Updated on 2024-11-04 GMT+08:00

System-Defined Policies

Table 1 GES system-defined policies

Policy name: GES FullAccess
Description: Permissions for all operations on GES, including creating, deleting, accessing, and updating graphs.
NOTE:
  • Users granted this policy also need the Tenant Guest, Server Administrator, and VPC Administrator permissions.
  • To bind or unbind an EIP, you also need the Security Administrator role, because the operation creates an agency. The Security Administrator role has extensive permissions; to keep to least privilege, replace it with a custom policy that allows only the following actions: iam:permissions:listRolesForAgencyOnD, iam:permissions:listRolesForAgency, iam:roles:listRoles, iam:permissions:listRolesForAgencyOnProject, iam:agencies:listAgencies, iam:roles:createRole, iam:permissions:grantRoleToAgencyOnDomain, iam:agencies:getAgency, iam:agencies:createAgency, iam:roles:updateRole, iam:permissions:grantRoleToAgency, and iam:permissions:grantRoleToAgencyOnProject.
  • To use resources stored on OBS for other services, you need the OBS OperateAccess permission. OBS is a global service, so the corresponding OBS policy is found in the Global service project scope.
  • When granting GES FullAccess to an enterprise project, you also need to configure the following permission policies in IAM:

Policy name: GES Development
Description: Operator permissions for all operations except creating, deleting, resizing, and expanding graphs.
NOTE:
  • To bind or unbind an EIP, you also need the Security Administrator role, because the operation creates an agency. The Security Administrator role has extensive permissions; to keep to least privilege, replace it with a custom policy that allows only the following actions: iam:permissions:listRolesForAgencyOnD, iam:permissions:listRolesForAgency, iam:roles:listRoles, iam:permissions:listRolesForAgencyOnProject, iam:agencies:listAgencies, iam:roles:createRole, iam:permissions:grantRoleToAgencyOnDomain, iam:agencies:getAgency, iam:agencies:createAgency, iam:roles:updateRole, iam:permissions:grantRoleToAgency, and iam:permissions:grantRoleToAgencyOnProject.
  • To use resources stored on OBS for other services, you need the OBS OperateAccess permission. OBS is a global service, so the corresponding OBS policy is found in the Global service project scope.

Policy name: GES ReadOnlyAccess
Description: Read-only permissions for viewing resources such as graphs, metadata, and backup data.
NOTE:
  • To use resources stored on OBS for other services, you need the OBS OperateAccess permission. OBS is a global service, so the corresponding OBS policy is found in the Global service project scope.

An OBS role takes about 13 minutes to take effect after being applied to a user or group; a policy takes about 5 minutes. Do not treat a freshly granted permission as active until that window has passed.
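The notes above replace the broad Security Administrator role with a custom policy limited to the agency-related IAM actions they list. The following is an added example, not code from the GES documentation: it builds that custom policy document and checks any other policy document against the same allow-list, so an over-broad grant (a wildcard such as iam:*, or an unrelated action) is caught before it is attached to a user group. The policy layout (Version "1.1", a Statement list with Effect and Action) is assumed to match the JSON view of a custom policy in the IAM console; the first action in the list is copied as printed on the page, where it appears truncated.

```python
"""Least-privilege replacement for the Security Administrator role.

Added example, not part of the GES documentation. Builds a custom IAM policy
that allows only the agency-related actions named in the notes above and
lints an arbitrary policy document against that allow-list.
"""
import json

# Actions named in the notes above, copied as printed. The first entry is
# truncated on the documentation page; confirm it against the IAM action
# reference before using this policy.
AGENCY_ACTIONS = [
    "iam:permissions:listRolesForAgencyOnD",
    "iam:permissions:listRolesForAgency",
    "iam:roles:listRoles",
    "iam:permissions:listRolesForAgencyOnProject",
    "iam:agencies:listAgencies",
    "iam:roles:createRole",
    "iam:permissions:grantRoleToAgencyOnDomain",
    "iam:agencies:getAgency",
    "iam:agencies:createAgency",
    "iam:roles:updateRole",
    "iam:permissions:grantRoleToAgency",
    "iam:permissions:grantRoleToAgencyOnProject",
]


def build_agency_policy(actions=AGENCY_ACTIONS):
    """Return the custom policy document that replaces Security Administrator.

    The Version/Statement/Effect/Action layout is assumed to match the JSON
    view of a custom policy in the IAM console.
    """
    return {
        "Version": "1.1",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions)}],
    }


def excess_actions(policy, allowed=AGENCY_ACTIONS):
    """List the Allow actions in `policy` that go beyond `allowed`.

    Any wildcard action ("iam:*", "iam:agencies:*") is reported whole: a
    pattern can match actions outside the allow-list, which is exactly the
    over-grant this check exists to catch.
    """
    allowed = set(allowed)
    excess = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt.get("Action", []):
            if "*" in action or action not in allowed:
                excess.append(action)
    return excess


# Constructed example of a policy to reject: it reaches well past agency
# management even though it also contains a permitted action.
OVERBROAD_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:agencies:createAgency",
                "iam:*",
                "iam:users:deleteUser",
            ],
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_agency_policy(), indent=4))
    print("excess in constructed policy:", excess_actions(OVERBROAD_POLICY))
```

Run the lint against every custom policy you attach alongside GES FullAccess or GES Development; an empty result means the policy grants nothing beyond the twelve actions the page names.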

Table 2 Common operations supported by each system-defined policy

Operation | GES FullAccess | GES Development | GES ReadOnlyAccess | Resource
Querying the graph list | Yes | Yes | Yes | -
Querying graph details | Yes | Yes | Yes | graphName
Creating graphs | Yes | No | No | graphName
Accessing graphs | Yes | Yes | No | graphName
Stopping graphs | Yes | Yes | No | graphName
Starting graphs | Yes | Yes | No | graphName
Deleting graphs | Yes | No | No | graphName
Importing incremental data into graphs | Yes | Yes | No | graphName
Exporting graphs | Yes | Yes | No | graphName
Clearing graphs | Yes | Yes | No | graphName
Upgrading graphs | Yes | Yes | No | graphName
Resizing a graph | Yes | No | No | graphName
Expanding a graph | Yes | No | No | graphName
Restarting a graph | Yes | (not stated) | No | graphName
Binding EIPs | Yes | Yes | No | graphName
Unbinding an EIP | Yes | Yes | No | graphName
Querying backups of all graphs | Yes | Yes | Yes | -
Querying backups of a graph | Yes | Yes | Yes | -
Adding backups | Yes | Yes | No | backupName
Deleting a graph backup | Yes | Yes | No | backupName
Querying the metadata list | Yes | Yes | Yes | -
Querying metadata | Yes | Yes | Yes | metadataName
Verifying metadata | Yes | Yes | No | -
Adding metadata | Yes | Yes | No | metadataName
Deleting metadata | Yes | Yes | No | metadataName
Querying task statuses | Yes | Yes | Yes | -
Querying the task list | Yes | Yes | Yes | -
Configuring fine-grained permissions | Yes | (not stated) | No | -
Configuring user groups | Yes | (not stated) | No | -
Importing IAM users | Yes | (not stated) | No | -
Viewing user details | Yes | Yes | (not stated) | -

(not stated): the page gives no value for this cell. Treat such a cell as "not granted" until confirmed in the IAM console.
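Table 2 is the input to a least-privilege decision: pick the narrowest system-defined policy that still covers what a user or service account has to do, and review what that policy hands out on top. The following is an added example, not code from the GES documentation. It encodes the rows of Table 2, selects the narrowest covering policy for a required set of operations, and lists the excess grants; cells the page leaves unstated are encoded as None and treated as not granted. The sample job ("batch loader") is constructed for the example.

```python
"""Least-privilege selection over the GES operation matrix in Table 2.

Added example, not part of the GES documentation. The matrix below is a
transcription of Table 2; None marks a cell the page leaves unstated and is
treated as not granted.
"""

COLUMNS = ("GES FullAccess", "GES Development", "GES ReadOnlyAccess")

# operation -> (FullAccess, Development, ReadOnlyAccess), as in Table 2.
MATRIX = {
    "Querying the graph list": (True, True, True),
    "Querying graph details": (True, True, True),
    "Creating graphs": (True, False, False),
    "Accessing graphs": (True, True, False),
    "Stopping graphs": (True, True, False),
    "Starting graphs": (True, True, False),
    "Deleting graphs": (True, False, False),
    "Importing incremental data into graphs": (True, True, False),
    "Exporting graphs": (True, True, False),
    "Clearing graphs": (True, True, False),
    "Upgrading graphs": (True, True, False),
    "Resizing a graph": (True, False, False),
    "Expanding a graph": (True, False, False),
    "Restarting a graph": (True, None, False),
    "Binding EIPs": (True, True, False),
    "Unbinding an EIP": (True, True, False),
    "Querying backups of all graphs": (True, True, True),
    "Querying backups of a graph": (True, True, True),
    "Adding backups": (True, True, False),
    "Deleting a graph backup": (True, True, False),
    "Querying the metadata list": (True, True, True),
    "Querying metadata": (True, True, True),
    "Verifying metadata": (True, True, False),
    "Adding metadata": (True, True, False),
    "Deleting metadata": (True, True, False),
    "Querying task statuses": (True, True, True),
    "Querying the task list": (True, True, True),
    "Configuring fine-grained permissions": (True, None, False),
    "Configuring user groups": (True, None, False),
    "Importing IAM users": (True, None, False),
    "Viewing user details": (True, True, None),
}


def granted(policy, operation):
    """True only when Table 2 states Yes for this policy/operation pair."""
    return MATRIX[operation][COLUMNS.index(policy)] is True


def operations_of(policy):
    """All operations Table 2 states the policy grants."""
    return {op for op in MATRIX if granted(policy, op)}


def narrowest_policy(required):
    """Least-privileged system policy whose grants cover every required operation.

    Policies are tried from narrowest to broadest; the first whose granted
    set is a superset of `required` wins. Returns None if no system policy
    covers the set. Unknown operation names raise KeyError rather than being
    silently ignored.
    """
    required = set(required)
    for op in required:
        MATRIX[op]
    for policy in reversed(COLUMNS):
        if required <= operations_of(policy):
            return policy
    return None


def excess_grants(policy, required):
    """Operations the policy grants that the task does not need (sorted)."""
    return sorted(operations_of(policy) - set(required))


if __name__ == "__main__":
    # Constructed requirement: a batch loader that imports data, then backs up.
    batch_loader = [
        "Querying graph details",
        "Importing incremental data into graphs",
        "Adding backups",
    ]
    policy = narrowest_policy(batch_loader)
    print("narrowest covering policy:", policy)
    for op in excess_grants(policy, batch_loader):
        print("  also granted:", op)
```

When the excess list contains operations you would not want that principal to have (for example Clearing graphs or Deleting a graph backup for a loader), the answer is a custom policy scoped to the Resource column rather than the next system-defined policy down.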