Permissions Management

If you need to assign different permissions to employees in your enterprise to access your APM resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use APM resources but cannot delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using APM resources.

If your account does not need individual IAM users for permissions management, you may skip over this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

Traces and Agent statistics do not involve your entity resources. To ensure statistics integrity, authorized users can check the trace and Agent statistics of the tenant, including those in other enterprise projects.

APM Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on APM.

APM is a global service. By default, the APM permissions granted to a user take effect in all regions supported by APM. APM resources are isolated by tenant. All users under a tenant share resources. To isolate resources, use enterprise projects.

APM is a global service and can be accessed without specifying a physical region.

Table 1 lists all the system permissions supported by APM.

**Table 1** System permissions supported by APM
Role	Description	Category
APM FullAccess	Full permissions for APM	System-defined policy
APM ReadOnlyAccess	Read-only permissions for APM	System-defined policy

Table 2 lists the common operations supported by each system-defined policy or role of APM. Choose policies or roles as required.

**Table 2** Common operations supported by each system-defined policy or role of APM
Operation	APM FullAccess	APM ReadOnlyAccess
Querying the alarm list	√	√
Querying alarm details	√	√
Querying alarm notification details	√	√
Obtaining application configuration	√	√
Creating application configuration	√	x
Deleting application configuration	√	x
Modifying application configuration	√	x
Querying a tag	√	√
Adding a tag	√	x
Deleting a tag	√	x
Modifying a tag	√	x
Querying a resource tag	√	√
Adding a resource tag	√	x
Deleting a resource tag	√	x
Modifying a resource tag	√	x
Querying an alarm template	√	√
Adding an alarm template	√	x
Deleting an alarm template	√	x
Modifying an alarm template	√	x
Obtaining a notification	√	√
Deleting a notification	√	x
Adding a notification	√	x
Modifying a notification	√	x
Obtaining URL tracing configuration	√	√
Deleting URL tracing configuration	√	x
Adding a URL for tracing	√	x
Modifying URL tracing configuration	√	x
Querying a URL tracing view	√	√
Obtaining the URL tracing list	√	√
Obtaining the global topology	√	√
Querying a sub-application	√	√
Querying environment configuration	√	√
Adding environment configuration	√	x
Deleting environment configuration	√	x
Modifying environment configuration	√	x
Obtaining an instance	√	√
Deleting an instance	√	x
Modifying an instance	√	x
Querying a monitoring item	√	√
Modifying a monitoring item	√	x
Obtaining collection status	√	√
Obtaining a custom alarm policy	√	√
Deleting a custom alarm policy	√	x
Modifying a custom alarm policy	√	x
Creating a custom alarm policy	√	x
Obtaining the environment topology	√	√
Obtaining a metric view	√	√
Obtaining the trace list	√	√
Obtaining trace details	√	√
Obtaining collector information	√	√
Obtaining an access key	√	x
Modifying an access key	√	x
Deleting an access key	√	x
Adding an access key	√	x
Obtaining general configuration	√	√
Modifying general configuration	√	x
Querying Agent statistics	√	√

Parent topic: Service Overview

Previous topic: Edition Differences

Next topic: Metric Overview

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot