Help Center/ Cloud Operations Center/ User Guide/ Change Management/ Configuring Change Control

Updated on 2025-08-08 GMT+08:00

View PDF

Configuring Change Control

Scenarios

You can configure whether to enable privilege escalation using a service ticket based on application scenarios. Currently, privilege escalation using incidents, war rooms, and change tickets are supported.

Prerequisites

To enable change control, you need to apply for the IAM permission. The action IDs are as follows:

Permissions required by policies, system-defined policies, and custom policies:

"iam:roles:listRoles",

"iam:permissions:grantRoleToAgency",

"iam:permissions:grantRoleToAgencyOnDomain",

"iam:roles:createRole",

"iam:groups:listGroups",

"iam:permissions:listRoleAssignments",

"iam:permissions:grantRoleToGroupOnDomain",

"iam:permissions:revokeRoleFromGroupOnDomain",

"iam:roles:deleteRole",

"iam:roles:updateRole"

Permissions required by identity policies, system-defined identity policies, and custom identity policies:

"iam:policies:createV5",

"iam:policies:listV5",

"iam:groups:attachPolicyV5",

"iam:groups:detachPolicyV5",

"iam:policies:deleteV5",

"iam:policies:listVersionsV5",

"iam:policies:createVersionV5",

"iam:policies:deleteVersionV5"

Precautions

By default, the change control policy generated by COC can only be bound to user groups for further permissions granting. Do not use the policy for other purposes.
You can click the editing button of actions on the related COC page to determine whether to control functions corresponding to the actions. Note that all operations must be performed on COC. Do not directly edit the policy.
If you enabled the feature of privilege escalation using service tickets, you need to bind the policy to your account. To disable this policy, you need to unbind the policy from your user group first.
During service ticket privilege escalation, the system needs to verify the region, application, and service ticket status of the resources required. If a resource does not belong to any region or application, the system does not verify the resource but will display all service tickets of the user. Verification requirements on service tickets are as follows.
- Incident ticket status verification:
  1. P1, P2, P3, and P4 incident tickets must be in the accepted state.
  2. The privilege escalation application must be the same as the one in the incident ticket analysis and handling phase.
  3. The privilege escalation operator must be the current owner in the incident analysis and handling phase.
  4. The privilege escalation region must be the same as the region specified in the incident ticket.
- War room status verification:
  1. A war room must be in the started or fault demarcation phase.
  2. The privilege escalation application must be in the list of applications affected by the war room.
  3. The privilege escalation operator must be the fault rectification owner, a fault rectification member, or the administrator of the war room.
- Change ticket status verification:
  1. The region and application for the privilege escalation must be the same as those specified in the change ticket.
  2. The privilege escalation operator must be the implementer of the change ticket.
  3. The current operation time must be within the planned implementation time window of the change ticket. (The current operation time must be later than the planned start time and earlier than the planned end time.)
  4. You must click Change Start for a change ticket.

After service ticket privilege escalation is enabled, the northbound interface becomes unavailable. For example, if a script is executed to enable service ticket privilege escalation, the northbound script interface cannot be used.

Configuring Change Control

Log in to COC.
In the navigation pane, choose Change Ticket Mgmt > Change Control.
Click Enable Service Ticket Authorization.

Service ticket authorization is disabled by default and can be enabled or disabled. After this function is enabled, all actions performed on the COC platform will be displayed in the list.
Locate the action you want to modify and click Modify in the Operation column.

Only actions whose value of the Interconnected column is Yes can be modified.

Set parameters in Modify Service Ticket Type.

**Table 1** Parameters for modifying a service ticket type
Parameter	Description
Enable Service Ticket Authorization	Options: Enable and Disable. Enable indicates that privilege escalation is required. Disable indicates that privilege escalation is not required for all accounts in this scenario.
Ticket Type	The options are Change ticket, Incident ticket, and War room. Multiple options can be selected.
Automatic Ticket Creation	The options are Yes and No.

Click Correlation Policy under Enable Service Ticket Authorization.

Set Correlation Policy.

**Table 2** Parameters for adding a policy
Parameter	Description
Add to User Group	Select a user group. Multiple options can be selected. Add the automatic COC policies to the user group of the account.

Click OK.

The change control configuration is complete.

Parent Topic: Change Management

Previous topic: Managing Change Review Tickets

Next topic: Viewing the Change Calendar

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot