delete above the list. In the displayed dialog box, click OK.
  - Tenant Administrator
  - Server Administrator
  - SMN Administrator
  - MRS Administrator
  - Tenant Guest
  - DWS Administrator
  - DLI Service User
  - CloudTable Administrator
Figure 4 Selecting the least privilege policies
Assign the least privileges to dis_admin_agency_op_svc_bigdata and delete high-risk permissions.
- In the left navigation pane of the IAM console, choose Agencies and search for dis_admin_agency_op_svc_bigdata.
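The check below is an added example, not part of the DIS documentation or tooling: given the permission names shown on each agency's Permissions tab, it reports which step of the procedure above is still outstanding for dis_admin_agency and dis_admin_agency_op_svc_bigdata. The permission names are the ones listed on this page; the snapshot format and the sample data are constructed assumptions.

```python
# Added example. Permission names are from this page; input format is assumed.
REQUIRED = {"DIS Agency OBS Access", "DIS Agency SMN Access"}
HIGH_RISK = {
    "Tenant Administrator", "Server Administrator", "SMN Administrator",
    "MRS Administrator", "Tenant Guest", "DWS Administrator",
    "DLI Service User", "CloudTable Administrator",
}
AGENCIES = ("dis_admin_agency", "dis_admin_agency_op_svc_bigdata")

# Constructed snapshot: names as copied by hand from each Permissions tab.
SAMPLE = {
    "dis_admin_agency": ["DIS Agency OBS Access", "DIS Agency SMN Access",
                         "Tenant Administrator", "tenant  guest "],
    "dis_admin_agency_op_svc_bigdata": sorted(HIGH_RISK),
}


def _norm(name):
    """Ignore case and stray whitespace from copy-paste."""
    return " ".join(name.split()).casefold()


def review_agency(attached):
    """Classify one agency's permissions and name the next step to take."""
    seen = {_norm(p) for p in attached}
    known = {_norm(p) for p in REQUIRED | HIGH_RISK}
    missing = sorted(p for p in REQUIRED if _norm(p) not in seen)
    high_risk = sorted(p for p in HIGH_RISK if _norm(p) in seen)
    other = sorted({" ".join(p.split()) for p in attached if _norm(p) not in known})
    if missing:            # assign before deleting, as in the procedure
        action = "assign least-privilege policies first"
    elif high_risk:
        action = "delete high-risk permissions"
    elif other:            # not covered by this page: review by hand
        action = "review other permissions"
    else:
        action = "none"
    return {"missing": missing, "high_risk": high_risk,
            "other": other, "action": action}


def review_all(snapshot):
    """Review whichever of the two DIS agencies exist in the snapshot."""
    return {a: review_agency(snapshot[a]) for a in AGENCIES if a in snapshot}


if __name__ == "__main__":
    for agency, result in review_all(SAMPLE).items():
        print(agency, result)
```

An agency reaches the end state of the procedure when its result shows `action` equal to `none`; allow for the 15 to 30 minute propagation delay before re-checking after a change.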