diff --git a/docs/iam/permissions/ALL_META.TXT.json b/docs/iam/permissions/ALL_META.TXT.json
index 52341cbfb..8aa9a9edd 100644
--- a/docs/iam/permissions/ALL_META.TXT.json
+++ b/docs/iam/permissions/ALL_META.TXT.json
@@ -5,15 +5,16 @@
 	{
 		"uri":"permissions.html",
 		"node_id":"permissions.xml",
-		"product_code":"",
+		"product_code":"iam",
 		"code":"1",
-		"des":"Permissions are user management and cloud service management permissions. User management involves creating, deleting, and modifying users and granting permissions to use",
-		"doc_type":"",
+		"des":"By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users ",
+		"doc_type":"permissions",
 		"kw":"Permissions",
 		"search_title":"",
 		"metedata":[
 			{
-				
+				"prodname":"iam",
+				"documenttype":"permissions"
 			}
 		],
 		"title":"Permissions",
diff --git a/docs/iam/permissions/CLASS.TXT.json b/docs/iam/permissions/CLASS.TXT.json
index 808b7620b..3eaae1f83 100644
--- a/docs/iam/permissions/CLASS.TXT.json
+++ b/docs/iam/permissions/CLASS.TXT.json
@@ -1,10 +1,10 @@
 [
 	{
-		"desc":"Permissions are user management and cloud service management permissions. User management involves creating, deleting, and modifying users and granting permissions to use",
-		"product_code":"",
+		"desc":"By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users ",
+		"product_code":"iam",
 		"title":"Permissions",
 		"uri":"permissions.html",
-		"doc_type":"",
+		"doc_type":"permissions",
 		"p_code":"",
 		"code":"1"
 	}
diff --git a/docs/iam/permissions/en-us_image_0000001655594621.png b/docs/iam/permissions/en-us_image_0000002264517658.png
similarity index 100%
rename from docs/iam/permissions/en-us_image_0000001655594621.png
rename to docs/iam/permissions/en-us_image_0000002264517658.png
diff --git a/docs/iam/permissions/permissions.html b/docs/iam/permissions/permissions.html
index cacb27b1b..02037b235 100644
--- a/docs/iam/permissions/permissions.html
+++ b/docs/iam/permissions/permissions.html
@@ -1,503 +1,1464 @@
 <a name="permissions"></a><a name="permissions"></a>
 
 <h1 class="topictitle1">Permissions</h1>
-<div id="body29755367"><div class="section" id="permissions__section159431535321"><h4 class="sectiontitle">Permission Description</h4><p id="permissions__p27649191328">Permissions are user management and cloud service management permissions. User management involves creating, deleting, and modifying users and granting permissions to users. Cloud service management involves creating, viewing, modifying, and deleting resources of cloud services. After granting user management and cloud service management permissions to a user group, the users added to the user group can inherit permissions of the user group. User group-specific permissions simplify permission management.</p>
+<div id="body101mcpsimp"><div class="section" id="permissions__title103mcpsimp"><h4 class="sectiontitle">Permission Description</h4><p id="permissions__p881116183286">By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and <span style="color:#3D3F43;">attach permissions policies or roles to these groups</span>. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.</p>
+<div class="p" id="permissions__p16882153810540"><strong id="permissions__b4305256104016">Scope</strong>: The projects for which permissions granted to a user group will be applied.<ul id="permissions__ul4318305248"><li id="permissions__li5580725152420">Global services: Services deployed without specifying physical regions, such as Object Storage Service (OBS) , are called global services. Permissions for these services must be assigned globally.</li><li id="permissions__li20580182512246">Region-specific projects: Services deployed in specific regions, such as Elastic Cloud Server (ECS) and Bare Metal Server (BMS), are called project-level services. Permissions for these services must be assigned in region-specific projects and will be applied only for specific regions.<ul id="permissions__ul6440150182014"><li id="permissions__li0348115912190">All resources: Permissions will be applied for both global services and region-specific projects, including projects created later.</li><li id="permissions__li51471535204">Region-specific projects: Permissions will be applied for the region-specific projects you select.</li></ul>
+</li></ul>
 </div>
-<div class="section" id="permissions__section649513610325"><h4 class="sectiontitle">Permission Relationship</h4><p id="permissions__p7498125143412"><span><img id="permissions__image6498758344" src="en-us_image_0000001655594621.png"></span></p>
+<p id="permissions__p17715618687"><strong id="permissions__b582018273357">Type</strong>: You can grant users permissions by using roles and policies. Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. For details, see Permission.</p>
+<ul id="permissions__ul1557382218406"><li id="permissions__li822573264616"><strong id="permissions__b1071316469539">For services that provide both policies and roles, preferentially use policies to assign permissions.</strong></li><li id="permissions__li115111144018">For services that support policy-based access control, you can create custom policies to supplement system-defined policies to allow or deny access to specific types of resources under certain conditions.</li></ul>
 </div>
-<div class="section" id="permissions__section1870510192347"><h4 class="sectiontitle">Default Permissions</h4><p id="permissions__p23001934113415">The system provides two types of default permissions: user management and cloud service management.</p>
-
-<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table1125117863516" frame="border" border="1" rules="all"><caption><b>Table 1 </b>User management permissions</caption><thead align="left"><tr id="permissions__row14251282351"><th align="left" class="cellrowborder" valign="top" width="14.65146514651465%" id="mcps1.3.3.3.2.4.1.1"><p id="permissions__p885012159383"><strong id="permissions__b661019110412">Node Name</strong></p>
+<div class="section" id="permissions__title106mcpsimp"><h4 class="sectiontitle">Permission Relationship</h4><p class="msonormal" id="permissions__p107mcpsimp"><span><img id="permissions__image102" src="en-us_image_0000002264517658.png"></span></p>
+</div>
+<div class="section" id="permissions__section1210310247381"><h4 class="sectiontitle">BASE</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table101901355151212" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row16191135511220"><th align="left" class="cellrowborder" valign="top" width="15.78%" id="mcps1.3.3.2.1.6.1.1"><p id="permissions__p51911455141212">Service</p>
 </th>
-<th align="left" class="cellrowborder" valign="top" width="26.782678267826782%" id="mcps1.3.3.3.2.4.1.2"><p id="permissions__p1786091503817"><strong id="permissions__b8612171114119">Permission Name</strong></p>
+<th align="left" class="cellrowborder" valign="top" width="16.48%" id="mcps1.3.3.2.1.6.1.2"><p id="permissions__p0191125513129">Scope</p>
 </th>
-<th align="left" class="cellrowborder" valign="top" width="58.56585658565857%" id="mcps1.3.3.3.2.4.1.3"><p id="permissions__p12862111553814"><strong id="permissions__b16612141117413">Description</strong></p>
+<th align="left" class="cellrowborder" valign="top" width="15.78%" id="mcps1.3.3.2.1.6.1.3"><p id="permissions__p219185541210">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9.07%" id="mcps1.3.3.2.1.6.1.4"><p id="permissions__p5191115512124">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="42.89%" id="mcps1.3.3.2.1.6.1.5"><p id="permissions__p3191165501215">Description</p>
 </th>
 </tr>
 </thead>
-<tbody><tr id="permissions__row325188173510"><td class="cellrowborder" valign="top" width="14.65146514651465%" headers="mcps1.3.3.3.2.4.1.1 "><p id="permissions__p17251581353">Base</p>
+<tbody><tr id="permissions__row1419125514121"><td class="cellrowborder" rowspan="4" valign="top" width="15.78%" headers="mcps1.3.3.2.1.6.1.1 "><p id="permissions__p13191955181210">BASE</p>
+<p id="permissions__p15448123910481"></p>
 </td>
-<td class="cellrowborder" valign="top" width="26.782678267826782%" headers="mcps1.3.3.3.2.4.1.2 "><p id="permissions__p172522813354">Security Administrator</p>
+<td class="cellrowborder" valign="top" width="16.48%" headers="mcps1.3.3.2.1.6.1.2 "><p id="permissions__p5191155521210">Global services</p>
 </td>
-<td class="cellrowborder" valign="top" width="58.56585658565857%" headers="mcps1.3.3.3.2.4.1.3 "><p id="permissions__p142523813359">Users with this permission can: Create, delete, and modify users. Grant permissions to users.</p>
+<td class="cellrowborder" valign="top" width="15.78%" headers="mcps1.3.3.2.1.6.1.3 "><p id="permissions__p119145513127">FullAccess</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.07%" headers="mcps1.3.3.2.1.6.1.4 "><p id="permissions__p4191145521218">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="42.89%" headers="mcps1.3.3.2.1.6.1.5 "><p id="permissions__p519114555122"><span style="color:#252B3A;">Full permissions for all services that support policy-based authorization</span>.</p>
 </td>
 </tr>
-<tr id="permissions__row1925288153519"><td class="cellrowborder" valign="top" width="14.65146514651465%" headers="mcps1.3.3.3.2.4.1.1 "><p id="permissions__p192529813359">IAM</p>
+<tr id="permissions__row7191185511219"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.1 "><p id="permissions__p191914553124">All resources</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.782678267826782%" headers="mcps1.3.3.3.2.4.1.2 "><p id="permissions__p1125218883519">Agent Operator</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.2 "><p id="permissions__p161911055161210">Tenant Guest</p>
 </td>
-<td class="cellrowborder" valign="top" width="58.56585658565857%" headers="mcps1.3.3.3.2.4.1.3 "><p id="permissions__p1764717913813">Users with this permission can switch to an entrusted user for processing services.</p>
+<td class="cellrowborder" rowspan="3" valign="top" headers="mcps1.3.3.2.1.6.1.3 "><p id="permissions__p18191955141217">Role</p>
 </td>
-</tr>
-</tbody>
-</table>
-</div>
-<div class="note" id="permissions__note914819591392"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="permissions__p14148145913915">Currently, policies only support fine-grained authorizationof ECS, EVS, and VPC. ECS Admin, ECS User, ECS Viewer, EVS Admin, EVS Viewer,VPC Admin, and VPC Viewer are preset fine-grained authorization policies.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.4 "><p id="permissions__p20191135511126">Read-only permissions for all services except IAM.</p>
+<div class="note" id="permissions__note155018552259"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="permissions__ul85025592519"><li id="permissions__li3501555112513">If the permission scope is <strong id="permissions__b110013514226">Global services</strong>, they will be applied for global services.</li><li id="permissions__li185010553255">If the permission scope is <strong id="permissions__b21181466624226">All resources</strong>, they will be applied for both global services and all region-specific projects, including projects created later.</li><li id="permissions__li25012553259">If the permission scope is <strong id="permissions__b4185094634226">Region-specific projects</strong>, they will be applied only for specific projects.</li></ul>
 </div></div>
-
-<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table2313123164115" frame="border" border="1" rules="all"><caption><b>Table 2 </b>User group for cloud service management</caption><thead align="left"><tr id="permissions__row4495623154114"><th align="left" class="cellrowborder" valign="top" width="18.509999999999998%" id="mcps1.3.3.5.2.4.1.1"><p id="permissions__p204958230419"><strong id="permissions__b1638414214120">Permission Name</strong></p>
+</td>
+</tr>
+<tr id="permissions__row1719115552125"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.1 "><p id="permissions__p819135518127">All resources</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.2 "><p id="permissions__p151919551121">Tenant Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.3 "><p id="permissions__p19491155182515">Full permissions for all services except IAM.</p>
+<div class="note" id="permissions__note194915552518"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="permissions__ul2049155112513"><li id="permissions__li24955513252">If the permission scope is <strong id="permissions__b8687369294226">Global services</strong>, they will be applied for global services.</li><li id="permissions__li14985542520">If the permission scope is <strong id="permissions__b2485471664226">All resources</strong>, they will be applied for both global services and all region-specific projects, including projects created later.</li><li id="permissions__li1450105522510">If the permission scope is <strong id="permissions__b180771704226">Region-specific projects</strong>, they will be applied only for specific projects.</li></ul>
+</div></div>
+</td>
+</tr>
+<tr id="permissions__row19191355101218"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.1 "><p id="permissions__p16191755191216">Global services</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.2 "><p id="permissions__p121911555122">Agent Operator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.1.6.1.3 "><p id="permissions__p18191055121218">Permissions for switching roles to access resources of delegating accounts.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__title150mcpsimp"><h4 class="sectiontitle">Compute</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table151mcpsimp" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row159mcpsimp"><th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.4.2.1.6.1.1"><p id="permissions__p161mcpsimp">Service</p>
 </th>
-<th align="left" class="cellrowborder" valign="top" width="26.52%" id="mcps1.3.3.5.2.4.1.2"><p id="permissions__p1549517233419"><strong id="permissions__b15385342104112">Managed Cloud Resource</strong></p>
+<th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.4.2.1.6.1.2"><p id="permissions__p163mcpsimp">Scope</p>
 </th>
-<th align="left" class="cellrowborder" valign="top" width="54.97%" id="mcps1.3.3.5.2.4.1.3"><p id="permissions__p9496142314415"><strong id="permissions__b1838664264112">Description</strong></p>
+<th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.4.2.1.6.1.3"><p id="permissions__p165mcpsimp">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9%" id="mcps1.3.4.2.1.6.1.4"><p id="permissions__p167mcpsimp">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="43%" id="mcps1.3.4.2.1.6.1.5"><p id="permissions__p169mcpsimp">Description</p>
 </th>
 </tr>
 </thead>
-<tbody><tr id="permissions__row849619232411"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p349642319419">Agent Operator</p>
+<tbody><tr id="permissions__row171mcpsimp"><td class="cellrowborder" rowspan="4" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p173mcpsimp">Elastic Cloud Server (ECS)</p>
+<p id="permissions__p174mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p15496192374116">Identity and Access Management</p>
+<td class="cellrowborder" rowspan="4" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p176mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p449614235418">Permissions for switching roles to access resources of delegating accounts.</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p178mcpsimp">ECS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9%" headers="mcps1.3.4.2.1.6.1.4 "><p id="permissions__p180mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.4.2.1.6.1.5 "><p id="permissions__p182mcpsimp">Full permissions for ECS.</p>
 </td>
 </tr>
-<tr id="permissions__row44968232412"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1549612236416">IAM ReadOnlyAccess</p>
+<tr id="permissions__row183mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p185mcpsimp">ECS ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p44961523134113">Identity and Access Management</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p549692394111">Read-only permissions for IAM.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p187mcpsimp">Read-only permissions for ECS.</p>
 </td>
 </tr>
-<tr id="permissions__row164966238414"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p449612239413">CBR Administrator</p>
+<tr id="permissions__row188mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p190mcpsimp">ECS CommonOperations</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p6496112313416">Cloud Backup and Recovery</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p94961623154120">Administrator permissions for CBR. Users granted these permissions can operate and use all vaults, backups, and policies.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p192mcpsimp">Permissions for starting, stopping, restarting, and querying ECSs.</p>
 </td>
 </tr>
-<tr id="permissions__row19496523134120"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p13496152318413">CBR User</p>
+<tr id="permissions__row193mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p195mcpsimp">Server Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p154961623164114">Cloud Backup and Recovery</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p197mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p4496142354115">Common user permissions for CBR. Users granted these permissions can create, view, and delete vaults and backups, but cannot create, update, or delete policies.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p199mcpsimp">Full permissions for ECS. This role must be used together with the <strong id="permissions__b200mcpsimp">Tenant Guest</strong> role in the same project.</p>
+<p id="permissions__p201mcpsimp">If a user needs to create, delete, or change resources of other services, the user must also be granted <strong id="permissions__b202mcpsimp">administrator permissions</strong> of the corresponding services in the same project.</p>
+<p id="permissions__p203mcpsimp">For example, if a user needs to create a new VPC when creating an ECS, the user must also be granted permissions with the <strong id="permissions__b204mcpsimp">VPC Administrator</strong> role.</p>
 </td>
 </tr>
-<tr id="permissions__row249622315414"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p349612318414">CBR Viewer</p>
+<tr id="permissions__row205mcpsimp"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p207mcpsimp">Bare Metal Server (BMS)</p>
+<p id="permissions__p208mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p04962232412">Cloud Backup and Recovery</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p210mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p04961423114119">Read-only permissions for CBR. Users granted these permissions can only view CBR data.</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p212mcpsimp">BMS FullAccess</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.4.2.1.6.1.4 "><p id="permissions__p214mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.4.2.1.6.1.5 "><p id="permissions__p216mcpsimp">Full permissions for BMS.</p>
 </td>
 </tr>
-<tr id="permissions__row10496192334110"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p749614234419">CCE Admin</p>
+<tr id="permissions__row217mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p219mcpsimp">Auto Scaling (AS)</p>
+<p id="permissions__p220mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p144961323164119">Cloud Container Engine</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p222mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p17496172384111">Read and write permissions for CCE clusters, including creating, deleting, and updating a cluster.</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p224mcpsimp">AutoScaling FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9%" headers="mcps1.3.4.2.1.6.1.4 "><p id="permissions__p226mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.4.2.1.6.1.5 "><p id="permissions__p228mcpsimp">Full permissions for the Auto Scaling service.</p>
 </td>
 </tr>
-<tr id="permissions__row15496152314415"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p19496172319410">CCE Administrator</p>
+<tr id="permissions__row229mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p231mcpsimp">AutoScaling ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p194961623104119">Cloud Container Engine</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p5496122314415">All permissions related to CCE service resources. Users who use this permission must have <strong id="permissions__b2421205494218">Tenant Guest</strong>, <strong id="permissions__b6384584426">Server Administrator</strong>, <strong id="permissions__b57971543433">OBS Tenant Administrator</strong>, and <strong id="permissions__b16806191164319">ELB Administrator</strong> permissions.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p233mcpsimp">Read-only permissions for AS.</p>
 </td>
 </tr>
-<tr id="permissions__row1149620233416"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p13496172324120">CCE Viewer</p>
+<tr id="permissions__row234mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p236mcpsimp">AutoScaling Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p144968237418">Cloud Container Engine</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p238mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p5496182315416">Read-only permissions for CCE clusters.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p240mcpsimp">Full permissions for all AS resources.</p>
+<p id="permissions__p241mcpsimp">This role must be used together with the <strong id="permissions__b242mcpsimp">ELB Administrator</strong>, <strong id="permissions__b243mcpsimp">CES Administrator</strong>, <strong id="permissions__b244mcpsimp">Server Administrator</strong>, and <strong id="permissions__b245mcpsimp">Tenant Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row10496323114115"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p184961237412">CES Administrator</p>
+<tr id="permissions__row246mcpsimp"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p248mcpsimp">Image Management Service (IMS)</p>
+<p id="permissions__p249mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1949613230411">Cloud Eye</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p251mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p749782324118">Permissions to view monitoring metrics as well as add, modify, and delete alarm rules. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p253mcpsimp">IMS FullAccess</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.4.2.1.6.1.4 "><p id="permissions__p255mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.4.2.1.6.1.5 "><p id="permissions__p257mcpsimp">Full permissions for IMS.</p>
 </td>
 </tr>
-<tr id="permissions__row1249702394112"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p144977237417">CSBS Administrator</p>
+<tr id="permissions__row258mcpsimp"><td class="cellrowborder" rowspan="5" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p260mcpsimp">FunctionGraph</p>
+<p id="permissions__p261mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p8497102324116">Cloud Server Backup Service</p>
+<td class="cellrowborder" rowspan="5" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p263mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p8497152314417">Permissions to create, restore, and delete backups of ECSs, and manage backup policies. The creation, restoration, and management permissions depend on the Server Administrator permission. If the Server Administrator permission is unavailable, ECS information cannot be obtained when users create and restore backups. If the Server Administrator permission is unavailable, ECS information cannot be obtained when users associate ECSs with backup policies..</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p265mcpsimp">FunctionGraph FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9%" headers="mcps1.3.4.2.1.6.1.4 "><p id="permissions__p267mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.4.2.1.6.1.5 "><p id="permissions__p269mcpsimp">Full permissions for FunctionGraph.</p>
 </td>
 </tr>
-<tr id="permissions__row34970238413"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1349717236416">CSS Administrator</p>
+<tr id="permissions__row270mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p272mcpsimp">FunctionGraph ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p249722314118">Cloud Search Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p3497223114113">Management permissions on all CSS resources.The permissions depend on the Tenant Guest and Server Administrator permissions. CSS cannot run properly if either of the permissions is unavailable.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p274mcpsimp">Read-only permissions for FunctionGraph.</p>
 </td>
 </tr>
-<tr id="permissions__row3497123164110"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p11497423144116">CTS Administrator</p>
+<tr id="permissions__row275mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p277mcpsimp">FunctionGraph CommonOperations</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p194971323124111">Cloud Trace Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p34975236410">Full permissions for CTS. This policy depends on the Tenant Guest policy in the same project and the Tenant Administrator policy in the OBS project.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p279mcpsimp">Common operation permissions for FunctionGraph, including permissions for querying functions and triggers and invoking functions.</p>
 </td>
 </tr>
-<tr id="permissions__row1349752318417"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p12497182324118">DCS Administrator</p>
+<tr id="permissions__row280mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p282mcpsimp">FunctionGraph Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p15497423154117">Distributed Cache Service</p>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p284mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p10497523144119">Permissions to: Create, start, stop, restart, and delete DCS instances. Change passwords of DCS instances. Configure DCS instance parameters.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p286mcpsimp">Permissions for managing FunctionGraph functions and triggers.</p>
+<p id="permissions__p287mcpsimp">This role must be used together with the <strong id="permissions__b288mcpsimp">Tenant Guest</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row549715237410"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p19497172324117">DDS Administrator</p>
+<tr id="permissions__row289mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p291mcpsimp">FunctionGraph Invoker</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p2049711237411">Document Database Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p204979236417">Users who have this right, plus <strong id="permissions__b919210235431">Tenant Guest</strong> and <strong id="permissions__b326411273432">Server Administrator</strong> rights, can perform any operations on DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the <strong id="permissions__b45535164318">Tenant Guest</strong> or <strong id="permissions__b2096517389433">Server Administrator</strong> right cannot use DDS. Users who have the <strong id="permissions__b814494654315">VPC Administrator</strong> right can create VPCs or subnets. Users who have the <strong id="permissions__b1961015254312">CES Administrator</strong> right can add or modify alarm rules for DB instances.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p293mcpsimp">Permissions for querying FunctionGraph functions and triggers.</p>
 </td>
 </tr>
-<tr id="permissions__row13497142324116"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p14497142313419">DIS Administrator</p>
+<tr id="permissions__row294mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p296mcpsimp">Dedicated Host (DeH)</p>
+<p id="permissions__p297mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p19497172314413">Data Ingestion Service</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p299mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p649722318412">Permissions to: Create, delete, query, and list DIS streams. Push data to DIS streams or pull data from them. Query stream monitoring metrics.</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.4.2.1.6.1.3 "><p id="permissions__p301mcpsimp">DeH FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9%" headers="mcps1.3.4.2.1.6.1.4 "><p id="permissions__p303mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.4.2.1.6.1.5 "><p id="permissions__p305mcpsimp">Full permissions for DeH.</p>
 </td>
 </tr>
-<tr id="permissions__row124971239414"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1449742394112">DMS Administrator</p>
+<tr id="permissions__row306mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p308mcpsimp">DeH CommonOperations</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p16497182316414">Distributed Message Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p149713238413">Administrator permissions for DMS. Users granted these permissions can perform all operations on DMS queues.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p310mcpsimp">Basic operation permissions for DeH.</p>
 </td>
 </tr>
-<tr id="permissions__row1849742319413"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p5497192315415">DNS Administrator</p>
+<tr id="permissions__row311mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.1 "><p id="permissions__p313mcpsimp">DeH ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p549782317414">Domain Name Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p194981423104116">Permissions to create, query, and delete zones and record sets.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.1.6.1.2 "><p id="permissions__p315mcpsimp">Read-only permissions for DeH. Users with these permissions can only query DeHs.</p>
 </td>
 </tr>
-<tr id="permissions__row24982232411"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p74988235412">DWS Administrator</p>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__title317mcpsimp"><h4 class="sectiontitle">Storage</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table318mcpsimp" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row326mcpsimp"><th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.5.2.1.6.1.1"><p id="permissions__p328mcpsimp">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.5.2.1.6.1.2"><p id="permissions__p330mcpsimp">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="17%" id="mcps1.3.5.2.1.6.1.3"><p id="permissions__p332mcpsimp">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9%" id="mcps1.3.5.2.1.6.1.4"><p id="permissions__p334mcpsimp">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="42%" id="mcps1.3.5.2.1.6.1.5"><p id="permissions__p336mcpsimp">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row338mcpsimp"><td class="cellrowborder" rowspan="4" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p340mcpsimp">Object Storage Service (OBS)</p>
+<p id="permissions__p341mcpsimp">(Global service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p4498523194120">Data Warehouse Service</p>
+<td class="cellrowborder" rowspan="4" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p343mcpsimp">Global services</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p94983233415">Management permissions on all DWS resources. The permissions depend on the <strong id="permissions__b4371110204414">Tenant Guest</strong> and <strong id="permissions__b1434115204414">Server Administrator</strong> permissions. DWS cannot run properly if either of the permissions is unavailable. If DWS users are to create a VPC or a subnet, the <strong id="permissions__b6688163624410">VPC Administrator</strong> permission is required. If DWS users are to view monitoring metrics of data warehouse clusters, the <strong id="permissions__b5572152815446">CES Administrator</strong> permission is required.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p345mcpsimp">OBS OperateAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p347mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p349mcpsimp">Users with this permission can perform all operations specified by <strong id="permissions__b350mcpsimp">OBS ReadOnlyAccess</strong> and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.</p>
 </td>
 </tr>
-<tr id="permissions__row14498142344119"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p12498723104111">DWS Database Access</p>
+<tr id="permissions__row351mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p353mcpsimp">OBS Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p4498623104120">Data Warehouse Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p349810239417">DWS Database Access permission. Users with this permission can generate temporary database user credentials based on IAM users to connect to the DWS cluster database.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p355mcpsimp">Allows you to perform any operation on all OBS resources under the account.</p>
 </td>
 </tr>
-<tr id="permissions__row1949892374117"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p8498102384116">ECS Admin</p>
+<tr id="permissions__row356mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p358mcpsimp">OBS ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p12498623134116">Elastic Cloud Server</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p449862374114">All ECS operation permissions, including creating, deleting, and viewing ECSs and modifying ECS specifications.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p360mcpsimp">Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects.</p>
 </td>
 </tr>
-<tr id="permissions__row1549892384111"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1549852315412">ECS User</p>
+<tr id="permissions__row361mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p363mcpsimp">OBS Buckets Viewer</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p2498723174110">Elastic Cloud Server</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p365mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p12498102311411">General operation permissions on ECSs (such as viewing and restarting ECSs), but not advanced operation permissions (such as creating or deleting ECSs, or reinstalling/changing ECS OSs).</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p367mcpsimp">Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata.</p>
 </td>
 </tr>
-<tr id="permissions__row949812394110"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p18498122344117">ECS Viewer</p>
+<tr id="permissions__row368mcpsimp"><td class="cellrowborder" rowspan="2" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p370mcpsimp">Elastic Volume Service (EVS)</p>
+<p id="permissions__p371mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1449814233417">Elastic Cloud Server</p>
+<td class="cellrowborder" rowspan="2" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p373mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p6498182354111">ECS read-only permissions, such as viewing ECSs.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p22081618491">EVS Admin</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p377mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p2069512397911">All EVS operation permissions, including creating, deleting, and viewing EVS disks and modifying EVS disk specifications.</p>
 </td>
 </tr>
-<tr id="permissions__row17498102344112"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p12498132319415">ELB Administrator</p>
+<tr id="permissions__row380mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p740813261096">EVS Viewer</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p20498192354116">Elastic Load Balancing</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p949822374118">Permissions on all ELB resources. This permission depends on the VPC Administrator, Server Administrator, CES Administrator, and OBS Administrator permissions. Users who use the ELB Administrator permission cannot use some functions provided by the ELB service if they do not have the preceding permissions. If users who use this permission do not have the VPC Administrator and Server Administrator permissions, they cannot create or delete load balancers and backend servers. If users who use this permission do not have the CES Administrator permission, monitoring data cannot be reported to Cloud Eye. If users who use this permission do not have the OBS Administrator permission, data backups cannot be stored in OBS buckets.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p139412048097">EVS read-only permission, such as viewing EVS disks and EVS disk details.</p>
 </td>
 </tr>
-<tr id="permissions__row949815237417"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p164981123134111">EVS Admin</p>
+<tr id="permissions__row392mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p394mcpsimp">Cloud Backup and Recovery (CBR)</p>
+<p id="permissions__p395mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p14987231418">Elastic Volume Service</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p397mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p4498172374112">All EVS operation permissions, including creating, deleting, and viewing EVS disks and modifying EVS disk specifications.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p399mcpsimp">CBR FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p401mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p403mcpsimp">Administrator permissions for using all vaults and policies on CBR.</p>
 </td>
 </tr>
-<tr id="permissions__row1949910236419"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1049962313415">EVS Viewer</p>
+<tr id="permissions__row404mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p406mcpsimp">CBR BackupsAndVaultsFullAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p049922344120">Elastic Volume Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p549982314113">EVS read-only permission, such as viewing EVS disks and EVS disk details.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p408mcpsimp">Common user permissions for creating, viewing, and deleting vaults on CBR.</p>
 </td>
 </tr>
-<tr id="permissions__row6499122314112"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p18499142354116">GaussDB FullAccess</p>
+<tr id="permissions__row409mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p411mcpsimp">CBR ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p6499182314117">GaussDB(for MySQL)</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p17499102317415">Full permissions for GaussDB</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p413mcpsimp">Read-only permissions for viewing data on CBR.</p>
 </td>
 </tr>
-<tr id="permissions__row4499172315410"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p15499112315410">GaussDB ReadOnlyAccess</p>
+<tr id="permissions__row414mcpsimp"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p416mcpsimp">Storage Disaster Recovery Service (SDRS)</p>
+<p id="permissions__p417mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p10499192314118">GaussDB(for MySQL)</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p419mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p134999237415">Read-only permissions for GaussDB</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p421mcpsimp">SDRS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p423mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p425mcpsimp">Full permissions for SDRS.</p>
+<p id="permissions__p426mcpsimp">This role must be used together with the <strong id="permissions__b427mcpsimp">Tenant Guest</strong> and <strong id="permissions__b428mcpsimp">Server Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row649922314414"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p94991231419">IAM ReadOnlyAccess</p>
+<tr id="permissions__row446mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p431mcpsimp">Scalable File Service (SFS)</p>
+<p id="permissions__p432mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p14499112334118">Identity and Access Management</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p434mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p949922374111">Read-only permissions for IAM.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p448mcpsimp">SFS Turbo FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p438mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p17465259112918">All permissions of Scalable File Service (SFS Turbo).</p>
 </td>
 </tr>
-<tr id="permissions__row649919239413"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1449942314114">IMS Administrator</p>
+<tr id="permissions__row451mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p453mcpsimp">SFS Turbo ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p34992238419">Image Management Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p18499623194117">Permissions to create, modify, delete, and share images. The permissions depend on the <strong id="permissions__b64616525443">Server Administrator</strong> and <strong id="permissions__b993015619446">OBS Tenant Administrator</strong> permissions. To create an image using an ECS, users need to configure this permission as well as the <strong id="permissions__b13391644453">Server Administrator</strong> permission. To create an image using an image file, users need to configure this permission as well as the <strong id="permissions__b1376031894517">OBS Tenant Guest</strong> permission. To export an image, users need to configure this permission as well as the <strong id="permissions__b1481382410451">OBS Tenant Administrator</strong> permission. To query predefined tags when adding a tag to an image or searching for an image by tag, users need to configure this permission as well as the <strong id="permissions__b156801929114515">TMS Administrator</strong> permission.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p15413418297">The read-only permissions to all Scalable File Service (SFS Turbo) resources.</p>
 </td>
 </tr>
-<tr id="permissions__row34991123154117"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p16499723124116">KMS Administrator</p>
+<tr id="permissions__row456mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p458mcpsimp">SFS Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1149912312414">Key Management Service</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p460mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p949922344113">Permissions to: Create, enable, disable, schedule the deletion of, and cancel the scheduled deletion of CMKs. Query the list of CMKs and information about CMKs. Create random numbers. Create DEKs. Create DEKs without plaintext. Encrypt and decrypt DEKs. Change the aliases and description of CMKs. Create, revoke, and query grants on CMKs. Import, delete CMK material. Add, delete, and query CMK tags.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p031104914298">Scalable File Service Administrator.</p>
 </td>
 </tr>
-<tr id="permissions__row1149982314119"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p10499142311412">LTS Administrator</p>
+<tr id="permissions__row465mcpsimp"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p467mcpsimp">Cloud Server Backup Service (CSBS)</p>
+<p id="permissions__p468mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p194991923124116">Log Tank Service</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p470mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1349932318412">Permissions to create log groups, query log groups, delete log groups, create log topics, query log topics, and delete log topics.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p472mcpsimp">CSBS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p474mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p476mcpsimp">Full permissions for CSBS.</p>
+<p id="permissions__p477mcpsimp">This role must be used together with the <strong id="permissions__b478mcpsimp">Server Administrator</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row949912232418"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p449911237416">ModelArts CommonOperations</p>
+<tr id="permissions__row479mcpsimp"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.1 "><p id="permissions__p481mcpsimp">Volume Backup Service (VBS)</p>
+<p id="permissions__p482mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1149942319411">ModelArts</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.1.6.1.2 "><p id="permissions__p484mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p549912344119">Common user permissions for ModelArts. Users granted these permissions can operate and use ModelArts, but cannot manage dedicated resource pools.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.5.2.1.6.1.3 "><p id="permissions__p486mcpsimp">VBS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.5.2.1.6.1.4 "><p id="permissions__p488mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="42%" headers="mcps1.3.5.2.1.6.1.5 "><p id="permissions__p490mcpsimp">Full permissions for VBS.</p>
+<p id="permissions__p491mcpsimp">This role must be used together with the <strong id="permissions__b492mcpsimp">Tenant Guest</strong> and <strong id="permissions__b493mcpsimp">Server Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row12500112316416"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1750019234412">ModelArts FullAccess</p>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__title495mcpsimp"><h4 class="sectiontitle">Network</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table496mcpsimp" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row504mcpsimp"><th align="left" class="cellrowborder" valign="top" width="15.841584158415841%" id="mcps1.3.6.2.1.6.1.1"><p id="permissions__p506mcpsimp">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="15.841584158415841%" id="mcps1.3.6.2.1.6.1.2"><p id="permissions__p508mcpsimp">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="17.82178217821782%" id="mcps1.3.6.2.1.6.1.3"><p id="permissions__p510mcpsimp">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="8.91089108910891%" id="mcps1.3.6.2.1.6.1.4"><p id="permissions__p512mcpsimp">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="41.584158415841586%" id="mcps1.3.6.2.1.6.1.5"><p id="permissions__p514mcpsimp">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row516mcpsimp"><td class="cellrowborder" rowspan="4" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p518mcpsimp">Virtual Private Cloud (VPC)</p>
+<p id="permissions__p519mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p950018235413">ModelArts</p>
+<td class="cellrowborder" rowspan="4" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p521mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1500172354111">Administrator permissions for ModelArts. Users granted these permissions can operate and use ModelArts.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p523mcpsimp">VPC FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p525mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p527mcpsimp">Full permissions for VPC.</p>
