
System Permissions

Updated at: Oct 19, 2020 GMT+08:00

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

Scope: The scope where permissions will take effect.
  • Global service project: Services deployed without specifying physical regions are called global services. Permissions for these services must be assigned in the global service project.
  • Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions. To make the permissions take effect in all regions, assign the permissions in each of these regions.

Type: You can grant users permissions by using roles and policies. Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.

  • For services that provide both policies and roles, preferentially use policies to assign permissions.
  • For services that support policy-based access control, you can create custom policies to supplement system-defined policies to allow or deny access to specific types of resources under certain conditions.

System-Defined Policies

| Service | Region | Role/Policy Name | Type | Description |
|---|---|---|---|---|
| BASE | Global service project | FullAccess | Policy | Full permissions for cloud services supporting policy-based authorization |
| BASE | Global service project | IAM ReadOnlyAccess | Policy | Read-only permissions for IAM |
| BASE | All projects | Tenant Administrator | Role | Full permissions for all services except IAM |
| BASE | All projects | Tenant Guest | Role | Read-only permissions for all services except IAM |
| BASE | Global service project | Security Administrator | Role | Full permissions for IAM |
| BASE | Global service project | Agent Operator | Role | Permissions for switching roles to access resources of delegating accounts |
| Object Storage Service (OBS) | Global service project | OBS OperateAccess | Policy | Users with this permission can perform all operations specified by OBS ReadOnlyAccess and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs. |
| Object Storage Service (OBS) | Global service project | OBS ReadOnlyAccess | Policy | Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects. |
| Object Storage Service (OBS) | Global service project | OBS Buckets Viewer | Role | Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata. |
| Content Delivery Network (CDN) (Global service) | Global service project | CDN DomainReadOnlyAccess | Policy | Read-only permissions for CDN acceleration domain names |
| Content Delivery Network (CDN) (Global service) | Global service project | CDN StatisticsReadOnlyAccess | Policy | Read-only permissions for CDN statistics |
| Content Delivery Network (CDN) (Global service) | Global service project | CDN LogsReadOnlyAccess | Policy | Read-only permissions for CDN logs |
| Content Delivery Network (CDN) (Global service) | Global service project | CDN Domain Configuration Operator | Policy | Permissions for configuring CDN acceleration domain names |
| Content Delivery Network (CDN) (Global service) | Global service project | CDN RefreshAndPreheatAccess | Policy | Permissions for cache refreshing and preheating |
| Content Delivery Network (CDN) (Global service) | Global service project | CDN Administrator | Role | Full permissions for CDN. This role must be used together with the Tenant Guest role in the same project. |
| SSL Certificate Manager (SCM) (Global service) | Global service project | SCM Administrator | Role | Full permissions for SCM. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| SSL Certificate Manager (SCM) (Global service) | Global service project | SCM FullAccess | Policy | Full permissions for SCM |
| SSL Certificate Manager (SCM) (Global service) | Global service project | SCM ReadOnlyAccess | Policy | Read-only permissions for SCM. Users with these permissions can only query certificates but cannot add, delete, or modify certificates. |
| Situation Awareness (SA) (Global service) | Global service project | SA FullAccess | Policy | Full permissions for SA |
| Situation Awareness (SA) (Global service) | Global service project | SA ReadOnlyAccess | Policy | Read-only permissions for SA. Users with the read-only permission can only query SA information but cannot perform configuration in SA. |
| Cloud Bastion Host (CBH) (Project-level service) | Region-specific projects | CBH FullAccess | Policy | Full permissions for CBH instances |
| Cloud Bastion Host (CBH) (Project-level service) | Region-specific projects | CBH ReadOnlyAccess | Policy | Read-only permissions for CBH instances. Users who have read-only permissions granted can only view CBH instances but cannot configure or perform operations on services. |
| Business Support System (BSS) (Project-level service) | Region-specific projects (NOTICE: these are the projects where permissions for this service can be assigned.) | BSS Administrator | Role | Full permissions for Billing Center, Resource Center, and My Account |
