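FullAccess Sensitive Permission Configuration
The DBSS full permission set involves some sensitive user permissions, such as order payment, OBS bucket creation and file upload, and agency creation and agency permission settings.
Because these permissions have a significant impact on user assets, they are not included in the system's preset permission set; instead, they are described in this document and must be added manually by the user.
The sensitive permissions are described in Table 1. The permission details are as follows: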
"obs:bucket:CreateBucket", "obs:object:PutObject", "bss:order:pay", "iam:agencies:createAgency", "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnEnterpriseProject", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:grantRoleToAgencyOnProject"
| Sensitive permission | Usage scenario | Global permission? | Sensitive permission workaround |
|---|---|---|---|
| obs:bucket:CreateBucket | | Yes | |
| obs:object:PutObject | When the agent is deployed in a CCE scenario, the instance configuration information is uploaded to an OBS bucket. | Yes | |
| iam:agencies:createAgency iam:permissions:grantRoleToAgency iam:permissions:grantRoleToAgencyOnEnterpriseProject iam:permissions:grantRoleToAgencyOnDomain iam:permissions:grantRoleToAgencyOnProject | | Yes | |
| bss:order:pay | When an audit instance is purchased, the order is paid. | No | |
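
Because these permissions are added by hand, it helps to check which of them a given custom policy actually grants. The following is an added example, not part of the original documentation: it audits a policy document against the eight actions listed above. The policy JSON shape (`Version`, `Statement`, `Effect`, `Action`), wildcard matching, and Deny taking precedence over Allow are assumptions about the IAM custom policy format, and the sample policy is constructed.

```python
import json
from fnmatch import fnmatchcase

# Sensitive actions listed on this page, mapped to the page's "global permission" flag.
SENSITIVE = {
    "obs:bucket:CreateBucket": True,
    "obs:object:PutObject": True,
    "bss:order:pay": False,
    "iam:agencies:createAgency": True,
    "iam:permissions:grantRoleToAgency": True,
    "iam:permissions:grantRoleToAgencyOnEnterpriseProject": True,
    "iam:permissions:grantRoleToAgencyOnDomain": True,
    "iam:permissions:grantRoleToAgencyOnProject": True,
}

def _matches(patterns, action):
    # Case-insensitive wildcard match; over-reporting is the safe side for an audit.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Return {action: {"granted": bool, "global": bool}} for each sensitive action."""
    allow, deny = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow":
            allow.extend(actions)
        elif stmt.get("Effect") == "Deny":
            deny.extend(actions)
    report = {}
    for action, is_global in SENSITIVE.items():
        # Assumption: an explicit Deny overrides any matching Allow.
        granted = _matches(allow, action) and not _matches(deny, action)
        report[action] = {"granted": granted, "global": is_global}
    return report

# Constructed sample policy (not from the page): a wildcard Allow plus an explicit Deny.
SAMPLE_POLICY = json.loads("""
{"Version": "1.1",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["obs:object:PutObject", "iam:permissions:*", "bss:order:pay"]},
   {"Effect": "Deny", "Action": ["iam:permissions:grantRoleToAgencyOnDomain"]}]}
""")

if __name__ == "__main__":
    for action, info in audit_policy(SAMPLE_POLICY).items():
        state = "GRANTED" if info["granted"] else "absent"
        print(f"{state:8} global={info['global']} {action}")
```

Statements with `Condition` or `Resource` restrictions are still reported as granted, so a hit means "review this policy", not "unrestricted access".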