Permissions Management

If you need to assign different permissions to employees in your enterprise to access your FlexusL resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access your resources.

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, you can create IAM users for software developers and assign specific permissions to allow them to use FlexusL instance resources but prevent them from being able to delete resources or perform any high-risk operations.

If your account does not need individual IAM users for permissions management, skip this section.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see What Is IAM?

FlexusL Instance Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they have been added to and can then perform specified operations on cloud services.

FlexusL is a global service. FlexusL permissions are assigned to users in the global project, and users do not need to switch regions when accessing FlexusL.

Table 1 lists the system-defined policies of FlexusL instances.

**Table 1** System-defined policies for FlexusL instances
Policy Name	Description	Policy Content
CORS FullAccess	Administrator permissions. Users granted these permissions can perform all operations allowed on each service in the FlexusL service package, including creating, deleting, querying, and modifying services.	CORS FullAccess Policy Content
CORS ReadOnlyAccess	Common user permissions. Users with these permissions can only perform query operations.	CORS ReadOnlyAccess Policy Content

Table 2 lists the common operations supported by system-defined policies for FlexusL.

**Table 2** Relationships between FlexusL instance operations and system-defined policies
Operation	CORS FullAccess	CORS ReadOnlyAccess
Creation	√	x
Remotely logging in to a FlexusL instance from the console	√	x
Viewing resource cards	√	√
Querying details	√	√
Modification	√	x
Startup	√	x
Shutdown	√	x
Restart	√	x
Unsubscription	√	x
Reinstallation	√	x
Changing an OS	√	x
Changing specifications	√	x

Helpful Links

What Is IAM?

CORS FullAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cors:*:*"
            ]
        }
    ]
}

CORS ReadOnlyAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cors:*:get",
                "cors:*:list"
            ]
        }
    ]
}

Previous topic: Unsubscribing from FlexusL Instances

Next topic: Constraints