Help Center/ General Reference/ Permissions

Updated on 2025-03-26 GMT+08:00

System-defined Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

Scope: The projects for which permissions granted to a user group will be applied.

Global services: Services deployed without specifying physical regions, such as Object Storage Service (OBS) and Content Delivery Network (CDN), are called global services. Permissions for these services must be assigned globally.
Region-specific projects: Services deployed in specific regions, such as Elastic Cloud Server (ECS) and Bare Metal Server (BMS), are called project-level services. Permissions for these services must be assigned in region-specific projects and will be applied only for specific regions.
- All resources: Permissions will be applied for both global services and region-specific projects, including projects created later.
- Region-specific projects: Permissions will be applied for the region-specific projects you select.

Type: You can grant users permissions by using roles and policies. Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. For details, see Permission.

For services that provide both policies and roles, preferentially use policies to assign permissions.
For services that support policy-based access control, you can create custom policies to supplement system-defined policies to allow or deny access to specific types of resources under certain conditions.

BASE

Service	Scope	Policy/Role Name	Type	Description
BASE	Global services	FullAccess	Policy	Full permissions for all services that support policy-based authorization.
	All resources	Tenant Guest	Role	Read-only permissions for all services except IAM. NOTE: If the permission scope is Global services, they will be applied for global services. If the permission scope is All resources, they will be applied for both global services and all region-specific projects, including projects created later. If the permission scope is Region-specific projects, they will be applied only for specific projects.
	All resources	Tenant Administrator		Full permissions for all services except IAM. NOTE: If the permission scope is Global services, they will be applied for global services. If the permission scope is All resources, they will be applied for both global services and all region-specific projects, including projects created later. If the permission scope is Region-specific projects, they will be applied only for specific projects.
	Global services	Agent Operator		Permissions for switching roles to access resources of delegating accounts.

Compute

Service	Scope	Policy/Role Name	Type	Description
Elastic Cloud Server (ECS) (Project-level service)	Region-specific projects	ECS FullAccess	Policy	Full permissions for ECS.
		ECS ReadOnlyAccess		Read-only permissions for ECS.
		ECS CommonOperations		Permissions for starting, stopping, restarting, and querying ECSs.
		Server Administrator	Role	Full permissions for ECS. This role must be used together with the Tenant Guest role in the same project. If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions of the corresponding services in the same project. For example, if a user needs to create a new VPC when creating an ECS, the user must also be granted permissions with the VPC Administrator role.
Bare Metal Server (BMS) (Project-level service)	Region-specific projects	BMS FullAccess	Policy	Full permissions for BMS.
		BMS ReadOnlyAccess		Read-only permissions for BMS.
		BMS CommonOperations		Permissions for starting, stopping, restarting, and querying BMSs.
Auto Scaling (AS) (Project-level service)	Region-specific projects	AutoScaling FullAccess	Policy	Full permissions for the Auto Scaling service.
		AutoScaling ReadOnlyAccess	Policy	Read-only permissions for AS.
		AutoScaling Administrator	Role	Full permissions for all AS resources. This role must be used together with the ELB Administrator, CES Administrator, Server Administrator, and Tenant Administrator roles in the same project.
Image Management Service (IMS) (Project-level service)	Region-specific projects	IMS FullAccess	Policy	Full permissions for IMS.
		IMS ReadOnlyAccess	Policy	Read-only permissions for IMS.
		IMS Administrator	Role	Full permissions for IMS. This role must be used together with the Tenant Administrator role.
		Server Administrator	Role	Permissions for creating, deleting, querying, modifying, and uploading images. This role must be used together with the IMS Administrator role in the same project.
FunctionGraph (Project-level service)	Region-specific projects	FunctionGraph FullAccess	Policy	Full permissions for FunctionGraph.
		FunctionGraph ReadOnlyAccess		Read-only permissions for FunctionGraph.
		FunctionGraph CommonOperations		Common operation permissions for FunctionGraph, including permissions for querying functions and triggers and invoking functions.
		FunctionGraph Administrator	Role	Permissions for managing FunctionGraph functions and triggers. This role must be used together with the Tenant Guest role in the same project.
		FunctionGraph Invoker	Role	Permissions for querying FunctionGraph functions and triggers.
Cloud Phone Host (CPH) (Project-level service)	Region-specific projects	CPH Administrator	Role	Full permissions for CPH.
Cloud Phone Host (CPH) (Project-level service)	Region-specific projects	CPH User	Role	Read-only permissions for CPH.
Dedicated Host (DeH) (Project-level service)	Region-specific projects	DeH FullAccess	Policy	Full permissions for DeH.
		DeH CommonOperations		Basic operation permissions for DeH.
		DeH ReadOnlyAccess		Read-only permissions for DeH. Users with these permissions can only query DeHs.

Storage

Service	Scope	Policy/Role Name	Type	Description
(Global service) Object Storage Service (OBS)	Global services	OBS OperateAccess	Policy	Users with this permission can perform all operations specified by OBS ReadOnlyAccess and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.
		OBS ReadOnlyAccess	Policy	Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects.
		OBS Buckets Viewer	Role	Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata.
Elastic Volume Service (EVS) (Project-level service)	Region-specific projects	EVS FullAccess	Policy	Full permissions for EVS. Users granted these permissions can create, mount, uninstall, query, and delete EVS resources, and expand capacity of EVS disks.
		EVS ReadOnlyAccess	Policy	Read-only permissions for EVS. Users granted these permissions can view EVS resource data only.
		Server Administrator	Role	Full permissions for EVS.
Cloud Backup and Recovery (CBR) (Project-level service)	Region-specific projects	CBR FullAccess	Policy	Administrator permissions for using all vaults and policies on CBR.
		CBR BackupsAndVaultsFullAccess		Common user permissions for creating, viewing, and deleting vaults on CBR.
		CBR ReadOnlyAccess		Read-only permissions for viewing data on CBR.
Content Delivery Network (CDN) (Global service)	Global services	CDN DomainReadOnlyAccess	Policy	Read-only permissions for CDN acceleration domain names.
		CDN StatisticsReadOnlyAccess		Read-only permissions for CDN statistics.
		CDN LogsReadOnlyAccess		Read-only permissions for CDN logs.

		CDN RefreshAndPreheatAccess		Permissions for cache refreshing and preheating.
		CDN Administrator	Role	Full permissions for CDN. This role must be used together with the Tenant Guest role in the same project.
Storage Disaster Recovery Service (SDRS) (Project-level service)	Region-specific projects	SDRS Administrator	Role	Full permissions for SDRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
Scalable File Service (SFS) (Project-level service)	Region-specific projects	SFS FullAccess	Policy	Full permissions for SFS.
		SFS ReadOnlyAccess		Read-only permissions for SFS.
		SFS Turbo FullAccess		Full permissions for SFS Turbo.
		SFS Turbo ReadOnlyAccess		Read-only permissions for SFS Turbo.
		SFS Administrator	Role	Full permissions for SFS. This role must be used together with the Tenant Guest role in the same project.
Cloud Server Backup Service (CSBS) (Project-level service)	Region-specific projects	CSBS Administrator	Role	Full permissions for CSBS. This role must be used together with the Server Administrator role in the same project.
Volume Backup Service (VBS) (Project-level service)	Region-specific projects	VBS Administrator	Role	Full permissions for VBS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Network

Service	Scope	Policy/Role Name	Type	Description
Virtual Private Cloud (VPC) (Project-level service)	Region-specific projects	VPC FullAccess	Policy	Full permissions for VPC.
		VPC ReadOnlyAccess	Policy	Read-only permissions for VPC.
		VPC Administrator	Role	Permissions for VPC, excluding permissions for creating, modifying, deleting, and viewing security groups and security group rules. This role must be used together with the Tenant Guest role in the same project.
		Server Administrator	Role	Permissions for performing operations on EIPs, security groups, and ports. This role must be used together with the Tenant Guest role in the same project.
Elastic Load Balance (ELB) (Project-level service)	Region-specific projects	ELB FullAccess	Policy	Full permissions for ELB.
		ELB ReadOnlyAccess	Policy	Read-only permissions for ELB.
		ELB Administrator	Role	Full permissions for ELB. This role must be used together with the Tenant Guest role in the same project.
NAT Gateway (Project-level service)	Region-specific projects	NAT FullAccess	Policy	Full permissions for NAT Gateway.
		NAT ReadOnlyAccess	Policy	Read-only permissions for NAT Gateway.
		NAT Administrator	Role	Full permissions for NAT Gateway. This role must be used together with the Tenant Guest role in the same project.
Direct Connect (Project-level service)	Region-specific projects	Direct Connect Administrator	Role	Full permissions for Direct Connect. This role must be used together with the Tenant Guest role in the same project.
		DCaaS Partner	Role	Direct Connect partner with permissions for creating hosted and standard connections for other users.
		DCAAS FullAccess	Policy	Full permissions for Direct Connect.
		DCAAS ReadOnlyAccess	Policy	Read-only permissions for Direct Connect.
Virtual Private Network (VPN) (Project-level service)	Region-specific projects	VPN Administrator	Role	Administrator permissions for VPN. This role must be used together with the Tenant Guest and VPC Administrator roles in the same project.
		VPN FullAccess	Policy	Full permissions for VPN.
		VPN ReadOnlyAccess	Policy	Read-only permissions for VPN.
Domain Name Service (DNS) (Project-level service)	Region-specific projects	DNS Administrator	Role	Full permissions for DNS. This role must be used together with the Tenant Guest and VPC Administrator roles in the same project.
		DNS FullAccess	Policy	Full permissions for DNS.
		DNS ReadOnlyAccess	Policy	Read-only permissions for DNS. Users granted these permissions can only view DNS resources.
VPC Endpoint (VPCEP) (Project-level service)	Region-specific projects	VPCEndpoint Administrator	Role	Full permissions for VPCEP. This role must be used together with the Server Administrator, VPC Administrator, and DNS Administrator roles in the same project.
Cloud Connect (CC) (Global service)	Global services	Cross Connect Administrator	Role	CC administrator with full permissions. This role must be used together with the Tenant Guest and VPC Administrator roles in the same project.
		CC FullAccess	Policy	Full permissions for CC.
		CC ReadOnlyAccess		Read-only permissions for CC.
		CC Network Depend QueryAccess		Read-only permissions required to access dependency resources when using CC.
Enterprise Router (Project-level service)	Region-specific projects	ER FullAccess	Policy	Full permissions for ER.
Enterprise Router (Project-level service)	Region-specific projects	ER ReadOnlyAccess	Policy	Read-only permissions for ER.

Containers

Service	Scope	Policy/Role Name	Type	Description
Cloud Container Engine (CCE) (Project-level service)	Region-specific projects	CCE FullAccess	Policy	Full permissions for CCE.
		CCE ReadOnlyAccess	Policy	Permissions to view CCE cluster resources, excluding namespace-level permissions for clusters that have Kubernetes RBAC enabled.
		CCE Administrator	Role	Read and write permissions for CCE clusters and all resources (including workloads and services) in the clusters. This role depends on the following permissions: Global services: OBS Buckets Viewer. Region-specific projects (same projects): Tenant Guest, Server Administrator, ELB Administrator, SFS Administrator, SWR Admin, and APM FullAccess. NOTE: Users also granted permissions with the NAT Gateway Administrator role can use NAT Gateway functions for clusters.
Cloud Container Instance (CCI) (Project-level service)	Region-specific projects	CCI FullAccess	Policy	Full permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources.
		CCI ReadOnlyAccess		Read-only permissions for CCI. Users granted these permissions can only view CCI resources.
		CCI CommonOperations		Common user permissions for CCI. Users granted these permissions can perform all operations except creating, deleting, and modifying role-based access control (RBAC) policies, networks, and namespaced resources.
		CCI Administrator	Role	Administrator permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources.
Software Repository for Container (SWR) (Project-level service)	Region-specific projects	SWR Admin	Role	Full permissions for SWR.
		SWR FullAccess	Policy	Full permissions for SWR enterprise edition.
		SWR ReadOnlyAccess		Read-only permissions for SWR enterprise edition. Users with these permissions can query artifact repositories and charts, create temporary credentials, and download artifacts.
		SWR OperateAccess		Operation permissions for SWR enterprise edition. Users with these permissions can query enterprise edition instances, perform operations on artifact repositories and organizations, create temporary credentials, and upload and download artifacts.
Gene Container Service (GCS) (Project-level service)	Region-specific projects	GCS Administrator	Role	GCS administrator.
		GCS FullAccess	Policy	Full permissions for GCS.
		GCS ReadOnlyAccess		Read-only permissions for GCS.
		GCS CommonOperations		Common operation permissions for GCS.
Application Orchestration Service (AOS) (Project-level service)	Region-specific projects	CDE Admin	Role	AOS administrator with full permissions.
		CDE Developer	Role	AOS developer.
		RF FullAccess	Policy	Full permissions for RF.
		RF ReadOnlyAccess		Read-only permissions for RF.
		RF DeployByExecutionPlanOperations		Create, execute, and read permissions for execution plans and read permissions for stacks.
Ubiquitous Cloud Native Service (UCS) (Global service)	Global services	UCS FullAccess	Policy	UCS administrator permissions, including creating permissions policies and security policies.
		UCS CommonOperations		Common UCS user permissions for creating workloads, distributing traffic, and other operations.
		UCS CIAOperations		UCS Container Intelligent Analysis (CIA) administrator with full permissions.
		UCS ReadOnlyAccess		Read-only permissions (excluding CIA) for UCS.

Security & Compliance

Service	Scope	Policy/Role Name	Type	Description
Anti-DDoS (Project-level service)	Region-specific projects	Anti-DDoS Administrator	Role	Full permissions for Anti-DDoS. This role must be used together with the Tenant Guest role in the same project.
Advanced Anti-DDoS (AAD) (Project-level service)	Region-specific projects	CAD Administrator	Role	AAD administrator with full permissions.
Cloud Native Anti-DDoS (CNAD) (Global service)	Global services	CNAD FullAccess	Policy	Full permissions for Cloud Native Anti-DDoS (CNAD).
Cloud Native Anti-DDoS (CNAD) (Global service)	Global services	CNAD ReadOnlyAccess	Policy	Read-only permissions for CNAD.
Vulnerability Scan Service (VSS) (Project-level service)	Region-specific projects	VSS ReadOnlyAccess	Role	Read-only permissions for VSS.
Host Security Service (HSS) (Project-level service)	Region-specific projects	HSS Administrator	Role	Full permissions for HSS.
		HSS FullAccess	Policy	Full permissions for HSS.
		HSS ReadOnlyAccess	Policy	Read-only permissions for HSS.
Database Security Service (DBSS) (Project-level service)	Region-specific projects	DBSS System Administrator	Role	Full permissions for DBSS.
		DBSS Audit Administrator		Security auditing permissions for DBSS.
		DBSS Security Administrator		Security protection permissions for DBSS.
		DBSS FullAccess	Policy	Full permissions for DBSS.
		DBSS ReadOnlyAccess	Policy	Read-only permissions for DBSS. Users granted these permissions can only view this service and cannot configure resources in it.
Data Encryption Workshop (DEW) (Project-level service)	Region-specific projects	KMS Administrator	Role	DEW administrator with full permissions.
		KMS CMKFullAccess	Policy	Full permissions for encryption keys in DEW.
		DEW KeypairFullAccess		Full permissions for key pairs in DEW.
		DEW KeypairReadOnlyAccess		Permissions for viewing key pairs in DEW.
		CSMS FullAccess		Full permissions for Cloud Secret Management Service (CSMS).
		CSMS ReadOnlyAccess		Read-only permissions for CSMS.
Web Application Firewall (WAF) (Project-level service)	Region-specific projects	WAF Administrator	Role	Full permissions for WAF. This role must be used together with the Tenant Guest role in the global service project and with the Server Administrator role in the same project.
		WAF FullAccess	Policy	Full permissions for WAF.
		WAF ReadOnlyAccess	Policy	Read-only permissions for WAF.
Cloud Firewall (CFW) (Project-level service)	Region-specific projects	CFW FullAccess	Policy	Full permissions for CFW.
Cloud Firewall (CFW) (Project-level service)	Region-specific projects	CFW ReadOnlyAccess	Policy	Read-only permissions for CFW.
SSL Certificate Manager (SCM) (Global service) (SCM has been integrated into CCM.)	Global services	SCM Administrator	Role	Full permissions for SCM. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
		SCM FullAccess	Policy	Full permissions for SCM.
		SCM ReadOnlyAccess	Policy	Read-only permissions for SCM. Users with these permissions can only query certificates but cannot add, delete, or modify certificates.
Cloud Bastion Host (CBH) (Project-level service)	Region-specific projects	CBH FullAccess	Policy	Full permissions for CBH instances.
Cloud Bastion Host (CBH) (Project-level service)	Region-specific projects	CBH ReadOnlyAccess	Policy	Read-only permissions for CBH instances. Users who have read-only permissions granted can only view CBH instances but cannot configure or perform operations on services.
Data Security Center (DSC) (Project-level service)	Region-specific projects	DSC FullAccess	Policy	Full permissions for DSC.
		DSC ReadOnlyAccess		Read-only permissions for DSC.
		DSC DashboardReadOnlyAccess		Read-only permissions for the overview page of DSC.
Database and Application Migration (UGO) (Project-level service)	Region-specific projects	UGO FullAccess	Policy	Full permissions for UGO.
		UGO ReadOnlyAccess		Read-only permissions for UGO.
		UGO CommonOperations		SQL statement conversion permission for UGO.

Management & Governance

Service	Scope	Policy/Role Name	Type	Description
Identity and Access Management (IAM) (Global service)	Global services	IAM ReadOnlyAccess	Policy	Read-only permissions for IAM.
Identity and Access Management (IAM) (Global service)	Global services	Security Administrator	Role	All permissions (excluding switching roles) for IAM.
Cloud Eye (Project-level service)	Region-specific projects	CES Administrator	Role	Full permissions for Cloud Eye. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
	Region-specific projects	CES FullAccess	Policy	Administrator permissions for performing all operations on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization.
	Region-specific projects	CES ReadOnlyAccess	Policy	Read-only permissions for viewing data on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization.
Application Operations Management (AOM) (Project-level service)	Region-specific projects	AOM FullAccess	Policy	Full permissions for AOM.
	Region-specific projects	AOM ReadOnlyAccess	Policy	Read-only permissions for AOM.
Application Performance Management (APM) (Project-level service)	Region-specific projects	APM FullAccess	Policy	Full permissions for APM.
		APM ReadOnlyAccess	Policy	Read-only permissions for APM.
		APM Administrator	Role	Full permissions for APM.
Cloud Trace Service (CTS) (Project-level service)	Region-specific projects	CTS FullAccess	Policy	Full permissions for CTS. NOTE: To enable CTS, a user must be granted permissions using the CTS FullAccess policy and the Security Administrator role.
		CTS ReadOnlyAccess	Policy	Read-only permissions for CTS.
		CTS Administrator	Role	Full permissions for CTS. This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project.
Log Tank Service (LTS) (Project-level service)	Region-specific projects	LTS FullAccess	Policy	Full permissions for LTS.
		LTS ReadOnlyAccess	Policy	Read-only permissions for LTS.
		LTS Administrator	Role	Full permissions for LTS. This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project.
Tag Management Service (TMS) (Global service)	Global services	TMS FullAccess	Policy	Full permissions for TMS.
		TMS ReadOnlyAccess	Policy	Read-only permissions for TMS.
		TMS Administrator	Role	Administrator permissions for TMS. The permissions depend on the following policies: Tenant Guest: a global or project-level policy, which must be assigned in the same project as TMS Administrator. Server Administrator: a project-level policy, which must be assigned in the same project as TMS Administrator. Tenant Guest: a global policy. Select Global services for Scope. Tenant Administrator: a global policy. Select Global services for Scope. IMS Administrator: a project-level policy, which must be assigned in the same project as TMS Administrator. AutoScaling Administrator: a project-level policy, which must be assigned in the same project as TMS Administrator. VPC Administrator: a project-level policy, which must be assigned in the same project as TMS Administrator. VBS Administrator: a project-level policy, which must be assigned in the same project as TMS Administrator.
Resource Template Service (RTS) (Project-level service)	Region-specific projects	RTS Administrator	Role	Full permissions for RTS. This role must be used together with the Server Administrator, ELB Administrator, and CES Administrator roles in the same project.
OneAccess (Global service)	Global services	OneAccess FullAccess	Policy	Full permissions for OneAccess, including permissions for creating a custom domain name and modifying the domain name certificate. IAM users cannot purchase or use OneAccess instances.
OneAccess (Global service)	Global services	OneAccess ReadOnlyAccess	Policy	Read-only permissions for OneAccess. Users granted these permissions can only view this service and cannot configure resources in it.
Config (Global service)	Global services	Config ConsoleFullAccess	Policy	Permissions for all operations on the Config console.
		Config FullAccess		Full permissions for Config.
		Config ReadOnlyAccess		Read-only permissions for Config.
Resource Access Manager (RAM) (Global service)	Global services	RAM FullAccess	Policy	Full permissions for RAM.
		RAM ReadOnlyAccess		Read-only permissions for RAM.
		RAM ResourceShareParticipantAccess		Permissions for accepting or reject a resource sharing invitation.
Organizations (Global service)	Global services	Organizations FullAccess	Policy	Full permissions for Organizations.
Organizations (Global service)	Global services	Organizations ReadOnlyAccess	Policy	Read-only permissions for Organizations.

