Instructions for Using Resource-Level Authorization
| Resource type | URN |
|---|---|
| workspace | secmaster:<region>:<account-id>:workspace:<workspace-id> |
| playbook | secmaster:<region>:<account-id>:playbook:<workspace-id>/<playbook-id> |
| workflow | secmaster:<region>:<account-id>:workflow:<workspace-id>/<workflow-id> |
| connection | secmaster:<region>:<account-id>:connection:<workspace-id>/<connection-id> |
| task | secmaster:<region>:<account-id>:task:<workspace-id>/<task-id> |
| indicator | secmaster:<region>:<account-id>:indicator:<workspace-id>/<indicator-id> |
| alert | secmaster:<region>:<account-id>:alert:<workspace-id>/<alert-id> |
| incident | secmaster:<region>:<account-id>:incident:<workspace-id>/<incident-id> |
| dataobject | secmaster:<region>:<account-id>:dataobject:<workspace-id>/<dataobject-id> |
| metric | secmaster:<region>:<account-id>:metric:<workspace-id>/<metric-id> |
| resource | secmaster:<region>:<account-id>:resource:<workspace-id>/<resource-id> |
| report | secmaster:<region>:<account-id>:report:<workspace-id>/<report-id> |
| emergencyVulnerability | secmaster:<region>:<account-id>:emergencyVulnerability:<workspace-id>/<emergency-vulnerability-id> |
| dataspace | secmaster:<region>:<account-id>:dataspace:<workspace-id>/<dataspace-id> |
| pipe | secmaster:<region>:<account-id>:pipe:<workspace-id>/<pipe-id> |
| alertRule | secmaster:<region>:<account-id>:alertRule:<workspace-id>/<alertRule-id> |
| vulnerability | secmaster:<region>:<account-id>:vulnerability:<workspace-id>/<vulnerability-id> |
| alertRuleTemplate | secmaster:<region>:<account-id>:alertRuleTemplate:<workspace-id>/<alertRuleTemplate-id> |
| searchCondition | secmaster:<region>:<account-id>:searchCondition:<workspace-id>/<searchCondition-id> |
| dataclass | secmaster:<region>:<account-id>:dataclass:<workspace-id>/<dataclass-id> |
| mapping | secmaster:<region>:<account-id>:mapping:<workspace-id>/<mapping-id> |
| layout | secmaster:<region>:<account-id>:layout:<workspace-id>/<layout-id> |
| catalogue | secmaster:<region>:<account-id>:catalogue:<workspace-id>/<catalogue-id> |
| table | secmaster:<region>:<account-id>:table:<workspace-id>/<table-id> |
| policy | secmaster:<region>:<account-id>:policy:<workspace-id>/<policy-id> |
| baseline | secmaster:<region>:<account-id>:baseline:<workspace-id>/<baseline-id> |
| shipper | secmaster:<region>:<account-id>:shipper:<workspace-id>/<shipper-id> |
| analysisScript | secmaster:<region>:<account-id>:analysisScript:<workspace-id>/<analysisScript-id> |
| collectorChannel | secmaster:<region>:<account-id>:collectorChannel:<workspace-id>/<collectorChannel-id> |
| collectorChannelGroup | secmaster:<region>:<account-id>:collectorChannelGroup:<workspace-id>/<collectorChannelGroup-id> |
| collectorConnection | secmaster:<region>:<account-id>:collectorConnection:<workspace-id>/<collectorConnection-id> |
| collectorParser | secmaster:<region>:<account-id>:collectorParser:<workspace-id>/<collectorParser-id> |
| component | secmaster:<region>:<account-id>:component:<workspace-id>/<component-id> |
| node | secmaster:<region>:<account-id>:node:<workspace-id>/<node-id> |
| accountAgency | secmaster:<region>:<account-id>:accountAgency:<accountAgency-id> |
When setting a resource identifier, replace the variable parameters such as <region>, <account-id>, and <workspace-id> with the actual values, or use the * wildcard directly.

Example of a resource-level authorization policy:

Take the playbook resource identifier secmaster:<region>:<account-id>:playbook:<workspace-id>/<playbook-id> and:
- replace <region> and <account-id> with the * wildcard;
- set <workspace-id> to "7430b8e4-be12-4bd4-80f7-1aa02123551c";
- replace <playbook-id> with the * wildcard.

Granting the following policy to user A gives user A the approval permission for all playbooks in the workspace whose ID is "7430b8e4-be12-4bd4-80f7-1aa02123551c".
```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secmaster:playbook:approve"
            ],
            "Resource": [
                "secmaster:*:*:playbook:7430b8e4-be12-4bd4-80f7-1aa02123551c/*"
            ]
        }
    ]
}
```
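The following script is an added example, not SecMaster's or IAM's own policy evaluator. It builds resource identifiers in the three shapes the table above lists, then applies a simplified matching model to the policy from the page, so you can check before deploying a policy which requests it would cover and which it would not. Assumptions: a "*" in an Action or Resource entry matches any run of characters (including ":" and "/"), an explicit Deny statement overrides any Allow, and the region, account ID and playbook IDs used in the checks are constructed sample values.

```python
import re
from typing import Dict, Optional

# The resource-level policy from the page: approve every playbook in one workspace.
EXAMPLE_POLICY: Dict = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secmaster:playbook:approve"],
            "Resource": ["secmaster:*:*:playbook:7430b8e4-be12-4bd4-80f7-1aa02123551c/*"],
        }
    ],
}

# Constructed sample values (not from the page) used for the checks below.
WORKSPACE_A = "7430b8e4-be12-4bd4-80f7-1aa02123551c"   # workspace named in the policy
WORKSPACE_B = "0f3c2e1a-aaaa-bbbb-cccc-000000000001"   # constructed second workspace
REGION = "cn-north-4"                                   # constructed region
ACCOUNT_ID = "0123456789abcdef0123456789abcdef"        # constructed account ID


def build_urn(resource_type: str, region: str, account_id: str,
              workspace_id: Optional[str] = None,
              resource_id: Optional[str] = None) -> str:
    """Build a URN in one of the three shapes listed in the table.

    workspace      -> secmaster:<region>:<account-id>:workspace:<workspace-id>
    accountAgency  -> secmaster:<region>:<account-id>:accountAgency:<accountAgency-id>
    anything else  -> secmaster:<region>:<account-id>:<type>:<workspace-id>/<id>
    """
    prefix = f"secmaster:{region}:{account_id}:{resource_type}:"
    if resource_type == "workspace":
        if workspace_id is None:
            raise ValueError("workspace URN needs workspace_id")
        return prefix + workspace_id
    if resource_type == "accountAgency":
        if resource_id is None:
            raise ValueError("accountAgency URN needs resource_id")
        return prefix + resource_id
    if workspace_id is None or resource_id is None:
        raise ValueError(f"{resource_type} URN needs workspace_id and resource_id")
    return f"{prefix}{workspace_id}/{resource_id}"


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape every literal piece, turn each "*" into ".*", and anchor both ends
    # so the pattern must cover the whole string (assumed matching model).
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def pattern_matches(pattern: str, value: str) -> bool:
    """True if a policy Action/Resource entry with "*" wildcards covers the value."""
    return _glob_to_regex(pattern).match(value) is not None


def policy_decision(policy: Dict, action: str, urn: str) -> str:
    """Return "Allow", "Deny" or "NoMatch" for one action on one resource.

    Simplified model: a statement applies when both an Action entry and a
    Resource entry match; an explicit Deny wins over any Allow; a request that
    matches no statement is "NoMatch" (i.e. not granted by this policy).
    """
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        action_hit = any(pattern_matches(a, action) for a in stmt["Action"])
        resource_hit = any(pattern_matches(r, urn) for r in stmt.get("Resource", ["*"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    checks = [
        ("secmaster:playbook:approve", build_urn("playbook", REGION, ACCOUNT_ID, WORKSPACE_A, "pb-0001")),
        ("secmaster:playbook:approve", build_urn("playbook", REGION, ACCOUNT_ID, WORKSPACE_B, "pb-0001")),
        ("secmaster:playbook:approve", build_urn("workflow", REGION, ACCOUNT_ID, WORKSPACE_A, "wf-0001")),
    ]
    for action, urn in checks:
        print(f"{policy_decision(EXAMPLE_POLICY, action, urn):8} {action} on {urn}")
```

Under this model the policy grants the approve action only on playbooks under workspace 7430b8e4-be12-4bd4-80f7-1aa02123551c; a playbook in another workspace, a workflow in the same workspace, or a different playbook action all fall outside it. Because the page's example wildcards <region> and <account-id>, the identifier is pinned only by the workspace ID; putting the actual region and account ID in those segments, as the first sentence of this section allows, gives a narrower policy.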
