Resource-Level Authorization Instructions

| Resource Type | URN |
|---|---|
| workspace | secmaster:<region>:<account-id>:workspace:<workspace-id> |
| playbook | secmaster:<region>:<account-id>:playbook:<workspace-id>/<playbook-id> |
| workflow | secmaster:<region>:<account-id>:workflow:<workspace-id>/<workflow-id> |
| connection | secmaster:<region>:<account-id>:connection:<workspace-id>/<connection-id> |
| task | secmaster:<region>:<account-id>:task:<workspace-id>/<task-id> |
| indicator | secmaster:<region>:<account-id>:indicator:<workspace-id>/<indicator-id> |
| alert | secmaster:<region>:<account-id>:alert:<workspace-id>/<alert-id> |
| incident | secmaster:<region>:<account-id>:incident:<workspace-id>/<incident-id> |
| dataobject | secmaster:<region>:<account-id>:dataobject:<workspace-id>/<dataobject-id> |
| metric | secmaster:<region>:<account-id>:metric:<workspace-id>/<metric-id> |
| resource | secmaster:<region>:<account-id>:resource:<workspace-id>/<resource-id> |
| report | secmaster:<region>:<account-id>:report:<workspace-id>/<report-id> |
| emergencyVulnerability | secmaster:<region>:<account-id>:emergencyVulnerability:<workspace-id>/<emergency-vulnerability-id> |
| dataspace | secmaster:<region>:<account-id>:dataspace:<workspace-id>/<dataspace-id> |
| pipe | secmaster:<region>:<account-id>:pipe:<workspace-id>/<pipe-id> |
| alertRule | secmaster:<region>:<account-id>:alertRule:<workspace-id>/<alertRule-id> |
| vulnerability | secmaster:<region>:<account-id>:vulnerability:<workspace-id>/<vulnerability-id> |
| alertRuleTemplate | secmaster:<region>:<account-id>:alertRuleTemplate:<workspace-id>/<alertRuleTemplate-id> |
| searchCondition | secmaster:<region>:<account-id>:searchCondition:<workspace-id>/<searchCondition-id> |
| dataclass | secmaster:<region>:<account-id>:dataclass:<workspace-id>/<dataclass-id> |
| mapping | secmaster:<region>:<account-id>:mapping:<workspace-id>/<mapping-id> |
| layout | secmaster:<region>:<account-id>:layout:<workspace-id>/<layout-id> |
| catalogue | secmaster:<region>:<account-id>:catalogue:<workspace-id>/<catalogue-id> |
| table | secmaster:<region>:<account-id>:table:<workspace-id>/<table-id> |
| policy | secmaster:<region>:<account-id>:policy:<workspace-id>/<policy-id> |
| baseline | secmaster:<region>:<account-id>:baseline:<workspace-id>/<baseline-id> |
| shipper | secmaster:<region>:<account-id>:shipper:<workspace-id>/<shipper-id> |
| analysisScript | secmaster:<region>:<account-id>:analysisScript:<workspace-id>/<analysisScript-id> |
| collectorChannel | secmaster:<region>:<account-id>:collectorChannel:<workspace-id>/<collectorChannel-id> |
| collectorChannelGroup | secmaster:<region>:<account-id>:collectorChannelGroup:<workspace-id>/<collectorChannelGroup-id> |
| collectorConnection | secmaster:<region>:<account-id>:collectorConnection:<workspace-id>/<collectorConnection-id> |
| collectorParser | secmaster:<region>:<account-id>:collectorParser:<workspace-id>/<collectorParser-id> |
| component | secmaster:<region>:<account-id>:component:<workspace-id>/<component-id> |
| node | secmaster:<region>:<account-id>:node:<workspace-id>/<node-id> |
| accountAgency | secmaster:<region>:<account-id>:accountAgency:<accountAgency-id> |
When you set a resource identifier, replace the variable parameters such as <region>, <account-id>, and <workspace-id> with the actual values, or use the * wildcard directly. Note that every resource type except workspace and accountAgency is scoped under a workspace, so the <workspace-id> segment is the natural place to narrow a grant to one workspace.

Example of a resource-level authorization policy:

Starting from the playbook resource identifier secmaster:<region>:<account-id>:playbook:<workspace-id>/<playbook-id>, replace:
- <region> and <account-id> with the * wildcard.
- <workspace-id> with "7430b8e4-be12-4bd4-80f7-1aa02123551c".
- <playbook-id> with the * wildcard.

Attaching the following policy to user A grants user A approval permission on all playbooks in the workspace whose ID is "7430b8e4-be12-4bd4-80f7-1aa02123551c". Because <playbook-id> is a wildcard, this covers every playbook in that workspace, including playbooks created after the policy is attached; list specific playbook IDs instead if the user should only approve a known set.
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secmaster:playbook:approve"
      ],
      "Resource": [
        "secmaster:*:*:playbook:7430b8e4-be12-4bd4-80f7-1aa02123551c/*"
      ]
    }
  ]
}
```
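To check what a resource pattern like the one above actually covers before attaching it, it helps to build concrete URNs from the table and match them against the policy locally. The following is an added example, not code from the SecMaster documentation or the IAM service. It assumes (these are not stated on the page) that a URN always has exactly five colon-separated fields, that a `*` in a policy Resource or Action matches any run of characters within one field, and that an explicit Deny overrides an Allow. The region `cn-north-4`, the account ID, the playbook IDs, the second workspace ID and the action `secmaster:playbook:delete` are constructed sample values used only for illustration.

```python
"""Build SecMaster resource URNs and evaluate a resource-level policy against them.

Added example; not SecMaster or IAM code. Assumptions (not from the page):
a URN has exactly five ':'-separated fields, '*' matches any run of characters
within one field (also in Action names), and an explicit Deny wins over Allow.
"""
import re
from typing import Dict, List, Optional

# Types whose resource path is "<workspace-id>/<id>" (every type in the table
# except workspace and accountAgency).
WORKSPACE_SCOPED = {
    "playbook", "workflow", "connection", "task", "indicator", "alert", "incident",
    "dataobject", "metric", "resource", "report", "emergencyVulnerability",
    "dataspace", "pipe", "alertRule", "vulnerability", "alertRuleTemplate",
    "searchCondition", "dataclass", "mapping", "layout", "catalogue", "table",
    "policy", "baseline", "shipper", "analysisScript", "collectorChannel",
    "collectorChannelGroup", "collectorConnection", "collectorParser",
    "component", "node",
}
# Types whose resource path is just "<id>".
TOP_LEVEL = {"workspace", "accountAgency"}


def build_urn(resource_type: str, region: str, account_id: str,
              resource_id: str, workspace_id: Optional[str] = None) -> str:
    """Build a SecMaster URN using the formats in the table above."""
    if resource_type in TOP_LEVEL:
        path = resource_id
    elif resource_type in WORKSPACE_SCOPED:
        if not workspace_id:
            raise ValueError(f"{resource_type} URNs are scoped under a workspace")
        path = f"{workspace_id}/{resource_id}"
    else:
        raise ValueError(f"unknown SecMaster resource type: {resource_type}")
    return f"secmaster:{region}:{account_id}:{resource_type}:{path}"


def _field_matches(pattern: str, value: str) -> bool:
    """Match one field; '*' matches any run of characters (assumed semantics)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def urn_matches(pattern: str, urn: str) -> bool:
    """Field-by-field wildcard match of a policy Resource against a concrete URN."""
    if pattern == "*":
        return True
    pat_fields, urn_fields = pattern.split(":"), urn.split(":")
    if len(urn_fields) != 5:
        raise ValueError(f"malformed URN: {urn}")
    if len(pat_fields) != 5:
        return False  # a pattern that is not itself a five-field URN cannot match
    return all(_field_matches(p, v) for p, v in zip(pat_fields, urn_fields))


def evaluate(policy: Dict, action: str, urn: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions: List[str] = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", ["*"])
        resources = resources if isinstance(resources, list) else [resources]
        if not any(_field_matches(a, action) for a in actions):
            continue
        if not any(urn_matches(r, urn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides any Allow (assumed)
        decision = "Allow"
    return decision


WORKSPACE = "7430b8e4-be12-4bd4-80f7-1aa02123551c"  # workspace ID from the page
POLICY = {  # the Allow statement shown on the page
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secmaster:playbook:approve"],
        "Resource": [f"secmaster:*:*:playbook:{WORKSPACE}/*"],
    }],
}


def demo() -> Dict[str, str]:
    """Evaluate the page's policy against constructed sample resources and actions."""
    in_ws = build_urn("playbook", "cn-north-4", "0a1b2c3d4e5f", "pb-001", WORKSPACE)
    other_ws = build_urn("playbook", "cn-north-4", "0a1b2c3d4e5f", "pb-001",
                         "11111111-2222-3333-4444-555555555555")
    # Hypothetical carve-out: the same policy plus a Deny on one playbook.
    carved = {"Version": "1.1", "Statement": POLICY["Statement"] + [{
        "Effect": "Deny", "Action": "secmaster:playbook:approve",
        "Resource": f"secmaster:*:*:playbook:{WORKSPACE}/pb-001"}]}
    return {
        "approve_in_workspace": evaluate(POLICY, "secmaster:playbook:approve", in_ws),
        "approve_other_workspace": evaluate(POLICY, "secmaster:playbook:approve", other_ws),
        "delete_in_workspace": evaluate(POLICY, "secmaster:playbook:delete", in_ws),
        "approve_carved_out": evaluate(carved, "secmaster:playbook:approve", in_ws),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `demo()` results show the scoping the page describes: the approve action is allowed only on playbooks inside the named workspace, an unlisted action stays implicitly denied, and a more specific Deny statement can carve one playbook out of the wildcard grant. Treat the local result as a sanity check on the pattern, not as a substitute for the service's own policy evaluation.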