Permissions Management
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the users can perform specified operations on GES based on the permissions.
With IAM, you can use your cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use DIS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DIS resources.
If your cloud account does not need individual IAM users for permissions management, you may skip over this chapter.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.
DIS Permissions
DIS is a project-level service deployed in specific physical regions. Therefore, DIS permissions are assigned to users in specific regions (such as CN-Hong Kong) and only take effect for these regions. If you want the permissions to take effect for all regions, you need to assign the permissions to users in each region. When accessing DIS, the users need to switch to a region where they have been authorized to use cloud services.
You can grant users permissions by using roles and policies.
Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign the other roles on which those permissions depend for them to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Table 1 lists all the system permissions supported by DIS. Dependencies are permissions on which a system permission depends to take effect. For example, some DIS permissions are dependent on the permissions of other services. When assigning DIS permissions to users, you need to also assign dependent policies for the DIS permissions to take effect.
| System-Defined Role | Description | Dependencies |
|---|---|---|
| DIS Administrator | Administrator permissions for DIS. Users granted these permissions can operate and use all DIS resources. | N/A |
| DIS Operator | Stream management permissions for DIS. Users granted these permissions can manage streams, such as creating or deleting streams, but cannot upload or download data. | N/A |
| DIS User | Stream use permissions for DIS. Users granted these permissions can upload and download data but cannot manage streams. | N/A |
Table 2 lists the common operations supported by each system permission of DIS. Choose proper system permissions according to this table.
| Operation | DIS Administrator | DIS Operator | DIS User |
|---|---|---|---|
| Creating streams | √ | √ | x |
| Deleting streams | √ | √ | x |
| Querying the stream list | √ | √ | √ |
| Querying stream details | √ | √ | √ |
| Viewing stream monitoring information | √ | √ | √ |
| Querying partition monitoring information | √ | √ | √ |
| Obtaining stream consumption information | √ | √ | √ |
| Changing partition quantity | √ | √ | x |
| Uploading data | √ | x | √ |
| Obtaining data cursors | √ | x | √ |
| Downloading data | √ | x | √ |
| Creating applications | √ | √ | √ |
| Querying application details | √ | √ | √ |
| Querying the application list | √ | √ | √ |
| Deleting applications | √ | √ | √ |
| Adding checkpoints | √ | x | √ |
| Querying checkpoints | √ | √ | √ |
| Deleting checkpoints | √ | x | √ |
| Creating dump tasks | √ | √ | √ |
| Querying dump task details | √ | √ | √ |
| Querying the dump task list | √ | √ | √ |
| Deleting dump tasks | √ | √ | √ |
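The following is an added example, not code from the DIS documentation: it transcribes Table 2 into data and picks the system role that covers a set of required operations, grants none of the operations you want to exclude, and carries the fewest extra operations. The names `TABLE_2`, `load_grants` and `least_privilege` are hypothetical and exist only for this illustration.

```python
# Added example: Table 2 as data. Flags are Administrator/Operator/User, 1 = allowed.
ROLES = ("DIS Administrator", "DIS Operator", "DIS User")
TABLE_2 = """\
Creating streams|110
Deleting streams|110
Querying the stream list|111
Querying stream details|111
Viewing stream monitoring information|111
Querying partition monitoring information|111
Obtaining stream consumption information|111
Changing partition quantity|110
Uploading data|101
Obtaining data cursors|101
Downloading data|101
Creating applications|111
Querying application details|111
Querying the application list|111
Deleting applications|111
Adding checkpoints|101
Querying checkpoints|111
Deleting checkpoints|101
Creating dump tasks|111
Querying dump task details|111
Querying the dump task list|111
Deleting dump tasks|111
"""

def load_grants(text=TABLE_2):
    """Parse the matrix into {role: set of allowed operations}."""
    rows = [line.rsplit("|", 1) for line in text.strip().splitlines()]
    return {role: {op for op, flags in rows if flags[i] == "1"}
            for i, role in enumerate(ROLES)}

def least_privilege(required, forbidden=()):
    """Return (role, excess operations) for the tightest fitting role, or None."""
    grants = load_grants()
    required, forbidden = set(required), set(forbidden)
    unknown = (required | forbidden) - set().union(*grants.values())
    if unknown:  # a misspelled operation must not silently match nothing
        raise ValueError(f"not in Table 2: {sorted(unknown)}")
    fits = [(len(ops - required), role) for role, ops in grants.items()
            if required <= ops and not ops & forbidden]
    if not fits:
        return None
    role = min(fits)[1]
    return role, sorted(grants[role] - required)
```

The returned excess list is the part worth reviewing: a user who only needs to upload and download data still receives every other operation that DIS User allows, and a `None` result means no system role satisfies the constraints.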