Help Center/ Migration Center/ User Guide/ Permissions Management/ Agency Permissions

Updated on 2024-09-05 GMT+08:00

View PDF

Agency Permissions

Overview

To use some functions of MgC, you must delegate MgC required permissions so that we can provide you with complete services. This section describes the scenarios where authorization is required and what custom permission policies will be created.

The system may create a new custom policy or update an existing policy during the authorization.

If there is no available custom policy, the system automatically creates a new one.
If there is an available custom policy but it does not contain required permissions, the system automatically updates the policy.

Creating a Cross-AZ Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Creating a cross-AZ migration workflow	MgC	MgC AzMigrationAgencyPolicy	ecs:cloudServers:showServer (Query details about an ECS) ecs:flavors:get (Querying ECS Flavors) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ecs:cloudServerQuotas:get (Querying quotas of a tenant) ecs:servers:list (Querying ECSs) ecs:cloudServers:list (Querying details about ECSs) ecs:servers:stop (Stopping an ECS) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS) ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS) ecs:cloudServerNics:update (Configuring a private IP address for a NIC of an ECS) ecs:availabilityZones:list (Listing AZs) ecs:servers:start (Starting an ECS) ecs:cloudServers:changeNetworkInterface (Updating attributes of a specified NIC on an ECS) ecs:serverInterfaces:get (Querying ECS NICs) ecs:cloudServers:get (Query details about an ECS) vpc:publicIps:create (Creating an EIP) vpc:publicIps:update (Updating an EIP) vpc:subnets:get (Querying subnets) vpc:networks:get (Querying networks) vpc:publicIps:list (Querying EIPs) vpc:publicIps:list (Querying details about an EIP) vpc:ports:get (Querying ports or querying details about a port) vpc:ports:delete (Deleting a port) vpc:ports:update (Updating a port) vpc:ports:create (Creating a port) evs:types:get (Querying EVS disk types) evs:volumes:list (Querying EVS disks) cbr:vaults:get (Querying a specified vault) cbr:vaults:list (Querying vaults) cbr:vaults:create (Creating a vault) cbr:vaults:addResources (Associating resources) cbr:vaults:backup (Creating a restore point) cbr:backups:list (Querying backups) cbr:tasks:list (Querying tasks) cbr:tasks:get (Querying details about a task) cbr:backups:delete (Deleting a backup) cbr:backups:get (Querying a backup) cbr:vaults:delete (Deleting a vault) ims:wholeImages:create (Creating a full-ECS image) ims:images:list (Querying images) ims:images:delete (Deleting an image) ims:images:get (Querying details about an image) ims:serverImages:create (Creating an image)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Creating a cross-AZ migration workflow

MgC

MgC AzMigrationAgencyPolicy

ecs:cloudServers:showServer (Query details about an ECS)

ecs:flavors:get (Querying ECS Flavors)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServerQuotas:get (Querying quotas of a tenant)

ecs:servers:list (Querying ECSs)

ecs:cloudServers:list (Querying details about ECSs)

ecs:servers:stop (Stopping an ECS)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS)

ecs:cloudServerNics:update (Configuring a private IP address for a NIC of an ECS)

ecs:availabilityZones:list (Listing AZs)

ecs:servers:start (Starting an ECS)

ecs:cloudServers:changeNetworkInterface (Updating attributes of a specified NIC on an ECS)

ecs:serverInterfaces:get (Querying ECS NICs)

ecs:cloudServers:get (Query details about an ECS)

vpc:publicIps:create (Creating an EIP)

vpc:publicIps:update (Updating an EIP)

vpc:subnets:get (Querying subnets)

vpc:networks:get (Querying networks)

vpc:publicIps:list (Querying EIPs)

vpc:publicIps:list (Querying details about an EIP)

vpc:ports:get (Querying ports or querying details about a port)

vpc:ports:delete (Deleting a port)

vpc:ports:update (Updating a port)

vpc:ports:create (Creating a port)

evs:types:get (Querying EVS disk types)

evs:volumes:list (Querying EVS disks)

cbr:vaults:get (Querying a specified vault)

cbr:vaults:list (Querying vaults)

cbr:vaults:create (Creating a vault)

cbr:vaults:addResources (Associating resources)

cbr:vaults:backup (Creating a restore point)

cbr:backups:list (Querying backups)

cbr:tasks:list (Querying tasks)

cbr:tasks:get (Querying details about a task)

cbr:backups:delete (Deleting a backup)

cbr:backups:get (Querying a backup)

cbr:vaults:delete (Deleting a vault)

ims:wholeImages:create (Creating a full-ECS image)

ims:images:list (Querying images)

ims:images:delete (Deleting an image)

ims:images:get (Querying details about an image)

ims:serverImages:create (Creating an image)

Migration Cost Analysis

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Creating a migration cost analysis task	MgC	MgC TcoAgencyPolicy	ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) evs:types:get (Querying EVS disk types) ims::get (Querying details about an image) ims::list (Querying images)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Creating a migration cost analysis task

MgC

MgC TcoAgencyPolicy

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

evs:types:get (Querying EVS disk types)

ims:*:get* (Querying details about an image)

ims:*:list* (Querying images)

Getting Target Recommendations

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Getting target recommendations	MgC	MgC ServerAssessAgencyPolicy	ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ims:images:list (Querying images) evs:types:get (Querying EVS disk types)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Getting target recommendations

MgC

MgC ServerAssessAgencyPolicy

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ims:images:list (Querying images)

evs:types:get (Querying EVS disk types)

Binding a Source Server to an Existing Target Server

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Binding a source server to an existing target server	MgC	MgC ServerBindTargetAgencyPolicy	ecs:cloudServers:showServer (Query details about an ECS) evs:volumes:list (Querying EVS disks) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Binding a source server to an existing target server

MgC

MgC ServerBindTargetAgencyPolicy

ecs:cloudServers:showServer (Query details about an ECS)

evs:volumes:list (Querying EVS disks)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

Creating a Server Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Creating a Server Migration Workflow	MgC	MgC ServerMigrationAgencyPolicy	ecs:cloudServers:showServer (Query details about an ECS) ecs:cloudServers:createServers (Creating an ECS) sms:server:migrationServer (Migrating a source server) sms:server:queryServer (Querying source servers) ecs:cloudServers:list (Querying ECSs) ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS) ecs:cloudServerQuotas:get (Querying quotas of a tenant) vpc:publicIps:create (Creating an EIP) ecs:cloudServers:get (Query details about an ECS)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Creating a Server Migration Workflow

MgC

MgC ServerMigrationAgencyPolicy

ecs:cloudServers:showServer (Query details about an ECS)

ecs:cloudServers:createServers (Creating an ECS)

sms:server:migrationServer (Migrating a source server)

sms:server:queryServer (Querying source servers)

ecs:cloudServers:list (Querying ECSs)

ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS)

ecs:cloudServerQuotas:get (Querying quotas of a tenant)

vpc:publicIps:create (Creating an EIP)

ecs:cloudServers:get (Query details about an ECS)

Purchasing Resources

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Purchasing resources	MgC	MgC PurchaseAgencyPolicy	eps:resources:add (Adding resources to an enterprise project) ecs:cloudServers:createServers (Creating an ECS) evs:volumes:list (Querying EVS disks) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ecs:cloudServers:list (Querying details about ECSs) ecs:cloudServers:createServers (Creating an ECS) vpc:publicIps:update (Updating an EIP) vpc:publicIps:create (Creating an EIP)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Purchasing resources

MgC

MgC PurchaseAgencyPolicy

eps:resources:add (Adding resources to an enterprise project)

ecs:cloudServers:createServers (Creating an ECS)

evs:volumes:list (Querying EVS disks)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServers:list (Querying details about ECSs)

ecs:cloudServers:createServers (Creating an ECS)

vpc:publicIps:update (Updating an EIP)

vpc:publicIps:create (Creating an EIP)

Configuring a Server Purchase Template

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Configuring a server purchase template	MgC	MgC PurchaseTemplateAgencyPolicy	iam:projects:listProjects (Querying projects) eps:enterpriseProjects:list (Listing enterprise projects) vpc:subnets:get (Querying subnets or querying details about a subnet) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:vpcs:get (Querying VPC details)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Configuring a server purchase template

MgC

MgC PurchaseTemplateAgencyPolicy

iam:projects:listProjects (Querying projects)

eps:enterpriseProjects:list (Listing enterprise projects)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:vpcs:get (Querying VPC details)

Creating a Migration Cluster

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Creating a migration cluster	OMS	OMS ObsMigrationAgencyPolicy	ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS) ecs:cloudServers:showServer (Query details about an ECS) ecs:cloudServers:deleteServers (Deleting ECSs) ecs:cloudServers:list (Querying details about ECSs) nat:natGateways:create (Creating a NAT Gateway) nat:natGateways:get (Querying details about a NAT gateway) nat:natGateways:delete (Deleting a NAT gateway) nat:snatRules:create (Creating an SNAT rule) nat:snatRules:get (Querying details about an SNAT rule) nat:dnatRules:list (Querying DNAT rules) nat:dnatRules:list (Querying DNAT rules) nat:snatRules:delete (Deleting an SNAT rule) nat:natGateways:list (Querying NAT gateways) vpc:securityGroups:create (Creating a security group) vpc:securityGroups:delete (Deleting a security group) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:securityGroupRules:create (Creating a security group rule) vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule) vpc:securityGroupRules:delete (Deleting a security group rule) vpcep:epservices:create (Creating a VPC endpoint service) vpcep:epservices:get (Querying details about a VPC endpoint service) vpcep:permissions:list (Querying whitelist records of a VPC endpoint service) vpcep:connections:list (Querying connections of a VPC endpoint service) vpcep:epservices:list (Querying VPC endpoint services) vpcep:epservices:delete (Deleting a VPC endpoint service) vpcep:endpoints:create (Creating a VPC endpoint) vpcep:endpoints:list (Querying VPC endpoints) vpcep:endpoints:get (Querying details about a VPC endpoint) vpcep:endpoints:delete (Deleting a VPC endpoint) vpcep:connections:update (Accepting or rejecting a VPC endpoint) vpcep:permissions:update (Batch adding or deleting whitelist records of a VPC endpoint service) lts:topics:get (Querying a log topic) lts:topics:create (Creating a log topic) lts:topics:list (Querying log topics) lts:topics:delete (Deleting a log topic) lts:: (Performing all operations on host groups) lts:groups:create (Creating a log group) lts:groups:get (Querying details about a log group) lts:groups:delete (Deleting a log group) aom:: (Full permissions for AOM) apm:icmgr:* (Full permissions for the APM collection component)
ECS	ECS ObsMigrationAgencyPolicy	apm:icmgr:* (Full permissions for the APM collection component)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Creating a migration cluster

OMS

OMS ObsMigrationAgencyPolicy

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

ecs:cloudServers:showServer (Query details about an ECS)

ecs:cloudServers:deleteServers (Deleting ECSs)

ecs:cloudServers:list (Querying details about ECSs)

nat:natGateways:create (Creating a NAT Gateway)

nat:natGateways:get (Querying details about a NAT gateway)

nat:natGateways:delete (Deleting a NAT gateway)

nat:snatRules:create (Creating an SNAT rule)

nat:snatRules:get (Querying details about an SNAT rule)

nat:dnatRules:list (Querying DNAT rules)

nat:snatRules:delete (Deleting an SNAT rule)

nat:natGateways:list (Querying NAT gateways)

vpc:securityGroups:create (Creating a security group)

vpc:securityGroups:delete (Deleting a security group)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:securityGroupRules:create (Creating a security group rule)

vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule)

vpc:securityGroupRules:delete (Deleting a security group rule)

vpcep:epservices:create (Creating a VPC endpoint service)

vpcep:epservices:get (Querying details about a VPC endpoint service)

vpcep:permissions:list (Querying whitelist records of a VPC endpoint service)

vpcep:connections:list (Querying connections of a VPC endpoint service)

vpcep:epservices:list (Querying VPC endpoint services)

vpcep:epservices:delete (Deleting a VPC endpoint service)

vpcep:endpoints:create (Creating a VPC endpoint)

vpcep:endpoints:list (Querying VPC endpoints)

vpcep:endpoints:get (Querying details about a VPC endpoint)

vpcep:endpoints:delete (Deleting a VPC endpoint)

vpcep:connections:update (Accepting or rejecting a VPC endpoint)

vpcep:permissions:update (Batch adding or deleting whitelist records of a VPC endpoint service)

lts:topics:get (Querying a log topic)

lts:topics:create (Creating a log topic)

lts:topics:list (Querying log topics)

lts:topics:delete (Deleting a log topic)

lts:*:* (Performing all operations on host groups)

lts:groups:create (Creating a log group)

lts:groups:get (Querying details about a log group)

lts:groups:delete (Deleting a log group)

aom:*:* (Full permissions for AOM)

apm:icmgr:* (Full permissions for the APM collection component)

ECS

ECS ObsMigrationAgencyPolicy

apm:icmgr:* (Full permissions for the APM collection component)

Creating a Storage Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Creating a storage migration workflow	MgC	-	OMS Administrator (system-defined role, the administrator role of the OMS)

Importing RVTools Data

Scenario	Delegated Object	Custom Policy	Minimum Permissions
Importing RVTools data	MgC	MgC OfflineCollectionAgencyPolicy	obs:object:GetObject (Obtaining object content and metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Querying buckets)

Scenario

Delegated Object

Custom Policy

Minimum Permissions

Importing RVTools data

MgC

MgC OfflineCollectionAgencyPolicy

obs:object:GetObject (Obtaining object content and metadata)

obs:bucket:ListBucket (Listing objects in a bucket)

obs:bucket:ListAllMyBuckets (Querying buckets)

Parent topic: Permissions Management

Previous topic: MgC Custom Policies

Next topic: IAM User Permissions

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot