Account Permission Management

Updated at: 2025-11-03

Descriptions of root account and sub-accounts namespace permissions

Namespace permissions are either read-write or read-only. Docker command-line operations require namespace authorization:

  • Accounts with read-write access can manage namespaces and their images, grant permissions to other sub-accounts, and use Docker to push or pull images.
  • Accounts with read-only access can view namespaces and images, and use Docker to pull images.

Root accounts and sub-accounts have distinct namespace permissions. The root account has access to all sub-account namespaces: sub-accounts can create namespaces, and the root account can perform CRUD operations on them. Sub-accounts can modify or delete namespaces they create, but need authorization to act on namespaces created by others.

How to authorize sub-accounts

Go to the Namespace section in the left navigation bar, find the namespace requiring authorization, and click Sub-account Authorization for the respective namespace.

A pop-up window on the right will list all sub-accounts with CCR service enabled. Choose either Read-write or Read-only authorization as needed.

The username corresponds to the Docker login name, which can be found under Access Credentials - Username.

Account permission policy

CCR provides three permission policies for managing what sub-accounts can do on CCR pages and through APIs. Root accounts do not require explicit permissions. The following policies can be granted to sub-accounts:

  • CCRFullControlPolicy: Full control permissions of CCR
  • CCROperatePolicy: Permissions for CCR maintenance and operation
  • CCRReadPolicy: Read-only access permissions of CCR

CCRFullControlPolicy

CCRFullControlPolicy: Permissions for operations on all pages and APIs, including:

  • Create a namespace, authorize the namespace, generate temporary keys, initiate image scanning, create an image migration registry, create an image migration strategy, create an image migration task, and upload Helm packages.
  • Delete namespaces, images, image versions, image migration registries, image migration strategies, image migration tasks, Helm packages, etc.
  • Update namespaces, images, image versions, image migration registries, start image migration strategies, stop image migration tasks, etc.
  • Retrieve namespace lists, images, image versions, image version scanning results, Helm, image migration registries, image migration tasks, etc.

CCROperatePolicy

CCROperatePolicy: Supports create, update, and read operations on pages and APIs:

  • Initiate image scanning, generate temporary keys, and upload Helm packages.
  • Update namespaces, images, image versions, image migration registries, start image migration strategies, stop image migration tasks, etc.
  • Retrieve namespace lists, images, image versions, image version scanning results, Helm, image migration registries, image migration tasks, etc.

CCRReadPolicy

CCRReadPolicy: Supports only read operations on pages and APIs:

  • Retrieve namespace lists, images, image versions, image version scanning results, Helm, image migration registries, image migration tasks, etc.
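
The three policies above form a strict hierarchy, which makes it possible to check sub-account assignments for least privilege. The following is an added example, not part of the CCR documentation or SDK: it transcribes the capability lists on this page into a matrix and reports which sub-accounts hold a broader policy than their workload needs. The operation labels and the sample sub-accounts are constructed for illustration.

```python
# Capability matrix transcribed from the policy descriptions on this page.
# Operation labels are constructed for this example, not CCR API action names,
# and the page's lists end in "etc.", so the matrix is not exhaustive.
READ = {"list_namespaces", "get_image", "get_image_version", "get_scan_result",
        "get_helm", "get_migration_registry", "get_migration_task"}
UPDATE = {"update_namespace", "update_image", "update_image_version",
          "update_migration_registry", "start_migration_strategy",
          "stop_migration_task"}
OPERATE_CREATE = {"initiate_scan", "generate_temp_key", "upload_helm"}
FULL_ONLY = {"create_namespace", "authorize_namespace",
             "create_migration_registry", "create_migration_strategy",
             "create_migration_task", "delete_namespace", "delete_image",
             "delete_image_version", "delete_migration_registry",
             "delete_migration_strategy", "delete_migration_task", "delete_helm"}
# Ordered from least to most privileged.
POLICIES = [
    ("CCRReadPolicy", READ),
    ("CCROperatePolicy", READ | UPDATE | OPERATE_CREATE),
    ("CCRFullControlPolicy", READ | UPDATE | OPERATE_CREATE | FULL_ONLY),
]
RANK = {name: i for i, (name, _) in enumerate(POLICIES)}

def least_privilege_policy(needed):
    """Return the weakest policy whose operations cover everything in `needed`."""
    needed = set(needed)
    unknown = needed - POLICIES[-1][1]
    if unknown:
        raise ValueError(f"operations not in the matrix: {sorted(unknown)}")
    return next(name for name, allowed in POLICIES if needed <= allowed)

def audit(assignments):
    """Map each sub-account to (status, minimal policy) for its needed operations."""
    findings = {}
    for account, (assigned, needed) in assignments.items():
        minimal = least_privilege_policy(needed)
        delta = RANK[assigned] - RANK[minimal]
        status = "over-privileged" if delta > 0 else "insufficient" if delta < 0 else "ok"
        findings[account] = (status, minimal)
    return findings

# Constructed sub-accounts: (assigned policy, operations the workload performs).
SAMPLE = {
    "ci-scanner": ("CCRFullControlPolicy", ["initiate_scan", "get_scan_result"]),
    "dashboard": ("CCRReadPolicy", ["list_namespaces", "get_image"]),
    "migrator": ("CCROperatePolicy", ["create_migration_task", "get_migration_task"]),
}
if __name__ == "__main__":
    for account, (status, minimal) in audit(SAMPLE).items():
        print(f"{account}: {status}, minimal policy is {minimal}")
```

Note that any delete operation, and creating namespaces or migration resources, forces CCRFullControlPolicy, since CCROperatePolicy covers only scanning, temporary keys, and Helm uploads among the create operations.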

How to add permission policies to sub-accounts

Navigate to User Center - Identity and Access Management - Edit Permissions to assign CCR permission policies or super administrator rights.
