
Permission Policy

Updated at: Dec 14, 2018 16:36

Configure permission policies for a user group and add users to the group so that these users can obtain operation permissions defined in the policies.

IAM supports default policies and custom policies. Default policies are pre-defined by IAM and cannot be modified. If default policies do not meet your requirements, you can create custom policies for fine-grained permission control.

Log in to the IAM console and choose Policies to view all default and custom policies. You can click the name of a policy to check its format. For details, see Policy Content.

Default Policy

NOTE:
  • Permission granularity: the finest level at which IAM grants permissions. Service-level and operation-level granularities are currently supported.
    • Service level: grants users permissions on an entire service.
    • Operation level: grants users permissions on individual operations defined by APIs.

    Only services with operation-level granularity support custom policies. For details, see Creating Custom Policies. Custom policies let you allow or deny specific operations on services or resources.

  • Application scope: the scope in which a policy takes effect, either the global region or a project (region). Cloud services are deployed in different regions; for example, IAM is deployed in the global region, while EVS is deployed in other regions. A global-level policy takes effect only in the global region and not in other regions.
    • Global-level service: when adding permissions to a user group, you select the policy in the global region. It is not displayed in a project.
    • Project-level service: when adding permissions to a user group, you select the policy in a project. The policy is not displayed in the global region.

The table of default policies has the columns Service, Permission Granularity, Policy, Application Scope, Permitted Operations, and API Permission. It is listed below by service; each entry gives the policy name followed, in parentheses, by the permission granularity, the application scope, and the API permission column ("-" where the original table leaves the cell empty), and then the permitted operations.

BASE
  • Security Administrator (granularity: -; scope: Global-level service; API permissions: -)
    • Create, delete, and modify users.
    • Grant permissions to users.
  • Agent Operator (granularity: -; scope: Global-level service; API permissions: -)
    Switch the role to a delegating account to access resources.
  • Tenant Administrator (granularity: -; scope: Global-level service/project-level service; API permissions: -)
    • All operations for My Account, Billing Center, and Resource Center.
    • All operations on cloud resources owned by an account.
  • Full Access (granularity: -; scope: Global-level service; API permissions: -)
    All operations on cloud resources owned by an account.
  • Tenant Guest (granularity: -; scope: Global-level service/project-level service; API permissions: -)
    Read-only permissions on cloud resources owned by an account.

Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud (VPC), and Image Management Service (IMS)
  • Server Administrator (granularity: -; scope: Project-level service; API permissions: -)
    • ECS: create, delete, and modify ECSs.
    • EVS: create, delete, and modify EVS disks.
    • VPC: users with this permission and the Tenant Guest permission can perform all operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth.
    • IMS: create, delete, query, and modify images.

Elastic Cloud Server (ECS)
  • ECS Admin (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    All operations on an ECS.
  • ECS Viewer (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    Read-only permissions on an ECS.
  • ECS User (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    Start, stop, restart, and query an ECS.

Auto Scaling (AS)
  • AutoScaling Admin (granularity: Operation level; scope: Global-level service/project-level service; API permissions: -)
    All operations on AS resources.
  • AutoScaling Viewer (granularity: Operation level; scope: Global-level service/project-level service; API permissions: -)
    Read-only permissions on AS resources.
  • AutoScaling Administrator (granularity: Service level; scope: Global-level service; API permissions: -)
    • All operations on AS resources.
    • To be granted this permission, users must also have the ELB Administrator and CES Administrator permissions.

Image Management Service (IMS)
  • IMS Admin (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    All operations on IMS.
  • IMS Viewer (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    Read-only permissions on IMS.
  • IMS Administrator (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    • All operations on IMS.
    • Users with this permission and the Tenant Guest permission for the regions where OBS is deployed can create an image using an image file.

Elastic Volume Service (EVS)
  • EVS Admin (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    All operations on an EVS disk.
  • EVS Viewer (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    Read-only permissions on an EVS disk.

Cloud Server Backup Service (CSBS)
  • CSBS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can delete cloud server backups. Users with this permission and the Server Administrator permission can create a cloud server backup, restore a cloud server, and manage backup policies.
    If a user does not have the Server Administrator permission:
      • When the user creates a backup or restores a cloud server, the user cannot obtain information about the cloud server.
      • When the user associates a cloud server with a backup policy, the user cannot obtain information about the cloud server.

Volume Backup Service (VBS)
  • VBS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission and the Server Administrator and Tenant Guest permissions can perform the following operations:
      • Create an EVS disk backup.
      • Delete an EVS disk backup.
      • Restore an EVS disk.

Dedicated Distributed Storage Service (DSS)
  • DSS Admin (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on DSS.
  • DSS Viewer (granularity: Operation level; scope: Project-level service; API permissions: -)
    Read-only permissions on DSS.

Virtual Private Cloud (VPC)
  • VPC Admin (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on VPC.
  • VPC Viewer (granularity: Operation level; scope: Project-level service; API permissions: -)
    Read-only permissions on VPC.
  • VPC Administrator (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on VPC. To be granted this permission, users must also have the Tenant Guest permission.

Cloud Container Engine (CCE)
  • CCE Admin (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on CCE.
  • CCE Viewer (granularity: Operation level; scope: Project-level service; API permissions: -)
    Read-only permissions on CCE and all operations on Kubernetes resources.
  • CCE Administrator (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on CCE.

Application Operations Management (AOM)
  • AOM Admin (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    All operations on AOM.
  • AOM Viewer (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    Read-only permissions on AOM.

Application Performance Management (APM)
  • APM Admin (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    All operations on APM.
  • APM Viewer (granularity: Operation level; scope: Project-level service; API permissions: see API Permissions)
    Read-only permissions on APM.

Cloud Eye
  • CES Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can perform the following operations:
      • View metrics.
      • Add, modify, and delete alarm rules.
    To be granted this permission, users must also have the Tenant Guest permission.

Web Application Firewall (WAF)
  • WAF Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can perform the following operations:
      • Create and delete WAF instances.
      • Configure, enable, and disable WAF instances.
      • Modify the protection policies of WAF instances.
      • Configure alarm notifications for WAF instances.
      • Query the WAF instance list and details.
      • Authenticate the domain name of a WAF instance.

Host Security Service (HSS)
  • HSS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can perform the following operations:
      • Enable and disable HSS.
      • Perform manual detections.
      • Set alarm information and perform security configurations.
      • View the security overview on the Dashboard page.
      • View the ECS list and risk details.
      • View reports of asset management, vulnerability management, intrusion detection, and baseline inspection.

Vulnerability Scan Service (VSS)
  • VSS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can perform the following operations:
      • Create, restart, and cancel scan tasks.
      • Query task lists and details.
      • Query vulnerability lists and details.
      • Mark vulnerabilities as false positives.
      • Authenticate domain names.

Security Expert Service (SES)
  • SES Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • Purchase SES.
    • Supplement and modify service order information.
    • View the service order list and service order details.
    • Authenticate the host or domain to be assessed, hardened, or monitored.
    • Download the assessment report.
    • Evaluate SES.

Database Security Service (DBSS)
  • DBSS System Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • Buy instances.
    • Delete instances.
    • Obtain an instance list.
    • Start, stop, and restart an instance.
    • Upgrade service instances.
    • Bind or unbind an EIP.
    NOTE: To purchase an instance, users must have both the VPC and BSS permissions.
  • DBSS Audit Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • Obtain an instance list.
    • Log in to the DBSS console.
  • DBSS Security Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • Obtain an instance list.
    • Log in to the DBSS console.

Data Encryption Workshop (DEW)
  • KMS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • Key management. Users with this permission can perform the following operations:
      • Create, enable, disable, schedule the deletion of, and cancel the deletion of keys.
      • Query the list of keys.
      • Query the information about keys.
      • Create random numbers and data keys, including plaintext-free keys.
      • Encrypt and decrypt data keys.
      • Change the aliases and descriptions of keys.
      • Add, delete, and query key tags.
    • Key pair management. Users with this permission and the Server Administrator permission can perform the following operations:
      • Create, import, and delete key pairs.
      • Query the list of key pairs.
      • Query the information about key pairs.
      • Reset, replace, bind, and unbind key pairs.
      • Import, export, and clear private keys.
      • Query and delete records about failed tasks.
    • Dedicated encryption. Users with this permission can create customized business orders.

Anti-DDoS
  • Anti-DDoS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission and the Tenant Guest permission can query EIPs in VPCs and perform all operations on Anti-DDoS.

Simple Message Notification (SMN)
  • SMN Administrator (granularity: Service level; scope: Global-level service; API permissions: -)
    All operations on SMN.

Relational Database Service (RDS)
  • RDS Admin (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on RDS.
  • RDS Viewer (granularity: Operation level; scope: Project-level service; API permissions: -)
    Read-only permissions on RDS.
  • RDS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • All operations on RDS. To be granted this permission, users must also have the Tenant Guest and Server Administrator permissions.
    • Users with this permission and the VPC Administrator permission can create a VPC or subnet.
    • Users with this permission and the CES Administrator permission can create or modify alarm rules for database instances.
    • Users with this permission and the TMS Administrator permission can query predefined tags of Tag Management Service (TMS) and create, modify, and delete predefined tags.
    • Users with this permission and the KMS Administrator permission can buy KMS keys and encrypt RDS DB instances.
    • Users with this permission and the Security Administrator permission can buy the RDS and DBSS services together.
  • RDS DBA (granularity: Operation level; scope: Project-level service; API permissions: -)
    DBA permissions on RDS except the database deletion operations.

Distributed Message Service (DMS)
  • DMS Administrator (granularity: -; scope: Project-level service; API permissions: -)
    All operations on DMS.

Document Database Service (DDS)
  • DDS Admin (granularity: Operation level; scope: Project-level service; API permissions: -)
    All operations on DDS.
  • DDS Viewer (granularity: Operation level; scope: Project-level service; API permissions: -)
    Read-only permissions on DDS.
  • DDS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • All operations on DDS. To be granted this permission, users must also have the Tenant Guest and Server Administrator permissions.
    • Users with this permission and the VPC Administrator permission can create a VPC or subnet.
    • Users with this permission and the CES Administrator permission can create or modify alarm rules for database instances.
    • Users with this permission and the TMS Administrator permission can query predefined tags of Tag Management Service (TMS) and create, modify, and delete predefined tags.
    • Users with this permission and the KMS Administrator permission can buy KMS keys and encrypt DDS DB instances.
  • DDS DBA (granularity: Operation level; scope: Project-level service; API permissions: -)
    DBA permissions on DDS except the database deletion operations.

Data Replication Service (DRS)
  • DRS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    All operations on DRS. To be granted this permission, users must also have the Tenant Guest and Server Administrator permissions.

Data Admin Service (DAS)
  • DAS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    All operations on DAS. To be granted this permission, users must also have the Tenant Guest permission.

CDN
  • CDN Administrator (granularity: Operation level; scope: Global-level service; API permissions: see API Permissions)
    All operations on CDN.
  • CDN Domain Viewer (granularity: Operation level; scope: Global-level service; API permissions: see API Permissions)
    Read-only permissions on CDN acceleration domain names.
  • CDN Statistics Viewer (granularity: Operation level; scope: Global-level service; API permissions: see API Permissions)
    Read-only permissions on CDN statistics.
  • CDN Logs Viewer (granularity: Operation level; scope: Global-level service; API permissions: see API Permissions)
    Read-only permissions on CDN logs.
  • CDN Domain Configuration Operator (granularity: Operation level; scope: Global-level service; API permissions: see API Permissions)
    Configure CDN acceleration domain names.
  • CDN Refresh And Preheat Operator (granularity: Operation level; scope: Global-level service; API permissions: see API Permissions)
    Configure CDN cache refreshing and preheating.

Scalable File Service (SFS)
  • SFS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    All operations on SFS. To be granted this permission, users must also have the Tenant Guest permission.

Software Repository for Container (SWR)
  • SWR Admin (granularity: Operation level; scope: Global-level service; API permissions: -)
    Common developer permissions. Permissions on resource management depend on the authorization of Tenant Administrator.
  • ServiceStage Developer (granularity: Operation level; scope: Global-level service; API permissions: -)
    Common developer permissions. Permissions on resource management depend on the authorization of Tenant Administrator.
  • Tenant Administrator (granularity: Operation level; scope: Global-level service; API permissions: -)
    Create, delete, update, and authorize resources such as organizations, warehouses, images, pipelines, and pipeline groups.
  • Tenant Guest (granularity: Operation level; scope: Global-level service; API permissions: -)
    Read-only permissions on resources if the Tenant Administrator permission is authorized.

Workspace
  • Workspace Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    • All operations on Workspace. To be granted this permission, users must also have the Tenant Guest, Server Administrator, and VPC Administrator permissions.
    • Users with this permission and the Tenant Guest permission can query the image used for creating desktops.
    • Users with this permission and the Server Administrator permission can manage image authorization, ports, and security group rules.
    • Users with this permission and the VPC Administrator permission can query VPC and subnet information as well as manage security groups and the creation, query, and deletion of IP addresses.

Domain Name Service (DNS)
  • DNS Administrator (granularity: Service level; scope: Global-level service; API permissions: -)
    All operations on DNS.

Cloud Trace Service (CTS)
  • CTS Administrator (granularity: Service level; scope: Global-level service; API permissions: -)
    All operations on CTS.

Business Support System (BSS)
  • BSS Administrator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can perform operations on all menus in My Account, Billing Center, and Resource Center.
  • BSS Operator (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can:
      • Access all menus in My Account and Resource Center.
      • Perform the following operations in Billing Center:
        • View, cancel, and export orders, renew and change the tariff, and unsubscribe from and release resources.
        • View and export the consumption summary and details, and analyze bills.
        • View and activate coupons, apply for online contracts, and view commercial discounts.
  • BSS Finance (granularity: Service level; scope: Project-level service; API permissions: -)
    Users with this permission can perform the following operations in Billing Center:
      • Recharge accounts, withdraw cash, and set low-balance warnings.
      • View, pay, and export orders, and renew resources.
      • View and export the consumption summary, consumption details, and income and expense details, and analyze bills.
      • View and activate coupons, issue invoices, apply for online contracts, and view commercial discounts.

Policy Content

On the IAM console, choose Policies and click a policy name, for example, VPC Admin. Details about the policy are displayed in the Policy Content box. Each policy contains one or more statements, and each statement describes a set of permissions.

The policy content of VPC Administrator is as follows:

{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "vpc:vpcs:*",
        "vpc:routers:*",
        "vpc:networks:*",
        "vpc:subnets:*",
        "vpc:ports:*",
        "vpc:privateIps:*",
        "vpc:peerings:*",
        "vpc:routes:*",
        "vpc:lbaas:*",
        "vpc:vpns:*",
        "ecs:*:get",
        "ecs:*:list",
        "elb:*:get",
        "elb:*:list"
      ],
      "Effect": "Allow"
    }
  ]
}
Table 1 Permission information parameters (columns: Parameter, Description, Value)

Version
  Description: Indicates the policy version.
  Value:
    • 1.0: service-level policy
    • 1.1: operation-level policy

Statement > Action
  Description: Indicates the operations the statement applies to.
  Value: Format is Service name:Resource type:Action. Example: vpc:subnets:*, which indicates all operations on VPC subnets. In the example, vpc is the service name, subnets is the resource type, and the wildcard character * indicates all operations.

Statement > Effect
  Description: Indicates whether the operations listed in Action are allowed.
  Value:
    • Allow: the operations are allowed.
    • Deny: the operations are not allowed.
  NOTE: If both Allow and Deny statements match an operation, policy evaluation starts with Deny, so an explicit Deny takes precedence over any Allow for that operation.

Depends
  NOTE: For a service-level policy, the Action field can only specify operations of one individual service. If that service depends on permissions of other services, you must define them in the Depends field. When configuring permissions for a user group, you must select both the policy to be added and the policy it depends on.

Depends > catalog
  Description: Indicates the service providing the other permissions that users must have in order to be granted this permission.
  Value: Service name, for example, Base.

Depends > display_name
  Description: Indicates the name of the other permissions that users must have in order to be granted this permission.
  Value: Permission name, for example, Server Administrator.
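To make the Action matching, the Deny-before-Allow rule, and the Depends check concrete, the following is an added example that is not code from this help page or from the IAM service. It evaluates policy documents of the shape shown in Policy Content. The following are assumptions: the wildcard * matches one whole field of Service:Resource:Action; the Depends field is a list of objects with catalog and display_name (the page names those two fields but not the list shape); and the policies and action names used as inputs (ecs:cloudServers:delete, elb:loadbalancers:get, a CSBS policy with a dependency) are constructed for illustration.

```python
"""Evaluate IAM-style policy documents against a requested action.

Added example, not code from the help page or the IAM service. Assumed shapes:
a policy is a dict with "Version" and "Statement" (a list of
{"Action": [...], "Effect": "Allow" | "Deny"}); a service-level policy may
carry a "Depends" list of {"catalog": ..., "display_name": ...} objects.
Actions are "service:resource:action" and "*" matches one whole field.
"""
import json

# Constructed: a trimmed copy of the operation-level VPC policy shown on the page.
VPC_ADMIN = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": ["vpc:vpcs:*", "vpc:subnets:*", "vpc:ports:*", "ecs:*:get", "ecs:*:list"],
      "Effect": "Allow"
    }
  ]
}
""")

# Constructed custom policy: all ECS operations except a hypothetical delete action.
ECS_NO_DELETE = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["ecs:*:*"], "Effect": "Allow"},
        {"Action": ["ecs:cloudServers:delete"], "Effect": "Deny"},  # hypothetical action name
    ],
}

# Constructed service-level policy with a Depends entry, modelled on the
# CSBS Administrator row, which requires Server Administrator as well.
CSBS_ADMIN = {
    "Version": "1.0",
    "Statement": [{"Action": ["csbs:*:*"], "Effect": "Allow"}],
    "Depends": [{"catalog": "BASE", "display_name": "Server Administrator"}],
}


def action_matches(pattern: str, action: str) -> bool:
    """True if a Service:Resource:Action pattern covers the action; '*' matches one whole field."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != 3 or len(a_parts) != 3:
        return False  # a malformed entry never grants anything
    return all(p == "*" or p == a for p, a in zip(p_parts, a_parts))


def evaluate(policies, action: str) -> str:
    """Decide one action against every attached policy.

    Returns "Deny" if any statement explicitly denies the action, no matter
    how many statements allow it; "Allow" if at least one statement allows it
    and none denies it; otherwise "ImplicitDeny" (nothing matched).
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(action_matches(p, action) for p in stmt.get("Action", [])):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny short-circuits every Allow
            decision = "Allow"
    return decision


def missing_dependencies(policies, granted_names):
    """Return (catalog, display_name) pairs listed in Depends but absent from granted_names."""
    granted = set(granted_names)
    return [
        (dep["catalog"], dep["display_name"])
        for policy in policies
        for dep in policy.get("Depends", [])
        if dep["display_name"] not in granted
    ]


if __name__ == "__main__":
    attached = [VPC_ADMIN, ECS_NO_DELETE]
    for act in ("vpc:subnets:create", "ecs:cloudServers:get",
                "ecs:cloudServers:delete", "elb:loadbalancers:get"):
        print(f"{act:26s} -> {evaluate(attached, act)}")
    # A group that holds only CSBS Administrator is incomplete until the
    # depended-on policy is attached as well.
    print("missing:", missing_dependencies([CSBS_ADMIN], {"CSBS Administrator"}))
```

The Deny short-circuit is the property worth keeping in mind when combining a broad Allow (such as ecs:*:*) with a narrow Deny in a custom policy: the narrow Deny wins for the matching operations, and anything no statement mentions is denied by default.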
