
System Permissions

Updated at: Apr 07, 2020 GMT+08:00

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

Region: The geographic area in which the assigned permissions take effect. Select the appropriate regions when you assign permissions.
  • Global service project: Services deployed without specifying physical regions are called global services. Permissions for these services must be assigned in the Global region.
  • Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for accessing these services need to be assigned in specific regions and take effect only for these regions. To make the permissions take effect in all regions, assign the permissions in each of these regions.

Type: You can grant users permissions by using roles and policies. Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.

  • For services that provide both policies and roles, prefer policies when assigning permissions.
  • For services that support policy-based access control, you can create custom policies to supplement system-defined policies to allow or deny access to specific types of resources under certain conditions.

System-Defined Policies

The table below is grouped by service. Each entry gives the role or policy name, its type (Role or Policy), and a description of the permissions it grants. The region in which the permissions must be assigned is given per service, or per entry where it varies within a service.

BASE
Region: Global or All regions, as given for each entry

  • FullAccess (Policy, Global): Full permissions for cloud services supporting policy-based authorization
  • IAM ReadOnlyAccess (Policy, Global): Read-only permissions for Identity and Access Management. Users granted these permissions can view only users, user groups, policies, roles, agencies, and account security settings. They cannot view projects or identity providers.
  • Tenant Administrator (Role, All regions): Full permissions for all services except IAM
  • Tenant Guest (Role, All regions): Read-only permissions for all services except IAM
  • Security Administrator (Role, Global): Full permissions for IAM
  • Agent Operator (Role, Global): Permissions for switching roles to access resources of delegating accounts

Object Storage Service (OBS)
Region: Global

  • OBS OperateAccess (Policy): Basic object operation permissions, such as viewing buckets, uploading, obtaining, and deleting objects, and obtaining object ACLs
  • OBS ReadOnlyAccess (Policy): Permissions for listing buckets, obtaining bucket metadata, listing objects in a bucket, and querying bucket locations
  • OBS Buckets Viewer (Role): Permissions for listing buckets, obtaining bucket information, and obtaining bucket metadata

Content Delivery Network (CDN) (Global service)
Region: Global

  • CDN DomainReadOnlyAccess (Policy): Read-only permissions for CDN acceleration domain names
  • CDN StatisticsReadOnlyAccess (Policy): Read-only permissions for CDN statistics
  • CDN LogsReadOnlyAccess (Policy): Read-only permissions for CDN logs
  • CDN Domain Configuration Operator (Policy): Permissions for configuring CDN acceleration domain names
  • CDN RefreshAndPreheatAccess (Policy): Permissions for cache refreshing and preheating
  • CDN Administrator (Role): Full permissions for CDN
    This role must be used together with the Tenant Guest role in the same project.

SSL Certificate Manager (SCM) (Global service)
Region: Global

  • SCM Administrator (Role): Full permissions for SCM
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
  • SCM FullAccess (Policy): Full permissions for SCM
  • SCM ReadOnlyAccess (Policy): Read-only permissions for SCM. Users with these permissions can only query certificates; they cannot add, delete, or modify certificates.

Business Support System (BSS) (Project-level service)
Region: Specific regions
NOTICE: These are the regions in which the permissions of the policies supported by this service can be assigned.

  • BSS Administrator (Role): Full permissions for Billing Center, Resource Center, and My Account
  • BSS Operator (Role): Query permissions for Billing Center and management permissions for Resource Center and My Account
  • BSS Finance (Role):
      • Topping up accounts, withdrawing money, and setting balance alerts
      • Viewing, paying, and exporting orders, and renewing resources
      • Viewing and exporting the expenditure summary, expenditure details, and income and expense details, and analyzing bills
      • Viewing and activating coupons, issuing invoices, applying for online contracts, and viewing commercial discounts
  • EnterpriseProject BSS FullAccess (Policy): Permissions for accounting management of enterprise projects

Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud (VPC), and Image Management Service (IMS) (Project-level services)
Region: Specific regions

  • Server Administrator (Role):
      • Full permissions for ECS. This role must be used together with the Tenant Guest role in the same project.
        If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions for the corresponding services in the same project. For example, if a user needs to create a new VPC when creating an ECS, the user must also be granted the VPC Administrator role.
      • Full permissions for EVS.
      • Permissions for performing operations on EIPs, security groups, and ports. This role must be used together with the Tenant Guest role in the same project.
      • Permissions for creating, deleting, querying, modifying, and uploading images. This role must be used together with the IMS Administrator role in the same project.

