Configuring Change Control
Scenarios
You can configure whether to enable privilege escalation using a service ticket based on application scenarios. Currently, privilege escalation using incidents, war rooms, and change tickets is supported.
Prerequisites
To enable change control, you need to apply for the required IAM permissions. The action IDs are as follows:
Permissions required by policies, system-defined policies, and custom policies:
"iam:roles:listRoles",
"iam:permissions:grantRoleToAgency",
"iam:permissions:grantRoleToAgencyOnDomain",
"iam:roles:createRole",
"iam:groups:listGroups",
"iam:permissions:listRoleAssignments",
"iam:permissions:grantRoleToGroupOnDomain",
"iam:permissions:revokeRoleFromGroupOnDomain",
"iam:roles:deleteRole",
"iam:roles:updateRole"
Permissions required by identity policies, system-defined identity policies, and custom identity policies:
"iam:policies:createV5",
"iam:policies:listV5",
"iam:groups:attachPolicyV5",
"iam:groups:detachPolicyV5",
"iam:policies:deleteV5",
"iam:policies:listVersionsV5",
"iam:policies:createVersionV5",
"iam:policies:deleteVersionV5"
Precautions
- By default, the change control policy generated by COC can only be bound to user groups to grant further permissions. Do not use the policy for other purposes.
- You can click the editing button of actions on the related COC page to determine whether to control functions corresponding to the actions. Note that all operations must be performed on COC. Do not directly edit the policy.
- If you have enabled the feature of privilege escalation using service tickets, you need to bind the policy to your account. To disable this policy, you need to unbind the policy from your user group first.
- During service ticket privilege escalation, the system needs to verify the region, application, and service ticket status of the resources required. If a resource does not belong to any region or application, the system does not verify the resource but will display all service tickets of the user. Verification requirements on service tickets are as follows:
  - Incident ticket status verification:
    - P1, P2, P3, and P4 incident tickets must be in the accepted state.
    - The privilege escalation application must be the same as the one in the incident ticket analysis and handling phase.
    - The privilege escalation operator must be the current owner in the incident analysis and handling phase.
    - The privilege escalation region must be the same as the region specified in the incident ticket.
  - War room status verification:
    - A war room must be in the started or fault demarcation phase.
    - The privilege escalation application must be in the list of applications affected by the war room.
    - The privilege escalation operator must be the fault rectification owner, a fault rectification member, or the administrator of the war room.
  - Change ticket status verification:
    - The region and application for the privilege escalation must be the same as those specified in the change ticket.
    - The privilege escalation operator must be the implementer of the change ticket.
    - The current operation time must be within the planned implementation time window of the change ticket. (The current operation time must be later than the planned start time and earlier than the planned end time.)
    - You must click Change Start for a change ticket.

After service ticket privilege escalation is enabled, the northbound interface becomes unavailable. For example, if a script is executed to enable service ticket privilege escalation, the northbound script interface cannot be used.
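The service ticket verification rules in the precautions above can be modelled as a single check, which is useful when auditing whether a recorded escalation should have been allowed. This is an added example, not COC's own code; the `Request` and `Ticket` classes, their field names, and the status strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple
# Field names and status strings are hypothetical; the page does not show COC's schema.
@dataclass
class Request:
    operator: str
    region: Optional[str]
    application: Optional[str]
    now: datetime

@dataclass
class Ticket:
    kind: str                       # "incident", "war_room" or "change"
    status: str
    applications: Tuple[str, ...]   # ticket application, or apps affected by the war room
    operators: Tuple[str, ...]      # current owner, war room owner/members/admin, or implementer
    region: Optional[str] = None
    window: Optional[Tuple[datetime, datetime]] = None  # planned start/end (change tickets)

def verify(req: Request, t: Ticket) -> list:
    """Return the names of the failed checks; an empty list means the ticket qualifies."""
    # A resource outside any region or application is not verified (read here as: either unset).
    if req.region is None or req.application is None:
        return []
    fails = []
    def check(ok: bool, name: str) -> None:
        if not ok:
            fails.append(name)
    check(req.operator in t.operators, "operator")
    check(req.application in t.applications, "application")
    if t.kind == "incident":
        check(t.status == "accepted", "status")
        check(req.region == t.region, "region")
    elif t.kind == "war_room":      # the page lists no region rule for war rooms
        check(t.status in ("started", "fault_demarcation"), "status")
    elif t.kind == "change":
        check(t.status == "started", "status")      # i.e. Change Start was clicked
        check(req.region == t.region, "region")
        check(t.window is not None and t.window[0] < req.now < t.window[1], "time_window")
    else:
        fails.append("ticket_type")
    return fails

WINDOW = (datetime(2024, 1, 10, 22, 0), datetime(2024, 1, 11, 2, 0))  # constructed sample data
CHANGE = Ticket("change", "started", ("app-1",), ("alice",), "region-a", WINDOW)

if __name__ == "__main__":
    print(verify(Request("alice", "region-a", "app-1", WINDOW[1]), CHANGE))
```

The time window comparison is strict on both ends, matching "later than the planned start time and earlier than the planned end time", so a request made exactly at the planned end time fails the check.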
Configuring Change Control
- Log in to COC.
- In the navigation pane, choose Change Ticket Mgmt > Change Control.
- Click Enable Service Ticket Authorization.
Service ticket authorization is disabled by default and can be enabled or disabled. After this function is enabled, all actions performed on the COC platform will be displayed in the list.
- Locate the action you want to modify and click Modify in the Operation column.
Only actions whose Interconnected column value is Yes can be modified.
- Set parameters in Modify Service Ticket Type.
Table 1 Parameters for modifying a service ticket type

| Parameter | Description |
| --- | --- |
| Enable Service Ticket Authorization | Options: Enable and Disable. Enable indicates that privilege escalation is required. Disable indicates that privilege escalation is not required for all accounts in this scenario. |
| Ticket Type | The options are Change ticket, Incident ticket, and War room. Multiple options can be selected. |
| Automatic Ticket Creation | The options are Yes and No. |
- Click Correlation Policy under Enable Service Ticket Authorization.
- Set Correlation Policy.
Table 2 Parameters for adding a policy

| Parameter | Description |
| --- | --- |
| Add to User Group | Select a user group. Multiple options can be selected. Add the automatic COC policies to the user group of the account. |
- Click OK.
The change control configuration is complete.