Help Center/ Data Ingestion Service/ FAQs/ General Questions/ How Do I Minimize the DIS Agency Permissions?

Updated on 2025-04-07 GMT+08:00

View PDF

How Do I Minimize the DIS Agency Permissions?

Before November 2024, when you create a dump task in DIS for the first time, the system creates dis_admin_agency, which has permissions of Tenant Administrator, Server Administrator, SMN Administrator, MRS Administrator, Tenant Guest, DWS Administrator, DLI Service User, and CloudTable Administrator. During the dump, if dis_admin_agency agency does not have sufficient permissions, dis_admin_agency_op_svc_bigdata agency with the same permissions will be created.

To comply with the principle of least privilege (PoLP) and reduce security risks, you can perform the following operations to modify the permissions of dis_admin_agency and dis_admin_agency_op_svc_bigdata.

After November 2024, dis_admin_agency and dis_admin_agency_op_svc_bigdata created by the system have the least privilege and their permissions do not need to be manually modified.
The operations apply only to OBS dump tasks. If there are other types of dump tasks, delete them before modifying the permissions. Do not delete the permissions required for non-OBS dump tasks because the deletion cannot be undone. If required permissions are deleted, the non-OBS dump tasks cannot run properly.

Assign the least privileges to dis_admin_agency and delete high-risk permissions.

Log in to the old IAM console.

The new IAM version supports identity policy-based authorization and does not display the roles and policies of the old console. However, the roles and policies of the old console are used as the least privilege policies for agencies defined in DIS. Therefore, you need to perform the following operations on the old console.
In the left navigation pane, choose Agencies, search for dis_admin_agency, and click Authorize.

Figure 1 dis_admin_agency
On the displayed page, select DIS Agency OBS Access and DIS Agency SMN Access (the least privilege policies for agencies defined in DIS) and click Next.

Figure 2 Selecting the least privilege policies
Click OK to assign permissions to the agency. Wait for 15 to 30 minutes for the new permissions to take effect.
In the left navigation pane of the IAM console, choose Agencies, search for dis_admin_agency, and click its name to access the details page.

Figure 3 dis_admin_agency
On the details page, click the Permissions tab. Select the following high-risk permissions and click Delete above the list. In the displayed dialog box, click OK.
- Tenant Administrator
- Server Administrator
- SMN Administrator
- MRS Administrator
- Tenant Guest
- DWS Administrator
- DLI Service User
- CloudTable Administrator
Figure 4 Selecting the least privilege policies

Assign the least privileges to dis_admin_agency_op_svc_bigdata and delete high-risk permissions.

In the left navigation pane of the IAM console, choose Agencies and search for dis_admin_agency_op_svc_bigdata.
- If the dis_admin_agency_op_svc_bigdata agency can be found, assign the least privileges to it and delete high-risk permissions by referring to Step 2 to Step 6.
- If the agency cannot be found, no further action is required.

Parent topic: General Questions

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot