Permissions Management
If your account does not need individual IAM users for permissions management, you may skip over this section.
If you need to assign different permissions to employees in your enterprise to access your DDM resources, IAM is a good choice for fine-grained permissions management. IAM provides functions like identity authentication, permissions management, and access control, helping you secure access to your cloud resources.
You can create IAM users for your employees, and assign permissions to these users to control their access to specific types of resources. For example, you can create IAM users for software developers and assign specific permissions to allow them to use DDM resources but disallow them to delete the resources or perform any high-risk operations.
IAM is a free service. You pay only for the resources in your account.
DDM Permissions
By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, you need to add them to one or more groups, and attach permissions policies or roles to these groups.
DDM is a project-level service deployed in specific physical regions. When you assign DDM permissions to a user group, you need to specify region-specific projects where the permissions will take effect. If you select All projects, the permissions will be granted for all region-specific projects. To access DDM, you need to switch to the region where you are authorized.
- Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign other dependent roles. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and more secure access control. For example, you can grant IAM users only the permissions for managing a certain type of DDM resources.
Table 1 System-defined policies Policy Name
Description
Type
Dependency
DDM FullAccess
Full permissions for Distributed Database Middleware
System-defined policy
None
DDM CommonOperations
Common permissions for Distributed Database Middleware, excluding the permissions to create, delete, and add nodes, configure shards, and roll back shard configuration tasks
System-defined policy
None
DDM ReadOnlyAccess
Read-only permissions for Distributed Database Middleware
System-defined policy
None
- DDM FullAccess
{ "Version": "1.1", "Statement": [{ "Action": ["ddm:*:*", "rds:instance:list", "rds:instance:modify", "rds:instance:modifyParameter", "vpc:*:*", "ecs:*:get*", "ecs:*:list*", "ecs:cloudServerNics:update", "ecs:serverInterfaces:use"], "Effect": "Allow" }] } - DDM CommonOperations
{ "Version": "1.1", "Statement": [{ "Action": [ "vpc:*:*list*", "vpc:*:*get*", "vpc:ports:update", "ecs:*:get*", "ecs:*:list*", "rds:instance:list", "rds:instance:modify", "rds:instance:modifyParameter" ], "Effect": "Allow" }, { "Condition": { "StringEqualsIgnoreCase": { "g:ServiceName": [ "ddm" ] } }, "NotAction": [ "ddm:instance:create", "ddm:instance:delete", "ddm:database:migrate*", "ddm:instance:resize", "ddm:instance:extendNode" ], "Effect": "Allow" }] } - DDM ReadOnlyAccess
{ "Version": "1.1", "Statement": [{ "Action": [ "rds:instance:list", "vpc:*:*list*", "vpc:*:*get*", "ecs:*:get*", "ecs:*:list*", "ddm:*:list", "ddm:*:get", "ddm:instance:listParameter", "ddm:instance:listRwInfo", "ddm:instance:listSlowSqlInfo", "ddm:rds:connectivity" ], "Effect": "Allow" }] }
|
Operation |
DDM FullAccess |
DDM CommonOperations |
DDM ReadOnlyAccess |
|---|---|---|---|
|
Querying DDM instances |
Supported |
Supported |
Supported |
|
Querying details of a DDM instance |
Supported |
Supported |
Supported |
|
Modifying instance information, including the name and security group |
Supported |
Supported |
Not supported |
|
Restarting a DDM instance |
Supported |
Supported |
Not supported |
|
Creating a DDM instance |
Supported |
Not supported |
Not supported |
|
Deleting a DDM Instance |
Supported |
Not supported |
Not supported |
|
Changing node class |
Supported |
Not supported |
Not supported |
|
Scaling out a DDM instance |
Supported |
Not supported |
Not supported |
|
Creating a schema |
Supported |
Supported |
Not supported |
|
Querying schemas |
Supported |
Supported |
Supported |
|
Querying details of a schema |
Supported |
Supported |
Supported |
|
Performing a rollback if configuring shards fails Deleting source data if configuring shards fails Retrying if configuring shards fails |
Supported |
Not supported |
Not supported |
|
Deleting a schema |
Supported |
Supported |
Not supported |
|
Querying accounts |
Supported |
Supported |
Supported |
|
Creating an account |
Supported |
Supported |
Not supported |
|
Modifying an account |
Supported |
Supported |
Not supported |
|
Resetting a password |
Supported |
Supported |
Not supported |
|
Deleting an account |
Supported |
Supported |
Not supported |
|
Synchronizing data node information |
Supported |
Supported |
Not supported |
|
Querying data nodes |
Supported |
Supported |
Supported |
|
Querying details of a data node |
Supported |
Supported |
Supported |
|
Modifying the read policy of a data node |
Supported |
Supported |
Not supported |
|
Viewing products |
Supported |
Supported |
Supported |
|
Creating a parameter template |
Supported |
Supported |
Not supported |
|
Deleting a parameter template |
Supported |
Supported |
Not supported |
|
Applying a parameter template |
Supported |
Supported |
Not supported |
|
Modifying a parameter template |
Supported |
Supported |
Not supported |
|
Replicating a parameter template |
Supported |
Supported |
Not supported |
|
Comparing two parameter templates |
Supported |
Supported |
Supported |
|
Querying parameter templates |
Supported |
Supported |
Supported |
|
Viewing all tags |
Supported |
Supported |
Supported |
|
Adding, modifying, or deleting a tag |
Supported |
Supported |
Not supported |
|
Querying a session |
Supported |
Supported |
Supported |
|
Killing a session |
Supported |
Supported |
Not supported |
|
Operation Category |
Operation |
Action |
|---|---|---|
|
DDM routine operations |
Buying a pay-per-use DDM instance Buying a yearly/monthly DDM instance |
ddm:instance:create Before you buy a DDM instance, obtain the following dependent permissions:
|
|
Querying DDM instances |
ddm:instance:list |
|
|
Querying details of a DDM instance |
ddm:instance:get To view details of a DDM instance, you need to configure the following permissions:
|
|
|
Modifying instance information, including modifying the name, changing the security group, or adding, modifying, or deleting a tag of a DDM instance |
ddm:instance:modify
To modify a security group, you need to configure the following permissions:
|
|
|
Restarting a DDM instance |
ddm:instance:reboot |
|
|
Deleting a DDM instance |
ddm:instance:delete vpc:ports:delete |
|
|
Changing node class |
ddm:instance:resize |
|
|
Scaling out a DDM instance |
ddm:instance:extendNode |
|
|
Monitoring the read/write ratio |
ddm:instance:listRwInfo |
|
|
Querying slow query logs |
ddm:instance:listSlowSqlInfo |
|
|
DDM routine operations |
Auto-renew (for yearly/monthly instances) |
Configure policies BSS Finance and BSS Operator as follows:
|
|
DDM routine operations |
Changing to yearly/monthly billing |
Configure policies BSS Finance and BSS Operator. The procedure is the same as that for renewing an instance. |
|
Schema operations |
Creating a schema |
ddm:database:create |
|
Querying schemas |
ddm:database:list |
|
|
Querying details of a schema |
ddm:database:get |
|
|
Performing a rollback if configuring shards fails Deleting source data if configuring shards fails Retrying if configuring shards fails |
ddm:database:migrateRollback |
|
|
Deleting a schema |
ddm:database:delete |
|
|
DDM account operations |
Querying accounts |
ddm:user:list |
|
Creating an account |
ddm:user:create |
|
|
Modifying an account |
ddm:user:modify |
|
|
Resetting a password |
ddm:user:modify |
|
|
Deleting an account |
ddm:user:delete |
|
|
Data node management (using an RDS for MySQL instance as an example) |
Synchronizing data node information |
ddm:rds:synchro To synchronize data node information, you need to configure the following permissions:
|
|
Querying data nodes |
ddm:rds:list |
|
|
Querying details of a data node |
ddm:rds:get |
|
|
Modifying the read policy of a data node |
ddm:rds:modifyReadPolicy |
|
|
DDM product operations |
Viewing products |
ddm:product:list |
|
Parameter template operations |
Creating a parameter template |
ddm:param:create |
|
Deleting a parameter template |
ddm:param:delete |
|
|
Applying a parameter template |
ddm:param:apply |
|
|
Modifying a parameter template |
ddm:param:update |
|
|
Replicating a parameter template |
ddm:param:create |
|
|
Comparing two parameter templates |
ddm:param:list |
|
|
Querying parameter templates |
ddm:param:list |
|
|
Tag operations |
Querying the tag list |
ddm:tag:list |
|
Adding, modifying, or deleting a tag |
ddm:tag:modify |
|
|
Session operations |
Querying a session |
ddm:instance:queryProcessList |
|
Killing a session |
ddm:instance:killProcessList |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