 </td>
 </tr>
-<tr id="permissions__row450072316417"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p155004231412">MRS Administrator</p>
+<tr id="permissions__row528mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p530mcpsimp">VPC ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p95001323194119">MapReduce Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p0500152314117">Permissions to view MRS overview information, operation logs, cluster information, job information, HDFS file operation information, alarm list, and MRS Manager portal.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p532mcpsimp">Read-only permissions for VPC.</p>
 </td>
 </tr>
-<tr id="permissions__row115001237416"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p125001723154114">NAT Gateway Administrator</p>
+<tr id="permissions__row533mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p535mcpsimp">VPC Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1750018234414">NAT Gateway</p>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p537mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p12500122320419">Permissions to create, delete, modify, and query all resources of the NAT Gateway service. The permissions depend on the Tenant Guest permission. If a NAT user needs resources, including VPCs, subnets, and EIPs, to create NAT gateways, the VPC Administrator and Server Administrator permissions are required.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p539mcpsimp">Permissions for VPC, excluding permissions for creating, modifying, deleting, and viewing security groups and security group rules.</p>
+<p id="permissions__p540mcpsimp">This role must be used together with the <strong id="permissions__b541mcpsimp">Tenant Guest</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row1450072313419"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p45007230412">OBS Buckets Viewer</p>
+<tr id="permissions__row542mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p544mcpsimp">Server Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1050062317417">Object Storage Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1750092311415">Operation permissions: listing buckets, obtaining basic bucket information, obtaining bucket metadata, and listing objects.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p546mcpsimp">Permissions for performing operations on EIPs, security groups, and ports.</p>
+<p id="permissions__p547mcpsimp">This role must be used together with the <strong id="permissions__b548mcpsimp">Tenant Guest</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row25001123164114"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p155001223154118">RDS Administrator</p>
+<tr id="permissions__row549mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p551mcpsimp">Elastic Load Balance (ELB)</p>
+<p id="permissions__p552mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p15500182364118">Relational Database Service</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p554mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p19500142394115">Users who have this right, plus <strong id="permissions__b10869175612453">Tenant Guest</strong> and <strong id="permissions__b175518194616">Server Administrator</strong> rights, can perform any operations on RDS and DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the <strong id="permissions__b59852604619">Tenant Guest</strong> or <strong id="permissions__b1740611016464">Server Administrator</strong> right cannot use RDS and DDS. NOTE Users who have the <strong id="permissions__b16327720104616">VPC Administrator</strong> right can create VPCs or subnets. Users who have the <strong id="permissions__b7163230174610">CES Administrator</strong> right can add or modify alarm rules for DB instances.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p556mcpsimp">ELB FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p558mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p560mcpsimp">Full permissions for ELB.</p>
 </td>
 </tr>
-<tr id="permissions__row117012041914"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1268321420511"><span style="color:#191919;">RDS ManageAccess</span></p>
+<tr id="permissions__row561mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p563mcpsimp">ELB ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1770110411619">Relational Database Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p07061623155112">Database administrator permissions for all operations except deleting RDS resources.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p565mcpsimp">Read-only permissions for ELB.</p>
 </td>
 </tr>
-<tr id="permissions__row125302445110"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1168351410513">RDS FullAccess</p>
+<tr id="permissions__row566mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p568mcpsimp">ELB Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p205305441119">Relational Database Service</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p570mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p813135022116">Full permissions for Relational Database Service.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p572mcpsimp">Full permissions for ELB.</p>
+<p id="permissions__p573mcpsimp">This role must be used together with the <strong id="permissions__b574mcpsimp">Tenant Guest</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row151465455117"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p468351418516">RDS ReadOnlyAccess</p>
+<tr id="permissions__row575mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p577mcpsimp">NAT Gateway</p>
+<p id="permissions__p578mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p11461451517">Relational Database Service</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p580mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p131467457111">Read-only permissions for Relational Database Service.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p582mcpsimp">NAT FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p584mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p586mcpsimp">Full permissions for NAT Gateway.</p>
 </td>
 </tr>
-<tr id="permissions__row125001923194120"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1750015233418">RTS Administrator</p>
+<tr id="permissions__row587mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p589mcpsimp">NAT ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p3500923164112">Resource Template Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p9500142314116">Operation permissions: All operations on RTS. To orchestrate a resource, users with this permission must also have the <strong id="permissions__b17781155016465">Administrator</strong> permission. For example: Users with this permission and the <strong id="permissions__b950814579467">Server Administrator</strong> permission can create stacks for ECS, VPC, EVS, and IMS resources. Users with this permission and the <strong id="permissions__b1459716394716">ELB Administrator</strong> permission can create an ELB resource stack.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p591mcpsimp">Read-only permissions for NAT Gateway.</p>
 </td>
 </tr>
-<tr id="permissions__row11500152344115"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p12501823194110">SDRS Administrator</p>
+<tr id="permissions__row592mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p594mcpsimp">NAT GatewayAdministrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p12501152314116">Storage Disaster Recovery Service</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p596mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p25013233413">Users with this permission can create, modify, delete, and query SDRS resources.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p598mcpsimp">Full permissions for NAT Gateway.</p>
+<p id="permissions__p599mcpsimp">This role must be used together with the <strong id="permissions__b600mcpsimp">Tenant Guest</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row1650182320411"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p350152354113">Security Administrator</p>
+<tr id="permissions__row601mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p603mcpsimp">Direct Connect</p>
+<p id="permissions__p604mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1650112317414">Base</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p606mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1250132311412">Full permissions for IAM.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p608mcpsimp">Direct Connect Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p610mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p612mcpsimp">Has all permissions for Direct Connect resources.</p>
+<p id="permissions__p613mcpsimp">For permissions of this role to take effect, users must also have the <strong id="permissions__b614mcpsimp">Tenant Guest</strong> and <strong id="permissions__b615mcpsimp">VPC Administrator</strong> permissions.</p>
 </td>
 </tr>
-<tr id="permissions__row25011723144113"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1050192304112">Server Administrator</p>
+<tr id="permissions__row616mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p618mcpsimp">DCAAS FullAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p7501323164116">Base</p>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p620mcpsimp">Policy</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1150182317415">For the EVS service, users with this permission can create, modify, and delete EVS disks. For the ECS service, users with this permission can create, modify, and delete ECSs.This role must be used together with the Tenant Guest role in the same project. For the VPC service, users with this permission and the Tenant Guest permission can perform all operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth. For the IMS service, users with this permission can create, delete, query, and modify images.This role must be used together with the IMS Administrator role in the same project.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p622mcpsimp">Full permissions for Direct Connect.</p>
 </td>
 </tr>
-<tr id="permissions__row2501192334115"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p2501142334116">SFS Administrator</p>
+<tr id="permissions__row623mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p625mcpsimp">DCAAS ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p14501323194118">Scalable File Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p25017231415">Users with both this permission and the <strong id="permissions__b103328137478">Tenant Guest</strong> permission can create, delete, query, expand, and downsize the file system.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p627mcpsimp">Read-only permissions for Direct Connect.</p>
 </td>
 </tr>
-<tr id="permissions__row14501162314112"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p9501122354110">SFS Turbo Administrator</p>
+<tr id="permissions__row628mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p630mcpsimp">Virtual Private Network (VPN)</p>
+<p id="permissions__p631mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p950282304111">Scalable File Service</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p633mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1150232364116">Users with both this permission and the Tenant Guest permission can create, delete, query, and expand the SFS Turbo file system.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p635mcpsimp">VPN Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p637mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p639mcpsimp">Administrator permissions for VPN.</p>
+<p id="permissions__p640mcpsimp">This role must be used together with the <strong id="permissions__b641mcpsimp">Tenant Guest</strong> and <strong id="permissions__b642mcpsimp">VPC Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row1550212231416"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1850252384117">SFS Turbo Viewer</p>
+<tr id="permissions__row643mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p645mcpsimp">VPN FullAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1502123144114">Scalable File Service</p>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p647mcpsimp">Policy</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1050252315414">Read-only permissions. Users granted these permissions can only view file system data.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p649mcpsimp">Full permissions for VPN.</p>
 </td>
 </tr>
-<tr id="permissions__row17502102384116"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1502172316418">SMN Administrator</p>
+<tr id="permissions__row650mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p652mcpsimp">VPN ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p17502323134110">Simple Message Notification</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p18502122324114">Permissions to: Create, modify, delete, and view topics. Create, delete, and view subscriptions. Create, modify, delete, and view message templates.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p654mcpsimp">Read-only permissions for VPN.</p>
 </td>
 </tr>
-<tr id="permissions__row35021523154111"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1050292354113">SWR Administrator</p>
+<tr id="permissions__row655mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p657mcpsimp">Domain Name Service (DNS)</p>
+<p id="permissions__p658mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p3502152311413">Software Repository for Container</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p660mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p105021223194116">All SWR operation permissions, including pushing and pulling images, and granting permissions.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p662mcpsimp">DNS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p664mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p666mcpsimp">Full permissions for DNS.</p>
+<p id="permissions__p667mcpsimp">This role must be used together with the <strong id="permissions__b668mcpsimp">Tenant Guest</strong> and <strong id="permissions__b669mcpsimp">VPC Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row205024234410"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1750232384120">Tenant Administrator</p>
+<tr id="permissions__row670mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p672mcpsimp">DNS FullAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p12502122384115">Base</p>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p674mcpsimp">Policy</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1350282311411">Administrator permissions for all services except IAM.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p676mcpsimp">Full permissions for DNS.</p>
 </td>
 </tr>
-<tr id="permissions__row1450292354111"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p175021923204118">Tenant Guest</p>
+<tr id="permissions__row677mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p679mcpsimp">DNS ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p6502112324117">Base</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p12502723134116">Read-only permissions for all services except IAM.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p681mcpsimp">Read-only permissions for DNS. Users granted these permissions can only view DNS resources.</p>
 </td>
 </tr>
-<tr id="permissions__row185028231416"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p5502172314418">TMS Administrator</p>
+<tr id="permissions__row682mcpsimp"><td class="cellrowborder" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p684mcpsimp">VPC Endpoint (VPCEP)</p>
+<p id="permissions__p685mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p95025233419">Tag Management Service</p>
+<td class="cellrowborder" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p687mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p15503172344119">Users with this permission can create, modify, and delete predefined tags.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p689mcpsimp">VPCEndpoint Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p691mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p693mcpsimp">Full permissions for VPCEP.</p>
+<p id="permissions__p694mcpsimp">This role must be used together with the <strong id="permissions__b695mcpsimp">Server Administrator</strong>, <strong id="permissions__b696mcpsimp">VPC Administrator</strong>, and <strong id="permissions__b697mcpsimp">DNS Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row9503152384116"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1050317237413">VBS Administrator</p>
+<tr id="permissions__row698mcpsimp"><td class="cellrowborder" rowspan="2" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p700mcpsimp">Enterprise Router</p>
+<p id="permissions__p701mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p450322319413">Volume Backup Service</p>
+<td class="cellrowborder" rowspan="2" valign="top" width="15.841584158415841%" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p703mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p6503923194111">Permissions to create backups, delete backups, and restore data using backups. This permission depends on the <strong id="permissions__b1558116265472">ServerAdministrator</strong> and <strong id="permissions__b589618317470">Tenant Guest</strong> permissions. The VBS administrator must have permissions to manage EVS disks and read images.</p>
+<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.6.2.1.6.1.3 "><p id="permissions__p705mcpsimp">ER FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="8.91089108910891%" headers="mcps1.3.6.2.1.6.1.4 "><p id="permissions__p707mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.6.2.1.6.1.5 "><p id="permissions__p709mcpsimp">Full permissions for ER.</p>
 </td>
 </tr>
-<tr id="permissions__row15030232412"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1850332317410">VPC Admin</p>
+<tr id="permissions__row710mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.1 "><p id="permissions__p712mcpsimp">ER ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1350372310417">Virtual Private Cloud</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1050372318414">All VPC operation permissions, including creating, querying, modifying, and deleting VPCs, subnets, and security groups.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.6.2.1.6.1.2 "><p id="permissions__p714mcpsimp">Read-only permissions for ER.</p>
 </td>
 </tr>
-<tr id="permissions__row35031123154113"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1850313238419">VPC Administrator</p>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__title716mcpsimp"><h4 class="sectiontitle">Containers</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table717mcpsimp" frame="border" border="1" rules="all"><caption><b>Table 1 </b>User management permissions</caption><thead align="left"><tr id="permissions__row726mcpsimp"><th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.7.2.2.6.1.1"><p id="permissions__p728mcpsimp">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.7.2.2.6.1.2"><p id="permissions__p730mcpsimp">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="17%" id="mcps1.3.7.2.2.6.1.3"><p id="permissions__p732mcpsimp">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="8%" id="mcps1.3.7.2.2.6.1.4"><p id="permissions__p734mcpsimp">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="43%" id="mcps1.3.7.2.2.6.1.5"><p id="permissions__p736mcpsimp">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row738mcpsimp"><td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p740mcpsimp">Cloud Container Engine (CCE)</p>
+<p id="permissions__p741mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p35038236417">Virtual Private Cloud</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="16%" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p743mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p8503182320413">All operation permissions on VPCs, subnets, ports, VPNs, and Direct Connect resources. A user with the VPC Administrator permission must have the Tenant Guest permission.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.7.2.2.6.1.3 "><p id="permissions__p745mcpsimp">CCE FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="8%" headers="mcps1.3.7.2.2.6.1.4 "><p id="permissions__p747mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.7.2.2.6.1.5 "><p id="permissions__p749mcpsimp">Full permissions for CCE.</p>
 </td>
 </tr>
-<tr id="permissions__row450342304120"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p650317233412">VPC Viewer</p>
+<tr id="permissions__row750mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p752mcpsimp">CCE ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p18503172314111">Virtual Private Cloud</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1850322314414">VPC real-only permission, such as querying VPCs.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p754mcpsimp">Permissions to view CCE cluster resources, excluding namespace-level permissions for clusters that have Kubernetes RBAC enabled.</p>
 </td>
 </tr>
-<tr id="permissions__row3503523154110"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p1503132318412">VPCEndpoint Administrator</p>
+<tr id="permissions__row755mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p757mcpsimp">CCE Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p7503192374116">VPC Endpoint</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p759mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1850382354111">Full permissions for VPCEP. This role must be used together with the <strong id="permissions__b0730144294717">Server Administrator</strong>, <strong id="permissions__b1121114713477">VPC Administrator</strong>, and <strong id="permissions__b18758125212475">DNS Administrator</strong> roles in the same project.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.3 "><p id="permissions__p761mcpsimp">Read and write permissions for CCE clusters and all resources (including workloads and services) in the clusters.</p>
+<p id="permissions__p762mcpsimp">This role depends on the following permissions:</p>
+<p id="permissions__p763mcpsimp">Global services: <strong id="permissions__b764mcpsimp">OBS Buckets Viewer</strong>.</p>
+<p id="permissions__p765mcpsimp">Region-specific projects (same projects): <strong id="permissions__b766mcpsimp">Tenant Guest</strong>, <strong id="permissions__b767mcpsimp">Server Administrator</strong>, <strong id="permissions__b768mcpsimp">ELB Administrator</strong>, <strong id="permissions__b769mcpsimp">SFS Administrator</strong>, <strong id="permissions__b770mcpsimp">SWR Admin</strong>, and <strong id="permissions__b771mcpsimp">APM FullAccess</strong>.</p>
+<div class="note" id="permissions__note772mcpsimp"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="permissions__p773mcpsimp">Users also granted permissions with the <strong id="permissions__b774mcpsimp">NAT Gateway Administrator</strong> role can use NAT Gateway functions for clusters.</p>
+</div></div>
 </td>
 </tr>
-<tr id="permissions__row1350322374118"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p05031923164119">WAF Administrator</p>
+<tr id="permissions__row775mcpsimp"><td class="cellrowborder" rowspan="4" valign="top" width="16%" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p780mcpsimp">Cloud Container Instance (CCI)</p>
+<p id="permissions__p781mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p195031423134117">Web Application Firewall</p>
+<td class="cellrowborder" rowspan="4" valign="top" width="16%" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p783mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p145039236412">Permissions to: Create and delete WAF instances. Configure, enable, disable WAF instances. Modify the protection policies of WAF instances. Configure alarm notification for WAF instances. Query the WAF instance list and details. Authenticate the domain name of a WAF instance.</p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.7.2.2.6.1.3 "><p id="permissions__p785mcpsimp">CCI FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="8%" headers="mcps1.3.7.2.2.6.1.4 "><p id="permissions__p789mcpsimp">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.7.2.2.6.1.5 "><p id="permissions__p791mcpsimp">Full permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources.</p>
 </td>
 </tr>
-<tr id="permissions__row1550342354113"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p145031423184115">Anti-DDoS Administrator</p>
+<tr id="permissions__row792mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p794mcpsimp">CCI ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p115032239413">Anti-DDoS</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p8504122344116">Permissions to enable, disable, and modify configurations. This permission depends on the <strong id="permissions__b15812165844720">Tenant Guest</strong> permission and must have permission to query EIPs in VPCs.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p796mcpsimp">Read-only permissions for CCI. Users granted these permissions can only view CCI resources.</p>
 </td>
 </tr>
-<tr id="permissions__row2050415232417"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p2050462311414">DRS Administrator</p>
+<tr id="permissions__row797mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p799mcpsimp">CCI CommonOperations</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p13504152317411">Data Replication Service</p>
-</td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1150410239411">Basic permission, which must be added when DRS is used.Dependent on the Tenant Guest, Server Administrator, and RDS Administrator policies.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p801mcpsimp">Common user permissions for CCI. Users granted these permissions can perform all operations except creating, deleting, and modifying role-based access control (RBAC) policies, networks, and namespaced resources.</p>
 </td>
 </tr>
-<tr id="permissions__row1959110410496"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p195917415497"><span style="color:#191919;">DRS FullAccess</span></p>
+<tr id="permissions__row802mcpsimp"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p804mcpsimp">CCI Administrator</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p85910414914">Data Replication Service</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p806mcpsimp">Role</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p05917414499"><span style="color:#191919;">Dependent on the </span><span style="color:#36383C;">VPC FullAccess</span><span style="color:#191919;">, </span><span style="color:#36383C;">RDS ReadOnlyAccess</span><span style="color:#191919;">, and </span><span style="color:#36383C;">SMN Administrator</span><span style="color:#191919;">, </span><span style="color:#36383C;">OBS Administrator</span><span style="color:#191919;">, and </span><span style="color:#36383C;">EPS ReadOnlyAccess</span><span style="color:#191919;"> policies.</span></p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.2.6.1.3 "><p id="permissions__p808mcpsimp">Administrator permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources.</p>
 </td>
 </tr>
-<tr id="permissions__row86188174914"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p861886491"><span style="color:#191919;">DRS FullWithOutDeletePermission</span></p>
+<tr id="permissions__row809mcpsimp"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.7.2.2.6.1.1 "><p id="permissions__p814mcpsimp">Software Repository for Container (SWR)</p>
+<p id="permissions__p815mcpsimp">(Project-level service)</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p10450830165011">Data Replication Service</p>
+<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.7.2.2.6.1.2 "><p id="permissions__p817mcpsimp">Region-specific projects</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p166178154913"><span style="color:#191919;">Dependent on the </span><span style="color:#36383C;">VPC FullAccess</span><span style="color:#191919;">, </span><span style="color:#36383C;">RDS ReadOnlyAccess</span><span style="color:#191919;">, and </span><span style="color:#36383C;">SMN Administrator</span><span style="color:#191919;">, and </span><span style="color:#36383C;">OBS Administrator</span><span style="color:#191919;"> policies.</span></p>
+<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.7.2.2.6.1.3 "><p id="permissions__p1050292354113">SWR Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="8%" headers="mcps1.3.7.2.2.6.1.4 "><p id="permissions__p821mcpsimp">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="43%" headers="mcps1.3.7.2.2.6.1.5 "><p id="permissions__p105021223194116">All SWR operation permissions, including pushing and pulling images, and granting permissions.</p>
 </td>
 </tr>
-<tr id="permissions__row184341120154920"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p943414208499"><span style="color:#191919;">DRS ReadOnlyAccess</span></p>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__section220411785217"><h4 class="sectiontitle">Security &amp; Compliance</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table081018518328" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row1681175173211"><th align="left" class="cellrowborder" valign="top" width="17%" id="mcps1.3.8.2.1.6.1.1"><p id="permissions__p1056207336">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.8.2.1.6.1.2"><p id="permissions__p1656106334">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="18%" id="mcps1.3.8.2.1.6.1.3"><p id="permissions__p9574016332">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9%" id="mcps1.3.8.2.1.6.1.4"><p id="permissions__p17570093315">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="41%" id="mcps1.3.8.2.1.6.1.5"><p id="permissions__p35811043319">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row12771017222"><td class="cellrowborder" rowspan="3" valign="top" width="17%" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p1773014229">Anti-DDoS</p>
+<p id="permissions__p154811443182411">(Project-level service)</p>
+<p id="permissions__p1486352755212"></p>
+<p id="permissions__p8806430135215"></p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p10789658749">Data Replication Service</p>
+<td class="cellrowborder" rowspan="3" valign="top" width="15%" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p9952123652219">Region-specific projects</p>
+<p id="permissions__p1486319275520"></p>
+<p id="permissions__p080693065218"></p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p18927191125110">Configure the following policies as required:</p>
-<p id="permissions__p18927415514">RDS ReadOnlyAccess: This parameter needs to be configured when RDS is selected.</p>
-<p id="permissions__p492791135117">SMN Administrator: This parameter needs to be configured when SMN is selected.</p>
