Minimizing Agency Permissions
Scenario and Objectives
In earlier versions, the dlg_agency automatically created by DataArts Studio has the administrator permissions of the following services by default: GaussDB(DWS), MRS, RDS, OBS, SMN, and KMS. To prevent risks caused by excessive permissions, the dlg_agency automatically created in some regions only has the minimum operation permissions for related cloud services. In addition, one-click permission minimization is supported for existing agencies.
During one-click optimization of DataArts Studio agency permissions, the system first grants the minimum permissions to the dlg_agency and then deletes excessive permissions. However, it may take up to 10 minutes for the permissions granted to dlg_agency to take effect. During this period, an error may occur due to insufficient permissions. In this case, you are advised to manually optimize the agency permissions. If agency permission minimization is not supported in your region, you also need to manually minimize agency permissions.
Notes and Constraints
- DataArts Security requires more permissions of cloud services, which are not included in the default permissions of the dlg_agency. Before using DataArts Security, you need to grant required permissions to the dlg_agency by referring to Authorizing dlg_agency.
-
It may take up to 10 minutes for the permissions granted to the dlg_agency to take effect. After performing the operations in Configuring Minimum Permissions, wait for about 10 minutes before performing the operations in Deleting Excessive Preset Permissions.
Configuring Minimum Permissions
- Log in to the IAM console using the a Huawei account.
- Choose Agencies in the navigation pane on the left and locate the default dlg_agency created by the system.
Figure 1 dlg_agency
- Click Authorize in the Operation column. On the displayed Authorize Agency page, enter DataArts Agency in the search box above the policy list, select all the 11 preset policies for minimum agency permissions, and click Next.
Figure 2 Selecting the preset policies for minimum agency permissions
- On the displayed Select Scope page, select the scope (All resources by default), and click OK to grant the minimum permissions to dlg_agency.
Deleting Excessive Preset Permissions
It may take up to 10 minutes for the permissions granted to the dlg_agency to take effect. After performing the operations in Configuring Minimum Permissions, wait for about 10 minutes before performing the operations in Deleting Excessive Preset Permissions.
- After granting the minimum permissions to dlg_agency, go back to the Agencies page and locate dlg_agency.
- Click the dlg_agency name. On the displayed page, click the Permissions tab, select all the permissions except those starting with DataArts Agency, and click Delete above the list.
Figure 3 Deleting excessive permissions
- After the excessive permissions are deleted, minimum permissions have been configured for the default dlg_agency.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot