Updated on 2022-06-14 GMT+08:00

Permissions Management

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the users can perform specified operations on DIS based on the permissions.

With IAM, you can use your cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use DIS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DIS resources.

If your cloud account does not need individual IAM users for permissions management, you may skip over this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.

DIS Permissions

DIS is a project-level service deployed in specific physical regions. Therefore, DIS permissions are assigned to users in specific regions (such as CN-Hong Kong) and only take effect for these regions. If you want the permissions to take effect for all regions, you need to assign the permissions to users in each region. When accessing DIS, the users need to switch to a region where they have been authorized to use cloud services.

You can grant users permissions by using roles and policies.

Roles: A coarse-grained authorization mechanism that defines permissions according to user responsibilities. Only a limited number of service-level roles are available for authorization. When you use roles to grant permissions, you also need to assign the other roles on which those permissions depend for them to take effect. Roles are therefore not an ideal choice for fine-grained authorization and secure access control.

Table 1 lists all the system permissions supported by DIS. Dependencies are permissions on which a system permission depends to take effect. For example, some DIS permissions are dependent on the permissions of other services. When assigning DIS permissions to users, you need to also assign dependent policies for the DIS permissions to take effect.

Table 1 DIS system permissions

| System-Defined Role | Description | Dependencies |
| --- | --- | --- |
| DIS Administrator | Administrator permissions for DIS. Users granted these permissions can operate and use all DIS resources. | N/A |
| DIS Operator | Stream management permissions for DIS. Users granted these permissions can manage streams, such as creating or deleting streams, but cannot upload or download data. | N/A |
| DIS User | Stream use permissions for DIS. Users granted these permissions can upload and download data but cannot manage streams. | N/A |

Table 2 lists the common operations supported by each system permission of DIS. Choose proper system permissions according to this table.

Table 2 Common operations supported by each system permission (x: the role does not support the operation; blank cell: supported)

| Operation | DIS Administrator | DIS Operator | DIS User |
| --- | --- | --- | --- |
| Creating streams | | | x |
| Deleting streams | | | x |
| Querying the stream list | | | |
| Querying stream details | | | |
| Viewing stream monitoring information | | | |
| Querying partition monitoring information | | | |
| Obtaining stream consumption information | | | |
| Changing partition quantity | | | x |
| Uploading data | | x | |
| Obtaining data cursors | | x | |
| Downloading data | | x | |
| Creating applications | | | |
| Querying application details | | | |
| Querying the application list | | | |
| Deleting applications | | | |
| Adding checkpoints | | x | |
| Querying checkpoints | | | |
| Deleting checkpoints | | x | |
| Creating dump tasks | | | |
| Querying dump task details | | | |
| Querying the dump task list | | | |
| Deleting dump tasks | | | |
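The following is an added illustration, not code from DIS or IAM, that models the authorization rules this page describes: a user inherits roles only through group membership (so a new user with no groups can do nothing), a role granted in one region has no effect in another, and each system-defined role permits a fixed set of the operations in Table 2. The "x" cells of Table 2 are encoded as the operations a role does not permit, read against the role descriptions in Table 1 (DIS Operator cannot use stream data, DIS User cannot manage streams). The group name, user names and the region name other than CN-Hong Kong are constructed sample values; the `least_privileged_role` helper is an added convenience for choosing the smallest role that covers what a user actually needs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Operations listed in Table 2, keyed by the page's own wording.
ALL_OPERATIONS = frozenset({
    "Creating streams", "Deleting streams", "Querying the stream list",
    "Querying stream details", "Viewing stream monitoring information",
    "Querying partition monitoring information",
    "Obtaining stream consumption information", "Changing partition quantity",
    "Uploading data", "Obtaining data cursors", "Downloading data",
    "Creating applications", "Querying application details",
    "Querying the application list", "Deleting applications",
    "Adding checkpoints", "Querying checkpoints", "Deleting checkpoints",
    "Creating dump tasks", "Querying dump task details",
    "Querying the dump task list", "Deleting dump tasks",
})

# Operations each system-defined role does NOT permit (the "x" cells of
# Table 2, assigned to columns according to the Table 1 role descriptions).
NOT_PERMITTED = {
    "DIS Administrator": frozenset(),
    "DIS Operator": frozenset({
        "Uploading data", "Obtaining data cursors", "Downloading data",
        "Adding checkpoints", "Deleting checkpoints",
    }),
    "DIS User": frozenset({
        "Creating streams", "Deleting streams", "Changing partition quantity",
    }),
}


def role_permits(role: str, operation: str) -> bool:
    """True if the system-defined role allows the Table 2 operation."""
    if role not in NOT_PERMITTED:
        raise ValueError(f"unknown role: {role!r}")
    if operation not in ALL_OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    return operation not in NOT_PERMITTED[role]


@dataclass
class Group:
    name: str
    # (region, role) pairs: DIS is project-level, so a role granted in one
    # region has no effect in any other region.
    grants: set[tuple[str, str]] = field(default_factory=set)


@dataclass
class User:
    name: str
    groups: list[Group] = field(default_factory=list)


def effective_roles(user: User, region: str) -> set[str]:
    """Roles the user inherits from its groups for this region only.
    A new IAM user that belongs to no group inherits nothing."""
    return {role for g in user.groups for (r, role) in g.grants if r == region}


def is_authorized(user: User, region: str, operation: str) -> bool:
    """Allowed if any role inherited for this region permits the operation."""
    return any(role_permits(role, operation)
               for role in effective_roles(user, region))


def least_privileged_role(required: set[str]) -> str | None:
    """The system-defined role that covers every required operation while
    permitting the fewest operations overall; None for an empty request."""
    fitting = [r for r in NOT_PERMITTED
               if all(role_permits(r, op) for op in required)]
    if not required or not fitting:
        return None
    return min(fitting, key=lambda r: len(ALL_OPERATIONS - NOT_PERMITTED[r]))


if __name__ == "__main__":
    # Constructed sample: developers get DIS User in CN-Hong Kong only, so
    # they can use stream data there but cannot delete streams anywhere.
    developers = Group("dis-developers", {("CN-Hong Kong", "DIS User")})
    alice = User("alice", [developers])
    for region in ("CN-Hong Kong", "sample-region-b"):  # second name is a placeholder
        print(region, "upload:", is_authorized(alice, region, "Uploading data"),
              "delete stream:", is_authorized(alice, region, "Deleting streams"))
    print(least_privileged_role({"Creating streams", "Uploading data"}))
```

The developer scenario from the introduction maps directly onto `least_privileged_role`: a team that only uploads and downloads data fits DIS User, a team that only creates and deletes streams fits DIS Operator, and a request that mixes stream management with data use can only be satisfied by DIS Administrator, which is the signal to split the work across two groups rather than grant the broader role.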