+<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p127712032210">Anti-DDoS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.8.2.1.6.1.4 "><p id="permissions__p677909226">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41%" headers="mcps1.3.8.2.1.6.1.5 "><p id="permissions__p1245995492414">Full permissions for Anti-DDoS.</p>
+<p id="permissions__p44601540241">This role must be used together with the <strong id="permissions__b189502692">Tenant Guest</strong> role in the same project.</p>
 </td>
 </tr>
-<tr id="permissions__row054541212518"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p545171044716">GeminiDB FullAccess</p>
+<tr id="permissions__row19863152716522"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p11863142765211">Anti-DDoS FullAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1854618125510">GeminiDB</p>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p986315275528">Policy</p>
+<p id="permissions__p10806730105214"></p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p134551013478">Full permissions for GeminiDB.</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p686302718527">All permissions for Anti-DDoS.</p>
 </td>
 </tr>
-<tr id="permissions__row127209818518"><td class="cellrowborder" valign="top" width="18.509999999999998%" headers="mcps1.3.3.5.2.4.1.1 "><p id="permissions__p09917145811">GeminiDB ReadOnlyAccess</p>
+<tr id="permissions__row11806330175216"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p188063307529">Anti-DDoS ReadOnlyAccess</p>
 </td>
-<td class="cellrowborder" valign="top" width="26.52%" headers="mcps1.3.3.5.2.4.1.2 "><p id="permissions__p1072019819512">GeminiDB</p>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p158066305527">Read-only permissions for Anti-DDoS.</p>
 </td>
-<td class="cellrowborder" valign="top" width="54.97%" headers="mcps1.3.3.5.2.4.1.3 "><p id="permissions__p1191173585">Read-only permissions for GeminiDB.</p>
+</tr>
+<tr id="permissions__row9812351153215"><td class="cellrowborder" rowspan="3" valign="top" width="17%" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p9995162372419">Host Security Service (HSS)</p>
+<p id="permissions__p1758314874919">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="15%" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p693731383410">Region-specific projects</p>
+<p id="permissions__p9837172210334"></p>
+<p id="permissions__p1087262353314"></p>
+</td>
+<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p13715619121411">HSS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.8.2.1.6.1.4 "><p id="permissions__p1843143651510">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41%" headers="mcps1.3.8.2.1.6.1.5 "><p id="permissions__p17754122153915">Full permissions for HSS.</p>
+</td>
+</tr>
+<tr id="permissions__row583792211337"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p1837322103313">HSS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p103580573414">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p209616525339">Full permissions for HSS.</p>
+</td>
+</tr>
+<tr id="permissions__row118715237336"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p18726239337">HSS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p199617526336">Read-only permissions for HSS.</p>
+</td>
+</tr>
+<tr id="permissions__row12812155123217"><td class="cellrowborder" rowspan="5" valign="top" width="17%" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p13871353349">Database Security Service (DBSS)</p>
+<p id="permissions__p18703558134917">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="5" valign="top" width="15%" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p19381113153414">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p1073216303542">DBSS System Administrator</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9%" headers="mcps1.3.8.2.1.6.1.4 "><p id="permissions__p15430364159">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41%" headers="mcps1.3.8.2.1.6.1.5 "><p id="permissions__p16500644022">Full permissions for DBSS.</p>
+</td>
+</tr>
+<tr id="permissions__row188121151143211"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p1217412216557">DBSS Audit Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p73363571740">Security auditing permissions for DBSS.</p>
+</td>
+</tr>
+<tr id="permissions__row13812155111326"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p167791758175418">DBSS Security Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p596414304410">Security protection permissions for DBSS.</p>
+</td>
+</tr>
+<tr id="permissions__row4368646051"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p1594815386216">DBSS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p17151758529">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p994818384213">Full permissions for DBSS.</p>
+</td>
+</tr>
+<tr id="permissions__row20368114611519"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p594810385215">DBSS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p13948153818219">Read-only permissions for DBSS. Users granted these permissions can only view this service and cannot configure resources in it.</p>
+</td>
+</tr>
+<tr id="permissions__row510022319366"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p209941623122419">Web Application Firewall (WAF)</p>
+<p id="permissions__p10544615497">(Project-level service)</p>
+<p id="permissions__p121256296241"></p>
+</td>
+<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p14937141363419">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p17331211171">WAF Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.8.2.1.6.1.4 "><p id="permissions__p204353610154">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="41%" headers="mcps1.3.8.2.1.6.1.5 "><p id="permissions__p145039236412">Permissions to: Create and delete WAF instances. Configure, enable, disable WAF instances. Modify the protection policies of WAF instances. Configure alarm notification for WAF instances. Query the WAF instance list and details. Authenticate the domain name of a WAF instance.</p>
+</td>
+</tr>
+<tr id="permissions__row151820446330"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.8.2.1.6.1.1 "><p id="permissions__p9182104403320">Cloud Firewall (CFW)</p>
+<p id="permissions__p4603032173516">(Project-level service)</p>
+</td>
+<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.8.2.1.6.1.2 "><p id="permissions__p8661165513516">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.8.2.1.6.1.3 "><p id="permissions__p2182164413338">CFW FullAccess</p>
+</td>
+<td class="cellrowborder" valign="top" width="9%" headers="mcps1.3.8.2.1.6.1.4 "><p id="permissions__p1074194013362">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="41%" headers="mcps1.3.8.2.1.6.1.5 "><p id="permissions__p16182144473312">Full permissions for CFW.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__section7388193514107"><h4 class="sectiontitle">Management &amp; Governance</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table015012330405" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row17150183314405"><th align="left" class="cellrowborder" valign="top" width="17%" id="mcps1.3.9.2.1.6.1.1"><p id="permissions__p1912941194018">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="15.52%" id="mcps1.3.9.2.1.6.1.2"><p id="permissions__p17127417407">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="18.05%" id="mcps1.3.9.2.1.6.1.3"><p id="permissions__p71224116401">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9.42%" id="mcps1.3.9.2.1.6.1.4"><p id="permissions__p19121241124020">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="40.01%" id="mcps1.3.9.2.1.6.1.5"><p id="permissions__p612241134013">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row1771420572915"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p57977234130">Identity and Access Management (IAM)</p>
+<p id="permissions__p1496411322139">(Global service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p1943375913910">Global service</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p343345913916">IAM ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p7344131412614">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p174341659493">Read-only permissions for IAM.</p>
+</td>
+</tr>
+<tr id="permissions__row5271191021212"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p0237201214123">Agent Operator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p2353135541110">Role</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p1723710126126">Permissions for switching roles to access services of a delegating account.</p>
+</td>
+</tr>
+<tr id="permissions__row21511833184011"><td class="cellrowborder" rowspan="3" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p16994923152418">Cloud Eye</p>
+<p id="permissions__p52124319494">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p593711373420">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p106734485467">CES Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p5432361156">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p176181344111212">Administrator permissions for Cloud Eye</p>
+</td>
+</tr>
+<tr id="permissions__row61516334400"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p91585211919">CES FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p18361055144514">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p537195712125">Administrator permissions for Cloud Eye. Users granted these permissions can perform all operations on Cloud Eye.</p>
+</td>
+</tr>
+<tr id="permissions__row13151123374018"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p8652617512">CES ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p1249321241314">Read-only permissions for Cloud Eye. Users granted these permissions can only view Cloud Eye data.</p>
+</td>
+</tr>
+<tr id="permissions__row191511133174012"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p187901129194611">Application Operations Management (AOM)</p>
+<p id="permissions__p9919193334913">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p17936413183420">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p136644017144">AOM Admin</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p21154517479">Policy</p>
+<p id="permissions__p294518257422"></p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p18449127141517">Administrator permissions for AOM. Users granted these permissions can operate and use AOM.</p>
+</td>
+</tr>
+<tr id="permissions__row1515110333403"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p133487881412">AOM Viewer</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p8121408203">Read-only permissions for AOM. Users granted these permissions can only view AOM data.</p>
+</td>
+</tr>
+<tr id="permissions__row161522337401"><td class="cellrowborder" rowspan="3" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p195425917471">Application Performance Management (APM)</p>
+<p id="permissions__p15818173617492">(Project-level service)</p>
+<p id="permissions__p1368219593157"></p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p2936113173416">Region-specific projects</p>
+<p id="permissions__p168295918151"></p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p196395211412">APM FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p1660133264813">Policy</p>
+<p id="permissions__p17105151819437"></p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p5470103713219">All permissions for APM.</p>
+</td>
+</tr>
+<tr id="permissions__row101525336404"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p10791252111414">APM ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p1913475182112">Read-only permissions for APM.</p>
+</td>
+</tr>
+<tr id="permissions__row1168265981518"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p114451912164">APM Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p214416194160">Role</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p81441195167">Administrator for APM.All permissions of APM.</p>
+</td>
+</tr>
+<tr id="permissions__row1324615427500"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p15988192312244">Cloud Trace Service (CTS)</p>
+<p id="permissions__p9881312134915">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p3934191310348">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p172467420505">CTS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p1713969195118">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p6246144225014">Full permissions for CTS.</p>
+</td>
+</tr>
+<tr id="permissions__row053711451506"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p9537164505018">CTS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p175378456509">Read-only permissions for CTS.</p>
+</td>
+</tr>
+<tr id="permissions__row1297703211437"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p185037294505">Log Tank Service (LTS)</p>
+<p id="permissions__p0503142935016">(Project-level service)</p>
+</td>
+<td class="cellrowborder" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p149339132340">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p07081831133218">LTS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p54211362156">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p1349932318412">Permissions to create log groups, query log groups, delete log groups, create log topics, query log topics, and delete log topics.</p>
+</td>
+</tr>
+<tr id="permissions__row15594568373"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p12923129113916">Tag Management Service (TMS)</p>
+<p id="permissions__p0636112154019">(Global service)</p>
+</td>
+<td class="cellrowborder" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p1792821303418">Global services</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p12251125493920">TMS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p1242836171515">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p18346923162915">Users with this permission can create, modify, and delete predefined tags.</p>
+</td>
+</tr>
+<tr id="permissions__row7507533174319"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p163291224649">Resource Template Service (RTS)</p>
+<p id="permissions__p7659125816437">(Project-level service)</p>
+</td>
+<td class="cellrowborder" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p139341713153410">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p33291824544">RTS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p142103661518">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p752521203014">Operation permissions: All operations on RTS. To orchestrate a resource, users with this permission must also have the Administrator permission. For example: Users with this permission and the Server Administrator permission can create stacks for ECS, VPC, EVS, and IMS resources. Users with this permission and the ELB Administrator permission can create an ELB resource stack.</p>
+</td>
+</tr>
+<tr id="permissions__row13374717184011"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p35144411409">Config</p>
+<p id="permissions__p19514134194013">(Global service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="15.52%" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p33741617114013">Global services</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.05%" headers="mcps1.3.9.2.1.6.1.3 "><p id="permissions__p19579133012348">Config FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.42%" headers="mcps1.3.9.2.1.6.1.4 "><p id="permissions__p137444054110">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="40.01%" headers="mcps1.3.9.2.1.6.1.5 "><p id="permissions__p274420084113">Full permissions for Config</p>
+</td>
+</tr>
