Creating a GES Custom Policy

Custom policies can be created as a supplement to the system policies of GES. For the actions supported for custom policies, see Permissions Policies and Supported Actions.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following section contains examples of common GES custom policies.

Example Policies

  • Example 1: Allowing users to query and operate graphs
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ges:*:get*",
                    "ges:*:list*",
                    "ges:graph:operate"
                ]
            }
        ]
    }
  • Example 2: Denying graph deletion

    A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    The following method can be used if you need to assign the GES FullAccess policy to a user but also forbid the user from deleting graphs. Create a custom policy for denying graph deletion, and assign both policies to the group the user belongs to. Then the user can perform all operations on GES except deleting graphs. The following is an example deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ges:graph:delete"
                ]
            }
        ]
    }
  • Example 3: Authorizing users to operate graphs whose name prefix is ges_project (the prefix match is case-insensitive) and to access the graph list
    { 
         "Version": "1.1", 
         "Statement": [ 
             { 
                 "Effect": "Allow", 
                 "Action": [ 
                     "ges:graph:create", 
                     "ges:graph:delete", 
                     "ges:graph:access", 
                     "ges:graph:getDetail" 
                 ], 
                 "Resource": [ 
                     "ges:*:*:graphName:ges_project*" 
                 ] 
             }, 
             { 
                 "Effect": "Allow", 
                 "Action": [ 
                     "ges:graph:list" 
                 ] 
             } 
         ] 
     }
  • Example 4: Authorizing users to operate some graph resources and view all resources

    The policy consists of the following two parts:

    • Part 1: Authorizing users to operate resources whose name prefix is ges_project. The resources include graphs, metadata, and backups.
    • Part 2: Authorizing users to query the graph, backup, task, and metadata lists, verify metadata files, and view job details
      { 
           "Version": "1.1", 
           "Statement": [ 
               { 
                   "Action": [ 
                       "ges:backup:delete", 
                       "ges:graph:access", 
                       "ges:metadata:create", 
                       "ges:graph:operate", 
                       "ges:graph:delete", 
                       "ges:metadata:delete", 
                       "ges:graph:create", 
                       "ges:backup:create", 
                       "ges:metadata:getDetail", 
                       "ges:graph:getDetail" 
                   ], 
                   "Resource": [ 
                       "ges:*:*:backupName:ges_project*", 
                       "ges:*:*:graphName:ges_project*", 
                       "ges:*:*:metadataName:ges_project*" 
                   ], 
                   "Effect": "Allow" 
               }, 
               { 
                   "Action": [ 
                       "ges:graph:list", 
                       "ges:backup:list", 
                       "ges:jobs:list", 
                       "ges:metadata:list", 
                       "ges:metadata:operate", 
                       "ges:jobs:getDetail" 
                   ], 
                   "Effect": "Allow" 
               } 
           ] 
       }
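The rules these examples rely on (a matching Deny overrides every Allow, glob-style action patterns such as ges:*:get*, and case-insensitive name-prefix matching in Resource) can be exercised with a small evaluator. This is an added illustration, not GES or IAM code: it is a simplified model of the rules stated above, and the region/project-id segments, the sample graph names, and the "ges:*" pattern standing in for GES FullAccess are assumptions.

```python
import fnmatch
from typing import Optional

# Constructed sample policies. DENY_DELETE is the page's Example 2; FULL_ACCESS is a
# stand-in for the GES FullAccess system policy (the "ges:*" pattern is an assumption).
FULL_ACCESS = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["ges:*"]}]}
DENY_DELETE = {"Version": "1.1", "Statement": [{"Effect": "Deny", "Action": ["ges:graph:delete"]}]}

# The page's Example 3: prefix-scoped graph actions plus an unscoped list action.
PREFIX_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ges:graph:create", "ges:graph:delete",
                    "ges:graph:access", "ges:graph:getDetail"],
         "Resource": ["ges:*:*:graphName:ges_project*"]},
        {"Effect": "Allow", "Action": ["ges:graph:list"]},
    ],
}

# Constructed resource identifiers; the region and project-id segments are placeholders.
IN_SCOPE = "ges:region:project-id:graphName:GES_Project_sales"
OUT_OF_SCOPE = "ges:region:project-id:graphName:other_graph"

def _matches(pattern: str, value: str) -> bool:
    """Glob-style match, case-insensitive (the page notes graph-name prefixes are)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _applies(stmt: dict, action: str, resource: Optional[str]) -> bool:
    """A statement applies when an Action pattern matches and, if it names Resources,
    one of them matches too; a statement without a Resource key covers every resource."""
    if not any(_matches(p, action) for p in stmt.get("Action", [])):
        return False
    if "Resource" not in stmt:
        return True
    return resource is not None and any(_matches(p, resource) for p in stmt["Resource"])

def is_allowed(policies: list, action: str, resource: Optional[str] = None) -> bool:
    """Evaluate all attached policies: any matching Deny wins over every Allow, and a
    request that matches no Allow statement is refused by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

Attaching FULL_ACCESS together with DENY_DELETE reproduces the Example 2 outcome: every graph action except deletion is permitted, regardless of the order in which the policies are listed.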