策略授权参考
本章节介绍Web应用防火墙(Web Application Firewall,WAF)策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝某项操作。对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
| 权限 | 对应API接口 | 授权项(Action) | IAM项目(Project) |
|---|---|---|---|
| 查询WAF独享引擎信息 | GET /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:get | √ |
| 删除WAF独享引擎信息 | DELETE /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:delete | √ |
| 重命名WAF独享引擎 | PUT /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:put | √ |
| 创建WAF独享引擎实例 | POST /v1/{project_id}/premium-waf/instance | waf:premiumInstance:create | √ |
| 查询WAF独享引擎列表 | GET /v1/{project_id}/premium-waf/instance | waf:premiumInstance:list | √ |
| 创建独享模式域名 | POST /v1/{project_id}/premium-waf/host | waf:instance:create | √ |
| 查询独享模式域名列表 | GET /v1/{project_id}/premium-waf/host | waf:instance:list | √ |
| 修改独享模式域名配置 | PUT /v1/{project_id}/premium-waf/host/{host_id} | waf:instance:put | √ |
| 查看独享模式域名配置 | GET /v1/{project_id}/premium-waf/host/{host_id} | waf:instance:get | √ |
| 删除独享模式域名 | DELETE /v1/{project_id}/premium-waf/host/{host_id} | waf:instance:delete | √ |
| 修改独享模式域名防护状态 | PUT /v1/{project_id}/premium-waf/host/{host_id}/protect-status | waf:instance:put | √ |
| 修改独享模式域名接入状态 | PUT /v1/{project_id}/premium-waf/host/{host_id}/access_status | waf:instance:put | √ |
| 查询防护策略列表 | GET /v1/{project_id}/waf/policy | waf:policy:list | √ |
| 创建防护策略 | POST /v1/{project_id}/waf/policy | waf:policy:create | √ |
| 根据Id查询防护策略 | GET /v1/{project_id}/waf/policy/{policy_id} | waf:policy:get | √ |
| 更新防护策略 | PATCH /v1/{project_id}/waf/policy/{policy_id} | waf:policy:put | √ |
| 删除防护策略 | DELETE /v1/{project_id}/waf/policy/{policy_id} | waf:policy:delete | √ |
| 查询黑白名单规则列表 | GET /v1/{project_id}/waf/policy/{policy_id}/whiteblackip | waf:whiteBlackIpRule:list | √ |
| 创建黑白名单规则 | POST /v1/{project_id}/waf/policy/{policy_id}/whiteblackip | waf:whiteBlackIpRule:create | √ |
| 查询黑白名单防护规则 | GET /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:get | √ |
| 更新黑白名单防护规则 | PUT /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:put | √ |
| 删除黑白名单防护规则 | DELETE /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:delete | √ |
| 查询CC规则列表 | GET /v1/{project_id}/waf/policy/{policy_id}/cc | waf:ccRule:list | √ |
| 创建CC规则 | POST /v1/{project_id}/waf/policy/{policy_id}/cc | waf:ccRule:create | √ |
| 根据ID查询CC防护规则 | GET /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:get | √ |
| 更新CC防护规则 | PUT /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:put | √ |
| 删除CC防护规则 | DELETE /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:delete | √ |
| 查询精准防护规则列表 | GET /v1/{project_id}/waf/policy/{policy_id}/custom | waf:preciseProtectionRule:list | √ |
| 创建精准防护规则 | POST /v1/{project_id}/waf/policy/{policy_id}/custom | waf:preciseProtectionRule:create | √ |
| 根据Id 查询精准防护规则 | GET /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:get | √ |
| 更新精准防护规则 | PUT /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:put | √ |
| 删除精准防护规则 | DELETE /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:delete | √ |
| 查询隐私屏蔽规则列表 | GET /v1/{project_id}/waf/policy/{policy_id}/privacy | waf:privacyRule:list | √ |
| 创建隐私屏蔽规则 | POST /v1/{project_id}/waf/policy/{policy_id}/privacy | waf:privacyRule:create | √ |
| 根据Id 查询隐私屏蔽防护规则 | GET /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:get | √ |
| 更新隐私屏蔽防护规则 | PUT /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:put | √ |
| 删除隐私屏蔽防护规则 | DELETE /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:delete | √ |
| 查询防篡改规则列表 | GET /v1/{project_id}/waf/policy/{policy_id}/antitamper | waf:antiTamperRule:list | √ |
| 创建防篡改规则 | POST /v1/{project_id}/waf/policy/{policy_id}/antitamper | waf:antiTamperRule:create | √ |
| 根据Id 查询防篡改防护规则 | GET /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id} | waf:antiTamperRule:get | √ |
| 删除防篡改防护规则 | DELETE /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id} | waf:antiTamperRule:delete | √ |
| 某个网页防篡改规则更新缓存 | POST /v1/{project_id}/waf/policy/{policy_id}/antitamper/{antitamperid}/refresh | waf:antiTamperRule:create | √ |
| 查询误报屏蔽规则列表 | GET /v1/{project_id}/waf/policy/{policy_id}/ignore | waf:falseAlarmMaskRule:list | √ |
| 创建误报屏蔽规则 | POST /v1/{project_id}/waf/policy/{policy_id}/ignore | waf:falseAlarmMaskRule:create | √ |
| 查询误报屏蔽防护规则 | GET /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:get | √ |
| 更新误报屏蔽防护规则 | PUT /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:put | √ |
| 删除误报屏蔽防护规则 | DELETE /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:delete | √ |
| 查询证书列表 | GET /v1/{project_id}/waf/certificate | waf:certificate:get | √ |
| 创建证书 | POST /v1/{project_id}/waf/certificate | waf:certificate:create | √ |
| 查询证书 | GET /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:list | √ |
| 修改证书 | PUT /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:put | √ |
| 删除证书 | DELETE /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:delete | √ |
| 绑定证书到域名 | POST /v1/{project_id}/waf/certificate/{certificate_id}/apply-to-hosts | waf:certificate:apply | √ |
| 查询安全总览请求与攻击数量 | GET /v1/{project_id}/waf/overviews/statistics | waf:event:get | √ |
| 查询安全总览分类统计TOP信息 | GET /v1/{project_id}/waf/overviews/classification | waf:event:get | √ |
| 查询攻击事件列表 | GET /v1/{project_id}/waf/event | waf:event:get | √ |
| 查询攻击事件详情 | GET /v1/{project_id}/waf/event/{eventid} | waf:event:get | √ |
