Enterprise Project Permissions

Administrator: The administrator can perform any operations on the Enterprise Project Management page.

IAM user: An IAM user's permissions are granted by the administrator. After an IAM user logs in to the Enterprise Project Management page, the IAM user sees only the enterprise projects assigned by the administrator, and can only manage the resources allocated by the administrator. If the administrator assigns a permissions policy for an IAM user, the IAM user has all the permissions included in the policy.

The administrator can use the system-defined policies or custom policies to assign permissions to users. Policies related to enterprise projects include EPS FullAccess and EPS ReadOnlyAccess. You can use Identity and Access Management (IAM) to manage enterprise project permissions for IAM users. For details, see Identity and Access Management User Guide.

The permissions set in IAM are different from those in Enterprise Management. The administrator can select either IAM or Enterprise Management to manage resource permissions based on enterprise requirements.

**Table 1** Enterprise Management permissions
Service Name	Policy Name	Description	Typically Associated Personnel
Enterprise Management	EPS FullAccess	The Enterprise Management administrator policy, including all the permissions related to enterprise project management and personnel management. The policy allows users to create enterprises, migrate resources, add users to user groups, remove users from user groups, and set policies for user groups. The administrator can set the policy in the Global service in IAM. The administrator policy of a single enterprise project. The policy has only the permissions of the specific enterprise projects, including modifying, enabling, disabling, and viewing the specified enterprise projects. The administrator or the users granted the EPS FullAccess policy on IAM can set the policy in Enterprise Management.	Enterprise asset administrators
Enterprise Management	EPS ReadOnlyAccess	Read-only permissions for a specific or all enterprise projects Read-only permissions on Enterprise Management to view the information of all enterprise projects and users. The administrator can set the policy in the Global service in IAM. The administrator or the user to whom the EPS FullAccess policy is attached can set the permission in Enterprise Management.	Enterprise asset query personnel

**Table 2** Common operations and required permissions
Operation	EPS FullAccess
Viewing resources in an enterprise project	√	√
Creating an enterprise project	√	×
Modifying an enterprise project	√	×
Enabling an enterprise project	√	×
Disabling an enterprise project	√	×
Adding a resource to an enterprise project	√	×
Removing a resource from an enterprise project	√	×