Updated on 2025-06-06 GMT+08:00

Permissions Management

If you need to grant your enterprise personnel permission to access your CodeArts Governance resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your cloud resources.

With IAM, you can create IAM users and grant them permissions to access only specific resources. For example, some software developers in your enterprise need to use CodeArts Governance resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using CodeArts Governance resources.

If your cloud account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account. For details, see IAM Service Overview.

CodeArts Governance Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. After that, users can perform operations on cloud services.

CodeArts Governance is a project-level service deployed and accessed in specific physical regions. To assign CodeArts Governance permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When users access CodeArts Governance, they need to switch to a region where they have been authorized to use this service.

You can grant users permissions by using roles and policies.

  • Roles: A type of coarse-grained authorization mechanism first provided by IAM to define permissions related to user responsibilities. Only a limited number of service-level roles are available for authorization. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization mechanism that IAM introduced more recently to define the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible authorization and helps you meet stricter access control requirements. For example, you can grant ECS users only the permissions for managing a certain type of ECS. Most policies define permissions based on APIs.

Table 1 lists all the system-defined permissions for CodeArts Governance.

Table 1 System-defined permissions

| Role/Policy | Description | Type | Dependency |
|---|---|---|---|
| CodeArtsInspector Administrator | Full permissions for CodeArts Governance | System-defined role | None. |
| Tenant Administrator | Full permissions for CodeArts Governance | System-defined role | None. |
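Both roles in Table 1 grant full permissions, so the project scope chosen for a user group is the only control that narrows them. The following added example (not Huawei Cloud code) resolves users through groups to per-project access and lists full-permission grants scoped to All projects; the data model, user names, group names, and project names are constructed assumptions, not an IAM export format.

```python
# Added example. The data model is constructed; it is not an IAM API or export format.
FULL_ACCESS_ROLES = {"CodeArtsInspector Administrator", "Tenant Administrator"}  # Table 1
ALL_PROJECTS = "All projects"

# Constructed sample data (hypothetical users, groups and region-specific projects).
REGION_PROJECTS = ["region-a", "region-b"]
MEMBERSHIPS = {"alice": ["dev"], "bob": ["ops"], "carol": []}
GRANTS = {  # group -> list of (role, scope); scope is ALL_PROJECTS or a project list
    "dev": [("CodeArtsInspector Administrator", ["region-a"])],
    "ops": [("Tenant Administrator", ALL_PROJECTS)],
}

def effective_access(user, memberships=MEMBERSHIPS, grants=GRANTS, projects=REGION_PROJECTS):
    """Map each region-specific project to the Table 1 roles the user holds there."""
    access = {}
    for group in memberships.get(user, []):  # a user in no group has no permissions
        for role, scope in grants.get(group, []):
            if role not in FULL_ACCESS_ROLES:
                continue
            covered = projects if scope == ALL_PROJECTS else scope
            for project in covered:
                if project in projects:
                    access.setdefault(project, set()).add(role)
    return access

def all_project_full_access(memberships=MEMBERSHIPS, grants=GRANTS):
    """List (user, group, role) where a full-permission role is granted on All projects."""
    findings = []
    for user, groups in memberships.items():
        for group in groups:
            for role, scope in grants.get(group, []):
                if role in FULL_ACCESS_ROLES and scope == ALL_PROJECTS:
                    findings.append((user, group, role))
    return sorted(findings)

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        print(user, effective_access(user))
    print("review:", all_project_full_access())
```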