Application

Service	Scope	Policy/Role Name	Type	Description
ServiceStage (Project-level service)	Region-specific projects	ServiceStage Administrator	Role	ServiceStage administrator, who has full permissions for this service.
		ServiceStage Developer		ServiceStage developer, who has full permissions for this service but does not have the permission for creating infrastructure.
		ServiceStage Operator		ServiceStage operator, who has the read-only permission for this service.
		ServiceStage FullAccess	Policy	Full permissions for ServiceStage.
		ServiceStage ReadOnlyAccess		Read-only permissions for ServiceStage.
		ServiceStage Development		Developer permissions for ServiceStage, including permissions for performing operations on applications, components, and environments, but excluding approval permissions and permissions for creating infrastructure.
Cloud Service Engine (CSE)	Region-specific projects	CSE FullAccess	Policy	Full permissions for CSE.
Cloud Service Engine (CSE)	Region-specific projects	CSE ReadOnlyAccess	Policy	Read-only permissions for CSE.
Distributed Cache Service (DCS) (Project-level service)	Region-specific projects	DCS FullAccess	Policy	Full permissions for DCS.
		DCS UserAccess		Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances.
		DCS ReadOnlyAccess		Read-only permissions for DCS.
		DCS Administrator	Role	Full permissions for DCS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
Distributed Message Service (DMS for Kafka and DMS for RabbitMQ) (Project-level service)	Region-specific projects	DMS UserAccess	Policy	Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, scaling up instances and dumping.
		DMS ReadOnlyAccess		Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data.
		DMS FullAccess		Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS.
Simple Message Notification (SMN) (Project-level service)	Region-specific projects	SMN Administrator	Role	Full permissions for SMN. This role must be used together with the Tenant Guest role in the same project.
		SMN FullAccess	Policy	Full permissions for SMN.
		SMN ReadOnlyAccess	Policy	Read-only permissions for SMN.
API Gateway (Project-level service)	Region-specific projects	APIG Administrator	Role	Administrator permissions for API Gateway. Users granted these permissions can use all functions of the shared and dedicated gateways. To use VPC channels, the user must also be assigned the VPC Administrator role. To use custom authentication, the user must also be assigned the FunctionGraph Administrator role.
		APIG FullAccess	Policy	Full permissions for API Gateway. Users granted these permissions can use all functions of dedicated API gateways.
		APIG ReadOnlyAccess	Policy	Read-only permissions for API Gateway. Users granted these permissions can only view dedicated API gateways.
Multi-Site High Availability Service (MAS) (Project-level service)	Region-specific projects	MAS FullAccess	Policy	Full permissions for MAS.
		MAS ReadOnlyAccess		Read-only permissions for MAS.
		MAS CommonOperations		Basic operation permissions for MAS, including the permissions to operate applications, components, and monitors, but excluding the permissions to create or delete instances.
Blockchain Service (BCS) (Project-level service)	Region-specific projects	BCS Administrator	Role	Administrator permissions for BCS.

DeC

Service	Scope	Policy/Role Name	Type	Description
Dedicated Distributed Storage Service (DSS) (Project-level service)	Region-specific projects	DSS FullAccess	Role	Full permissions for DSS.
DSS ReadOnlyAccess	Read-only permissions for DSS.

Service

Scope

Policy/Role Name

Type

Description

Dedicated Distributed Storage Service (DSS)

(Project-level service)

Region-specific projects

DSS FullAccess

Role

Full permissions for DSS.

DSS ReadOnlyAccess

Read-only permissions for DSS.

Database

Service	Scope	Policy/Role Name	Type	Description
Relational Database Service (RDS) (Project-level service)	Region-specific projects	RDS FullAccess	Policy	Full permissions for RDS.
		RDS ReadOnlyAccess		Read-only permissions for RDS.
		RDS ManageAccess		Database administrator permissions for all operations except deleting RDS resources.
		RDS Administrator	Role	Full permissions for RDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
Document Database Service (DDS) (Project-level service)	Region-specific projects	DDS FullAccess	Policy	Full permissions for DDS.
		DDS ReadOnlyAccess		Read-only permissions for DDS.
		DDS ManageAccess		Database administrator permissions for all operations except deleting DDS resources.
		DDS Administrator	Role	Full permissions for DDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. If a DDS enterprise project is configured, you need to assign the DAS Admin role to users in the same project so that the users can log in to DAS from the DDS console.
Data Replication Service (DRS) (Project-level service)	Region-specific projects	DRS Administrator	Role	Full permissions for DRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
		DRS FullAccess	Policy	Full permissions for DRS.
		DRS ReadOnlyAccess	Policy	Read-only permissions for DRS.
Data Admin Service (DAS) (Project-level service)	Region-specific projects	DAS Administrator	Role	DAS administrator with full permissions. This role must be used together with the Tenant Guest role in the same project.
Data Admin Service (DAS) (Project-level service)	Region-specific projects	DAS FullAccess	Policy	Full permissions for DAS.
Distributed Database Middleware (DDM) (Project-level service)	Region-specific projects	DDM FullAccess	Policy	Full permissions for DDM.
		DDM CommonOperations		Common permissions for DDM. Users with common permissions cannot perform the following operations: Buying DDM instances Deleting DDM instances Scaling up instances Rolling back instances or clearing data when scale-up fails
		DDM ReadOnlyAccess		Read-only permissions for DDM.
GeminiDB (Project-level service)	Region-specific projects	GeminiDB FullAccess	Policy	Full permissions for multi-model NoSQL databases.
GeminiDB (Project-level service)	Region-specific projects	GeminiDB ReadOnlyAccess	Policy	Read-only permissions for multi-model NoSQL databases.
GaussDB (Project-level service)	Region-specific projects	GaussDB FullAccess	Policy	Full permissions for GaussDB.
GaussDB (Project-level service)	Region-specific projects	GaussDB ReadOnlyAccess	Policy	Read-only permissions for GaussDB.

Migration

Service	Scope	Policy/Role Name	Type	Description
Cloud Data Migration (CDM) (Project-level service)	Region-specific projects	CDM Administrator	Role	Full permissions for CDM. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
		CDM FullAccess	Policy	Administrator permissions for performing all operations on CDM.
		CDMFullAccessExceptUpdateEIP		Permissions for performing all operations except binding and unbinding EIPs on CDM.
		CDM CommonOperations		Permissions for performing operations on CDM jobs and links.
		CDM ReadOnlyAccess		Read-only permissions for CDM. Users granted these permissions can only view CDM clusters, links, and jobs.
Server Migration Service (SMS) (Global service)	Global services	SMS FullAccess	Policy	Full permissions for SMS.
Server Migration Service (SMS) (Global service)	Global services	SMS ReadOnlyAccess	Policy	Read-only permissions for SMS.
Object Storage Migration Service (OMS) (Project-level service)	Region-specific projects	OMS Administrator	Role	Full permissions for OMS. To use OMS, an IAM user must also be assigned the OBS OperateAccess policy.

Intelligent Edge

Service	Scope	Policy/Role Name	Type	Description
CloudLake (IEC) (Global service)	Global services	IEC FullAccess	Policy	Full permissions for IEC. Users with these permissions can perform any operations on IEC resources.
IEC ReadOnlyAccess	Read-only permissions for IEC. Users with these permissions can only view IEC data, for example, viewing the usage of IEC resources.

Service

Scope

Policy/Role Name

Type

Description

CloudLake (IEC)

(Global service)

Global services

IEC FullAccess

Policy

Full permissions for IEC. Users with these permissions can perform any operations on IEC resources.

IEC ReadOnlyAccess

Read-only permissions for IEC. Users with these permissions can only view IEC data, for example, viewing the usage of IEC resources.

Enterprise Intelligence

Service	Scope	Policy/Role Name	Type	Description
ModelArts (Project-level service)	Region-specific projects	ModelArts FullAccess	Policy	Administrator permissions for performing all operations on ModelArts.
ModelArts (Project-level service)	Region-specific projects	ModelArts CommonOperations	Policy	Permissions for performing all operations except managing dedicated resource pools on ModelArts.
DataArts Studio (Project-level service)	Region-specific projects	DAYU Administrator	Role	Full permissions for DataArts Studio. Users with the DAYU Administrator role have all permissions for workspaces. Only DAYU Administrator has the permission to configure default items of DataArts Factory (including the periodic scheduling, multi-IF policy, hard and soft lock policy, and format of script variables). DAYU User does not have this permission.
DataArts Studio (Project-level service)	Region-specific projects	DAYU User	Role	Common DataArts Studio user. Users with the DAYU User role have the permissions of the role assigned to them in a workspace.
MapReduce Service (MRS) (Project-level service)	Region-specific projects	MRS FullAccess	Policy	Full permissions for MRS.
		MRS CommonOperations		Common user permissions for MRS operations except creating and deleting resources.
		MRS ReadOnlyAccess		Read-only permissions for MRS.
		MRS Administrator	Role	Full permissions for MRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
GaussDB(DWS)	Region-specific projects	DWS FullAccess	Policy	Full permissions for DWS.
		DWS ReadOnlyAccess	Policy	Read-only permissions for DWS.
		DWS Administrator	Role	Full permissions for DWS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
		DWS Database Access	Role	Permissions for accessing DWS. Users granted these permissions can generate temporary tokens for connecting to DWS cluster databases.
Data Lake Insight (DLI) (Project-level service)	Region-specific projects	DLI Service Admin	Role	Full permissions for DLI.
		DLI FullAccess	Policy	Full permissions for DLI. Users granted these permissions can perform all operations on DLI.
		DLI ReadOnlyAccess	Policy	Users granted these permissions can only view the queue list, job list, job details, database list, table list, table creation statements, table fields, and job metadata such as job creation, update, and deletion.
Graph Engine Service (GES) (Project-level service)	Region-specific projects	GES Administrator	Role	Full permissions for GES. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
		GES Manager		Advanced user of GES with permissions for performing any operations on GES resources except creating and deleting graphs. This role must be used together with the Tenant Guest role in the same project.
		GES Operator		Permissions for viewing and accessing graphs. This role must be used together with the Tenant Guest role in the same project.
		GES FullAccess	Policy	Administrator permissions for performing all operations (including creation, deletion, access, and upgrade operations) on GES.
		GES Development		Operator permissions for all operations except creating and deleting graphs.
		GES ReadOnlyAccess		Read-only permissions for viewing resources, such as graphs, metadata, and backup data.
Cloud Search Service (CSS) (Project-level service)	Region-specific projects	CSS Administrator	Role	Full permissions for CSS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
Data Ingestion Service (DIS) (Project-level service)	Region-specific projects	DIS Administrator	Role	Full permissions for DIS.
		DIS Operator		Permissions for managing streams, such as creating and deleting streams, but not for uploading and downloading data.
		DIS User		Permissions for uploading and downloading data, but not for managing streams.
CloudTable Service (CloudTable) (Project-level service)	Region-specific projects	CloudTable Administrator	Role	Full permissions for CloudTable. This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
Recommender System (RES) (Project-level service)	Region-specific projects	RES FullAccess	Policy	Full permissions for RES.
Recommender System (RES) (Project-level service)	Region-specific projects	RES ReadOnlyAccess	Policy	Read-only permissions for RES.
Conversational Bot Service (CBS) (Project-level service)	Region-specific projects	CBS Administrator	Role	Full permissions for CBS.
Conversational Bot Service (CBS) (Project-level service)	Region-specific projects	CBS Guest	Role	Read-only permissions for CBS.
Huawei HiLens (Project-level service)	Region-specific projects	HiLens FullAccess	Policy	Administrator permissions for Huawei HiLens. Users granted these permissions can operate and use all Huawei HiLens resources. If you want to grant permission to participate in OBT, receive alarms, and set skill messages, assign the SMN Administrator role in the same project.
		HiLens CommonOperations		Operation permissions for Huawei HiLens. Users granted these permissions can perform operations on Huawei HiLens, except deregistering devices and suspending skills.
		HiLens ReadOnlyAccess		Read-only permissions for Huawei HiLens. Users granted these permissions can only view Huawei HiLens data. If you want to grant permission to participate in OBT, receive alarms, and set skill messages, assign the SMN Administrator role in the same project.
Trusted Intelligent Computing Service (TICS) (Project-level service)	Region-specific projects	TICS FullAccess	Policy	Full permissions for TICS.
		TICS ReadOnlyAccess		Read-only permissions for TICS.
		TICS CommonOperations		Permissions for managing alliances, jobs, agents, notifications, and datasets in TICS.
LakeFormation	Global services	LakeFormation FullAccess	Policy	Administrator permissions for LakeFormation. Users with these permissions can perform all operations on LakeFormation.
		LakeFormation ReadOnlyAccess		Read-only permissions for LakeFormation. Users with these permissions can only view LakeFormation data.
		LakeFormation CommonAccess		Basic permissions for LakeFormation, including viewing, authorizing, and canceling the LakeFormation service agreement and basic permissions for dependent services such as OBS and TMS.

Enterprise Application

Service	Scope	Policy/Role Name	Type	Description
Workspace (Project-level service)	Region-specific projects	Workspace FullAccess	Policy	Full permissions for Workspace.
		Workspace DesktopsManager		Desktop administrator permissions for Workspace.
		Workspace UserManager		User administrator permissions for Workspace.
		Workspace SecurityManager		Security administrator permissions for Workspace.
		Workspace TenantManager		Tenant administrator permissions for Workspace.
		Workspace ReadOnlyAccess		Read-only permissions for Workspace.
ROMA Connect (Project-level service)	Region-specific projects	ROMA Administrator	Role	Administrator permissions for ROMA Connect. Users with these permissions can perform all operations on ROMA Connect. This role must be used together with the following dependence roles in the same project: To use VPC channels, the user must also be assigned the VPC Administrator role. To use FunctionGraph as the backend service of APIs, the user must also be assigned the FunctionGraph Administrator role. To use a rule engine to forward data to DIS, the user must also be assigned the DIS Administrator role.
		ROMA FullAccess	Policy	All permissions for ROMA Connect. Users granted these permissions can use all ROMA Connect instances.
		ROMA CommonOperations		Common user permissions for ROMA Connect. This policy does not include permissions for creating, modifying, and deleting instances.
		ROMA ReadOnlyAccess		Read-only permissions for ROMA Connect. Users granted these permissions can only view ROMA Connect data.
ROMA Exchange (Global/project-level service)	All resources	ROMAExchange FullAccess	Policy	Full permissions for ROMA Exchange.

Cloud Communications

Service	Scope	Policy/Role Name	Type	Description
Voice Call (Project-level service)	Region-specific projects	RTC Administrator	Role	Full permissions for Voice Call, Message & SMS, and Private Number.
Message & SMS (Project-level service)	Region-specific projects	RTC Administrator	Role	Full permissions for Voice Call, Message & SMS, and Private Number.
		MSGSMS FullAccess	Policy	Common user permissions for Message & SMS. Users granted these permissions can perform all operations supported by Message & SMS, including creation, deletion, and viewing, and modifying specifications.
		MSGSMS ReadOnlyAccess	Policy	Read-only permissions for Message & SMS. Users granted these permissions can only view Message & SMS statistics.
Private Number (Project-level service)	Region-specific projects	RTC Administrator	Role	Full permissions for Voice Call, Message & SMS, and Private Number.
		PrivateNumber FullAccess	Policy	Full permissions for Private Number.
		PrivateNumber ReadOnlyAccess	Policy	Read-only permissions for Private Number.

Video

Service	Scope	Policy/Role Name	Type	Description
Media Processing Center (MPC) (Project-level service)	Region-specific projects	MPC Administrator	Role	Full permissions for MPC.
Video on Demand (VOD) (Project-level service)	Region-specific projects	VOD Administrator	Role	Full permissions for operations on all media files.
		VOD Group Administrator		Permissions for operations (except global configuration and domain name management) on media files created by users in the current group.
		VOD Group Operator		Permissions for operations (except media review, media deletion, global configuration, and domain name management) on media files created by users in the current group.
		VOD Group Guest		Permissions for querying media files created by users in the current group.
		VOD Operator		Permissions for operations (except media review, global configuration, and domain name management) on video files created by users in the current group.
		VOD Guest		Read-only permissions for VOD.
		VOD FullAccess	Policy	Full permissions for VOD.
		VOD ReadOnlyAccess		Read-only permissions for VOD.
		VOD CommonOperations		Basic operation permissions for VOD, excluding permissions for global configuration, domain name management, permissions management, settings review, and audio and video hosting.
Live (Project-level service)	Region-specific projects	Live FullAccess	Policy	Full permissions for Live.
Live (Project-level service)	Region-specific projects	Live ReadOnlyAccess	Policy	Read-only permissions for Live.
Real-Time Communication (RTC) (Global service)	Global services	RTC FullAccess	Policy	Full permissions for RTC.
Real-Time Communication (RTC) (Global service)	Global services	RTC ReadOnlyAccess	Policy	Read-only permissions for RTC.

Development and O&M

Service	Scope	Policy/Role Name	Type	Description
CodeArts (Project-level service)	Region-specific projects	DevCloud Console FullAccess	Policy	Full permissions for the DevCloud console.
CodeArts (Project-level service)	Region-specific projects	DevCloud Console ReadOnlyAccess	Policy	Read-only permissions for the DevCloud console.
CodeArts Req (Project-level service)	Region-specific projects	ProjectMan ConfigOperations	Policy	Full permissions for ProjectMan.
CodeArts IDE Online (Project-level service)	Region-specific projects	CloudIDE FullAccess	Policy	Full permissions for CodeArts IDE Online.
		CloudIDE ReadOnlyAccess		Read-only permissions for CodeArts IDE Online.
		CloudIDE Development		Development permissions for CodeArts IDE Online, including the permissions for viewing, starting, stopping, and accessing instances.
		CloudIDE InstanceManagement		Instance management permissions for CodeArts IDE Online. Users with these permissions can manage their own instances and access the instances allocated to them.

Industrial Software

Service	Scope	Policy/Role Name	Type	Description
Industrial Digital Model Engine (iDME)	Region-specific projects	DME AppOperationAccess	Policy	Application management permissions for iDME, including the permissions to create and modify applications.
		DME EnvOperationAccess		Operating environment management permissions for iDME, including the permissions to deploy and uninstall applications.
		DME FullAccess		Full permissions for iDME.
		DME ReadOnlyAccess		Read-only permissions for iDME. Users with those permissions can read the application list and the running service list.
Industrial Data Exchange Engine Service (iDEE)	Region-specific projects	iDEE FullAccess	Policy	Full permissions for iDEE.
Industrial Data Exchange Engine Service (iDEE)	Region-specific projects	iDEE ReadOnlyAccess	Policy	Read-only permissions for iDEE.

User Support

Service	Scope	Policy/Role Name	Type	Description
Business Support System (BSS) (Project-level service) NOTICE: These are the projects where permissions for this service can be assigned.	Region-specific projects	BSS Administrator	Role	Full permissions for Billing Center, Resource Center, and My Account.
		BSS ReadonlyAccess	Policy	Read-only permissions for Billing Center, Cost Center, and Message Center.
		BSS FinanceAccess		Financial administrator of BSS in Billing Center, who has full permissions for financial operations.
		Enterprise Project BSS FullAccess		All operations permissions supported by Enterprise Project.
Enterprise Project Management Service (EPS) (Global service)	Global services	EPS FullAccess	Policy	Full permissions for EPS.
	Global services	EPS ReadOnlyAccess	Policy	Read-only permissions for EPS.
Service Ticket (Global service)	Global services	Ticket Administrator	Role	Full permissions for Service Ticket.
Service Ticket (Global service)	Global services	Ticket Group Operator	Role	Permissions for processing service tickets of other users in the same group.
Professional Services (Global/project-level service)	All resources	PSDMFullAccess	Policy	Full permissions for the Professional Service Delivery Management (PSDM) platform.
Professional Services (Global/project-level service)	All resources	PSDMReadOnlyAccess	Policy	Read-only permissions for the PSDM platform.
ICP License Service (Global service)	Global services	Beian Administrator	Role	ICP License Service administrator with full permissions.

Other

Service	Scope	Policy/Role Name	Type	Description
Message Center (Global service)	Global services	MessageCenter FullAccess	Policy	Full permissions for Message Center.
MessageCenter ReadOnlyAccess	Read-only permissions for Message Center.
MessageCenter RecipientManagement	Message receiving management permissions for Message Center, including permissions for configuring SMS messages, emails, and voice messages, viewing and modifying recipients.

Service

Scope

Policy/Role Name

Type

Description

Message Center

(Global service)

Global services

MessageCenter FullAccess

Policy

Full permissions for Message Center.

MessageCenter ReadOnlyAccess

Read-only permissions for Message Center.

MessageCenter RecipientManagement

Message receiving management permissions for Message Center, including permissions for configuring SMS messages, emails, and voice messages, viewing and modifying recipients.

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot