Help Center/ Database Security Service/ User Guide/ Permission Control/ Configuring FullAccess Sensitive Permissions
Updated on 2024-04-17 GMT+08:00
View PDF
Share

Configuring FullAccess Sensitive Permissions

The full permission set of DBSS involves sensitive permissions of some users, such as order payment, OBS bucket creation, file upload, agent creation, and agent permission setting.

These permissions have great impact on user assets. Therefore, they are not added to the preset permission set of the system but need to be manually added by users through description documents.

For details about sensitive permissions, see Table 1. The permission details are as follows:

"obs:bucket:CreateBucket",
"obs:object:PutObject",
"bss:order:pay",
"iam:agencies:createAgency",
"iam:permissions:grantRoleToAgency",
"iam:permissions:grantRoleToAgencyOnEnterpriseProject",
"iam:permissions:grantRoleToAgencyOnDomain",
"iam:permissions:grantRoleToAgencyOnProject"
Table 1 Description of sensitive permissions

Sensitive Permission Item

Application Scenario

Global Permission or Not

Workaround

obs:bucket:CreateBucket
  • When the agent is deployed in the CCE scenario, if the OBS bucket where the data is to be uploaded does not exist, this API is called to create an OBS bucket. The name of the OBS bucket to which the data is uploaded is dbss-audit-agent-{project_id}. project_id indicates the ID of the project where the current instance is located.
  • In the backup and risk export scenarios, if the selected bucket does not exist, an OBS bucket will be created.

Yes
  • If no permission application scenarios are involved, you do not need to configure this permission.
  • If permission application scenarios are involved, you can use an authorized account to create an OBS bucket in advance.

obs:object:PutObject

When the agent is deployed in the CCE scenario, the instance configuration information is uploaded to the OBS bucket.

Yes
  • If no permission application scenarios are involved, you do not need to configure this permission.
  • If you need to use this permission, configure this permission to export instance information.

iam:agencies:createAgency

iam:permissions:grantRoleToAgency

iam:permissions:grantRoleToAgencyOnEnterpriseProject

iam:permissions:grantRoleToAgencyOnDomain

iam:permissions:grantRoleToAgencyOnProject
  • In the backup and risk export scenarios, create an agent named dbss_depend_obs_trust and grant OBS operation permissions to the agent.
  • In the agent-free DWS scenarios, DWS creates an agent named DWSAccessLTS and grants it the permission to access LTS for uploading audit logs to the tenant's LTS. DBSS creates an agent named dbss_dws_lts_trust and grants the LTS access permission to the agent for downloading audit logs from LTS.

Yes
  • If no permission application scenarios are involved, you do not need to configure this permission.
  • You can use an authorized account to enable this function.

bss:order:pay

Pay for the order when purchasing an audit instance.

No
  • If no permission application scenarios are involved, you do not need to configure this permission.
  • You can use an authorized account to purchase instances in advance.
Parent topic: Permission Control