Permissions Management
If you need to assign different permissions to employees in your enterprise to access your MgC resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control. It makes it easier to secure access to your resources.
With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, you can create IAM users for software developers and grant them the permissions required for using MgC resources but not the permissions needed for performing any other operations.
If your account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.
MgC Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they have been added to and can then perform specified operations on cloud services.
- Roles: A coarse-grained authorization method where you assign permissions based on user responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you must also assign other roles that the permissions may depend on. Roles are not ideal for fine-grained authorization and access control.
- Policies: A fine-grained authorization tool that defines permissions for operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for maintaining the principle of least privilege.
Policy Name |
Description |
Policy Type |
Policy Content |
|---|---|---|---|
MgC FullAccess |
Administrator permissions of MgC. Users with these permissions can perform all operations on MgC data. |
System-defined policy |
|
MgC ReadOnlyAccess |
Read-only permissions for MgC. Users with permissions can only view MgC data. |
System-defined policy |
|
MgC DiscoveryAccess |
Permissions for resource discovery of MgC. Users with these permissions can use the resource discovery function of MgC and view MgC data. |
System-defined policy |
|
MgC AssessAccess |
Permissions for application assessment of MgC. Users with these permissions can use the resource discovery and application assessment functions of MgC and view MgC data. |
System-defined policy |
|
MgC MigrateAccess |
Permissions for application migration of MgC. Users with these permissions can use the resource discovery, application assessment, and application migration functions of MgC and view MgC data. |
System-defined policy |
|
MgC AppDiscoveryAccess |
Permissions for application discovery of MgC. Users with these permissions can use the application discovery and resource discovery functions of MgC and view MgC data. |
System-defined policy |
|
MgC MrrAccess |
Permissions for service verification of MgC. Users with these permissions can use the service verification function of MgC and view MgC data. |
System-defined policy |
Operation |
MgC FullAccess |
MgC ReadOnlyAccess |
MgC DiscoveryAccess |
MgC AssessAccesss |
MgC MigrateAccess |
MgC AppDiscoveryAccess |
|---|---|---|---|---|---|---|
Performing operations on MgC resources |
√ |
x |
x |
x |
x |
x |
Viewing MgC resources |
√ |
√ |
√ |
√ |
√ |
√ |
Discovering resources |
√ |
x |
√ |
√ |
√ |
√ |
Assessing applications |
√ |
x |
x |
√ |
√ |
x |
Migrating applications |
√ |
x |
x |
x |
√ |
x |
Discovering applications |
√ |
x |
x |
x |
x |
√ |
MgC FullAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Action": [
"mgc:*:*",
"iam:agencies:listAgencies",
"iam:agencies:createAgency",
"iam:permissions:grantRoleToAgency"
],
"Effect": "Allow"
}
]
}
MgC ReadOnlyAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mgc:*:query*"
]
}
]
}
MgC DiscoveryAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mgc:*:query*",
"mgc:*:discovery"
]
}
]
}
MgC AssessAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Action": [
"mgc:*:query*",
"mgc:*:discovery",
"mgc:*:assess",
"iam:agencies:listAgencies",
"iam:agencies:createAgency",
"iam:permissions:grantRoleToAgency"
],
"Effect": "Allow"
}
]
}
MgC MigrateAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Action": [
"mgc:*:query*",
"mgc:*:discovery",
"mgc:*:assess",
"mgc:*:migrate",
"iam:agencies:listAgencies",
"iam:agencies:createAgency",
"iam:permissions:grantRoleToAgency"
],
"Effect": "Allow"
}
]
}
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