Elastic Cloud Server (ECS) (Project-level service)
Region: Specific regions

  • ECS FullAccess (Policy): Full permissions for ECS
  • ECS ReadOnlyAccess (Policy): Read-only permissions for ECS
  • ECS CommonOperations (Policy): Permissions for starting, stopping, restarting, and querying ECSs

Auto Scaling (AS) (Project-level service)
Region: Specific regions

  • AutoScaling FullAccess (Policy): Full permissions for all AS resources
  • AutoScaling ReadOnlyAccess (Policy): Read-only permissions for all AS resources
  • AutoScaling Administrator (Role): Full permissions for all AS resources
    This role must be used together with the ELB Administrator and CES Administrator roles in the same project.

Image Management Service (IMS) (Project-level service)
Region: Specific regions

  • IMS FullAccess (Policy): Full permissions for IMS
  • IMS ReadOnlyAccess (Policy): Read-only permissions for IMS
  • IMS Administrator (Role): Full permissions for IMS
    This role must be used together with the Tenant Administrator role in the global service project.

Elastic Volume Service (EVS) (Project-level service)
Region: Specific regions

  • EVS FullAccess (Policy): Full permissions for EVS
  • EVS ReadOnlyAccess (Policy): Read-only permissions for EVS

Cloud Server Backup Service (CSBS) (Project-level service)
Region: Specific regions

  • CSBS Administrator (Role): Full permissions for CSBS
    This role must be used together with the Server Administrator role in the same project.

Volume Backup Service (VBS) (Project-level service)
Region: Specific regions

  • VBS Administrator (Role): Full permissions for VBS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Dedicated Distributed Storage Service (DSS) (Project-level service)
Region: Specific regions

  • DSS FullAccess (Policy): Full permissions for DSS
  • DSS ReadOnlyAccess (Policy): Read-only permissions for DSS

Virtual Private Cloud (VPC) (Project-level service)
Region: Specific regions

  • VPC FullAccess (Policy): Full permissions for VPC
  • VPC ReadOnlyAccess (Policy): Read-only permissions for VPC
  • VPC Administrator (Role): Full permissions for VPC
    This role must be used together with the Tenant Guest role in the same project.

Cloud Container Engine (CCE) (Project-level service)
Region: Specific regions

  • CCE FullAccess (Policy): Full permissions for CCE
  • CCE ReadOnlyAccess (Policy): Read-only permissions for CCE and all operations on Kubernetes resources
  • CCE Administrator (Role): Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters.
    This role depends on the following permissions:
      • Global service: OBS Buckets Viewer
      • Regional services (select in the same project): Tenant Guest, Server Administrator, ELB Administrator, OBS Administrator, SFS Administrator, SWR Admin, and APM FullAccess
    NOTE: Users who are also granted the NAT Gateway Administrator role can use NAT Gateway functions for clusters.

CloudTable Service (CloudTable) (Project-level service)
Region: Specific regions

  • CloudTable Administrator (Role): Full permissions for CloudTable
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Domain Name Service (DNS) (Project-level service)
Region: Specific regions

  • DNS Administrator (Role): Full permissions for DNS
  • DNS FullAccess (Policy): Administrator permissions for DNS. Users granted these permissions can perform all operations on DNS, including creating, deleting, querying, and modifying DNS resources
  • DNS ReadOnlyAccess (Policy): Read-only permissions for DNS. Users granted these permissions can only view DNS resources

Cloud Trace Service (CTS) (Project-level service)
Region: Specific regions

  • CTS Administrator (Role): Full permissions for CTS
    This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project.

Simple Message Notification (SMN) (Project-level service)
Region: Specific regions

  • SMN Administrator (Role): Full permissions for SMN

Relational Database Service (RDS) (Project-level service)
Region: Specific regions

  • RDS FullAccess (Policy): Full permissions for RDS
  • RDS ReadOnlyAccess (Policy): Read-only permissions for RDS
  • RDS ManageAccess (Policy): Database administrator permissions for all operations except deleting RDS resources
  • RDS Administrator (Role): Full permissions for RDS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Distributed Message Service (DMS) (Project-level service)
Region: Specific regions

  • DMS Administrator (Role): Full permissions for DMS

DMS (DMS Kafka and DMS RabbitMQ) (Project-level service)
Region: Specific regions

  • DMS UseAccess (Policy): Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, or scaling up instances and for dumping.
  • DMS ReadOnlyAccess (Policy): Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data.
  • DMS FullAccess (Policy): Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS.

Document Database Service (DDS) (Project-level service)
Region: Specific regions

  • DDS FullAccess (Policy): Full permissions for DDS
  • DDS ReadOnlyAccess (Policy): Read-only permissions for DDS
  • DDS ManageAccess (Policy): Database administrator permissions for all operations except deleting DDS resources
  • DDS Administrator (Role): Full permissions for DDS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
    If a DDS enterprise project is configured, you also need to assign the DAS Admin role to users in the same project so that they can log in to DAS from the DDS console.

