If you need to assign different permissions to employees in your enterprise to access your CSS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access your resources.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you may need to grant some software developers in your enterprise access to CSS resources but do not want them to be able to delete them or perform any high-risk operations. To this end, you can create IAM users for the software developers and grant them only the permissions required for using CSS resources.

If you do not need to create IAM users, you can skip this section.

IAM is a free service. You pay only for the resources in your account.

Permissions Management

By default, new IAM users do not have any permissions assigned. You need to add the user to one or more groups, and apply permissions policies or roles to these groups. Users inherit permissions from the groups they are added to and can perform specified operations on cloud services based on these permissions.

CSS is a project-level service deployed in specific physical regions. CSS permissions are assigned to users in specific regions and only take effect for these regions. If you want the permissions to take effect for all regions, you need to assign the permissions to the users in each region. When accessing CSS, the users need to switch to a region where they have been authorized to use cloud services.

You can use roles and policies to grant users permissions.

Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. There are only a limited number of service-level roles for granting permissions to users. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. Roles are not ideal for fine-grained authorization and secure access control.
Policies are a type of fine-grained authorization mechanism that defines the permissions for performing operations on specific cloud resources under certain conditions. This mechanism allows for more flexible authorization. Policies allow you to meet requirements for more secure access control. For example, CSS administrators can grant CSS users only the permissions needed for managing a certain type of CSS.

Table 1 lists all the system roles supported by CSS. For example, some CSS roles are dependent on the roles of other services. When assigning CSS roles to users, you need to also assign dependent roles for the CSS permissions to take effect.

**Table 1** System-defined roles and policies supported by CSS
Role Name	Description	Dependency
Elasticsearch Administrator	CSS administrator	Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: A global role, which must be assigned in the global project. Server Administrator: A project-level role, which must be assigned in the same project.

**Table 2** Relationship between user permissions and roles
Permission Type	Description	Type	Required Role
Permission 1	Permissions: Creating, deleting, and expanding CSS clusters Manually and automatically backing up CSS cluster data Restoring CSS cluster data Creating an IAM agency Creating an OBS bucket Creating a VPC and security group Kibana Customizing a word dictionary	System-defined role	Elasticsearch Administrator Server Administrator Tenant Guest VPC Administrator Security Administrator OBS Administrator
Permission 2	Permissions: Creating, deleting, and expanding CSS clusters Manually backing up CSS cluster data Restoring CSS cluster data Kibana Customizing a word dictionary	System-defined role	Elasticsearch Administrator Server Administrator Tenant Guest
Permission 3	Permissions: Viewing the cluster list Viewing the Overview page Kibana	System-defined role	This permission is dependent on the Tenant Guest role, which must be assigned in the same project as Permission 3.

Table 3 lists the common operations supported by each system permission of CSS. Please choose proper system policies according to this table.

**Table 3** Common operations supported by each system-defined policy
Operation	CSS FullAccess	CSS ReadOnlyAccess	Elasticsearch Administrator	Remarks
Creating a cluster	√	x	√	-
Querying a cluster list	√	√	√	-
Querying cluster details	√	√	√	-
Deleting a cluster	√	x	√	-
Restarting a cluster	√	x	√	-
Expanding cluster capacity	√	x	√	-
Adding instances and expanding instance storage capacity	√	x	√	-
Querying tags of a specified cluster	√	√	√	-
Querying all tags	√	√	√	-
Loading a custom word dictionary	√	x	√	Depends on OBS and IAM permissions
Querying the status of a custom word dictionary	√	√	√	-
Deleting a custom word dictionary	√	x	√	-
Automatically setting basic configurations of a cluster snapshot	√	x	√	Depends on OBS and IAM permissions
Modifying basic configurations of a cluster snapshot	√	x	√	Depends on OBS and IAM permissions
Setting the automatic snapshot creation policy	√	x	√	-
Querying the automatic snapshot creation policy	√	√	√	-
Manually creating a snapshot	√	x	√	-
Querying the snapshot list	√	√	√	-
Restoring a snapshot	√	x	√	-
Deleting a snapshot	√	x	√	-
Disabling the snapshot function	√	x	√	-