Permissions Management

If you need to assign different permissions to employees in your enterprise to access your DBSS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your cloud resources.

With IAM, you can create IAM users and assign permissions to control their access to specific resources. For example, some software developers in your enterprise need to use DBSS but must not delete DBSS resources or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DBSS resources.

If your account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

DBSS Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. After authorization, the user can perform specified operations on BMS based on the permissions.

DBSS is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects in the specified regions , the users only have permissions for ECSs in the selected projects. If you set Scope to All resources, the users have permissions for ECSs in all region-specific projects. When accessing DBSS, the users need to switch to a region where they have been authorized to use cloud services.

You can grant permissions by using roles and policies.

Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage a certain type of ECSs. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For details about the API actions supported by DBSS, see section "Permissions and Supported Actions".

Table 1 describes all the system-defined DBSS roles.

Table 1 System roles supported by DBSS
Role Name	Description	Dependency
DBSS System Administrator (DBSS system administrator, who has the permissions to perform operations on DBSS system resources)	Users with this set of permissions can perform the following operations on database audit: Creating an instance Starting, disabling, and restarting an instance Obtaining the instance list Obtaining the basic information of an instance Obtaining the audit statistics Obtaining the monitoring information Obtaining the operation logs Managing databases Managing agents Configuring email notifications Backup and restoration	To perform payment operations (for example, purchasing or renewing a DBSS instance), you must have the BSS Administrator, VPC Administrator, and ECS Administrator roles. VPC Administrator: Users with this set of permissions can perform all execution permission for Virtual Private Cloud (VPC). It is a project-level role, which must be assigned in the same project. BSS Administrator: Users with this set of permissions can perform any operation on menu items on pages My Account, Billing Center, and Resource Center. It is a project-level role, which must be assigned in the same project. ECS Administrator: Users with this set of permissions can perform any operations on an ECS. It is a project-level role, which must be assigned in the same project.
DBSS Audit Administrator (DBSS audit administrator, who has the permissions to check DBSS security logs)	Users with this set of permission can perform the following operations on database audit: Obtaining the instance list Obtaining the basic information of an instance Obtaining the audit statistics Obtaining the report results Obtaining the rule information Obtaining the statement information Obtaining the session information Obtaining the monitoring information Obtaining the operation logs Obtaining the database list Managing reports	None
DBSS Security Administrator (DBSS security administrator, who has the permissions to set DBSS security policies)	Users with this set of permission can perform the following operations on database audit: Obtaining the instance list Obtaining the basic information of an instance Obtaining the audit statistics Obtaining the report results Obtaining the rule information Obtaining the statement information Obtaining the session information Obtaining the monitoring information Obtaining the operation logs Obtaining the database list Configuring audit rules Configuring alarm notifications Managing reports	None

Была ли эта статья полезна?

Поддержка Юридические документы