Updated on 2024-01-10 GMT+08:00

Enterprise Project Permissions

Administrator: The administrator can perform any operation on the Enterprise Project Management page.

IAM user: An IAM user's permissions are granted by the administrator. After an IAM user logs in to the Enterprise Project Management page, the IAM user sees only the enterprise projects assigned by the administrator, and can only manage the resources allocated by the administrator. If the administrator assigns a policy to an IAM user, the IAM user has all the permissions included in the policy.

The administrator can grant permissions specified in the default policies or custom policies to users. Policies related to enterprise projects include EPS FullAccess, EPS ReadOnlyAccess and Enterprise Project BSS FullAccess. You can configure enterprise project permissions for users in IAM. For details, see the Identity and Access Management User Guide.

The enterprise project permission management feature has been integrated into IAM. You can grant enterprise project permissions to users and user groups on the IAM console. For details, see Assigning Permissions to an IAM User and Creating a User Group and Assigning Permissions.

Table 1 Enterprise Management permissions

Service Name: Enterprise Management

Permission Name: EPS FullAccess

Permission Description:

  • Administrator permissions for Enterprise Management, including enterprise project and personnel management. For example, creating organizations, migrating resources, adding/removing user groups, and attaching policies to user groups. These permissions can be assigned by the administrator in the Global region on the IAM console.
  • Administrator permissions for a specific enterprise project, including modifying, enabling, disabling, and viewing the enterprise project. These permissions can be assigned by the administrator or an IAM user with EPS FullAccess permissions on the Enterprise Management console.

Typically Associated Personnel: Enterprise asset administrators

Permission Name: EPS ReadOnlyAccess

Permission Description: Read-only permissions for a specific or all enterprise projects

  • Read-only permissions for viewing all enterprise projects and user information. These permissions can be assigned by the administrator in the Global region on the IAM console.
  • Read-only permissions for viewing a specific enterprise project. These permissions can be assigned by the administrator or an IAM user with EPS FullAccess permissions on the Enterprise Management console.

Typically Associated Personnel: Enterprise asset query personnel

Permission Name: Enterprise Project BSS FullAccess

Permission Description: Permissions for operations management of enterprise projects. The detailed permissions are as follows:

  • Viewing fund quota settings of enterprise projects
  • Viewing and exporting cost breakdowns of enterprise projects
  • Viewing fund quota adjustment records of enterprise projects
  • Viewing renewals of enterprise projects
  • Enabling or disabling auto-renewal and manual renewal, changing billing mode from pay-per-use to yearly/monthly, and releasing resources
  • Viewing yearly/monthly orders
  • Placing yearly/monthly orders
  • Unsubscribing from resources and viewing unsubscription records
  • Viewing the expenditure summary of enterprise projects
  • Exporting the expenditure summary of enterprise projects
  • Viewing expenditure details of enterprise projects
  • Exporting expenditure details of enterprise projects

NOTE: The order payment permissions of yearly/monthly products are at the account level, and the Enterprise Project BSS FullAccess permissions are specific to IAM users. Therefore, the Enterprise Project BSS FullAccess permissions do not include the order payment permissions of yearly/monthly products.

Typically Associated Personnel: Enterprise asset administrators

Table 2 Common operations and required permissions

| Operation | EPS FullAccess | EPS ReadOnlyAccess | Enterprise Project BSS FullAccess |
|---|---|---|---|
| Viewing resources in an enterprise project | √ | √ | × |
| Creating an enterprise project | √ | × | × |
| Modifying an enterprise project | √ | × | × |
| Enabling an enterprise project | √ | × | × |
| Disabling an enterprise project | √ | × | × |
| Adding a resource to an enterprise project | √ | × | × |
| Removing a resource from an enterprise project | √ | × | × |
| Viewing fund quota settings of an enterprise project | × | × | √ |
| Viewing fund quota adjustment records of an enterprise project | × | × | √ |
| Viewing renewal details of an enterprise project | × | × | √ |
| Enabling or disabling auto-renewal and manual renewal for a resource, changing billing mode from pay-per-use to yearly/monthly for a resource, and releasing a resource | × | × | √ |
| Viewing a yearly/monthly order | × | × | √ |
| Placing a yearly/monthly order | × | × | √ |
| Unsubscribing from resources and viewing unsubscription records | × | × | √ |
| Viewing the expenditure summary of an enterprise project | × | × | √ |
| Exporting the expenditure summary of an enterprise project | × | × | √ |
| Viewing expenditure details of an enterprise project | × | × | √ |
| Exporting expenditure details of an enterprise project | × | × | √ |
| Viewing the cost breakdown information of an enterprise project | × | × | √ |
| Exporting the cost breakdown information of an enterprise project | × | × | √ |

  • EPS FullAccess: This policy grants all EPS permissions. The following is the policy content:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "eps:enterpriseProjects:update",                   //Modify an enterprise project.
                    "eps:enterpriseProjects:create",                   //Create an enterprise project.
                    "eps:enterpriseProjects:enable",                   //Enable an enterprise project.
                    "eps:enterpriseProjects:disable",                  //Disable an enterprise project.
                    "eps:resources:list",                              //Query resources in an enterprise project.
                    "eps:resources:add",                               //Add a resource to an enterprise project.
                    "eps:resources:remove",                            //Remove a resource from an enterprise project.
                    "iam:groups:list",
                    "iam:policies:list",
                    "iam:enterpriseProjectGroups:combine",
                    "iam:enterpriseProjectGroups:listGroups",
                    "iam:enterpriseProjectGroups:listPolicies"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • EPS ReadOnlyAccess: This policy grants the permissions to view basic information. The following is the policy content:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eps:resources:list",
                    "iam:enterpriseProjectGroups:listGroups",
                    "iam:enterpriseProjectGroups:listPolicies"
                ]
            }
        ]
    }
  • Enterprise Project BSS FullAccess: This policy grants all the operations permissions of an enterprise project. The following is the policy content:
    {
          "Version": "1.1",
          "Statement": [
                {
                      "Action": [
                            "bss:enterpriseProjectFundQuota:view",         //View fund quota settings of an enterprise project.
                            "bss:enterpriseProjectFundQuotaFinance:view",  //View fund quota adjustment records of an enterprise project.
                            "bss:renewal:view",                            //View renewal details of an enterprise project.
                            "bss:renewal:update",                          //Enable or disable auto-renewal and manual renewal for a resource, change billing mode from pay-per-use to yearly/monthly for a resource, and release a resource.
                            "bss:order:view",                              //View a yearly/monthly order.
                            "bss:order:update",                            //Place a yearly/monthly order.
                            "bss:unsubscribe:update",                      //Unsubscribe from resources and view unsubscription records.
                            "bss:bill:view",                               //View the expenditure summary of an enterprise project.
                            "bss:bill:update",                             //Export the expenditure summary of an enterprise project.
                            "bss:billDetail:view",                         //View expenditure details of an enterprise project.
                            "bss:billDetail:update",                       //Export expenditure details of an enterprise project.
                            "bss:consumption:view",                        //View the expenditure breakdown information of an enterprise project.
                            "bss:consumption:update"                       //Export the expenditure breakdown information of an enterprise project.
                      ],
                      "Effect": "Allow"
                }
          ]
    }

For an IAM user that has used an enterprise project, the permissions may change (the default enterprise project cannot be viewed, resources cannot be viewed, or resources cannot be added to or removed from an enterprise project). Configure policies based on the required permissions. For details, see Procedure.
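When configuring a policy based on the required permissions, it helps to compare what a policy grants with what the role needs. The following Python check is an added example, not Huawei Cloud code: it loads a policy written in this page's annotated style, reports missing and unneeded actions, and counts how many unneeded actions each covering default policy would bring. The sample custom policy and the names `load_policy` and `review` are constructed for illustration.

```python
import json
import re

# Action sets copied from two of the default policies shown on this page.
DEFAULT_POLICIES = {
    "EPS FullAccess": {
        "eps:enterpriseProjects:update", "eps:enterpriseProjects:create",
        "eps:enterpriseProjects:enable", "eps:enterpriseProjects:disable",
        "eps:resources:list", "eps:resources:add", "eps:resources:remove",
        "iam:groups:list", "iam:policies:list",
        "iam:enterpriseProjectGroups:combine", "iam:enterpriseProjectGroups:listGroups",
        "iam:enterpriseProjectGroups:listPolicies",
    },
    "EPS ReadOnlyAccess": {"eps:resources:list", "iam:enterpriseProjectGroups:listGroups",
                           "iam:enterpriseProjectGroups:listPolicies"},
}

# Constructed sample: custom policy for a user who moves resources between projects.
SAMPLE_CUSTOM_POLICY = """
{
    "Version": "1.1",
    "Statement": [
        {"Action": ["eps:resources:list",   //Query resources in an enterprise project.
                    "eps:resources:add",    //Add a resource to an enterprise project.
                   ],
         "Effect": "Allow"}
    ]
}
"""

def load_policy(text):
    """Parse a policy written in this page's annotated style."""
    text = re.sub(r"//[^\n]*", "", text)        # drop // annotations (no action name contains //)
    text = re.sub(r",(\s*[\]}])", r"\1", text)  # drop trailing commas left before ] or }
    return json.loads(text)

def review(policy_text, required):
    """Report actions a role needs but lacks, and actions granted but not needed."""
    granted = set()
    for stmt in load_policy(policy_text)["Statement"]:
        if stmt.get("Effect") == "Allow":       # the page's policies contain only Allow
            granted.update(stmt["Action"])
    required = set(required)
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "default_alternatives": {name: len(actions - required)  # unneeded actions if attached
                                 for name, actions in DEFAULT_POLICIES.items() if required <= actions},
    }
```

For a role that must list, add and remove resources, `review(SAMPLE_CUSTOM_POLICY, [...])` reports `eps:resources:remove` as missing and shows that attaching EPS FullAccess instead would grant nine actions the role does not need.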