Permissions
Description
If you need to grant your enterprise personnel permission to access your LTS resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your LTS resources.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use LTS resources but do not want them to be able to delete resources or perform any other high-risk operations, you can create IAM users and grant permission to use LTS resources but not permission to delete them.
If your account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.
LTS Permissions
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Cloud services often depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.
The system permissions supported by LTS are listed in Table 1.
Role/Policy Name | Description | Type | Dependencies |
---|---|---|---|
LTS FullAccess | Full permissions for LTS. Users with these permissions can perform operations on LTS. | System-defined policy | CCE Administrator, OBS Administrator, and AOM FullAccess |
LTS ReadOnlyAccess | Read-only permissions for LTS. Users with these permissions can only view LTS data. | System-defined policy | CCE Administrator, OBS Administrator, and AOM FullAccess |
LTS Administrator | Administrator permissions for LTS. | System-defined role | Tenant Guest and Tenant Administrator |
Table 2 lists the common operations supported by system-defined permissions for LTS.
Operation | LTS FullAccess | LTS ReadOnlyAccess | LTS Administrator |
---|---|---|---|
Querying a log group | √ | √ | √ |
Creating a log group | √ | × | √ |
Modifying a log group | √ | × | √ |
Deleting a log group | √ | × | √ |
Querying a log stream | √ | √ | √ |
Creating a log stream | √ | × | √ |
Modifying a log stream | √ | × | √ |
Deleting a log stream | √ | × | √ |
Configuring log collection from hosts | √ | × | √ |
Querying a filter | √ | √ | √ |
Disabling a filter | √ | × | √ |
Enabling a filter | √ | × | √ |
Deleting a filter | √ | × | √ |
Viewing a log transfer task | √ | √ | √ |
Creating a log transfer task | √ | × | √ |
Modifying a log transfer task | √ | × | √ |
Deleting a log transfer task | √ | × | √ |
Enabling a log transfer task | √ | × | √ |
Disabling a log transfer task | √ | × | √ |
Installing ICAgent | √ | × | √ |
Upgrading ICAgent | √ | × | √ |
Uninstalling ICAgent | √ | × | √ |