+<tr id="permissions__row317672017144"><td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.1 "><p id="permissions__p77971646163413">Config ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.9.2.1.6.1.2 "><p id="permissions__p83001353133418">Read-only permissions for Config.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__section1898913210375"><h4 class="sectiontitle">Application</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table81709136473" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row6170713144713"><th align="left" class="cellrowborder" valign="top" width="17.09%" id="mcps1.3.10.2.1.6.1.1"><p id="permissions__p11809163217617">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="15.690000000000001%" id="mcps1.3.10.2.1.6.1.2"><p id="permissions__p15809103215614">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="17.96%" id="mcps1.3.10.2.1.6.1.3"><p id="permissions__p280943218611">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9.76%" id="mcps1.3.10.2.1.6.1.4"><p id="permissions__p158091932769">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="39.5%" id="mcps1.3.10.2.1.6.1.5"><p id="permissions__p180913214610">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row18286161175413"><td class="cellrowborder" valign="top" width="17.09%" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p112100515548">Cloud Service Engine (CSE)</p>
+</td>
+<td class="cellrowborder" valign="top" width="15.690000000000001%" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p104494414557">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p328671175417">CES Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.76%" headers="mcps1.3.10.2.1.6.1.4 "><p id="permissions__p186411059115512">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="39.5%" headers="mcps1.3.10.2.1.6.1.5 "><p id="permissions__p749782324118">Permissions to view monitoring metrics as well as add, modify, and delete alarm rules. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.</p>
+</td>
+</tr>
+<tr id="permissions__row10171213204712"><td class="cellrowborder" rowspan="4" valign="top" width="17.09%" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p1301324152420">Distributed Cache Service (DCS)</p>
+<p id="permissions__p142192122502">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="4" valign="top" width="15.690000000000001%" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p83102325814">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p14310133219815">DCS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9.76%" headers="mcps1.3.10.2.1.6.1.4 "><p id="permissions__p354410434282">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="39.5%" headers="mcps1.3.10.2.1.6.1.5 "><p id="permissions__p431114322814">Full permissions for DCS.</p>
+</td>
+</tr>
+<tr id="permissions__row817181364715"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p0311123213813">DCS UserAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p83117321681">Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances.</p>
+</td>
+</tr>
+<tr id="permissions__row3171713114716"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p143126321488">DCS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p131216321983">Read-only permissions for DCS.</p>
+</td>
+</tr>
+<tr id="permissions__row18171813194715"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p10312832787">DCS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p1031219321084">Role</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p431333218812">Full permissions for DCS.</p>
+<p id="permissions__p1931319321081">This role must be used together with the <strong id="permissions__b427164216254">Tenant Guest</strong> and <strong id="permissions__b327124210253">Server Administrator</strong> roles in the same project.</p>
+</td>
+</tr>
+<tr id="permissions__row1734812493513"><td class="cellrowborder" rowspan="7" valign="top" width="17.09%" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p886552619020">Distributed Message Service (DMS)</p>
+<p id="permissions__p178817232311">(Project-level service)</p>
+<p id="permissions__p129667325447"></p>
+<p id="permissions__p1827893634412"></p>
+<p id="permissions__p38701038164411"></p>
+<p id="permissions__p1544134114519"></p>
+</td>
+<td class="cellrowborder" rowspan="7" valign="top" width="15.690000000000001%" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p1221964075315">Region-specific projects</p>
+<p id="permissions__p15966153294411"></p>
+<p id="permissions__p02781036174412"></p>
+<p id="permissions__p1870538114415"></p>
+<p id="permissions__p145444444513"></p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p12420115593515">DMS UserAccess</p>
+</td>
+<td class="cellrowborder" rowspan="7" valign="top" width="9.76%" headers="mcps1.3.10.2.1.6.1.4 "><p id="permissions__p188318110322">Policy</p>
+<p id="permissions__p92261229123515"></p>
+<p id="permissions__p7966193214416"></p>
+<p id="permissions__p1278536114417"></p>
+<p id="permissions__p1187011381447"></p>
+<p id="permissions__p2054434114512"></p>
+</td>
+<td class="cellrowborder" valign="top" width="39.5%" headers="mcps1.3.10.2.1.6.1.5 "><p id="permissions__p126941604360">Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, scaling up instances and dumping.</p>
+</td>
+</tr>
+<tr id="permissions__row1811773110356"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p1042114556356">DMS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p156947011368">Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data.</p>
+</td>
+</tr>
+<tr id="permissions__row1122632923520"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p14421105543512">DMS FullAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p176941407361">Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS.</p>
+</td>
+</tr>
+<tr id="permissions__row17966133212441"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p29662323442">DMS VPCAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p7966332124418">VPC operation permissions to assign to DMS agencies.</p>
+</td>
+</tr>
+<tr id="permissions__row1527813634415"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p5278143618449">DMS KMSAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p127933611442">KMS operation permissions to assign to DMS agencies.</p>
+</td>
+</tr>
+<tr id="permissions__row14870123818441"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p1787033874414">DMS ELBAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p187018386444">ELB operation permissions to assign to DMS agencies.</p>
+</td>
+</tr>
+<tr id="permissions__row1054418494514"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p15544144144516">DMSAgencyCheckAccessPolicy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p175441141451">IAM operation permissions to assign to DMS agencies.</p>
+</td>
+</tr>
+<tr id="permissions__row1359095315810"><td class="cellrowborder" rowspan="3" valign="top" width="17.09%" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p4793153913220">Simple Message Notification (SMN)</p>
+<p id="permissions__p1546991674920">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.690000000000001%" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p1293461303416">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p1999510562243">SMN Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.76%" headers="mcps1.3.10.2.1.6.1.4 "><p id="permissions__p5421836181512">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="39.5%" headers="mcps1.3.10.2.1.6.1.5 "><p id="permissions__p3836172912335">Full permissions for SMN.</p>
+<p id="permissions__p41891821113711">This role must be used together with the <strong id="permissions__b228075012520">Tenant Guest</strong> role in the same project.</p>
+</td>
+</tr>
+<tr id="permissions__row7726142864317"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p177811473457">SMN FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p9161304447">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p27277285433">Full permissions for SMN.</p>
+</td>
+</tr>
+<tr id="permissions__row11727228104310"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p1727142814312">SMN ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p2727162814436">Read-only permissions for SMN.</p>
+</td>
+</tr>
+<tr id="permissions__row2748853386"><td class="cellrowborder" rowspan="3" valign="top" width="17.09%" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p4129134016337">API Gateway (APIG)</p>
+<p id="permissions__p2012910404339">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="15.690000000000001%" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p1593601312344">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p14163194151314">APIG Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.76%" headers="mcps1.3.10.2.1.6.1.4 "><p id="permissions__p643103618153">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="39.5%" headers="mcps1.3.10.2.1.6.1.5 "><p id="permissions__p616313419135">Administrator permissions for API Gateway. Users granted these permissions can use all functions of the <strong id="permissions__b571010291219">shared</strong> and <strong id="permissions__b16717135331511">dedicated</strong> gateways.</p>
+<p id="permissions__p15621134442213">To use VPC channels, the user must also be assigned the <strong id="permissions__b1496034593110">VPC Administrator</strong> role.</p>
+<p id="permissions__p17453662312">To use custom authentication, the user must also be assigned the <strong id="permissions__b19757175212313">FunctionGraph Administrator</strong> role.</p>
+</td>
+</tr>
+<tr id="permissions__row9915232812"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p20924231683">APIG FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p099675812331">Policy</p>
+<p id="permissions__p13449241818"></p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.3 "><p id="permissions__p16921823383">Full permissions for API Gateway. Users granted these permissions can use all functions of <strong id="permissions__b56701158215">dedicated</strong> API gateways.</p>
+</td>
+</tr>
+<tr id="permissions__row1734411242818"><td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.1 "><p id="permissions__p11344524387">APIG ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.10.2.1.6.1.2 "><p id="permissions__p534510249814">Read-only permissions for API Gateway. Users granted these permissions can only view <strong id="permissions__b2241242827">dedicated</strong> API gateways.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__section2429113819508"><h4 class="sectiontitle">Database</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table188681337162914" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row1786953772919"><th align="left" class="cellrowborder" valign="top" width="17%" id="mcps1.3.11.2.1.6.1.1"><p id="permissions__p1048210457297">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="16.36%" id="mcps1.3.11.2.1.6.1.2"><p id="permissions__p174822045172918">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="18.14%" id="mcps1.3.11.2.1.6.1.3"><p id="permissions__p15482164511297">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="9.86%" id="mcps1.3.11.2.1.6.1.4"><p id="permissions__p12482114512917">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="38.64%" id="mcps1.3.11.2.1.6.1.5"><p id="permissions__p2027151011313">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row186919370292"><td class="cellrowborder" rowspan="4" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p1998919235243">Relational Database Service (RDS)</p>
+<p id="permissions__p419721944919">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="4" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p2934913173416">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p12153159514">RDS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p1837415301249">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p350752535614">Full permissions for RDS.</p>
+</td>
+</tr>
+<tr id="permissions__row98695375290"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p10259757514">RDS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p221057195611">Read-only permissions for RDS.</p>
+</td>
+</tr>
+<tr id="permissions__row118724155323"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p174567713259">RDS ManageAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p14464197202518">Database administrator permissions for all operations except deleting RDS resources.</p>
+</td>
+</tr>
+<tr id="permissions__row29874152323"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p2029616514516">RDS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p144293615151">Role</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p3711191482514">Full permissions for RDS.</p>
+<p id="permissions__p49906812517">This role must be used together with the <strong id="permissions__b16347155502516">Tenant Guest</strong> and <strong id="permissions__b1734725592518">Server Administrator</strong> roles in the same project.</p>
+</td>
+</tr>
+<tr id="permissions__row7576201620327"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p773813281153">Document Database Service (DDS)</p>
+<p id="permissions__p221462524914">(Project-level service)</p>
+</td>
+<td class="cellrowborder" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p19935013143412">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p151762131085">DDS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p94214361157">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p204979236417">Users who have this right, plus <strong id="permissions__b919210235431">Tenant Guest</strong> and <strong id="permissions__b326411273432">Server Administrator</strong> rights, can perform any operations on DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the <strong id="permissions__b45535164318">Tenant Guest</strong> or <strong id="permissions__b2096517389433">Server Administrator</strong> right cannot use DDS. Users who have the <strong id="permissions__b814494654315">VPC Administrator</strong> right can create VPCs or subnets. Users who have the <strong id="permissions__b1961015254312">CES Administrator</strong> right can add or modify alarm rules for DB instances.</p>
+</td>
+</tr>
+<tr id="permissions__row197157163323"><td class="cellrowborder" rowspan="3" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p8991152332410">Data Replication Service (DRS)</p>
+<p id="permissions__p1599712713494">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p793511393416">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p728183504714">DRS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p75811688">Policy</p>
+<p id="permissions__p958715019269"></p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p1828103516478">Full permissions for DRS.</p>
+</td>
+</tr>
+<tr id="permissions__row027183516472"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p155844501262">DRS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p65844509266">Read-only permissions for DRS.</p>
+</td>
+</tr>
+<tr id="permissions__row233015510464"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p19330355174616">DRS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p833045554613">Role</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p188834013481">Full permissions for DRS.</p>
+<p id="permissions__p1588312004810">This role must be used together with the <span style="color:#36383C;">Tenant Guest</span> and <span style="color:#36383C;">Server Administrator</span> roles in the same project.</p>
+</td>
+</tr>
+<tr id="permissions__row6866181615326"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p199914234247">Data Admin Service (DAS)</p>
+<p id="permissions__p996923034910">(Project-level service)</p>
+<p id="permissions__p13649181223915"></p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p15935191311348">Region-specific projects</p>
