Permissions

If you need to grant your enterprise personnel permission to access your FlexusL resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you securely access your cloud resources.

With IAM, you can create IAM users and grant them permissions to access only specific resources. For example, if you want some software developers in your enterprise to be able to use FlexusL resources but do not want them to be able to delete FlexusL or perform any other high-risk operations, you can create IAM users and grant permission to use FlexusL but not permission to delete them.

If your account does not need individual IAM users for permissions management, skip this section.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see What Is IAM?

FlexusL Instance Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

FlexusL is a global service. When you set the authorization scope to Global services, users have permission to access FlexusL resources in all regions.

Table 1 lists the system-defined policies of FlexusL instances.

**Table 1** System-defined policies for FlexusL instances
Policy Name	Description	Policy Content
CORS FullAccess	Administrator permissions. Users with these permissions can perform all operations on resources packaged in FlexusL instances, including creating, deleting, querying, and modifying service resources.	CORS FullAccess Policy Content
CORS ReadOnlyAccess	Common user permissions. Users with these permissions can only perform query operations.	CORS ReadOnlyAccess Policy Content

Table 2 lists the common operations supported by system-defined permissions for FlexusL.

**Table 2** Common operations supported by system-defined permissions
Operation	CORS FullAccess	CORS ReadOnlyAccess
Creation	√	x
Remote login to FlexusL instances on the management console	√	x
Resource card checking	√	√
Details query	√	√
Modification	√	x
Start	√	x
Stop	√	x
Restart	√	x
Unsubscription	√	x
OS reinstallation	√	x
OS change	√	x
Specification modification	√	x

Reference

What Is IAM?
For details about how to create a user group or user and grant FlexusL permissions, see Granting Permissions to Use FlexusL Instances Through IAM.

CORS FullAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cors:*:*"
            ]
        }
    ]
}

CORS ReadOnlyAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cors:*:get",
                "cors:*:list"
            ]
        }
    ]
}

Previous topic: Unsubscribing from FlexusL Instances

Next topic: Constraints