Updated on 2024-07-04 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your APM resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use APM resources but cannot delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using APM resources.

If your account does not need individual IAM users for permissions management, you may skip over this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

Traces and Agent statistics do not involve your entity resources. To ensure statistics integrity, authorized users can check the trace and Agent statistics of the tenant, including those in other enterprise projects.

APM Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on APM.

APM is a global service. By default, the APM permissions granted to a user take effect in all regions supported by APM. APM resources are isolated by tenant. All users under a tenant share resources. To isolate resources, use enterprise projects.

APM is a global service and can be accessed without specifying a physical region.

Table 1 lists all the system permissions supported by APM.

Table 1 System permissions supported by APM

Role

Description

Category

APM FullAccess

Full permissions for APM

System-defined policy

APM ReadOnlyAccess

Read-only permissions for APM

System-defined policy

Table 2 lists the common operations supported by each system-defined policy or role of APM. Choose policies or roles as required.

Table 2 Common operations supported by each system-defined policy or role of APM

Operation

APM FullAccess

APM ReadOnlyAccess

Querying the alarm list

Querying alarm details

Querying alarm notification details

Obtaining application configuration

Creating application configuration

x

Deleting application configuration

x

Modifying application configuration

x

Querying a tag

Adding a tag

x

Deleting a tag

x

Modifying a tag

x

Querying a resource tag

Adding a resource tag

x

Deleting a resource tag

x

Modifying a resource tag

x

Querying an alarm template

Adding an alarm template

x

Deleting an alarm template

x

Modifying an alarm template

x

Obtaining a notification

Deleting a notification

x

Adding a notification

x

Modifying a notification

x

Obtaining URL tracing configuration

Deleting URL tracing configuration

x

Adding a URL for tracing

x

Modifying URL tracing configuration

x

Querying a URL tracing view

Obtaining the URL tracing list

Obtaining the global topology

Querying a sub-application

Querying environment configuration

Adding environment configuration

x

Deleting environment configuration

x

Modifying environment configuration

x

Obtaining an instance

Deleting an instance

x

Modifying an instance

x

Querying a monitoring item

Modifying a monitoring item

x

Obtaining collection status

Obtaining a custom alarm policy

Deleting a custom alarm policy

x

Modifying a custom alarm policy

x

Creating a custom alarm policy

x

Obtaining the environment topology

Obtaining a metric view

Obtaining the trace list

Obtaining trace details

Obtaining collector information

Obtaining an access key

x

Modifying an access key

x

Deleting an access key

x

Adding an access key

x

Obtaining general configuration

Modifying general configuration

x

Querying Agent statistics