| Business Support System (BSS) (Project-level service) | Region-specific projects | BSS Operator | Role | Query permissions for Billing Center and management permissions for Resource Center and My Account |
| Business Support System (BSS) (Project-level service) | Region-specific projects | BSS Finance | Role | Permissions for financial operations, including payment, consumption, and invoicing. This role does not have permissions for modifying cloud services. |
| Business Support System (BSS) (Project-level service) | Region-specific projects | EnterpriseProject BSS FullAccess | Policy | Permissions for accounting management of enterprise projects |
| Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud (VPC), Image Management Service (IMS) (Project-level service) | Region-specific projects | Server Administrator | Role | (1) Full permissions for ECS. This role must be used together with the Tenant Guest role in the same project. If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions of the corresponding services in the same project. For example, if a user needs to create a new VPC when creating an ECS, the user must also be granted permissions with the VPC Administrator role. (2) Full permissions for EVS. (3) Permissions for performing operations on EIPs, security groups, and ports. This role must be used together with the Tenant Guest role in the same project. (4) Permissions for creating, deleting, querying, modifying, and uploading images. This role must be used together with the IMS Administrator role in the same project. |
| Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI FullAccess | Policy | Full permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources. |
| Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI ReadOnlyAccess | Policy | Read-only permissions for CCI. Users granted these permissions can only view CCI resources. |
| Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI CommonOperations | Policy | Common user permissions for CCI. Users granted these permissions can perform all operations except creating, deleting, and modifying role-based access control (RBAC) policies, networks, and namespaced resources. |
| Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI Administrator | Role | Administrator permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources. |
| Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | ECS FullAccess | Policy | Full permissions for ECS |
| Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | ECS ReadOnlyAccess | Policy | Read-only permissions for ECS |
| Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | ECS CommonOperations | Policy | Permissions for starting, stopping, restarting, and querying ECSs |
| Auto Scaling (AS) (Project-level service) | Region-specific projects | AutoScaling FullAccess | Policy | Full permissions for all AS resources |
| Auto Scaling (AS) (Project-level service) | Region-specific projects | AutoScaling ReadOnlyAccess | Policy | Read-only permissions for all AS resources |
| Auto Scaling (AS) (Project-level service) | Region-specific projects | AutoScaling Administrator | Role | Full permissions for all AS resources. This role must be used together with the ELB Administrator and CES Administrator roles in the same project. |
| Image Management Service (IMS) (Project-level service) | Region-specific projects | IMS FullAccess | Policy | Full permissions for IMS |
| Image Management Service (IMS) (Project-level service) | Region-specific projects | IMS ReadOnlyAccess | Policy | Read-only permissions for IMS |
| Image Management Service (IMS) (Project-level service) | Region-specific projects | IMS Administrator | Role | Full permissions for IMS. This role must be used together with the Tenant Administrator role in the global service project. |
| Elastic Volume Service (EVS) (Project-level service) | Region-specific projects | EVS FullAccess | Policy | Full permissions for EVS. Users granted these permissions can create, mount, unmount, query, and delete EVS resources, and expand the capacity of EVS disks. |
| Elastic Volume Service (EVS) (Project-level service) | Region-specific projects | EVS ReadOnlyAccess | Policy | Read-only permissions for EVS. Users granted these permissions can view EVS resource data only. |
| Cloud Server Backup Service (CSBS) (Project-level service) | Region-specific projects | CSBS Administrator | Role | Full permissions for CSBS. This role must be used together with the Server Administrator role in the same project. |
| Volume Backup Service (VBS) (Project-level service) | Region-specific projects | VBS Administrator | Role | Full permissions for VBS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Dedicated Distributed Storage Service (DSS) (Project-level service) | Region-specific projects | DSS FullAccess | Policy | Full permissions for DSS |
| Dedicated Distributed Storage Service (DSS) (Project-level service) | Region-specific projects | DSS ReadOnlyAccess | Policy | Read-only permissions for DSS |
| Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | VPC FullAccess | Policy | Full permissions for VPC |
| Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | VPC ReadOnlyAccess | Policy | Read-only permissions for VPC |
| Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | VPC Administrator | Role | Full permissions for VPC. This role must be used together with the Tenant Guest role in the same project. |
| Cloud Container Engine (CCE) (Project-level service) | Region-specific projects | CCE FullAccess | Policy | Full permissions for CCE |
| Cloud Container Engine (CCE) (Project-level service) | Region-specific projects | CCE ReadOnlyAccess | Policy | Read-only permissions for CCE and all operations on Kubernetes resources |
| Cloud Container Engine (CCE) (Project-level service) | Region-specific projects | CCE Administrator | Role | Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters. This role depends on the following permissions: in the global service project, OBS Buckets Viewer; in the same region-specific projects, Tenant Guest, Server Administrator, ELB Administrator, SFS Administrator, SWR Admin, and APM FullAccess. NOTE: Users also granted permissions with NAT Gateway Administrator can use NAT Gateway functions for clusters. |
| CloudTable Service (CloudTable) (Project-level service) | Region-specific projects | CloudTable Administrator | Role | Full permissions for CloudTable. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Domain Name Service (DNS) (Project-level service) | Region-specific projects | DNS Administrator | Role | Full permissions for DNS. This role must be used together with the Tenant Guest and VPC Administrator roles in the same project. |
| Domain Name Service (DNS) (Project-level service) | Region-specific projects | DNS FullAccess | Policy | Full permissions for DNS |
| Domain Name Service (DNS) (Project-level service) | Region-specific projects | DNS ReadOnlyAccess | Policy | Read-only permissions for DNS. Users granted these permissions can only view DNS resources. |
| VPC Endpoint (VPCEP) (Project-level service) | Region-specific projects | VPCEndpoint Administrator | Role | Full permissions for VPCEP. This role must be used together with the Server Administrator, VPC Administrator, and DNS Administrator roles in the same project. |
| Cloud Trace Service (CTS) (Project-level service) | Region-specific projects | CTS Administrator | Role | Full permissions for CTS. This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project. |
| Simple Message Notification (SMN) (Project-level service) | Region-specific projects | SMN Administrator | Role | Full permissions for SMN |
| Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS FullAccess | Policy | Full permissions for RDS |
| Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS ReadOnlyAccess | Policy | Read-only permissions for RDS |
| Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS UserAccess | Policy | Database administrator permissions for all operations except deleting RDS resources |
| Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS Administrator | Role | Full permissions for RDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS Administrator | Role | Full permissions for DMS |
| DMS (DMS Kafka and DMS RabbitMQ) (Project-level service) | Region-specific projects | DMS UseAccess | Policy | Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, and scaling up instances, and for dumping. |
| DMS (DMS Kafka and DMS RabbitMQ) (Project-level service) | Region-specific projects | DMS ReadOnlyAccess | Policy | Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data. |
| DMS (DMS Kafka and DMS RabbitMQ) (Project-level service) | Region-specific projects | DMS FullAccess | Policy | Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS. |
| Document Database Service (DDS) (Project-level service) | Region-specific projects | DDS FullAccess | Policy | Full permissions for DDS |
| Document Database Service (DDS) (Project-level service) | Region-specific projects | DDS ReadOnlyAccess | Policy | Read-only permissions for DDS |
| Document Database Service (DDS) (Project-level service) | Region-specific projects | DDS ManageAccess | Policy | Database administrator permissions for all operations except deleting DDS resources |
| Document Database Service (DDS) (Project-level service) | Region-specific projects | DDS Administrator | Role | Full permissions for DDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. If a DDS enterprise project is configured, you need to assign the DAS Admin role to users in the same project so that the users can log in to DAS from the DDS console. |
| Data Replication Service (DRS) (Project-level service) | Region-specific projects | DRS Administrator | Role | Full permissions for DRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Data Admin Service (DAS) (Project-level service) | Region-specific projects | DAS Administrator | Role | Full permissions for DAS. This role must be used together with the Tenant Guest role in the same project. |
