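Policy Authorization Reference
This section describes the actions that Web Application Firewall (WAF) supports for policy-based authorization.
Supported Actions
Policies are either system-defined or custom. If the system-defined policies do not meet your authorization requirements, an administrator can create custom policies and grant them to user groups for fine-grained access control. The operations a policy supports correspond to APIs. The columns of the action list are described below:
- Permission: allows or denies an operation.
- API: the API that the custom policy actually calls.
- Action: an action supported in custom policies. Writing an action into the Action element of a custom policy grants the permission that the action corresponds to.
- Dependent actions: some actions depend on other actions. The dependent actions must be written into the policy together with the action for the permission to take effect.
- IAM project / enterprise project: the authorization scope of a custom policy, which can be IAM projects, enterprise projects, or both. If an action supports both IAM projects and enterprise projects, a custom policy containing it can be granted to user groups, and takes effect, in both IAM and Enterprise Management. If an action supports only IAM projects, the policy can be granted and takes effect only in IAM; a grant made in Enterprise Management does not take effect. Administrators can check in the action list whether an action supports IAM projects or enterprise projects: "√" means supported and "×" means not yet supported. For the differences between IAM projects and enterprise projects, see: Differences Between IAM and Enterprise Management.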
| Permission | API | Action | IAM Project |
|---|---|---|---|
| Query dedicated WAF engine information | GET /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:get | √ |
| Delete dedicated WAF engine information | DELETE /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:delete | √ |
| Rename a dedicated WAF engine | PUT /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:put | √ |
| Create a dedicated WAF engine instance | POST /v1/{project_id}/premium-waf/instance | waf:premiumInstance:create | √ |
| Query the list of dedicated WAF engines | GET /v1/{project_id}/premium-waf/instance | waf:premiumInstance:list | √ |
| Create a dedicated-mode domain name | POST /v1/{project_id}/premium-waf/host | waf:instance:create | √ |
| Query the list of dedicated-mode domain names | GET /v1/{project_id}/premium-waf/host | waf:instance:list | √ |
| Modify the configuration of a dedicated-mode domain name | PUT /v1/{project_id}/premium-waf/host/{host_id} | waf:instance:put | √ |
| View the configuration of a dedicated-mode domain name | GET /v1/{project_id}/premium-waf/host/{host_id} | waf:instance:get | √ |
| Delete a dedicated-mode domain name | DELETE /v1/{project_id}/premium-waf/host/{host_id} | waf:instance:delete | √ |
| Modify the protection status of a dedicated-mode domain name | PUT /v1/{project_id}/premium-waf/host/{host_id}/protect-status | waf:instance:put | √ |
| Modify the access status of a dedicated-mode domain name | PUT /v1/{project_id}/premium-waf/host/{host_id}/access_status | waf:instance:put | √ |
| Query the list of protection policies | GET /v1/{project_id}/waf/policy | waf:policy:list | √ |
| Create a protection policy | POST /v1/{project_id}/waf/policy | waf:policy:create | √ |
| Query a protection policy by ID | GET /v1/{project_id}/waf/policy/{policy_id} | waf:policy:get | √ |
| Update a protection policy | PATCH /v1/{project_id}/waf/policy/{policy_id} | waf:policy:put | √ |
| Delete a protection policy | DELETE /v1/{project_id}/waf/policy/{policy_id} | waf:policy:delete | √ |
| Query the list of blacklist and whitelist rules | GET /v1/{project_id}/waf/policy/{policy_id}/whiteblackip | waf:whiteBlackIpRule:list | √ |
| Create a blacklist or whitelist rule | POST /v1/{project_id}/waf/policy/{policy_id}/whiteblackip | waf:whiteBlackIpRule:create | √ |
| Query a blacklist or whitelist protection rule | GET /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:get | √ |
| Update a blacklist or whitelist protection rule | PUT /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:put | √ |
| Delete a blacklist or whitelist protection rule | DELETE /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:delete | √ |
| Query the list of CC rules | GET /v1/{project_id}/waf/policy/{policy_id}/cc | waf:ccRule:list | √ |
| Create a CC rule | POST /v1/{project_id}/waf/policy/{policy_id}/cc | waf:ccRule:create | √ |
| Query a CC protection rule by ID | GET /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:get | √ |
| Update a CC protection rule | PUT /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:put | √ |
| Delete a CC protection rule | DELETE /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:delete | √ |
| Query the list of precise protection rules | GET /v1/{project_id}/waf/policy/{policy_id}/custom | waf:preciseProtectionRule:list | √ |
| Create a precise protection rule | POST /v1/{project_id}/waf/policy/{policy_id}/custom | waf:preciseProtectionRule:create | √ |
| Query a precise protection rule by ID | GET /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:get | √ |
| Update a precise protection rule | PUT /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:put | √ |
| Delete a precise protection rule | DELETE /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:delete | √ |
| Query the list of privacy masking rules | GET /v1/{project_id}/waf/policy/{policy_id}/privacy | waf:privacyRule:list | √ |
| Create a privacy masking rule | POST /v1/{project_id}/waf/policy/{policy_id}/privacy | waf:privacyRule:create | √ |
| Query a privacy masking protection rule by ID | GET /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:get | √ |
| Update a privacy masking protection rule | PUT /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:put | √ |
| Delete a privacy masking protection rule | DELETE /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:delete | √ |
| Query the list of web tamper protection rules | GET /v1/{project_id}/waf/policy/{policy_id}/antitamper | waf:antiTamperRule:list | √ |
| Create a web tamper protection rule | POST /v1/{project_id}/waf/policy/{policy_id}/antitamper | waf:antiTamperRule:create | √ |
| Query a web tamper protection rule by ID | GET /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id} | waf:antiTamperRule:get | √ |
| Delete a web tamper protection rule | DELETE /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id} | waf:antiTamperRule:delete | √ |
| Refresh the cache of a web tamper protection rule | POST /v1/{project_id}/waf/policy/{policy_id}/antitamper/{antitamperid}/refresh | waf:antiTamperRule:create | √ |
| Query the list of false alarm masking rules | GET /v1/{project_id}/waf/policy/{policy_id}/ignore | waf:falseAlarmMaskRule:list | √ |
| Create a false alarm masking rule | POST /v1/{project_id}/waf/policy/{policy_id}/ignore | waf:falseAlarmMaskRule:create | √ |
| Query a false alarm masking protection rule | GET /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:get | √ |
| Update a false alarm masking protection rule | PUT /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:put | √ |
| Delete a false alarm masking protection rule | DELETE /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:delete | √ |
| Query the list of certificates | GET /v1/{project_id}/waf/certificate | waf:certificate:get | √ |
| Create a certificate | POST /v1/{project_id}/waf/certificate | waf:certificate:create | √ |
| Query a certificate | GET /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:list | √ |
| Modify a certificate | PUT /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:put | √ |
| Delete a certificate | DELETE /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:delete | √ |
| Bind a certificate to domain names | POST /v1/{project_id}/waf/certificate/{certificate_id}/apply-to-hosts | waf:certificate:apply | √ |
| Query the request and attack counts for the security overview | GET /v1/{project_id}/waf/overviews/statistics | waf:event:get | √ |
| Query the top classification statistics for the security overview | GET /v1/{project_id}/waf/overviews/classification | waf:event:get | √ |
| Query the list of attack events | GET /v1/{project_id}/waf/event | waf:event:get | √ |
| Query the details of an attack event | GET /v1/{project_id}/waf/event/{eventid} | waf:event:get | √ |
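
The following is an added example, not part of the original documentation: it resolves an API call to the action the table lists for it and builds a least-privilege custom policy from the calls a job actually makes, which matters because the action cannot always be guessed from the URL (the protect-status and refresh rows). The policy layout (`Version`, `Statement`, `Effect`, `Action`), the exact-match evaluation with Deny taking precedence, and the project ID and monitoring job are assumptions made for illustration.

```python
# Added example: map WAF API calls to the actions listed in the table above.
# Rows copied from the table: (HTTP method, path template) -> required action.
API_ACTIONS = {
    ("GET", "/v1/{project_id}/waf/policy"): "waf:policy:list",
    ("PATCH", "/v1/{project_id}/waf/policy/{policy_id}"): "waf:policy:put",
    ("DELETE", "/v1/{project_id}/waf/policy/{policy_id}"): "waf:policy:delete",
    ("PUT", "/v1/{project_id}/premium-waf/host/{host_id}/protect-status"): "waf:instance:put",
    ("POST", "/v1/{project_id}/waf/policy/{policy_id}/antitamper/{antitamperid}/refresh"): "waf:antiTamperRule:create",
    ("GET", "/v1/{project_id}/waf/event"): "waf:event:get",
}


def required_action(method, path):
    """Return the action the table lists for this call, or None if unknown."""
    segs = path.strip("/").split("/")
    for (m, template), action in API_ACTIONS.items():
        tsegs = template.strip("/").split("/")
        # A "{name}" template segment matches any single path segment.
        if m == method.upper() and len(tsegs) == len(segs) and all(
            t.startswith("{") or t == s for t, s in zip(tsegs, segs)
        ):
            return action
    return None


def least_privilege_policy(calls):
    """Build an Allow-only custom policy covering exactly the given calls."""
    actions = set()
    for method, path in calls:
        action = required_action(method, path)
        if action is None:
            raise ValueError(f"no action listed for {method} {path}")
        actions.add(action)
    # Assumed policy document layout (not shown on this page).
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions)}]}


def is_allowed(policy, method, path):
    """Exact-match check (assumed semantics): a Deny wins, else need an Allow."""
    action = required_action(method, path)
    effects = {s["Effect"] for s in policy["Statement"] if action in s["Action"]}
    return action is not None and "Deny" not in effects and "Allow" in effects


# Constructed sample: calls made by a hypothetical read-only monitoring job.
MONITOR_CALLS = [("GET", "/v1/0123abcd/waf/policy"), ("GET", "/v1/0123abcd/waf/event")]
MONITOR_POLICY = least_privilege_policy(MONITOR_CALLS)
```

Extending `API_ACTIONS` with the remaining rows of the table turns the same functions into a review check for any custom policy before it is granted to a user group.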