策略授权参考
本章节介绍Organizations云服务策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝对指定资源在特定条件下进行某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
组织管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| POST /v1/organizations |
| × | × | |
| GET /v1/organizations | organizations:organizations:get | × | × | |
| DELETE /v1/organizations | organizations:organizations:delete | × | × | |
| POST /v1/organizations/leave | organizations:organizations:leave | × | × | |
| GET /v1/organizations/roots | organizations:roots:list | × | × |
组织单元管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| POST /v1/organizations/organizational-units |
| × | × | |
| GET /v1/organizations/organizational-units | organizations:ous:list | × | × | |
| GET /v1/organizations/organizational-units/{organizational_unit_id} | organizations:ous:get | × | × | |
| PATCH /v1/organizations/organizational-units/{organizational_unit_id} | organizations:ous:update | × | × | |
| DELETE /v1/organizations/organizational-units/{organizational_unit_id} | organizations:ous:delete | × | × |
账号管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| POST /v1/organizations/accounts |
| × | × | |
| POST /v1/organizations/accounts/{account_id}/close | organizations:accounts:close | × | × | |
| PATCH /v1/organizations/accounts/{account_id} | organizations:accounts:update | × | × | |
| GET /v1/organizations/close-account-status | organizations:closeAccountStatuses:list | × | × | |
| GET /v1/organizations/accounts | organizations:accounts:list | × | × | |
| GET /v1/organizations/accounts/{account_id} | organizations:accounts:get | × | × | |
| POST /v1/organizations/accounts/{account_id}/remove | organizations:accounts:remove | × | × | |
| POST /v1/organizations/accounts/{account_id}/move | organizations:accounts:move | × | × | |
| POST /v1/organizations/invite-account |
| × | × | |
| GET /v1/organizations/create-account-statuses | organizations:createAccountStatuses:list | × | × | |
| GET /v1/organizations/create-account-statuses/{create_account_status_id} | organizations:createAccountStatuses:get | × | × |
邀请管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| GET /v1/organizations/handshakes/{handshake_id} | organizations:handshakes:get | × | × | |
| POST/v1/received-handshakes/{handshake_id}/accept |
| × | × | |
| POST /v1/received-handshakes/{handshake_id}/decline | organizations:handshakes:decline | × | × | |
| POST /v1/organizations/handshakes/{handshake_id}/cancel | organizations:handshakes:cancel | × | × | |
| GET /v1/received-handshakes | organizations:receivedHandshakes:list | × | × | |
| GET /v1/organizations/handshakes | organizations:handshakes:list | × | × |
可信服务管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| POST /v1/organizations/enable-trusted-service | organizations:trustedServices:enable | × | × | |
| POST /v1/organizations/disable-trusted-service | organizations:trustedServices:disable | × | × | |
| GET /v1/organizations/trusted-services | organizations:trustedServices:list | × | × |
委托管理员管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| POST /v1/organizations/delegated-administrators/register | organizations:delegatedAdministrators:register | × | × | |
| POST /v1/organizations/delegated-administrators/deregister | organizations:delegatedAdministrators:deregister | × | × | |
| GET /v1/organizations/accounts/{account_id}/delegated-services | organizations:delegatedServices:list | × | × | |
| GET /v1/organizations/delegated-administrators | organizations:delegatedAdministrators:list | × | × |
策略管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| POST /v1/organizations/policies |
| × | × | |
| GET /v1/organizations/policies | organizations:policies:list | × | × | |
| GET /v1/organizations/policies/{policy_id} | organizations:policies:get | × | × | |
| PATCH /v1/organizations/policies/{policy_id} | organizations:policies:update | × | × | |
| DELETE /v1/organizations/policies/{policy_id} | organizations:policies:delete | × | × | |
| POST /v1/organizations/policies/enable | organizations:policies:enable | × | × | |
| POST /v1/organizations/policies/disable | organizations:policies:disable | × | × | |
| POST /v1/organizations/policies/{policy_id}/attach | organizations:policies:attach | × | × | |
| POST /v1/organizations/policies/{policy_id}/detach | organizations:policies:detach | × | × | |
| GET /v1/organizations/policies/{policy_id}/attached-entities | organizations:attachedEntities:list | × | × |
标签管理
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| GET /v1/organizations/resources/{resource_id}/tags | organizations:tags:list | × | × | |
| POST /v1/organizations/resources/{resource_id}/tag | organizations:resources:tag | × | × | |
| POST /v1/organizations/resources/{resource_id}/untag | organizations:resources:untag | × | × | |
| GET /v1/organizations/{resource_type}/{resource_id}/tags | organizations:tags:list | × | × | |
| POST /v1/organizations/{resource_type}/{resource_id}/tags/create | organizations:resources:tag | × | × | |
| POST /v1/organizations/{resource_type}/{resource_id}/tags/delete | organizations:resources:untag | × | × | |
| POST /v1/organizations/{resource_type}/resource-instances/filter | organizations:resources:listByTag | × | × | |
| POST /v1/organizations/{resource_type}/resource-instances/count | organizations:resources:countByTag | × | × | |
| GET /v1/organizations/{resource_type}/tags | organizations:resources:list | × | × |
其他
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) | 企业项目(Enterprise Project) |
|---|---|---|---|---|
| GET /v1/organizations/entities/effective-policies | organizations:effectivePolicies:get | × | × | |
| GET /v1/organizations/entities | organizations:entities:list | × | × | |
| GET /v1/organizations/services | organizations:services:list | × | × | |
| GET /v1/organizations/tag-policy-services | organizations:tagPolicyServices:list | × | × | |
| GET /v1/organizations/quotas | organizations:quotas:list | × | × |