| Application Operations Management (AOM) (Project-level service) | Region-specific projects | AOM FullAccess | Policy | Full permissions for AOM |
| Application Operations Management (AOM) (Project-level service) | Region-specific projects | AOM ReadOnlyAccess | Policy | Read-only permissions for AOM |
| Application Performance Management (APM) (Project-level service) | Region-specific projects | APM FullAccess | Policy | Full permissions for APM |
| Application Performance Management (APM) (Project-level service) | Region-specific projects | APM ReadOnlyAccess | Policy | Read-only permissions for APM |
| Application Performance Management (APM) (Project-level service) | Region-specific projects | APM Administrator | Role | Full permissions for APM |
| Software Repository for Container (SWR) (Project-level service) | Region-specific projects | SWR Admin | Role | Full permissions for SWR |
| Blockchain Service (BCS) (Project-level service) | Region-specific projects | BCS Administrator | Role | Full permissions for BCS |
| Gene Container Service (GCS) (Project-level service) | Region-specific projects | GCS Administrator | Role | GCS administrator |
| Gene Container Service (GCS) (Project-level service) | Region-specific projects | GCS FullAccess | Policy | Full permissions for GCS |
| Gene Container Service (GCS) (Project-level service) | Region-specific projects | GCS ReadOnlyAccess | Policy | Read-only permissions for GCS |
| Gene Container Service (GCS) (Project-level service) | Region-specific projects | GCS CommonOperations | Policy | Common operation permissions for GCS |
| Cloud Eye (Project-level service) | Region-specific projects | CES Administrator | Role | Full permissions for Cloud Eye. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Cloud Eye (Project-level service) | Region-specific projects | CES FullAccess | Policy | Administrator permissions for performing all operations on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization. |
| Cloud Eye (Project-level service) | Region-specific projects | CES ReadOnlyAccess | Policy | Read-only permissions for viewing data on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization. |
| Web Application Firewall (WAF) (Project-level service) | Region-specific projects | WAF Administrator | Role | Full permissions for WAF |
| Web Application Firewall (WAF) (Project-level service) | Region-specific projects | WAF FullAccess | Policy | Full permissions for WAF |
| Web Application Firewall (WAF) (Project-level service) | Region-specific projects | WAF ReadOnlyAccess | Policy | Read-only permissions for WAF |
| Host Security Service (HSS) (Project-level service) | Region-specific projects | HSS Administrator | Role | Full permissions for HSS |
| Host Security Service (HSS) (Project-level service) | Region-specific projects | HSS FullAccess | Policy | Full permissions for HSS |
| Host Security Service (HSS) (Project-level service) | Region-specific projects | HSS ReadOnlyAccess | Policy | Read-only permissions for HSS |
| Vulnerability Scan Service (VSS) (Project-level service) | Region-specific projects | VSS Administrator | Role | Full permissions for VSS |
| Managed Detection and Response (MDR) (Project-level service) | Region-specific projects | SES Administrator | Role | MDR administrator with full permissions. This role must be used together with the BSS Administrator role in the same project. |
| Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS System Administrator | Role | Full permissions for DBSS |
| Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS Audit Administrator | Role | Security auditing permissions for DBSS |
| Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS Security Administrator | Role | Security protection permissions for DBSS |
| Data Encryption Workshop (DEW) (Project-level service) | Region-specific projects | KMS Administrator | Role | DEW administrator with full permissions |
| Data Encryption Workshop (DEW) (Project-level service) | Region-specific projects | KMS CMKFullAccess | Policy | Full permissions for encryption keys in DEW |
| Data Encryption Workshop (DEW) (Project-level service) | Region-specific projects | DEW KeypairFullAccess | Policy | Full permissions for key pairs in DEW |
| Data Encryption Workshop (DEW) (Project-level service) | Region-specific projects | DEW KeypairReadOnlyAccess | Policy | Permissions for viewing key pairs in DEW |
| Anti-DDoS (Project-level service) | Region-specific projects | Anti-DDoS Administrator | Role | Full permissions for Anti-DDoS. This role must be used together with the Tenant Guest role in the same project. |
| Scalable File Service (SFS) (Project-level service) | Region-specific projects | SFS FullAccess | Policy | Full permissions for SFS |
| Scalable File Service (SFS) (Project-level service) | Region-specific projects | SFS ReadOnlyAccess | Policy | Read-only permissions for SFS |
