Configuring FullAccess Sensitive Permissions

Updated on 2024-04-17 GMT+08:00

View PDF

The full permission set of DBSS involves sensitive permissions of some users, such as order payment, OBS bucket creation, file upload, agent creation, and agent permission setting.

These permissions have great impact on user assets. Therefore, they are not added to the preset permission set of the system but need to be manually added by users through description documents.

For details about sensitive permissions, see Table 1. The permission details are as follows:

"obs:bucket:CreateBucket",
"obs:object:PutObject",
"bss:order:pay",
"iam:agencies:createAgency",
"iam:permissions:grantRoleToAgency",
"iam:permissions:grantRoleToAgencyOnEnterpriseProject",
"iam:permissions:grantRoleToAgencyOnDomain",
"iam:permissions:grantRoleToAgencyOnProject"

**Table 1** Description of sensitive permissions
Sensitive Permission Item	Application Scenario	Global Permission or Not	Workaround
obs:bucket:CreateBucket	When the agent is deployed in the CCE scenario, if the OBS bucket where the data is to be uploaded does not exist, this API is called to create an OBS bucket. The name of the OBS bucket to which the data is uploaded is *dbss-audit-agent-{project_id}. project_id* indicates the ID of the project where the current instance is located. In the backup and risk export scenarios, if the selected bucket does not exist, an OBS bucket will be created.	Yes	If no permission application scenarios are involved, you do not need to configure this permission. If permission application scenarios are involved, you can use an authorized account to create an OBS bucket in advance.
obs:object:PutObject	When the agent is deployed in the CCE scenario, the instance configuration information is uploaded to the OBS bucket.	Yes	If no permission application scenarios are involved, you do not need to configure this permission. If you need to use this permission, configure this permission to export instance information.
iam:agencies:createAgency iam:permissions:grantRoleToAgency iam:permissions:grantRoleToAgencyOnEnterpriseProject iam:permissions:grantRoleToAgencyOnDomain iam:permissions:grantRoleToAgencyOnProject	In the backup and risk export scenarios, create an agent named dbss_depend_obs_trust and grant OBS operation permissions to the agent. In the agent-free DWS scenarios, DWS creates an agent named DWSAccessLTS and grants it the permission to access LTS for uploading audit logs to the tenant's LTS. DBSS creates an agent named dbss_dws_lts_trust and grants the LTS access permission to the agent for downloading audit logs from LTS.	Yes	If no permission application scenarios are involved, you do not need to configure this permission. You can use an authorized account to enable this function.
bss:order:pay	Pay for the order when purchasing an audit instance.	No	If no permission application scenarios are involved, you do not need to configure this permission. You can use an authorized account to purchase instances in advance.

Parent topic: Permission Control

Previous topic: DBSS Permissions and Supported Actions

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot