Creating a User and Granting DCS Permissions

Prerequisites

Learn about the permissions (see System-defined roles and policies supported by DCS) supported by DCS and choose policies or roles according to your requirements. For the permissions of other services, see Permissions Policies.

Process Flow

Figure 1 Process of granting DCS permissions

1. Create a user group and assign permissions.

   Create a user group on the IAM console, and assign the DCS ReadOnlyAccess policy to the group.

2. Create an IAM user.

   Create a user on the IAM console and add the user to the group created in 1.

3. Log in and verify permissions.

   Log in to the DCS console using the newly created user, and verify that the user only has read permissions for DCS.

   • Choose Distributed Cache Service in Service List. Then click Buy DCS Instance in the upper right corner of the DCS console. If a DCS instance cannot be purchased, the DCS ReadOnlyAccess policy has already taken effect.
   • Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access the service, the DCS ReadOnlyAccess policy has already taken effect.

DCS Custom Policies

You can create custom policies to supplement the system-defined policies of DCS. For the actions that can be added to custom policies, see Permissions Policies and Supported Actions.

You can create custom policies in either of the following ways:

• Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
• JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following section contains examples of common DCS custom policies.

Due to data caching, a policy involving OBS actions will take effect five minutes after it is attached to a user, user group, or project.

Example Custom Policies

• Example 1: Grant permission to delete and restart DCS instances and clear data of an instance.

  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "
                       dcs:instance:delete
                       dcs:instance:modifyStatus
                   "
              ]
          }
      ]
  }

• Example 2: Grant permission to deny DCS deletion.

  A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

  Assume that you want to grant the permissions of the DCS FullAccess policy to a user but want to prevent them from deleting DCS instances. You can create a custom policy for denying DCS deletion, and attach this policy together with the DCS FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on DCS instances excepting deleting them. Example policy denying DCS deletion:

  {
          "Version": "1.1",
          "Statement": [
                  {
                          "Effect": "Deny",
                          "Action": [
                                  "dcs:instance:delete"
                          ]
                  }
          ]
  }

DCS Resources

A resource is an object that exists within a service. DCS resources include instance. To select these resources, specify their paths.