| Scalable File Service (SFS) (Project-level service) | Region-specific projects | SFS Administrator | Role | Full permissions for SFS. This role must be used together with the Tenant Guest role in the same project. |
| Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS FullAccess | Policy | Full permissions for DCS |
| Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS UseAccess | Policy | Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances |
| Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS ReadOnlyAccess | Policy | Read-only permissions for DCS |
| Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS Administrator | Role | Full permissions for DCS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS FullAccess | Policy | Full permissions for MRS |
| MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS CommonOperations | Policy | Common user permissions for MRS operations except creating and deleting resources |
| MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS ReadOnlyAccess | Policy | Read-only permissions for MRS |
| MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS Administrator | Role | Full permissions for MRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| ServiceStage, Cloud Performance Test Service (CPTS) (Project-level service) | Region-specific projects | SvcStg Admin | Role | (1) Full permissions for ServiceStage, including service, application, node, stack, and pipeline management. (2) Permissions for performing operations on test resources of all users in CPTS, such as adding, deleting, modifying, and querying test resources. |
| ServiceStage, Cloud Performance Test Service (CPTS) (Project-level service) | Region-specific projects | SvcStg Developer | Role | (1) Common user permissions for ServiceStage except node management. (2) Permissions for performing operations only on a user's own test resources, such as adding, deleting, modifying, and querying test resources. |
| ServiceStage, Cloud Performance Test Service (CPTS) (Project-level service) | Region-specific projects | SvcStg Operator | Role | (1) Read-only permissions for ServiceStage. (2) Read-only permissions only for a user's own test resources. |
| Elastic Load Balance (ELB) (Project-level service) | Region-specific projects | ELB FullAccess | Policy | Full permissions for ELB |
| Elastic Load Balance (ELB) (Project-level service) | Region-specific projects | ELB ReadOnlyAccess | Policy | Read-only permissions for ELB |
| Elastic Load Balance (ELB) (Project-level service) | Region-specific projects | ELB Administrator | Role | Full permissions for ELB. This role must be used together with the Tenant Guest role in the same project. |
| NAT Gateway (Project-level service) | Region-specific projects | NAT FullAccess | Policy | Full permissions for NAT Gateway |
| NAT Gateway (Project-level service) | Region-specific projects | NAT ReadOnlyAccess | Policy | Read-only permissions for NAT Gateway |
| NAT Gateway (Project-level service) | Region-specific projects | NAT Gateway Administrator | Role | Full permissions for NAT Gateway. This role must be used together with the Tenant Guest role in the same project. |
| Direct Connect (Project-level service) | Region-specific projects | Direct Connect Administrator | Role | Full permissions for Direct Connect. This role must be used together with the Tenant Guest role in the same project. |
| Cloud Backup and Recovery (CBR) (Project-level service) | Region-specific projects | CBR FullAccess | Policy | Administrator permissions for using all vaults and policies on CBR |
| Cloud Backup and Recovery (CBR) (Project-level service) | Region-specific projects | CBR BackupsAndVaultsFullAccess | Policy | Common user permissions for creating, viewing, and deleting vaults on CBR |
| Cloud Backup and Recovery (CBR) (Project-level service) | Region-specific projects | CBR ReadOnlyAccess | Policy | Read-only permissions for viewing data on CBR |
| Graph Engine Service (GES) (Project-level service) | Region-specific projects | GES Administrator | Role | Full permissions for GES. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Graph Engine Service (GES) (Project-level service) | Region-specific projects | GES Manager | Role | Advanced user of GES with permissions for performing any operations on GES resources except creating and deleting graphs. This role must be used together with the Tenant Guest role in the same project. |
| Graph Engine Service (GES) (Project-level service) | Region-specific projects | GES Operator | Role | Permissions for viewing and accessing graphs. This role must be used together with the Tenant Guest role in the same project. |
| Graph Engine Service (GES) (Project-level service) | Region-specific projects | GES FullAccess | Policy | Administrator permissions for performing all operations (including creation, deletion, access, and upgrade operations) on GES |
| Graph Engine Service (GES) (Project-level service) | Region-specific projects | GES Development | Policy | Operator permissions for all operations except creating and deleting graphs |
| Graph Engine Service (GES) (Project-level service) | Region-specific projects | GES ReadOnlyAccess | Policy | Read-only permissions for viewing resources, such as graphs, metadata, and backup data |
| Data Lake Factory (DLF) (Project-level service) | Region-specific projects | DLF Administrator | Role | Full permissions for DLF. This role must be used together with the Tenant Administrator role in the same project. |
| Data Lake Factory (DLF) (Project-level service) | Region-specific projects | DLF FullAccess | Policy | Full permissions for DLF |
| Data Lake Factory (DLF) (Project-level service) | Region-specific projects | DLF Development | Policy | Developer permissions for DLF. Users granted these permissions can use DLF to develop scripts and orchestrate jobs, but cannot create, delete, or modify workspaces. |
| Data Lake Factory (DLF) (Project-level service) | Region-specific projects | DLF OperationAndMaintenanceAccess | Policy | O&M permissions for DLF. Users granted these permissions can maintain scripts, jobs, and other resources, but cannot create, delete, or modify any resources. |
| Data Lake Factory (DLF) (Project-level service) | Region-specific projects | DLF ReadOnlyAccess | Policy | Read-only permissions for DLF. Users granted these permissions can only view DLF resources. |
| ModelArts (Project-level service) | Region-specific projects | ModelArts FullAccess | Policy | Administrator permissions for performing all operations on ModelArts |
| ModelArts (Project-level service) | Region-specific projects | ModelArts CommonOperations | Policy | Permissions for performing all operations except managing dedicated resource pools on ModelArts |
| Data Warehouse Service (DWS) (Project-level service) | Region-specific projects | DWS FullAccess | Policy | Full permissions for DWS |
| Data Warehouse Service (DWS) (Project-level service) | Region-specific projects | DWS ReadOnlyAccess | Policy | Read-only permissions for DWS |
| Data Warehouse Service (DWS) (Project-level service) | Region-specific projects | DWS Administrator | Role | Full permissions for DWS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Data Warehouse Service (DWS) (Project-level service) | Region-specific projects | DWS Database Access | Role | Permissions for accessing DWS. Users granted these permissions can generate temporary tokens for connecting to DWS cluster databases. |
| Cloud Stream Service (CS) (Project-level service) | Region-specific projects | CS FullAccess | Policy | Full permissions for CS |
| Cloud Stream Service (CS) (Project-level service) | Region-specific projects | CS CommonOperations | Policy | Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates. |
| Cloud Stream Service (CS) (Project-level service) | Region-specific projects | CS ReadOnlyAccess | Policy | Read-only permissions for CS. Users granted these permissions can only view CS jobs, templates, and exclusive clusters. |
| Cloud Stream Service (CS) (Project-level service) | Region-specific projects | CS Tenant User | Role | Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates. |
| Cloud Stream Service (CS) (Project-level service) | Region-specific projects | CS Tenant Admin | Role | Administrator permissions for all operations on CS, including: (1) creating, deleting, and modifying CS jobs, templates, and exclusive clusters; (2) allocating available clusters and quotas to users with permissions of the CS CommonOperations policy; (3) viewing all user jobs in exclusive clusters. |
| Data Lake Insight (DLI) (Project-level service) | Region-specific projects | DLI Service Admin | Role | Full permissions for DLI |
| Data Lake Insight (DLI) (Project-level service) | Region-specific projects | DLI Service User | Role | Permissions for using DLI, but not for creating resources |
| Data Ingestion Service (DIS) (Project-level service) | Region-specific projects | DIS Administrator | Role | Full permissions for DIS |
| Data Ingestion Service (DIS) (Project-level service) | Region-specific projects | DIS Operator | Role | Permissions for managing streams, such as creating and deleting streams, but not for uploading and downloading data |
| Data Ingestion Service (DIS) (Project-level service) | Region-specific projects | DIS User | Role | Permissions for uploading and downloading data, but not for managing streams |
| Conversational Bot Service (CBS) (Project-level service) | Region-specific projects | CBS Administrator | Role | Full permissions for CBS |
| Conversational Bot Service (CBS) (Project-level service) | Region-specific projects | CBS Guest | Role | Read-only permissions for CBS |
| Workspace (Project-level service) | Region-specific projects | Workspace Administrator | Role | Full permissions for Workspace. This role must be used together with the Tenant Guest, Server Administrator, and VPC Administrator roles in the same project. |
