Permissions
If you need to assign different permissions to employees in your enterprise to control their access to your cloud resources, you can use the Identity and Access Management (IAM) for fine-grained permissions management. IAM provides functions such as identity authentication, permissions management, and access control.
On the IAM console, you can create IAM users and assign permissions to control their access to specific resources. For example, you can create IAM users for software developers and assign permissions to allow them to use enterprise router resources but disallow them from performing any high-risk operations such as deleting such resources.
IAM is free of charge.
For more information, see IAM Service Overview.
Enterprise Router Permissions
By default, new IAM users do not have any permissions assigned. You need to add them to one or more groups and attach policies or roles to these groups so that these users can inherit permissions from the groups and perform specified operations on cloud services.
An enterprise router is a project-level service deployed in a specific region. You need to select a project such as ap-southeast-2 for which the permissions will be granted. If you select All projects, the permissions will be granted for all the projects. You need to switch to the authorized region before accessing an enterprise router.
- Role-based authorization: It is a coarse-grained authorization that defines permissions based on user responsibilities. There are only a limited number of roles, and some of them may depend on others. If so, you need to assign both roles to grant permissions. Role-based authorization is not an ideal choice for fine-grained authorization and minimum access control.
- Policy-based authorization: a type of fine-grained authorization that defines permissions required to perform operations on specific cloud resources under certain conditions. It is more flexible than role-based authorization and can achieve minimum access control. For example, you can grant IAM users only the permissions to perform specified operations on enterprise routers.
System Policy |
Description |
Type |
Dependency |
---|---|---|---|
ER FullAccess |
Administrator permissions for enterprise routers. Users with such permissions can operate and use all resources on enterprise routers. |
System-defined policy |
None |
ER ReadOnlyAccess |
Read-only permissions for enterprise routers. Users with such permissions can only view data on enterprise routers. |
System-defined policy |
None |
Operation |
Tenant Administrator |
Tenant Guest |
ER FullAccess |
ER ReadOnlyAccess |
---|---|---|---|---|
Creating an enterprise router |
√ |
x |
√ |
x |
Modifying an enterprise router |
√ |
x |
√ |
x |
Viewing an enterprise router |
√ |
√ |
√ |
√ |
Deleting an enterprise router |
√ |
x |
√ |
x |
Adding a Virtual Private Cloud (VPC) to an enterprise router |
√ |
x |
√ |
x |
Deleting a VPC attachment |
√ |
x |
√ |
x |
Viewing attachments of all types |
√ |
√ |
√ |
√ |
Creating a route table |
√ |
x |
√ |
x |
Renaming a route table |
√ |
x |
√ |
x |
Viewing a route table |
√ |
√ |
√ |
√ |
Deleting a route table |
√ |
x |
√ |
x |
Creating an association for an attachment in a route table |
√ |
x |
√ |
x |
Viewing associations in a route table |
√ |
√ |
√ |
√ |
Deleting an association from a route table |
√ |
x |
√ |
x |
Creating a propagation for an attachment in the route table |
√ |
x |
√ |
x |
Viewing a propagation in a route table |
√ |
√ |
√ |
√ |
Deleting a propagation from a route table |
√ |
x |
√ |
x |
Creating a static route |
√ |
x |
√ |
x |
Modifying a static route |
√ |
x |
√ |
x |
Viewing a route |
√ |
√ |
√ |
√ |
Deleting a static route |
√ |
x |
√ |
x |
Creating a flow log |
√ |
x |
√ |
x |
Viewing a VPC flow log |
√ |
√ |
√ |
√ |
Disabling a flow log |
√ |
x |
√ |
x |
Enabling a flow log |
√ |
x |
√ |
x |
Deleting a flow log |
√ |
x |
√ |
x |
Adding a resource tag |
√ |
x |
√ |
x |
Modifying a resource tag |
√ |
x |
√ |
x |
Viewing a resource tag |
√ |
√ |
√ |
√ |
Deleting a resource tag |
√ |
x |
√ |
x |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot