Help Center/ Migration Center/ User Guide/ New Edition/ Permissions Management/ Agency Permissions

Updated on 2025-08-19 GMT+08:00

View PDF

Agency Permissions

Overview

To use certain functions of MgC, you must assign MgC the required permissions so it can provide you with complete services. This section describes the scenarios where authorization is required and what custom permission policies will be created.

The system may create a new custom policy or update an existing policy during the authorization.

If there is no available custom policy, the system automatically creates a new one. For details about how to create a custom policy, see Creating a Custom Policy.
If there is an available custom policy but it does not contain required permissions, the system automatically updates the policy.

Cross-AZ Migration

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a cross-AZ migration workflow	MgC	MgC AzMigrationAgencyPolicy	ecs:cloudServers:showServer (Querying details about an ECS) ecs:flavors:get (Querying ECS flavors) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ecs:cloudServerQuotas:get (Querying quotas of a tenant) ecs:servers:list (Querying ECSs) ecs:cloudServers:list (Querying details about ECSs) ecs:servers:stop (Stopping an ECS) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS) ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS) ecs:cloudServerNics:update (Configuring a private IP address for a NIC of an ECS) ecs:availabilityZones:list (Listing AZs) ecs:servers:start (Starting an ECS) ecs:cloudServers:changeNetworkInterface (Updating attributes of a specified NIC on an ECS) ecs:serverInterfaces:get (Querying ECS NICs) ecs:cloudServers:get (Querying details about an ECS) vpc:publicIps:create (Creating an EIP) vpc:publicIps:update (Updating an EIP) vpc:subnets:get (Querying subnets or querying details about a subnet) vpc:networks:get (Querying networks) vpc:publicIps:list (Listing EIPs) vpc:publicIps:get (Querying details about an EIP) vpc:ports:get (Querying ports or querying details about a port) vpc:ports:delete (Deleting a port) vpc:ports:update (Updating a port) vpc:ports:create (Creating a port) evs:types:get (Querying EVS disk types) evs:volumes:list (Listing EVS disks) cbr:vaults:get (Querying a specified vault) cbr:vaults:list (Querying vaults) cbr:vaults:create (Creating a vault) cbr:vaults:addResources (Associating resources) cbr:vaults:backup (Creating backups) cbr:backups:list (Querying backups) cbr:tasks:list (Querying tasks) cbr:tasks:get (Querying details about a task) cbr:backups:delete (Deleting a backup) cbr:backups:get (Querying a backup) cbr:vaults:delete (Deleting a vault) ims:wholeImages:create (Creating a full-ECS image) ims:images:list (Listing images) ims:images:delete (Deleting an image) ims:images:get (Querying details about an image) ims:serverImages:create (Creating an image)
Enabling SMN notifications for a cross-AZ migration workflow	MgC	MgC MigrationSmnAgencyPolicy	smn:topic:list (Listing topics) smn:topic:publish (Publishing messages)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a cross-AZ migration workflow

MgC

MgC AzMigrationAgencyPolicy

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:flavors:get (Querying ECS flavors)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServerQuotas:get (Querying quotas of a tenant)

ecs:servers:list (Querying ECSs)

ecs:cloudServers:list (Querying details about ECSs)

ecs:servers:stop (Stopping an ECS)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS)

ecs:cloudServerNics:update (Configuring a private IP address for a NIC of an ECS)

ecs:availabilityZones:list (Listing AZs)

ecs:servers:start (Starting an ECS)

ecs:cloudServers:changeNetworkInterface (Updating attributes of a specified NIC on an ECS)

ecs:serverInterfaces:get (Querying ECS NICs)

ecs:cloudServers:get (Querying details about an ECS)

vpc:publicIps:create (Creating an EIP)

vpc:publicIps:update (Updating an EIP)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:networks:get (Querying networks)

vpc:publicIps:list (Listing EIPs)

vpc:publicIps:get (Querying details about an EIP)

vpc:ports:get (Querying ports or querying details about a port)

vpc:ports:delete (Deleting a port)

vpc:ports:update (Updating a port)

vpc:ports:create (Creating a port)

evs:types:get (Querying EVS disk types)

evs:volumes:list (Listing EVS disks)

cbr:vaults:get (Querying a specified vault)

cbr:vaults:list (Querying vaults)

cbr:vaults:create (Creating a vault)

cbr:vaults:addResources (Associating resources)

cbr:vaults:backup (Creating backups)

cbr:backups:list (Querying backups)

cbr:tasks:list (Querying tasks)

cbr:tasks:get (Querying details about a task)

cbr:backups:delete (Deleting a backup)

cbr:backups:get (Querying a backup)

cbr:vaults:delete (Deleting a vault)

ims:wholeImages:create (Creating a full-ECS image)

ims:images:list (Listing images)

ims:images:delete (Deleting an image)

ims:images:get (Querying details about an image)

ims:serverImages:create (Creating an image)

Enabling SMN notifications for a cross-AZ migration workflow

MgC

MgC MigrationSmnAgencyPolicy

smn:topic:list (Listing topics)

smn:topic:publish (Publishing messages)

TCO Analysis

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a migration cost analysis task	MgC	MgC TcoAgencyPolicy	ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) evs:types:get (Querying EVS disk types)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a migration cost analysis task

MgC

MgC TcoAgencyPolicy

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

evs:types:get (Querying EVS disk types)

Cloud Discovery

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Huawei Cloud discovery	MgC	MgC CloudPlatformCollectionAgencyPolicy	vpc:vpcs:list (Listing VPCs) vpc:subnets:get (Querying subnets or querying details about a subnet) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule) vpc:publicIps:list (Listing EIPs) ecs:cloudServers:list (Querying details about ECSs) evs:volumes:list (Listing EVS disks) ces:metricData:list (Querying metric data)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Huawei Cloud discovery

MgC

MgC CloudPlatformCollectionAgencyPolicy

vpc:vpcs:list (Listing VPCs)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule)

vpc:publicIps:list (Listing EIPs)

ecs:cloudServers:list (Querying details about ECSs)

evs:volumes:list (Listing EVS disks)

ces:metricData:list (Querying metric data)

Generating Target Recommendations

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Getting target recommendations	MgC	MgC ServerAssessAgencyPolicy	ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ims:images:list (Listing images) evs:types:get (Querying EVS disk types) deh:dedicatedHosts:get (Obtaining details about a DeH) deh:dedicatedHosts:list (Listing DeHs)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Getting target recommendations

MgC

MgC ServerAssessAgencyPolicy

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ims:images:list (Listing images)

evs:types:get (Querying EVS disk types)

deh:dedicatedHosts:get (Obtaining details about a DeH)

deh:dedicatedHosts:list (Listing DeHs)

Associating a Source Server with an Existing Target Server

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Associating source servers with existing target servers	MgC	MgC ServerBindTargetAgencyPolicy	ecs:cloudServers:showServer (Querying details about an ECS) evs:volumes:list (Listing EVS disks) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ims:images:list (Listing images)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Associating source servers with existing target servers

MgC

MgC ServerBindTargetAgencyPolicy

ecs:cloudServers:showServer (Querying details about an ECS)

evs:volumes:list (Listing EVS disks)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ims:images:list (Listing images)

Creating a Server Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a Server Migration Workflow	MgC	MgC ServerMigrationAgencyPolicy	ecs:cloudServers:showServer (Querying details about an ECS) ecs:cloudServers:createServers (Creating an ECS) sms:server:migrationServer (Migrating a source server) sms:server:queryServer (Querying source servers) ecs:cloudServers:list (Querying ECSs) ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS) ecs:cloudServerQuotas:get (Querying quotas of a tenant) vpc:publicIps:create (Creating an EIP) vpc:privateIps:list (Querying private IP addresses) ecs:cloudServers:get (Querying details about an ECS) ecs:cloudServers:changeVpc (Changing a VPC for an ECS) ecs:cloudServers:attach (Attaching a disk to an ECS) ecs:cloudServers:start (Starting ECSs in batches) ecs:cloudServers:detachVolume (Detaching a disk from a specified ECS) ecs:cloudServers:stop (Stopping ECSs in batches) ecs:servers:unlock (Unlocking an ECS) evs:volumes:delete (Deleting an EVS disk) evs:volumes:use (Attaching and detaching EVS disks) evs:volumes:get (Querying details about an EVS disk) ims:images:get (Querying details about an image)
Enabling the option to retain IP addresses during a server migration workflow	MgC	MgC ServerMigrationIpKeepAgencyPolicy	vpc:subnets:get (Querying subnets or querying details about a subnet) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)
Enabling SMN notifications for a server migration workflow	MgC	MgC MigrationSmnAgencyPolicy	smn:topic:list (Listing topics) smn:topic:publish (Publishing messages)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a Server Migration Workflow

MgC

MgC ServerMigrationAgencyPolicy

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:cloudServers:createServers (Creating an ECS)

sms:server:migrationServer (Migrating a source server)

sms:server:queryServer (Querying source servers)

ecs:cloudServers:list (Querying ECSs)

ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS)

ecs:cloudServerQuotas:get (Querying quotas of a tenant)

vpc:publicIps:create (Creating an EIP)

vpc:privateIps:list (Querying private IP addresses)

ecs:cloudServers:get (Querying details about an ECS)

ecs:cloudServers:changeVpc (Changing a VPC for an ECS)

ecs:cloudServers:attach (Attaching a disk to an ECS)

ecs:cloudServers:start (Starting ECSs in batches)

ecs:cloudServers:detachVolume (Detaching a disk from a specified ECS)

ecs:cloudServers:stop (Stopping ECSs in batches)

ecs:servers:unlock (Unlocking an ECS)

evs:volumes:delete (Deleting an EVS disk)

evs:volumes:use (Attaching and detaching EVS disks)

evs:volumes:get (Querying details about an EVS disk)

ims:images:get (Querying details about an image)

Enabling the option to retain IP addresses during a server migration workflow

MgC

MgC ServerMigrationIpKeepAgencyPolicy

vpc:subnets:get (Querying subnets or querying details about a subnet)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

Enabling SMN notifications for a server migration workflow

MgC

MgC MigrationSmnAgencyPolicy

smn:topic:list (Listing topics)

smn:topic:publish (Publishing messages)

Purchasing Resources

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Purchasing resources	MgC	MgC PurchaseAgencyPolicy	eps:resources:add (Adding resources to an enterprise project) ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:showServer (Querying details about an ECS) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ecs:cloudServers:list (Querying details about ECSs) evs:volumes:list (Listing EVS disks) vpc:publicIps:update (Updating an EIP) vpc:publicIps:create (Creating an EIP) ims:images:list (Listing images)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Purchasing resources

MgC

MgC PurchaseAgencyPolicy

eps:resources:add (Adding resources to an enterprise project)

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServers:list (Querying details about ECSs)

evs:volumes:list (Listing EVS disks)

vpc:publicIps:update (Updating an EIP)

vpc:publicIps:create (Creating an EIP)

ims:images:list (Listing images)

Configuring a Server Purchase Template

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Configuring a server purchase template	MgC	MgC PurchaseTemplateAgencyPolicy	iam:projects:listProjects (Querying projects) eps:enterpriseProjects:list (Listing enterprise projects) vpc:subnets:get (Querying subnets or querying details about a subnet) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:vpcs:get (Querying VPC details)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Configuring a server purchase template

MgC

MgC PurchaseTemplateAgencyPolicy

iam:projects:listProjects (Querying projects)

eps:enterpriseProjects:list (Listing enterprise projects)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:vpcs:get (Querying VPC details)

Creating Migration Plans

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a server migration plan (importing target server configurations from an OBS bucket)	MgC	MgC ImportTargetConfigurationAgencyPolicy	obs:object:GetObject (Obtaining object content and metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Listing buckets)
Creating a server migration plan (exporting target server configurations)		MgC ExportTargetConfigurationAgencyPolicy	ims:images:list (Listing images) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)
Creating a server migration plan - verifying the server quota		MgC ServerMigrationQuotasAgencyPolicy	ecs:cloudServers:list (Querying details about ECSs) evs:quotas:get (Querying EVS disk quotas) ecs:cloudServerQuotas:get (Querying quotas of a tenant) vpc:quotas:list (Listing resource quotas)
Creating a batch object storage migration plan (configuring target buckets)		MgC ListObsBucketsAgencyPolicy	obs:bucket:ListAllMyBuckets (Listing buckets)

Creating a Migration Cluster

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a migration cluster	OMS	OMS ObsMigrationAgencyPolicy	ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS) ecs:cloudServers:showServer (Querying details about an ECS) ecs:cloudServers:deleteServers (Deleting ECSs) nat:natGateways:create (Creating a NAT Gateway) nat:natGateways:get (Querying details about a NAT gateway) nat:natGateways:delete (Deleting a NAT gateway) nat:snatRules:create (Creating an SNAT rule) nat:snatRules:get (Querying details about an SNAT rule) nat:dnatRules:list (Querying DNAT rules) nat:snatRules:list (Querying SNAT rules) nat:snatRules:delete (Deleting an SNAT rule) vpc:securityGroups:create (Creating a security group) vpc:securityGroups:delete (Deleting a security group) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:securityGroupRules:create (Creating a security group rule) vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule) vpc:securityGroupRules:delete (Deleting a security group rule) vpcep:epservices:create (Creating a VPC endpoint service) vpcep:epservices:get (Querying details about a VPC endpoint service) vpcep:epservices:delete (Deleting a VPC endpoint service) vpcep:connections:update (Accepting or rejecting a VPC endpoint) vpcep:permissions:update (Batch adding or deleting whitelist records of a VPC endpoint service) lts:topics:create (Creating a log topic) lts:topics:delete (Deleting a log topic) lts:groups:create (Creating a log group) lts:groups:get (Querying details about a log group) lts:groups:delete (Deleting a log group) ims:images:list (Listing images) apm:icmgr:list (Listing ICAgents) apm:icmgr:get (Obtaining the collection component version)
ECS	ECS ObsMigrationAgencyPolicy	apm:icmgr:* (Full permissions for the APM collection component)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a migration cluster

OMS

OMS ObsMigrationAgencyPolicy

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:cloudServers:deleteServers (Deleting ECSs)

nat:natGateways:create (Creating a NAT Gateway)

nat:natGateways:get (Querying details about a NAT gateway)

nat:natGateways:delete (Deleting a NAT gateway)

nat:snatRules:create (Creating an SNAT rule)

nat:snatRules:get (Querying details about an SNAT rule)

nat:dnatRules:list (Querying DNAT rules)

nat:snatRules:list (Querying SNAT rules)

nat:snatRules:delete (Deleting an SNAT rule)

vpc:securityGroups:create (Creating a security group)

vpc:securityGroups:delete (Deleting a security group)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:securityGroupRules:create (Creating a security group rule)

vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule)

vpc:securityGroupRules:delete (Deleting a security group rule)

vpcep:epservices:create (Creating a VPC endpoint service)

vpcep:epservices:get (Querying details about a VPC endpoint service)

vpcep:epservices:delete (Deleting a VPC endpoint service)

vpcep:connections:update (Accepting or rejecting a VPC endpoint)

vpcep:permissions:update (Batch adding or deleting whitelist records of a VPC endpoint service)

lts:topics:create (Creating a log topic)

lts:topics:delete (Deleting a log topic)

lts:groups:create (Creating a log group)

lts:groups:get (Querying details about a log group)

lts:groups:delete (Deleting a log group)

ims:images:list (Listing images)

apm:icmgr:list (Listing ICAgents)

apm:icmgr:get (Obtaining the collection component version)

ECS

ECS ObsMigrationAgencyPolicy

apm:icmgr:* (Full permissions for the APM collection component)

Creating a Storage Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a storage migration workflow	MgC	-	OMS AgencyOperator (a system-defined role)

Importing RVTools Data

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Importing RVTools data	MgC	MgC OfflineCollectionAgencyPolicy	obs:object:GetObject (Obtaining object content and metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Listing buckets)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Importing RVTools data

MgC

MgC OfflineCollectionAgencyPolicy

obs:object:GetObject (Obtaining object content and metadata)

obs:bucket:ListBucket (Listing objects in a bucket)

obs:bucket:ListAllMyBuckets (Listing buckets)

Parent Topic: Permissions Management

Previous topic: MgC Custom Policies