MgC Permissions

If you need to assign different permissions to employees in your enterprise to access your MgC resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control. It makes it easier to secure access to your resources.

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, you can create IAM users for software developers and grant them the permissions required for using MgC resources but not the permissions needed for performing any other operations.

If your account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.

MgC Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they have been added to and can then perform specified operations on cloud services.

You can grant permissions using roles and policies.

Roles: A coarse-grained authorization method where you assign permissions based on user responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you must also assign other roles that the permissions may depend on. Roles are not ideal for fine-grained authorization and access control.
Policies: A fine-grained authorization tool that defines permissions for operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for maintaining the principle of least privilege.

Table 1 lists all the system-defined policies supported by MgC.

**Table 1** System-defined policies supported by MgC
Policy Name	Description	Policy Type	Policy Content
MgC FullAccess	Administrator permissions for MgC. Users with these permissions can perform all operations on MgC.	System-defined policies	MgC FullAccess Policy Content
MgC ReadOnlyAccess	Read-only permissions for MgC. Users with these permissions can only view MgC resources.	System-defined policies	MgC ReadOnlyAccess Policy Content
MgC DiscoveryAccess	Permissions for resource discovery with MgC. Users with these permissions can use the resource discovery function of MgC and view MgC resources.	System-defined policies	MgC DiscoveryAccess Policy Content
MgC AssessAccess	Permissions for application assessment with MgC. Users with these permissions can use the resource discovery and application assessment functions of MgC and view MgC resources.	System-defined policies	MgC AssessAccess Policy Content
MgC MigrateAccess	Permissions for application migration with MgC. Users with these permissions can use the resource discovery, application assessment, and application migration functions of MgC and view MgC resources.	System-defined policies	MgC MigrateAccess Policy Content
MgC AppDiscoveryAccess	Permissions for resource discovery with MgC. Users with these permissions can use the resource discovery and data collection functions of MgC and view MgC resources.	System-defined policies	MgC AppDiscoveryAccess Policy Content
MgC MrrAccess	Permissions for service verification with MgC. Users with these permissions can use the service verification function of MgC and view MgC resources.	System-defined policies	MgC MrrAccess Policy Content
MgC AZ MigrateAccess	Permissions for cross-AZ migration with MgC	System-defined policies	MgC AZ MigrateAccess Policy Content

Table 2 lists the common operations supported by each system-defined policy of MgC. Select the policies as required. For details, see Creating a User and Granting Permissions.

**Table 2** Common operations supported by each MgC system-defined policy
Operation	MgC FullAccess	MgC ReadOnlyAccess	MgC DiscoveryAccess	MgC AssessAccesss	MgC MigrateAccess	MgC AppDiscoveryAccess
Performing operations on MgC resources	√	x	x	x	x	x
Viewing MgC resources	√	√	√	√	√	√
Discovering resources using MgC	√	x	√	√	√	√
Designing migration plans on MgC	√	x	x	√	√	x
Performing operations on migration workflows	√	x	x	x	√	x
Collecting resource details using MgC	√	x	x	x	x	√

MgC FullAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:*",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC ReadOnlyAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:query*",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC DiscoveryAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:query*",
                "mgc:*:discovery",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC AssessAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:query*",
                "mgc:*:discovery",
                "mgc:*:assess",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC MigrateAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:query*",
                "mgc:*:discovery",
                "mgc:*:assess",
                "mgc:*:migrate",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC AppDiscoveryAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:query*",
                "mgc:*:discovery",
                "mgc:*:appdiscovery",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC MrrAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "mgc:*:query*",
                "mgc:mrr:query",
                "mgc:mrr:update",
                "mgc:mrr:export",
                "mgc:mrr:import",
                "mgc:mrr:upgrade",
                "mgc:mrr:delete",
                "mgc:mrr:check",
                "iam:agencies:listAgencies",
                "iam:roles:listRoles",
                "iam:quotas:listQuotas",
                "iam:permissions:listRolesForAgency"
            ],
            "Effect": "Allow"
        }
    ]
}

MgC AZ MigrateAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:cloudServers:createServers",
                "ecs:servers:create",
                "ecs:servers:stop",
                "ecs:servers:start",
                "ecs:availabilityZones:list",
                "ecs:*:get*",
                "ecs:*:list*",
                "evs:*:get*",
                "evs:*:list*",
                "vpc:*:get",
                "vpc:*:list",
                "vpc:securityGroups:*",
                "vpc:securityGroupRules:*",
                "vpc:floatingIps:*",
                "vpc:publicIps:*",
                "ims:images:create",
                "ims:images:delete",
                "ims:images:get",
                "ims:images:list",
                "ims:images:update",
                "ims:images:upload",
                "ims:wholeImages:create",
                "ims:*:list*",
                "ims:*:get*",
                "cbr:*:get*",
                "cbr:*:list*",
                "cbr:vaults:update",
                "cbr:vaults:delete",
                "cbr:vaults:create",
                "cbr:vaults:addResources",
                "cbr:vaults:backup",
                "cbr:backups:delete"
            ]
        }
    ]
}

Previous topic: Shared Responsibilities

Next topic: Notes and Constraints