
Permissions Policies

Updated at: Oct 26, 2019 GMT+08:00

A policy is a set of permissions defined in JSON format. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on cloud services based on the permissions. IAM provides system-defined policies that define the common permissions for different services, such as administrator and read-only permissions. You can directly use these system-defined policies to assign permissions.

Region: Regions where permissions take effect. Select regions where the cloud service to be accessed is deployed.
  • Global region: Services in the global region are called global services, which are available to all users. Permissions for accessing these services need to be assigned in the Global region.
  • Global region - OBS: Object Storage Service (OBS) is deployed independently of other services. Permissions for accessing OBS need to be assigned in the Global-OBS region.
  • Specific regions: Services in specific regions are called project-level services. Permissions for accessing these services need to be assigned in specific regions and take effect only for these regions. To make the permissions take effect in all regions, assign the permissions in each of these regions.

Policy Type: There are fine-grained policies and role-based access control (RBAC) policies. Fine-grained policies are currently available for open beta testing. You can apply to use the fine-grained access control function free of charge.

  • If the fine-grained access control function is not enabled, only RBAC policies can be used.
  • For services (such as AOM) that only support fine-grained policies, if the fine-grained access control function is not enabled, permissions for accessing these services cannot be assigned to IAM users.
  • After the fine-grained access control function is enabled, preferably use fine-grained policies to assign permissions for accessing services that support both fine-grained and RBAC policies.
  • For services that support fine-grained access control, you can create custom policies as a supplement to system-defined policies to allow or deny access to specific types of resources.
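The authorization flow described above (users hold nothing by default, inherit policies through group membership, and each policy is assigned to a group in one region, with custom policies able to allow or deny actions) can be modelled in a few dozen lines. The following is an added illustration, not code from this documentation or from IAM itself: the policy schema (Version/Statement/Effect/Action), the action names such as `obs:object:Delete*`, the region names and the users and groups are all constructed, and deny-overrides evaluation is assumed as the conventional rule rather than taken from this page.

```python
"""Toy model of the authorization flow described above: IAM users hold no permissions
by default, gain them only through group membership, and each policy (a JSON document
with Allow/Deny statements) is assigned to a group in one region. Added illustration
with a constructed, simplified policy schema and made-up action names; it is not
IAM's real schema or evaluation engine."""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Constructed policy documents (Version/Statement/Effect/Action layout; the action
# strings are hypothetical examples, not real IAM action names).
POLICY_JSON = {
    "OBS Viewer": '{"Version": "1.1", "Statement": [{"Effect": "Allow", '
                  '"Action": ["obs:bucket:List*", "obs:object:List*"]}]}',
    "OBS Operator": '{"Version": "1.1", "Statement": [{"Effect": "Allow", '
                    '"Action": ["obs:bucket:List*", "obs:object:*"]}]}',
    "NoDelete": '{"Version": "1.1", "Statement": [{"Effect": "Deny", '
                '"Action": ["obs:object:Delete*"]}]}',
    "ECS User": '{"Version": "1.1", "Statement": [{"Effect": "Allow", '
                '"Action": ["ecs:server:Start", "ecs:server:Stop", "ecs:*:List*"]}]}',
}


class Iam:
    def __init__(self) -> None:
        self.policies: Dict[str, dict] = {}
        self.members: Dict[str, Set[str]] = {}                  # group -> users
        self.assignments: Dict[Tuple[str, str], Set[str]] = {}  # (group, region) -> policies

    def add_policy(self, name: str, document: str) -> None:
        doc = json.loads(document)
        # Reject malformed documents instead of silently ignoring statements.
        for st in doc["Statement"]:
            if st.get("Effect") not in ("Allow", "Deny") or not st.get("Action"):
                raise ValueError(f"{name}: invalid statement {st!r}")
        self.policies[name] = doc

    def add_user_to_group(self, user: str, group: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def assign(self, group: str, region: str, policy: str) -> None:
        if policy not in self.policies:
            raise KeyError(policy)
        self.assignments.setdefault((group, region), set()).add(policy)

    def effective_policies(self, user: str, region: str) -> List[str]:
        """Policies the user inherits in `region` through its groups."""
        names: Set[str] = set()
        for (group, reg), pols in self.assignments.items():
            if reg == region and user in self.members.get(group, set()):
                names |= pols
        return sorted(names)

    def is_allowed(self, user: str, region: str, action: str) -> bool:
        """Default deny. An explicit Deny on a matching action wins over any Allow
        (deny-overrides is assumed here as the conventional rule)."""
        allowed = False
        for name in self.effective_policies(user, region):
            for st in self.policies[name]["Statement"]:
                if any(fnmatchcase(action, pat) for pat in st["Action"]):
                    if st["Effect"] == "Deny":
                        return False
                    allowed = True
        return allowed


def build_demo() -> Iam:
    """Constructed tenant: alice operates storage in Global-OBS and servers in one
    project-level region; bob only audits OBS; carol belongs to no group."""
    iam = Iam()
    for name, doc in POLICY_JSON.items():
        iam.add_policy(name, doc)
    iam.add_user_to_group("alice", "storage-ops")
    iam.add_user_to_group("alice", "server-ops")
    iam.add_user_to_group("bob", "auditors")
    iam.assign("storage-ops", "Global-OBS", "OBS Operator")
    iam.assign("storage-ops", "Global-OBS", "NoDelete")
    iam.assign("auditors", "Global-OBS", "OBS Viewer")
    iam.assign("server-ops", "region-a", "ECS User")  # nothing assigned in region-b
    return iam


if __name__ == "__main__":
    iam = build_demo()
    for user, region, action in [
        ("alice", "Global-OBS", "obs:object:PutObject"),
        ("alice", "Global-OBS", "obs:object:DeleteObject"),
        ("bob", "Global-OBS", "obs:object:PutObject"),
        ("alice", "region-a", "ecs:server:Start"),
        ("alice", "region-b", "ecs:server:Start"),
        ("carol", "Global-OBS", "obs:bucket:ListBucket"),
    ]:
        print(f"{user:6} {region:10} {action:26} -> {iam.is_allowed(user, region, action)}")
```

The two points worth noticing when running it: alice's `NoDelete` policy blocks deletion even though `OBS Operator` grants `obs:object:*`, and the `ECS User` policy assigned in `region-a` gives her nothing in `region-b`, which is exactly why the text says project-level permissions must be assigned in every region where they are needed.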

System-Defined Policies

The original table has the columns Service, Region, System-Defined Policies, Policy Type, and Permissions. Below, each service lists its region, followed by one entry per policy in the form "Policy name (Policy type): Permissions".

Service: BASE
  • Full Access (Fine-grained; region: Global): Full permissions for cloud services supporting fine-grained authorization
  • Tenant Administrator (RBAC; region: All regions): Full permissions for all services except IAM
  • Tenant Guest (RBAC; region: All regions): Read-only permissions for all services except IAM
  • Security Administrator (RBAC; region: Global): Full permissions for IAM
  • Agent Operator (RBAC; region: Global): Permissions for switching roles to access resources of delegating accounts

Service: Object Storage Service (OBS)
Region: Global - OBS
  • OBS Operator (Fine-grained): Basic object operation permissions, such as viewing buckets, uploading, obtaining, and deleting objects, and obtaining object ACLs
  • OBS Viewer (Fine-grained): Permissions for listing buckets, obtaining bucket metadata, listing objects in a bucket, and querying bucket locations
  • OBS Buckets Viewer (RBAC): Permissions for listing buckets, obtaining bucket information, obtaining bucket metadata, and listing objects

Service: Content Delivery Network (CDN) (global service)
Region: Global
  • CDN Domain Viewer (Fine-grained): Read-only permissions for CDN acceleration domain names
  • CDN Statistics Viewer (Fine-grained): Read-only permissions for CDN statistics
  • CDN Logs Viewer (Fine-grained): Read-only permissions for CDN logs
  • CDN Domain Configuration Operator (Fine-grained): Permissions for configuring CDN acceleration domain names
  • CDN Refresh And Preheat Operator (Fine-grained): Permissions for cache refreshing and preheating
  • CDN Administrator (RBAC): Full permissions for CDN. This policy depends on the Tenant Guest policy in the same project.

Service: Business Support System (BSS) (project-level service)
Region: Specific regions
NOTICE: These are the regions where permissions of the policies supported by this service can be assigned.
  • BSS Administrator (RBAC): Full permissions for Billing Center, Resource Center, and My Account
  • BSS Operator (RBAC): Query permissions for Billing Center and management permissions for Resource Center and My Account
  • BSS Finance (RBAC):
    • Topping up accounts, withdrawing money, and setting balance alerts
    • Viewing, paying, and exporting orders, and renewing resources
    • Viewing and exporting the expenditure summary, expenditure details, and income and expense details, and analyzing bills
    • Viewing and activating coupons, issuing invoices, applying for online contracts, and viewing commercial discounts
  • EnterpriseProject_BSS_Administrator (Fine-grained): Permissions for accounting management of enterprise projects

Service: Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud (VPC), Image Management Service (IMS) (project-level services)
Region: Specific regions
  • Server Administrator (Fine-grained):
    • Full permissions for ECS. This policy depends on the Tenant Guest policy in the same project. If a user needs to create, delete, or change resources of other services, the user must be granted administrator permissions in the same project. For example, if a user needs to create a new VPC when creating an ECS, the user must be granted VPC Administrator permissions.
    • Full permissions for EVS.
    • Permissions for performing operations on EIPs, security groups, and ports. This policy depends on the Tenant Guest policy in the same project.
    • Permissions for creating, deleting, querying, modifying, and uploading images. This policy depends on the IMS Administrator policy in the same project.

Service: Elastic Cloud Server (ECS) (project-level service)
Region: Specific regions
  • ECS Admin (Fine-grained): Full permissions for ECS
  • ECS Viewer (Fine-grained): Read-only permissions for ECS
  • ECS User (Fine-grained): Permissions for starting, stopping, restarting, and querying ECSs

Service: Auto Scaling (AS) (project-level service)
Region: Specific regions
  • AutoScaling Admin (Fine-grained): Full permissions for all AS resources
  • AutoScaling Viewer (Fine-grained): Read-only permissions for all AS resources
  • AutoScaling Administrator (RBAC): Full permissions for all AS resources. This policy depends on the ELB Administrator and CES Administrator policies in the same project.

Service: Image Management Service (IMS) (project-level service)
Region: Specific regions
  • IMS Admin (Fine-grained): Full permissions for IMS
  • IMS Viewer (Fine-grained): Read-only permissions for IMS
  • IMS Administrator (RBAC): Full permissions for IMS. This policy depends on the Tenant Administrator policy in the OBS project.

Service: Elastic Volume Service (EVS) (project-level service)
Region: Specific regions
  • EVS Admin (Fine-grained): Full permissions for EVS
  • EVS Viewer (Fine-grained): Read-only permissions for EVS

Service: Cloud Server Backup Service (CSBS) (project-level service)
Region: Specific regions
  • CSBS Administrator (RBAC): Full permissions for CSBS. This policy depends on the Server Administrator policy in the same project.

Service: Volume Backup Service (VBS) (project-level service)
Region: Specific regions
  • VBS Administrator (RBAC): Full permissions for VBS. This policy depends on the Tenant Guest and Server Administrator policies in the same project.

Service: Dedicated Distributed Storage Service (DSS) (project-level service)
Region: Specific regions
  • DSS Admin (RBAC): Full permissions for DSS
  • DSS Viewer (RBAC): Read-only permissions for DSS

Service: Virtual Private Cloud (VPC) (project-level service)
Region: Specific regions
  • VPC Admin (Fine-grained): Full permissions for VPC
  • VPC Viewer (Fine-grained): Read-only permissions for VPC
  • VPC Administrator (RBAC): Full permissions for VPC. This policy depends on the Tenant Guest policy in the same project.

Service: Cloud Container Engine (CCE) (project-level service)
Region: Specific regions
  • CCE Admin (Fine-grained): Full permissions for CCE
  • CCE Viewer (Fine-grained): Read-only permissions for CCE and all operations on Kubernetes resources
  • CCE Administrator (RBAC): Full permissions for CCE. This policy depends on the Tenant Guest, Server Administrator, SFS Administrator, SWR Admin, and APM Admin policies in the same project and the OBS Operator policy in the OBS project.

Service: CloudTable Service (CloudTable) (project-level service)
Region: Specific regions
  • CloudTable Administrator (RBAC): Full permissions for CloudTable. This policy depends on the Tenant Guest and Server Administrator policies in the same project.

Service: Domain Name Service (DNS) (project-level service)
Region: Specific regions
  • DNS Administrator (RBAC): Full permissions for DNS

Service: Cloud Trace Service (CTS) (project-level service)
Region: Specific regions
  • CTS Administrator (RBAC): Full permissions for CTS. This policy depends on the Tenant Guest policy in the same project and the Tenant Administrator policy in the OBS project.

Service: Simple Message Notification (SMN) (project-level service)
Region: Specific regions
  • SMN Administrator (RBAC): Full permissions for SMN

Service: Relational Database Service (RDS) (project-level service)
Region: Specific regions
  • RDS Admin (Fine-grained): Full permissions for RDS
  • RDS Viewer (Fine-grained): Read-only permissions for RDS
  • RDS DBA (Fine-grained): DBA permissions for all operations except deleting RDS resources
  • RDS Administrator (RBAC): Full permissions for RDS. This policy depends on the Tenant Guest and Server Administrator policies in the same project.

Service: Distributed Message Service (DMS) (project-level service)
Region: Specific regions
  • DMS Administrator (RBAC): Full permissions for DMS

Service: Document Database Service (DDS) (project-level service)
Region: Specific regions
  • DDS Admin (Fine-grained): Full permissions for DDS
  • DDS Viewer (Fine-grained): Read-only permissions for DDS
  • DDS DBA (Fine-grained): DBA permissions for all operations except deleting DDS resources
  • DDS Administrator (RBAC): Full permissions for DDS. This policy depends on the Tenant Guest and Server Administrator policies in the same project. If a DDS enterprise project is configured, you need to select the DAS Admin policy in the same project so that you can log in to DAS from the DDS console.

Service: Data Replication Service (DRS) (project-level service)
Region: Specific regions
  • DRS Administrator (RBAC): Full permissions for DRS. This policy depends on the Tenant Guest and Server Administrator policies in the same project.

Service: Data Admin Service (DAS) (project-level service)
Region: Specific regions
  • DAS Administrator (RBAC): Full permissions for DAS. This policy depends on the Tenant Guest policy in the same project.

Service: Application Operations Management (AOM) (project-level service)
Region: Specific regions
  • AOM Admin (Fine-grained): Full permissions for AOM
  • AOM Viewer (Fine-grained): Read-only permissions for AOM

Service: Application Performance Management (APM) (project-level service)
Region: Specific regions
  • APM Admin (Fine-grained): Full permissions for APM
  • APM Viewer (Fine-grained): Read-only permissions for APM

Service: Software Repository for Container (SWR) (project-level service)
Region: Specific regions
  • SWR Admin (RBAC): Full permissions for SWR

Service: Cloud Eye (project-level service)
Region: Specific regions
  • CES Administrator (RBAC): Full permissions for Cloud Eye. This policy depends on the Tenant Guest and Server Administrator policies in the same project.
  • CES Admin (Fine-grained): Administrator permissions for performing all operations on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support fine-grained authorization.
  • CES Viewer (Fine-grained): Read-only permissions for viewing data on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support fine-grained authorization.

Service: Web Application Firewall (WAF) (project-level service)
Region: Specific regions
  • WAF Administrator (RBAC): Full permissions for WAF

Service: Host Security Service (HSS) (project-level service)
Region: Specific regions
  • HSS Administrator (RBAC): Full permissions for HSS

Service: Vulnerability Scan Service (VSS) (project-level service)
Region: Specific regions
  • VSS Administrator (RBAC): Full permissions for VSS

Service: Security Expert Service (SES) (project-level service)
Region: Specific regions
  • SES Administrator (RBAC): Full permissions for SES

Service: Database Security Service (DBSS) (project-level service)
Region: Specific regions
  • DBSS System Administrator (RBAC): Full permissions for DBSS
  • DBSS Audit Administrator (RBAC): Security auditing permissions for DBSS
  • DBSS Security Administrator (RBAC): Security protection permissions for DBSS

Service: Data Encryption Workshop (DEW) (project-level service)
Region: Specific regions
  • KMS Administrator (RBAC): Full permissions for DEW

Service: Anti-DDoS (project-level service)
Region: Specific regions
  • Anti-DDoS Administrator (RBAC): Full permissions for Anti-DDoS. This policy depends on the Tenant Guest policy in the same project.

Service: Scalable File Service (SFS) (project-level service)
Region: Specific regions
  • SFS Admin (Fine-grained): Full permissions for SFS
  • SFS Viewer (Fine-grained): Read-only permissions for SFS
  • SFS Administrator (RBAC): Full permissions for SFS. This policy depends on the Tenant Guest policy in the same project.

Service: Distributed Cache Service (DCS) (project-level service)
Region: Specific regions
  • DCS Admin (Fine-grained): Full permissions for DCS
  • DCS User (Fine-grained): Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances
  • DCS Viewer (Fine-grained): Read-only permissions for DCS
  • DCS Administrator (RBAC): Full permissions for DCS. This policy depends on the Tenant Guest and Server Administrator policies in the same project.

Service: MapReduce Service (MRS) (project-level service)
Region: Specific regions
  • MRS Admin (Fine-grained): Full permissions for MRS
  • MRS User (Fine-grained): Common user permissions for MRS operations except creating and deleting resources
  • MRS Viewer (Fine-grained): Read-only permissions for MRS
  • MRS Administrator (RBAC): Full permissions for MRS. This policy depends on the Tenant Guest and Server Administrator policies in the same project.

Service: ServiceStage, Cloud Performance Test Service (CPTS) (project-level services)
Region: Specific regions
  • SvcStg Admin (RBAC):
    • Full permissions for ServiceStage, including service, application, node, stack, and pipeline management.
    • Permissions for performing operations on test resources of all users in CPTS, such as adding, deleting, modifying, and querying test resources
  • SvcStg Developer (RBAC):
    • Common user permissions for ServiceStage except node management
    • Permissions for performing operations only on a user's own test resources, such as adding, deleting, modifying, and querying test resources
  • SvcStg Operator (RBAC):
    • Read-only permissions for ServiceStage
    • Read-only permissions only for a user's own test resources

Service: Workspace (project-level service)
Region: Specific regions
  • Workspace Administrator (RBAC): Full permissions for Workspace. This policy depends on the Tenant Guest, Server Administrator, and VPC Administrator policies in the same project.

Service: Elastic Load Balance (ELB) (project-level service)
Region: Specific regions
  • ELB Admin (Fine-grained): Full permissions for ELB
  • ELB Viewer (Fine-grained): Read-only permissions for ELB
  • ELB Service Administrator (RBAC): Full permissions for ELB. This policy depends on the Tenant Guest policy in the same project.

Service: NAT Gateway (project-level service)
Region: Specific regions
  • NAT Admin (Fine-grained): Full permissions for NAT Gateway
  • NAT Viewer (Fine-grained): Read-only permissions for NAT Gateway
  • NAT Gateway Administrator (RBAC): Full permissions for NAT Gateway. This policy depends on the Tenant Guest policy in the same project.

Service: Direct Connect (project-level service)
Region: Specific regions
  • Direct Connect Administrator (RBAC): Full permissions for Direct Connect. This policy depends on the Tenant Guest policy in the same project.

Service: Cloud Backup and Recovery (CBR) (project-level service)
Region: Specific regions
  • CBR Admin (Fine-grained): Administrator permissions for using all vaults and policies on CBR
  • CBR User (Fine-grained): Common user permissions for creating, viewing, and deleting vaults on CBR
  • CBR Viewer (Fine-grained): Read-only permissions for viewing data on CBR

Service: Graph Engine Service (GES) (project-level service)
Region: Specific regions
  • GES Administrator (RBAC): Full permissions for GES. This policy depends on the Tenant Guest and Server Administrator policies in the same project.
  • GES Operator (RBAC): Permissions for viewing and accessing graphs. This policy depends on the Tenant Guest policy in the same project.
  • GES Admin (Fine-grained): Administrator permissions for performing all operations (including creation, deletion, access, and upgrade operations) on GES
  • GES User (Fine-grained): Operator permissions for all operations except creating and deleting graphs
  • GES Viewer (Fine-grained): Read-only permissions for viewing resources, such as graphs, metadata, and backup data

Service: Data Lake Factory (DLF) (project-level service)
Region: Specific regions
  • DLF Administrator (RBAC): Full permissions for DLF. This policy depends on the Tenant Administrator policy in the same project.
  • DLF Admin (Fine-grained): Full permissions for DLF
  • DLF Developer (Fine-grained): Developer permissions for DLF. Users granted these permissions can use DLF to develop scripts and orchestrate jobs, but cannot create, delete, or modify workspaces.
  • DLF Operator (Fine-grained): O&M permissions for DLF. Users granted these permissions can maintain scripts, jobs, and other resources, but cannot create, delete, or modify any resources.
  • DLF Viewer (Fine-grained): Read-only permissions for DLF. Users granted these permissions can only view DLF resources.

Service: ModelArts (project-level service)
Region: Specific regions
  • ModelArts Admin (Fine-grained): Administrator permissions for performing all operations on ModelArts
  • ModelArts User (Fine-grained): Permissions for performing all operations except managing dedicated resource pools on ModelArts
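Many RBAC policies in the table only work when other policies are assigned alongside them (for example, CCE Administrator needs Tenant Guest, Server Administrator, SFS Administrator, SWR Admin and APM Admin in the same project plus OBS Operator in the OBS project, and Server Administrator in turn needs IMS Administrator). A group that is missing one of these ends up with a partially working role, which is usually "fixed" in practice by granting Tenant Administrator, the opposite of least privilege. The script below is an added example, not a tool from the IAM documentation: it encodes a subset of the dependency rules as they are stated in the table above and reports, transitively, what a group's per-project assignments still lack. The region name `cn-example-1` and the group's assignments are constructed, and the check matches policy names literally (it does not treat Tenant Administrator as implying Tenant Guest, since the page does not say so).

```python
"""Checks a group's policy assignments against the dependency rules stated in the
table above. Added example, not part of the IAM documentation; region names and
assignments are constructed."""
from typing import Dict, List, Set, Tuple

# Transcribed from the table above: policy -> [(required policy, scope)].
# scope "same" = the same project/region the policy is assigned in;
# scope "OBS" = the OBS (Global-OBS) project named in the table.
DEPENDENCIES: Dict[str, List[Tuple[str, str]]] = {
    "CDN Administrator": [("Tenant Guest", "same")],
    "Server Administrator": [("Tenant Guest", "same"), ("IMS Administrator", "same")],
    "AutoScaling Administrator": [("ELB Administrator", "same"), ("CES Administrator", "same")],
    "IMS Administrator": [("Tenant Administrator", "OBS")],
    "CSBS Administrator": [("Server Administrator", "same")],
    "VBS Administrator": [("Tenant Guest", "same"), ("Server Administrator", "same")],
    "VPC Administrator": [("Tenant Guest", "same")],
    "CCE Administrator": [("Tenant Guest", "same"), ("Server Administrator", "same"),
                          ("SFS Administrator", "same"), ("SWR Admin", "same"),
                          ("APM Admin", "same"), ("OBS Operator", "OBS")],
    "CTS Administrator": [("Tenant Guest", "same"), ("Tenant Administrator", "OBS")],
    "RDS Administrator": [("Tenant Guest", "same"), ("Server Administrator", "same")],
    "DLF Administrator": [("Tenant Administrator", "same")],
    "Workspace Administrator": [("Tenant Guest", "same"), ("Server Administrator", "same"),
                                ("VPC Administrator", "same")],
}

# Assignments of a group: project (region) name -> policies assigned there.
Assignments = Dict[str, Set[str]]


def missing_dependencies(assignments: Assignments) -> List[str]:
    """One finding per unsatisfied dependency. Because every assigned policy is
    checked, dependencies of dependencies are covered as soon as they are assigned."""
    findings: List[str] = []
    for project, policies in sorted(assignments.items()):
        for policy in sorted(policies):
            for required, scope in DEPENDENCIES.get(policy, []):
                target = project if scope == "same" else scope
                if required not in assignments.get(target, set()):
                    findings.append(
                        f"{project}: {policy} requires {required} in project {target!r}")
    return findings


def required_closure(policy: str, project: str) -> Set[Tuple[str, str]]:
    """Every (project, policy) pair that must be assigned for `policy` in `project`
    to work, including the policy itself, following the dependency chain."""
    needed: Set[Tuple[str, str]] = set()
    stack = [(project, policy)]
    while stack:
        proj, pol = stack.pop()
        if (proj, pol) in needed:
            continue
        needed.add((proj, pol))
        for required, scope in DEPENDENCIES.get(pol, []):
            stack.append((proj if scope == "same" else scope, required))
    return needed


# Constructed example group: CCE Administrator with most, but not all, of its chain.
EXAMPLE_GROUP: Assignments = {
    "cn-example-1": {"CCE Administrator", "Tenant Guest", "Server Administrator",
                     "SFS Administrator", "SWR Admin", "APM Admin"},
    "OBS": {"OBS Operator"},
}


if __name__ == "__main__":
    for line in missing_dependencies(EXAMPLE_GROUP) or ["no missing dependencies"]:
        print(line)
    print("Full set needed for CCE Administrator in cn-example-1:")
    for proj, pol in sorted(required_closure("CCE Administrator", "cn-example-1")):
        print(f"  {proj}: {pol}")
```

Running it on the constructed group reports one gap (Server Administrator lacks IMS Administrator); adding IMS Administrator then surfaces the next link in the chain (Tenant Administrator in the OBS project), which is the kind of second-order requirement that is easy to miss when reading the table row by row. `required_closure` answers the complementary question of what the complete, minimal set of assignments for a given role is before anyone reaches for Tenant Administrator.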
