Permissions Management

If you need to assign different permissions to employees in your enterprise to access your DBSS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides functions such as identity authentication, permissions management, and access control.

With IAM, you can create IAM users and assign permissions to control their access to specific resources. For example, some software developers in your enterprise need to use DBSS resources but should not be allowed to delete them or perform any high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using DBSS resources.

If your account does not require individual IAM users for permissions management, you can skip this section.

IAM can be used free of charge. You pay only for the resources in your account.

For details about IAM, see What is IAM?

DBSS Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. After authorization, the user can perform specified operations on BMS based on the permissions.

DBSS is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for ECSs in the selected projects. If you set Scope to All resources, the users have permissions for ECSs in all region-specific projects. When accessing DBSS, the users need to switch to a region where they have been authorized to use cloud services.

You can grant permissions by using roles and policies.

Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage a certain type of ECSs. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For details about the API actions supported by DBSS, see section "Permissions and Supported Actions".

Table 1 describes all the system-defined DBSS roles.

**Table 1** System roles supported by DBSS
Role Name	Description	Dependency
DBSS System Administrator	Users with this set of permissions can perform the following operations on database audit: Purchasing an instance Starting, disabling, and restarting an instance Obtaining the instance list Obtaining the basic information of an instance Obtaining the audit statistics Obtaining the monitoring information Obtaining the operation logs Managing databases Managing agents Configuring email notifications Backup and restoration	To purchase an instance, users must have the VPC Administrator, ECS Administrator, and BSS Administrator roles. VPC Administrator: Users with this set of permissions can perform all execution permission for Virtual Private Cloud (VPC). It is a project-level role, which must be assigned in the same project. ECS Administrator: Users with this set of permissions can perform any operations on an ECS. It is a project-level role, which must be assigned in the same project. BSS Administrator: Users with this set of permissions can perform any operation on menu items on pages My Account, Billing Center, and Resource Center. It is a project-level role, which must be assigned in the same project.
DBSS Audit Administrator	Users with this set of permissions can perform the following operations on database audit: Obtaining the instance list Obtaining the basic information of an instance Obtaining the audit statistics Obtaining the report results Obtaining the rule information Obtaining the statement information Obtaining the session information Obtaining the monitoring information Obtaining the operation logs Obtaining the database list Managing reports	None
DBSS Security Administrator	Users with this set of permissions can perform the following operations on database audit: Obtaining the instance list Obtaining the basic information of an instance Obtaining the audit statistics Obtaining the report results Obtaining the rule information Obtaining the statement information Obtaining the session information Obtaining the monitoring information Obtaining the operation logs Obtaining the database list Configuring audit rules Configuring alarm notifications Managing reports	None

Table 2 lists the common operations supported by each system-defined permission of DBSS. Select the permissions as needed.

**Table 2** Common operations supported by each system-defined permission
Operation	DBSS System Administrator	DBSS Audit Administrator	DBSS Security Administrator
Purchasing an instance	√	×	√
Starting, disabling, and restarting an instance	√	×	×
Obtaining the instance list	√	×	×
Obtaining the basic information of an instance	√	√	√
Obtaining the audit statistics	√	√	√
Obtaining the monitoring information	√	√	√
Obtaining the operation logs	√	√	√
Managing databases	√	×	×
Managing agents	√	×	×
Configuring email notifications	√	×	×
Backup and restoration	√	√	×
Obtaining the report results	√	√	√
Obtaining the rule information	√	√	√
Obtaining the statement information	√	√	√
Obtaining the session information	√	√	√
Obtaining the database list	√	√	√
Managing reports	×	√	×
Configuring audit rules	×	×	√
Configuring alarm notifications	×	×	×