Updated on 2024-07-16 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your KooPhone resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you efficiently manage access to your cloud resources.

With IAM, you can use your account to create IAM users and assign permissions to them to control their access to specific resources. For example, if you want operation personnel to have the permission to use KooPhone but do not want them to have the permission to delete KooPhone, you can create IAM users for operation personnel and grant them only the permission to use KooPhone, but not the permission to delete KooPhone resources, to control the usage scope of KooPhone resources.

If your account does not need individual IAM users for permissions management, skip this section.

IAM is a free service. You pay only for the resources in your account. For more information about IAM, see What Is IAM?

KooPhone Rights

New IAM users do not come with default permissions, so add them to one or more groups and then attach policies or roles to these groups to grant specific operation permissions on cloud services.

VIAS is a project-level service deployed and accessed in specific physical regions. When granting permissions, set Scope to Regional-level projects and set permissions in the cn-north-4 project corresponding to the specified region (for example, CN North-Beijing4). The permissions take effect only for this project. If you set permissions for All projects, the permissions will take effect for all region-specific projects. When accessing KooPhone, the users need to switch to the authorized region.

You can grant permissions by using roles or policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available. When you use roles to grant permissions, you must also assign any other roles that the permissions depend on for them to take effect. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization strategy that defines the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism enables more flexible authorization and meets secure access control requirements. For example, for KooPhone, the administrator can allow IAM users to perform only specified operations on a certain module.

Table 1 lists all the system roles supported by KooPhone.

Table 1 KooPhone system permissions

| Role/Policy Name | Description | Type | Role Content |
|---|---|---|---|
| KooPhone Administrator | Role that has all KooPhone operation rights. Users with this permission can have all rights supported by KooPhone. | Role | Content of the KooPhone Administrator Role |
| KooPhone ReadOnlyUser | User who has the read-only permission on KooPhone. | System-defined roles | Content of the KooPhone ReadOnlyUser Role |

Table 2 lists the common operations supported by system-defined permissions for KooPhone.

Table 2 Common operations supported by system-defined permissions

| Operation | KooPhone Administrator | KooPhone ReadOnlyUser |
|---|---|---|
| Buy a cloud phone | √ | × |
| View organizations and users details | √ | √ |
| Create an organization | √ | × |
| Add a department | √ | × |
| Add a member | √ | × |
| Query cloud phone instances (cloud phone status and name) | √ | √ |
| Parameters in the customized instance list | √ | × |
| Restart a cloud phone instance | √ | × |
| Power on a cloud phone instance | √ | × |
| Power off a cloud phone instance | √ | × |
| Renewals | √ | × |
| Unsubscribe the service | √ | × |
| Uninstall an app | √ | × |
| Delete a cloud phone instance | √ | × |
| Bind/Unbind a user | √ | × |
| Query details about a deployment | √ | √ |
| Upload an app | √ | × |
| Uninstall an app | √ | × |
| Install an app | √ | × |
| Query security control details | √ | √ |
| Enable anti-screen capture | √ | × |
| Disable anti-screen capture | √ | × |
| Enable video watermark | √ | × |
| Disable video watermark | √ | × |
| Batch deletion (app blacklist and whitelist) | √ | × |
| Create a list (app blacklist and whitelist) | √ | × |
| Enable (app blacklist and whitelist) | √ | × |
| Disable (app blacklist and whitelist) | √ | × |
| Modify blacklist/whitelist | √ | × |
| Delete (app blacklist and whitelist) | √ | × |
| Enable encrypted transmission | √ | × |
| Disable encrypted transmission | √ | × |

References

Content of the KooPhone Administrator Role

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "Koophone:*:*"
            ]
        }
    ]
}

Content of the KooPhone ReadOnlyUser Role

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "Koophone:*get*",
                "Koophone:*list*"
            ],
            "Effect": "Allow"
        }
    ]
}
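
The following is an added example, not part of the original KooPhone documentation: a small Python check for reviewing role or custom policy documents in the format shown above before they are attached to a user group. It goes beyond the two system roles by also handling Deny statements (an explicit Deny takes precedence over Allow). The action names in SAMPLE_ACTIONS are constructed for illustration, and glob-style, case-insensitive matching of "*" is an assumption.

```python
import json
from fnmatch import fnmatchcase

# The two system role documents from this page.
ADMIN = json.loads('{"Version": "1.1", "Statement": '
                   '[{"Effect": "Allow", "Action": ["Koophone:*:*"]}]}')
READONLY = json.loads('{"Version": "1.1", "Statement": [{"Effect": "Allow", '
                      '"Action": ["Koophone:*get*", "Koophone:*list*"]}]}')

# Constructed action names for illustration only; real KooPhone action
# names must be taken from the service's own permission reference.
SAMPLE_ACTIONS = [
    "Koophone:instance:get",
    "Koophone:instance:list",
    "Koophone:instance:restart",
    "Koophone:instance:delete",
    "Koophone:app:install",
]

def _matches(pattern, action):
    # Assumption: "*" matches any run of characters, case-insensitively.
    return fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action):
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def allowed_actions(policy, actions=SAMPLE_ACTIONS):
    """Subset of the given action names that the policy grants."""
    return [a for a in actions if is_allowed(policy, a)]

def full_wildcard_grants(policy):
    """Allow patterns whose every segment after the service name is '*'."""
    return [p for s in policy["Statement"] if s["Effect"] == "Allow"
            for p in s["Action"] if set(p.split(":")[1:]) == {"*"}]

if __name__ == "__main__":
    for name, pol in (("Administrator", ADMIN), ("ReadOnlyUser", READONLY)):
        print(name, allowed_actions(pol), full_wildcard_grants(pol))
```

Run it against a custom policy before granting it: a non-empty result from full_wildcard_grants means the policy is equivalent in scope to KooPhone Administrator.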