Permission Management

If you need to assign different permissions to employees in your enterprise to access your cloud resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud services.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific cloud service resources. For example, you need to allow website maintenance personnel in your enterprise to use VPCEP resources but do not want them to delete other cloud resources or perform any high-risk operations. To achieve this result, you can create IAM users for the maintenance personnel and grant them only the permissions required for using VPCEP resources.

If you do not need to create IAM users in your account for permissions management, you may skip over this section.

IAM is free of charge. You pay only for the resources in your account.

For more information, see IAM Service Overview.

VPCEP Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

VPCEP is a project-level service deployed and accessed in specific physical regions. To assign SMN permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing the VPCEP service, users need to switch to a region where they have been authorized to use VPCEP resources.

Table 1 lists all system-defined roles supported by VPCEP.

**Table 1** System-defined roles supported by VPCEP
System-defined Role	Description	Category	Dependency
VPCEndpoint Administrator	Full permissions for VPCEP	System-defined role	This role depends on Server Administrator, VPC Administrator, and DNS Administrator roles in the same project.

Table 2 lists the common operations for each system-defined policy or role of VPCEP. Select policies or roles as needed.

**Table 2** Common operations supported by the VPCEP system policies
Operation	VPCEndpoint Administrator
Creating a VPC endpoint	Yes
Deleting a VPC endpoint	Yes
Querying a VPC endpoint	Yes
Modifying a VPC endpoint	Yes
Creating a VPC endpoint service	Yes
Deleting a VPC endpoint service	Yes
Querying a VPC endpoint service	Yes
Modifying a VPC endpoint service	Yes