Updated on 2025-10-27 GMT+08:00

Permissions Management

If you need to give employees in your enterprise different permissions for accessing the KooPhone resources you have purchased, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you efficiently manage access to your cloud resources. This permission setting applies only to the KooPhone service, not to the KooPhone client.

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, if you want operations personnel to have the permissions to use KooPhone but do not want them to have the permissions to delete KooPhone, you can create IAM users for the personnel and grant them only the permissions to use KooPhone. However, the KooPhone permission policy cannot be deleted to control the usage scope of KooPhone resources.

If your account does not need individual IAM users for permissions management, you can skip this section and use other KooPhone functions normally.

IAM is a free service. You pay only for the resources in your account. For more information about IAM, see What Is IAM?

KooPhone Permissions

New IAM users have no permissions by default. Add them to one or more groups, and then attach policies or roles to these groups to grant specific operation permissions on cloud services.

KooPhone is a project-level service deployed and accessed in specific physical regions. When granting permissions, set Scope to Regional-level projects and set permissions in the project (for example, cn-north-4) corresponding to the specified region (for example, CN North-Beijing4). The permissions take effect only for this project. If you set permissions for All projects, the permissions will take effect for all region-specific projects. When accessing KooPhone, you need to switch to the authorized region.

You can grant permissions by using roles or policies.

  • Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on job responsibilities. Only a limited number of service-level roles are available. When you use roles to grant permissions, you must also assign the other roles that those permissions depend on for them to take effect. Roles are not ideal for fine-grained authorization and least permission access.
  • Policies: A fine-grained authorization tool, provided by IAM, that defines the permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least permission access. For example, for KooPhone, the administrator can restrict IAM users to performing specified operations only on a certain module.

Table 1 lists all the system roles supported by KooPhone. This permission setting applies only to the KooPhone service, but not to the KooPhone client.

Table 1 KooPhone system permissions

| Role/Policy Name | Description | Type | Role Content |
| --- | --- | --- | --- |
| KooPhone Administrator | Role that has all KooPhone operation rights. Users of this role can have all permissions supported by KooPhone. | System-defined role | Content of the KooPhone Administrator Role |
| KooPhone ReadOnlyUser | User who has the read-only permission on KooPhone. | System-defined role | Content of the KooPhone ReadOnlyUser Role |

Table 2 lists the common operations supported by system-defined permissions for KooPhone. You can choose proper permissions according to this table.

Table 2 Common operations supported by system-defined permissions for KooPhone

| Operation | KooPhone Administrator | KooPhone ReadOnlyUser |
| --- | --- | --- |
| Purchase cloud phones | √ | × |
| View organization and user details | √ | √ |
| Create an organization | √ | × |
| Add a department | √ | × |
| Add a member | √ | × |
| Query cloud phone instances (name and specifications) | √ | √ |
| Set parameters in the instance list | √ | × |
| Restart cloud phone instances | √ | × |
| Power on cloud phone instances | √ | × |
| Power off cloud phone instances | √ | × |
| Renew the service | √ | × |
| Unsubscribe from the service | √ | × |
| Uninstall an app | √ | × |
| Delete cloud phone instances | √ | × |
| Bind/Unbind a user | √ | × |
| Query details about a deployment | √ | √ |
| Upload an app | √ | × |
| Uninstall an app | √ | × |
| Install an app | √ | × |
| Query security control details | √ | √ |
| Enable anti-screen capture | √ | × |
| Disable anti-screen capture | √ | × |
| Enable video watermark | √ | × |
| Disable video watermark | √ | × |
| Delete app blacklists/whitelists in batches | √ | × |
| Create an app blacklist/whitelist | √ | × |
| Enable the app blacklist/whitelist | √ | × |
| Disable the app blacklist/whitelist | √ | × |
| Modify an app blacklist/whitelist | √ | × |
| Delete an app blacklist/whitelist | √ | × |
| Enable encrypted transmission | √ | × |
| Disable encrypted transmission | √ | × |

References

Content of the KooPhone Administrator Role

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "Koophone:*:*"
            ]
        }
    ]
}

Content of the KooPhone ReadOnlyUser Role

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "Koophone:*get*",
                "Koophone:*list*"
            ],
            "Effect": "Allow"
        }
    ]
}
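
The following is an added example, not part of the original page or of Huawei Cloud's code: a small evaluator and least-privilege reviewer for policy documents in the format of the two role contents above. It assumes `*` is a glob-style wildcard compared case-insensitively and that Deny takes precedence over Allow; the action names in `SAMPLE_ACTIONS` are constructed for illustration and are not taken from the KooPhone API.

```python
import json
from fnmatch import fnmatchcase

# The two role contents from this page, as valid JSON.
ADMIN = json.loads('{"Version": "1.1", "Statement": '
                   '[{"Effect": "Allow", "Action": ["Koophone:*:*"]}]}')
READONLY = json.loads('{"Version": "1.1", "Statement": [{"Effect": "Allow", '
                      '"Action": ["Koophone:*get*", "Koophone:*list*"]}]}')


def matches(pattern, action):
    """Assumed semantics: '*' matches any run of characters, case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Assumed evaluation: Deny wins over Allow; no matching statement means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def breadth(pattern):
    """Classify how wide an action pattern is, for least-privilege review."""
    _service, _, rest = pattern.partition(":")
    segments = rest.split(":")
    if all(seg == "*" for seg in segments):
        return "all-actions"       # e.g. Koophone:*:* grants every action
    if any("*" in seg and seg != "*" for seg in segments):
        return "substring"         # e.g. Koophone:*get* matches "get" anywhere
    return "segment-wildcard" if "*" in rest else "exact"


def review(policy):
    """Return the Allow patterns that are broader than one named action."""
    return [(p, breadth(p)) for s in policy["Statement"] if s["Effect"] == "Allow"
            for p in s["Action"] if breadth(p) != "exact"]


# Constructed action names for illustration only; not taken from the KooPhone API.
SAMPLE_ACTIONS = ["Koophone:instance:get", "Koophone:instance:list",
                  "Koophone:instance:delete", "Koophone:instance:restart"]

if __name__ == "__main__":
    for a in SAMPLE_ACTIONS:
        print(a, "admin:", is_allowed(ADMIN, a), "readonly:", is_allowed(READONLY, a))
    print(review(ADMIN), review(READONLY))
```

Running `review()` on a custom policy before attaching it to a group shows which statements grant more than a single named action.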