vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/dli/umn/dli_03_0100.html
Su, Xiaomeng fdd43c552e dli_umn_20240808 
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: Su, Xiaomeng <suxiaomeng1@huawei.com>
Co-committed-by: Su, Xiaomeng <suxiaomeng1@huawei.com>
2024-08-09 11:00:57 +00:00

74 lines
11 KiB
HTML
Raw Blame History

<a name="dli_03_0100"></a><a name="dli_03_0100"></a>
<h1 class="topictitle1">How Do I Manage Fine-Grained DLI Permissions?</h1>
<div id="body8662426"><p id="dli_03_0100__en-us_topic_0000001103929830_p8060118">DLI has a comprehensive permission control mechanism and supports fine-grained authentication through Identity and Access Management (IAM). You can create policies in IAM to manage DLI permissions.</p>
<p id="dli_03_0100__en-us_topic_0000001103929830_p188991750134717">With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use DLI resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DLI resources.</p>
<div class="note" id="dli_03_0100__en-us_topic_0000001103929830_note17965103310292"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dli_03_0100__en-us_topic_0000001103929830_p2966183352919">For a new user, you need to log in for the system to record the metadata before using DLI.</p>
</div></div>
<p id="dli_03_0100__en-us_topic_0000001103929830_p446382154810">IAM is free to use, and you only need to pay for the resources in your account. </p>
<p id="dli_03_0100__en-us_topic_0000001103929830_p8642155123119">If your cloud account does not need individual IAM users for permissions management, skip over this section.</p>
<div class="section" id="dli_03_0100__en-us_topic_0000001103929830_section0826035122314"><h4 class="sectiontitle">DLI System Permissions</h4><div class="p" id="dli_03_0100__en-us_topic_0000001103929830_p934171813107">You can grant users permissions by using roles and policies.<ul id="dli_03_0100__en-us_topic_0000001103929830_ul2804101433117"><li id="dli_03_0100__en-us_topic_0000001103929830_li28043143315">Roles: A type of coarse-grained authorization that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. Roles are not an ideal choice for fine-grained authorization and secure access control.</li><li id="dli_03_0100__en-us_topic_0000001103929830_li480481493115">Policies: A type of fine-grained authorization that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control. For example, you can grant DLI users only the permissions for managing a certain type of cloud servers.</li></ul>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dli_03_0100__table6578220217" frame="border" border="1" rules="all"><caption><b>Table 1 </b>DLI system permissions</caption><thead align="left"><tr id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_row1916124942412"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.6.3.2.5.1.1"><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p1616154914249">Role/Policy Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="30%" id="mcps1.3.6.3.2.5.1.2"><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p616194952410">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.6.3.2.5.1.3"><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p116204916243">Category</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35%" id="mcps1.3.6.3.2.5.1.4"><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_p1176119524410">Dependency</p>
</th>
</tr>
</thead>
<tbody><tr id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_row9615165162914"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.6.3.2.5.1.1 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p05661101252">DLI FullAccess</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.6.3.2.5.1.2 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p8566410102511">Full permissions for DLI.</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.3.2.5.1.3 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p165664105256">System-defined policy</p>
</td>
<td class="cellrowborder" valign="top" width="35%" headers="mcps1.3.6.3.2.5.1.4 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_p18800101284715">This role depends on other roles in the same project.</p>
<ul id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_ul1091313219455"><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_li891493219452">Creating a datasource connection: <strong id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_b1788683318268">VPC ReadOnlyAccess</strong></li><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_li29147324457">Creating a tag: <strong id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_b18233181519277">TMS FullAccess</strong> and <strong id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_b1355392014275">EPS EPS FullAccess</strong></li><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_li189141032174519">Using OBS for storage: <strong id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_b72961547142720">OBS OperateAccess</strong></li><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_li891415323457">Creating an agency: <strong id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_b1673095210279">Security Administrator</strong></li></ul>
</td>
</tr>
<tr id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_row9786108162910"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.6.3.2.5.1.1 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p145301015112510">DLI ReadOnlyAccess</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.6.3.2.5.1.2 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p2530915172514">Read-only permissions for DLI.</p>
<p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p275775023011">With read-only permissions, you can use DLI resources and perform operations that do not require fine-grained permissions. For example, create global variables, create packages and package groups, submit jobs to the default queue, create tables in the default database, create datasource connections, and delete datasource connections.</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.3.2.5.1.3 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p18530915162514">System-defined policy</p>
</td>
<td class="cellrowborder" valign="top" width="35%" headers="mcps1.3.6.3.2.5.1.4 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_p776118517446">None</p>
</td>
</tr>
<tr id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_row12852521175716"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.6.3.2.5.1.1 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p1285232111571">Tenant Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.6.3.2.5.1.2 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p18853152175711">Tenant administrator</p>
<ul id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_ul1231319105816"><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_li17311619195817">Job execution permissions for DLI resources. After a database or a queue is created, the user can use the ACL to assign rights to other users.</li><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_li1032519125814">Scope: project-level service</li></ul>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.3.2.5.1.3 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p12853142111579">System-defined role</p>
</td>
<td class="cellrowborder" valign="top" width="35%" headers="mcps1.3.6.3.2.5.1.4 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_p2076114514415">None</p>
</td>
</tr>
<tr id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_row1917749132415"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.6.3.2.5.1.1 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p79511462325">DLI Service Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.6.3.2.5.1.2 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p49787271109">DLI administrator.</p>
<ul id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_ul973112019319"><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_li147319201035">Job execution permissions for DLI resources. After a database or a queue is created, the user can use the ACL to assign rights to other users.</li><li id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_li167321520337">Scope: project-level service</li></ul>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.3.2.5.1.3 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_en-us_topic_0206791772_p5263816561">System-defined role</p>
</td>
<td class="cellrowborder" valign="top" width="35%" headers="mcps1.3.6.3.2.5.1.4 "><p id="dli_03_0100__en-us_topic_0000001103929830_dli_01_0440_dli_07_0006_p177619574410">None</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dli_03_0223.html">Usage</a></div>
</div>
</div>
View Git Blame Copy Permalink