Data Replication Service (DRS) (Project-level service)
Region: Specific regions

  • DRS Administrator (Role): Full permissions for DRS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Data Admin Service (DAS) (Project-level service)
Region: Specific regions

  • DAS Administrator (Role): Full permissions for DAS
    This role must be used together with the Tenant Guest role in the same project.

Application Operations Management (AOM) (Project-level service)
Region: Specific regions

  • AOM FullAccess (Policy): Full permissions for AOM
  • AOM ReadOnlyAccess (Policy): Read-only permissions for AOM

Application Performance Management (APM) (Project-level service)
Region: Specific regions

  • APM FullAccess (Policy): Full permissions for APM
  • APM ReadOnlyAccess (Policy): Read-only permissions for APM

Software Repository for Container (SWR) (Project-level service)
Region: Specific regions

  • SWR Admin (Role): Full permissions for SWR

Cloud Eye (Project-level service)
Region: Specific regions

  • CES Administrator (Role): Full permissions for Cloud Eye
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
  • CES FullAccess (Policy): Administrator permissions for performing all operations on Cloud Eye
    The monitoring function of Cloud Eye involves querying cloud resources, which requires the relevant cloud services to support policy-based authorization.
  • CES ReadOnlyAccess (Policy): Read-only permissions for viewing data on Cloud Eye
    The monitoring function of Cloud Eye involves querying cloud resources, which requires the relevant cloud services to support policy-based authorization.

Web Application Firewall (WAF) (Project-level service)
Region: Specific regions

  • WAF Administrator (Role): Full permissions for WAF

Host Security Service (HSS) (Project-level service)
Region: Specific regions

  • HSS Administrator (Role): Full permissions for HSS

Vulnerability Scan Service (VSS) (Project-level service)
Region: Specific regions

  • VSS Administrator (Role): Full permissions for VSS

Security Expert Service (SES) (Project-level service)
Region: Specific regions

  • SES Administrator (Role): Full permissions for SES

Database Security Service (DBSS) (Project-level service)
Region: Specific regions

  • DBSS System Administrator (Role): Full permissions for DBSS
  • DBSS Audit Administrator (Role): Security auditing permissions for DBSS
  • DBSS Security Administrator (Role): Security protection permissions for DBSS

Data Encryption Workshop (DEW) (Project-level service)
Region: Specific regions

  • KMS Administrator (Role): Full permissions for DEW

Anti-DDoS (Project-level service)
Region: Specific regions

  • Anti-DDoS Administrator (Role): Full permissions for Anti-DDoS
    This role must be used together with the Tenant Guest role in the same project.

Scalable File Service (SFS) (Project-level service)
Region: Specific regions

  • SFS FullAccess (Policy): Full permissions for SFS
  • SFS ReadOnlyAccess (Policy): Read-only permissions for SFS
  • SFS Administrator (Role): Full permissions for SFS
    This role must be used together with the Tenant Guest role in the same project.

Distributed Cache Service (DCS) (Project-level service)
Region: Specific regions

  • DCS FullAccess (Policy): Full permissions for DCS
  • DCS UseAccess (Policy): Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances
  • DCS ReadOnlyAccess (Policy): Read-only permissions for DCS
  • DCS Administrator (Role): Full permissions for DCS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

MapReduce Service (MRS) (Project-level service)
Region: Specific regions

  • MRS FullAccess (Policy): Full permissions for MRS
  • MRS CommonOperations (Policy): Common user permissions for MRS operations except creating and deleting resources
  • MRS ReadOnlyAccess (Policy): Read-only permissions for MRS
  • MRS Administrator (Role): Full permissions for MRS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

ServiceStage and Cloud Performance Test Service (CPTS) (Project-level services)
Region: Specific regions

  • SvcStg Admin (Role):
      • Full permissions for ServiceStage, including service, application, node, stack, and pipeline management.
      • Permissions for performing operations on the test resources of all users in CPTS, such as adding, deleting, modifying, and querying test resources
  • SvcStg Developer (Role):
      • Common user permissions for ServiceStage, except node management
      • Permissions for performing operations only on a user's own test resources, such as adding, deleting, modifying, and querying test resources
  • SvcStg Operator (Role):
      • Read-only permissions for ServiceStage
      • Read-only permissions only for a user's own test resources

Elastic Load Balance (ELB) (Project-level service)
Region: Specific regions

  • ELB FullAccess (Policy): Full permissions for ELB
  • ELB ReadOnlyAccess (Policy): Read-only permissions for ELB
  • ELB Administrator (Role): Full permissions for ELB
    This role must be used together with the Tenant Guest role in the same project.

NAT Gateway (Project-level service)
Region: Specific regions

  • NAT FullAccess (Policy): Full permissions for NAT Gateway
  • NAT ReadOnlyAccess (Policy): Read-only permissions for NAT Gateway
  • NAT Gateway Administrator (Role): Full permissions for NAT Gateway
    This role must be used together with the Tenant Guest role in the same project.

Direct Connect (Project-level service)
Region: Specific regions

  • Direct Connect Administrator (Role): Full permissions for Direct Connect
    This role must be used together with the Tenant Guest role in the same project.

Cloud Backup and Recovery (CBR) (Project-level service)
Region: Specific regions

  • CBR FullAccess (Policy): Administrator permissions for using all vaults and policies on CBR
  • CBR BackupsAndVaultsFullAccess (Policy): Common user permissions for creating, viewing, and deleting vaults on CBR
  • CBR ReadOnlyAccess (Policy): Read-only permissions for viewing data on CBR

Graph Engine Service (GES) (Project-level service)
Region: Specific regions

  • GES Administrator (Role): Full permissions for GES
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
  • GES Manager (Role): Advanced user of GES, with permissions for performing any operation on GES resources except creating and deleting graphs.
    This role must be used together with the Tenant Guest role in the same project.
  • GES Operator (Role): Permissions for viewing and accessing graphs
    This role must be used together with the Tenant Guest role in the same project.
  • GES FullAccess (Policy): Administrator permissions for performing all operations (including creation, deletion, access, and upgrade operations) on GES
  • GES Development (Policy): Operator permissions for all operations except creating and deleting graphs
  • GES ReadOnlyAccess (Policy): Read-only permissions for viewing resources, such as graphs, metadata, and backup data

Data Lake Factory (DLF) (Project-level service)
Region: Specific regions

  • DLF Administrator (Role): Full permissions for DLF
    This role must be used together with the Tenant Administrator role in the same project.
  • DLF FullAccess (Policy): Full permissions for DLF
  • DLF Development (Policy): Developer permissions for DLF. Users granted these permissions can use DLF to develop scripts and orchestrate jobs, but cannot create, delete, or modify workspaces.
  • DLF OperationAndMaintenanceAccess (Policy): O&M permissions for DLF. Users granted these permissions can maintain scripts, jobs, and other resources, but cannot create, delete, or modify any resources.
  • DLF ReadOnlyAccess (Policy): Read-only permissions for DLF. Users granted these permissions can only view DLF resources.

ModelArts (Project-level service)
Region: Specific regions

  • ModelArts FullAccess (Policy): Administrator permissions for performing all operations on ModelArts
  • ModelArts CommonOperations (Policy): Permissions for performing all operations on ModelArts except managing dedicated resource pools

Data Warehouse Service (DWS) (Project-level service)
Region: Specific regions

  • DWS FullAccess (Policy): Full permissions for DWS
  • DWS ReadOnlyAccess (Policy): Read-only permissions for DWS
  • DWS Administrator (Role): Full permissions for DWS
    This role must be used together with the Tenant Guest and Server Administrator roles in the same project.
  • DWS Database Access (Role): Permissions for accessing DWS. Users granted these permissions can generate temporary tokens for connecting to DWS cluster databases.

Cloud Stream Service (CS) (Project-level service)
Region: Specific regions

  • CS FullAccess (Policy): Full permissions for CS
  • CS CommonOperations (Policy): Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates.
  • CS ReadOnlyAccess (Policy): Read-only permissions for CS. Users granted these permissions can only view CS jobs, templates, and exclusive clusters.
  • CS Tenant User (Role): Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates.
  • CS Tenant Admin (Role): Administrator permissions for all operations on CS, including:
      • Creating, deleting, and modifying CS jobs, templates, and exclusive clusters
      • Allocating available clusters and quotas to users with permissions of the CS CommonOperations policy
      • Viewing all user jobs in exclusive clusters

Data Lake Insight (DLI) (Project-level service)
Region: Specific regions

  • DLI Service Admin (Role): Full permissions for DLI
  • DLI Service User (Role): Permissions for using DLI, but not for creating resources

Data Ingestion Service (DIS) (Project-level service)
Region: Specific regions

  • DIS Administrator (Role): Full permissions for DIS
  • DIS Operator (Role): Permissions for managing streams, such as creating and deleting streams, but not for uploading and downloading data
  • DIS User (Role): Permissions for uploading and downloading data, but not for managing streams

Conversational Bot Service (CBS) (Project-level service)
Region: Specific regions

  • CBS Administrator (Role): Full permissions for CBS
  • CBS Guest (Role): Read-only permissions for CBS