+<p id="permissions__p1364961233919"></p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p06241169213">DAS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p342153681511">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p38455689512">DAS administrator with full permissions.</p>
+<p id="permissions__p28136127328">This role must be used together with the <strong id="permissions__b2092213822614">Tenant Guest</strong> role in the same project.</p>
+</td>
+</tr>
+<tr id="permissions__row06481612153917"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p176491412113912">DAS FullAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p8649201223920">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p1264911126394">Full permissions for DAS.</p>
+</td>
+</tr>
+<tr id="permissions__row142261763214"><td class="cellrowborder" rowspan="3" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p35081578114">Distributed Database Middleware (DDM)</p>
+<p id="permissions__p55081274118">(Project-level service)</p>
+<p id="permissions__p189191419103214"></p>
+<p id="permissions__p891701983211"></p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p1393517136343">Region-specific projects</p>
+<p id="permissions__p19919191914329"></p>
+<p id="permissions__p1991715192320"></p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p126590502271">DDM FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p123822034101117">Policy</p>
+<p id="permissions__p0918119103216"></p>
+<p id="permissions__p791614197322"></p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p1496292619274">Full permissions for DDM.</p>
+</td>
+</tr>
+<tr id="permissions__row153181917143211"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p8198151212283">DDM CommonOperations</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p1585551173411">Common permissions for DDM.</p>
+<p id="permissions__p20246117125313">Users with common permissions cannot perform the following operations:</p>
+<ul id="permissions__ul3339191595419"><li id="permissions__li16339121516545">Buying DDM instances</li><li id="permissions__li1582419437545">Deleting DDM instances</li><li id="permissions__li433218195552">Scaling up instances</li><li id="permissions__li1422662473310">Rolling back instances or clearing data when scale-up fails</li></ul>
+</td>
+</tr>
+<tr id="permissions__row4452141733213"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p384161482811">DDM ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p596272622710">Read-only permissions for DDM.</p>
+</td>
+</tr>
+<tr id="permissions__row12202163011566"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p78956505125">GeminiDB</p>
+<p id="permissions__p1589525013127">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p157962376578">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p5202133013565">GeminiDB FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p10860183014163">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p192020304568"><span style="color:#252B3A;">Full permissions for multi-model NoSQL databases.</span></p>
+</td>
+</tr>
+<tr id="permissions__row92030307562"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p85331734191419">GeminiDB ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p220333017564"><span style="color:#252B3A;">Read-only permissions for multi-model NoSQL databases.</span></p>
+</td>
+</tr>
+<tr id="permissions__row9999292316"><td class="cellrowborder" rowspan="2" valign="top" width="17%" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p11195202361514">GaussDB</p>
+<p id="permissions__p1619582312155">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="16.36%" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p181627123312">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="18.14%" headers="mcps1.3.11.2.1.6.1.3 "><p id="permissions__p1199182953114">GaussDB FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="9.86%" headers="mcps1.3.11.2.1.6.1.4 "><p id="permissions__p1374274911161">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="38.64%" headers="mcps1.3.11.2.1.6.1.5 "><p id="permissions__p99912910312">Full permissions for GaussDB.</p>
+</td>
+</tr>
+<tr id="permissions__row099182913111"><td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.1 "><p id="permissions__p179922933117">GaussDB ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.11.2.1.6.1.2 "><p id="permissions__p499182973115">Read-only permissions for GaussDB.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div class="section" id="permissions__section14647822101615"><h4 class="sectiontitle">Enterprise Intelligence</h4>
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="permissions__table5952647114719" frame="border" border="1" rules="all"><thead align="left"><tr id="permissions__row49520479471"><th align="left" class="cellrowborder" valign="top" width="16.74%" id="mcps1.3.12.2.1.6.1.1"><p id="permissions__p13707185564718">Service</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="17.7%" id="mcps1.3.12.2.1.6.1.2"><p id="permissions__p127071855134715">Scope</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="17.96%" id="mcps1.3.12.2.1.6.1.3"><p id="permissions__p1970705574712">Policy/Role Name</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="10.36%" id="mcps1.3.12.2.1.6.1.4"><p id="permissions__p17707195554712">Type</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="37.24%" id="mcps1.3.12.2.1.6.1.5"><p id="permissions__p1970755517472">Description</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="permissions__row20953204713470"><td class="cellrowborder" rowspan="2" valign="top" width="16.74%" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p576440142912">ModelArts</p>
+<p id="permissions__p157684022911">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="17.7%" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p2848251184014">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p1084895194011">ModelArts FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="10.36%" headers="mcps1.3.12.2.1.6.1.4 "><p id="permissions__p522731313020">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" width="37.24%" headers="mcps1.3.12.2.1.6.1.5 "><p id="permissions__p1584816516409">Administrator permissions for performing all operations on ModelArts.</p>
+</td>
+</tr>
+<tr id="permissions__row149537474471"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p6210559409">ModelArts CommonOperations</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p15211955194011">Permissions for performing all operations except managing dedicated resource pools on ModelArts.</p>
+</td>
+</tr>
+<tr id="permissions__row169531947124719"><td class="cellrowborder" rowspan="2" valign="top" width="16.74%" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p164801561257">DataArts Studio</p>
+<p id="permissions__p1048017614516">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="17.7%" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p17888158194913">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p1028862317182">DARTS Administrator</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="10.36%" headers="mcps1.3.12.2.1.6.1.4 "><p id="permissions__p1272919123115">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="37.24%" headers="mcps1.3.12.2.1.6.1.5 "><p id="permissions__p2257204813183">Instance administrator who has all management permissions on a DataArts Studio instance and its workspaces, permissions of dependent services, and service operation permissions in all workspaces.</p>
+</td>
+</tr>
+<tr id="permissions__row1294914583482"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p1347014231131">DARTS User</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p1591289190">Common user who has permissions to view a DataArts Studio instance and its workspaces, and the permissions of dependent services. After assigned a role, a common user has permissions of the role to perform service operations.</p>
+</td>
+</tr>
+<tr id="permissions__row12871259194816"><td class="cellrowborder" rowspan="4" valign="top" width="16.74%" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p12740134133214">MapReduce Service (MRS)</p>
+<p id="permissions__p199071515175018">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="4" valign="top" width="17.7%" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p7941101363412">Region-specific projects</p>
+<p id="permissions__p341219616502"></p>
+<p id="permissions__p4410965501"></p>
+<p id="permissions__p1408126155014"></p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p09251459114813">MRS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="10.36%" headers="mcps1.3.12.2.1.6.1.4 "><p id="permissions__p8782011133216">Policy</p>
+<p id="permissions__p341126195013"></p>
+<p id="permissions__p940915611503"></p>
+</td>
+<td class="cellrowborder" valign="top" width="37.24%" headers="mcps1.3.12.2.1.6.1.5 "><p id="permissions__p73857453563">Full permissions for MRS.</p>
+</td>
+</tr>
+<tr id="permissions__row121518594486"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p162121144918">MRS CommonOperations</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p5666195125617">Common user permissions for MRS operations except creating and deleting resources.</p>
+</td>
+</tr>
+<tr id="permissions__row834795915484"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p14814294910">MRS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p14205757125615">Read-only permissions for MRS.</p>
+</td>
+</tr>
+<tr id="permissions__row1795434714710"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p15771133720407">MRS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p1977114376406">Role</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p777203724018">Full permissions for MRS.</p>
+<p id="permissions__p31764812437">This role must be used together with the <strong id="permissions__b153458472267">Tenant Guest</strong> and <strong id="permissions__b1634534718262">Server Administrator</strong> roles in the same project.</p>
+</td>
+</tr>
+<tr id="permissions__row1095494715478"><td class="cellrowborder" rowspan="4" valign="top" width="16.74%" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p055917374339">GaussDB(DWS)</p>
+<p id="permissions__p4382104019376">(Project-level service)</p>
+<p id="permissions__p173410478509"></p>
+<p id="permissions__p3311447145015"></p>
+<p id="permissions__p1427847125019"></p>
+</td>
+<td class="cellrowborder" rowspan="4" valign="top" width="17.7%" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p4931171311347">Region-specific projects</p>
+<p id="permissions__p143494785019"></p>
+<p id="permissions__p14311547205015"></p>
+<p id="permissions__p3277473501"></p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p15680433796">DWS FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" width="10.36%" headers="mcps1.3.12.2.1.6.1.4 "><p id="permissions__p1788081983514">Policy</p>
+<p id="permissions__p432144715507"></p>
+</td>
+<td class="cellrowborder" valign="top" width="37.24%" headers="mcps1.3.12.2.1.6.1.5 "><p id="permissions__p105781835388">Database administrator permissions for GaussDB(DWS). Users granted these permissions can perform all operations on GaussDB(DWS).</p>
+</td>
+</tr>
+<tr id="permissions__row1947716185016"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p5269185481014">DWS ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p926916540100">Read-only permissions for GaussDB(DWS). Users granted these permissions can only view GaussDB(DWS) data.</p>
+</td>
+</tr>
+<tr id="permissions__row19300117195016"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p636286110142">DWS Administrator</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p641136161519">Role</p>
+<p id="permissions__p1525124715018"></p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p637475719382">Database administrator permissions for GaussDB(DWS). Users granted these permissions can perform operations on all GaussDB(DWS) resources.</p>
+<p id="permissions__p17374657193813">Users granted permissions of the VPC Administrator policy can create VPCs and subnets.</p>
+<p id="permissions__p1237413578389">Users granted permissions of the Cloud Eye Administrator policy can view monitoring information of data warehouse clusters.</p>
+<p id="permissions__p113740570384">If you need to create an agency, you also need to configure the Security Administrator permission.</p>
+</td>
+</tr>
+<tr id="permissions__row1546951716502"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p1579613515132">DWS Database Access</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p17315101217392">GaussDB(DWS) database access permission. Users with this permission can generate the temporary database user credentials based on IAM users to connect to the database in the GaussDB(DWS) cluster.</p>
+</td>
+</tr>
+<tr id="permissions__row462411745018"><td class="cellrowborder" rowspan="3" valign="top" width="16.74%" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p69441010361">Data Lake Insight (DLI)</p>
+<p id="permissions__p1794121014363">(Project-level service)</p>
+</td>
+<td class="cellrowborder" rowspan="3" valign="top" width="17.7%" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p293214139345">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p79511462325">DLI Service Admin</p>
+</td>
+<td class="cellrowborder" valign="top" width="10.36%" headers="mcps1.3.12.2.1.6.1.4 "><p id="permissions__p542836121513">Role</p>
+<p id="permissions__p156832345511"></p>
+</td>
+<td class="cellrowborder" valign="top" width="37.24%" headers="mcps1.3.12.2.1.6.1.5 "><p id="permissions__p104301323123316">Full permissions for DLI.</p>
+</td>
+</tr>
+<tr id="permissions__row396994993217"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p17969194953219">DLI FullAccess</p>
+</td>
+<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p1296795713365">Policy</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p11969749143219">Full permissions for DLI. Users granted these permissions can perform all operations on DLI.</p>
+</td>
+</tr>
+<tr id="permissions__row10823950173210"><td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p118237507321">DLI ReadOnlyAccess</p>
+</td>
+<td class="cellrowborder" valign="top" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p1682305012324">Users granted these permissions can only view the queue list, job list, job details, database list, table list, table creation statements, table fields, and job metadata such as job creation, update, and deletion.</p>
+</td>
+</tr>
+<tr id="permissions__row111259355116"><td class="cellrowborder" valign="top" width="16.74%" headers="mcps1.3.12.2.1.6.1.1 "><p id="permissions__p644114719396">Cloud Search Service (CSS)</p>
+<p id="permissions__p174415713393">(Project-level service)</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.7%" headers="mcps1.3.12.2.1.6.1.2 "><p id="permissions__p2933113153416">Region-specific projects</p>
+</td>
+<td class="cellrowborder" valign="top" width="17.96%" headers="mcps1.3.12.2.1.6.1.3 "><p id="permissions__p19192161994314">CSS Administrator</p>
+</td>
+<td class="cellrowborder" valign="top" width="10.36%" headers="mcps1.3.12.2.1.6.1.4 "><p id="permissions__p1042173614151">Role</p>
+</td>
+<td class="cellrowborder" valign="top" width="37.24%" headers="mcps1.3.12.2.1.6.1.5 "><p id="permissions__p1848242318911">Full permissions for CSS.</p>
+<p id="permissions__p11396133220915">This role must be used together with the <strong id="permissions__b18646106102715">Tenant Guest</strong> and <strong id="permissions__b186469611273">Server Administrator</strong> roles in the same project.</p>
 </td>
 </tr>
 </tbody>