OpenTelekomCloud Proposal Bot
b6e0030d26
Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com> Co-authored-by: OpenTelekomCloud Proposal Bot <proposalbot@otc-service.com> Co-committed-by: OpenTelekomCloud Proposal Bot <proposalbot@otc-service.com>
16 KiB
- original_name
cc_01_0008.html
Permissions
If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM allows you to control access to your Cloud Connect resources.
With IAM, you can create IAM users for certain employees in your enterprise and assign permissions to control their access to Cloud Connect resources. For example, you can assign permissions to software developers so that they use Cloud Connect but cannot delete Cloud Connect resources or perform any other high-risk operations.
Skip this part if you do not require individual IAM users for refined permissions management.
IAM is a free service. For more information about IAM, see the What Is IAM?
Cloud Connect Permissions
By default, new IAM users do not have permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups.
Cloud Connect is a global service for access from any region. You can assign IAM permissions to users in the global service project. In this way, users do not need to switch regions when they access IAM.
You can grant permissions by using roles or policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions based on user responsibility. This mechanism provides only a limited number of service-level roles. When using roles to grant permissions, you may need to also assign other dependency roles. Roles are not an ideal choice for fine-grained authorization.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, the administrator can grant Cloud Connect users only the permissions for managing cloud connections.
Table 1 <cc_01_0008__en-us_topic_0173524723_en-us_topic_0173475706_en-us_topic_0170232209_table481412518317> lists the system-defined roles or policies supported by Cloud Connect.
| System Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| Cross Connect Administrator | Administrator permissions for Cloud Connect. Users with this role must also have the Tenant Guest and VPC Administrator permissions. Note Users who have these permissions can only view Cloud Connect resources. You are advised to use the CC FullAccess policy. |
System-defined role | Tenant Guest and VPC Administrator
|
| CC FullAccess | All permissions on Cloud Connect. | System-defined policy | CC Network Depend QueryAccess |
| CC ReadOnlyAccess | Read-only permissions for Cloud Connect. Users who have these permissions can only view Cloud Connect resources. | System-defined policy | - |
| CC Network Depend QueryAccess | Read-only permissions required to access dependency resources when using Cloud Connect. Users who have these permissions can view VPCs. Note If you only have the CC FullAccess permission, you cannot select Enterprise Router on the console. In this case, you need the CC Network Depend QueryAccess, Tenant Guest, or ER FullAccess permission. |
System-defined policy | - |
Table 2 <cc_01_0008__table13641113421711> lists common operations supported by each system-defined role.
Note
When you configure system policies CC FullAccess and CC ReadOnlyAccess, select Global services for Scope. In this case, the two system policies can take effect for resources such as network instances, inter-domain bandwidths, and routes.
| Operation | Cross Connect Administrator | CC FullAccess | CC ReadOnlyAccess | CC Network Depend QueryAccess |
|---|---|---|---|---|
| Creating a central network | x | Y | x | x |
| Updating a central network | x | Y | x | x |
| Deleting a central network | x | Y | x | x |
| Querying details of a central network | Y | Y | Y | x |
| Querying central networks | Y | Y | Y | x |
| Adding a central network policy | x | Y | x | x |
| Applying a central network policy | x | Y | x | x |
| Deleting a central network policy | x | Y | x | x |
| Querying central network policies | Y | Y | Y | x |
| Querying policy changes | Y | Y | Y | x |
| Querying central network connections | Y | Y | Y | x |
| Updating a central network connection | x | Y | x | x |
| Querying quotas | Y | Y | Y | x |
| Querying the capabilities | Y | Y | Y | x |
| Creating a global connection bandwidth | x | Y | x | x |
| Updating a global connection bandwidth | x | Y | x | x |
| Querying a global connection bandwidth | Y | Y | Y | x |
| Deleting a global connection bandwidth | x | Y | x | x |