Creating a Custom Policy
Scenarios
Custom policies can be created as a supplement to the system policies of IMS. For the actions supported for custom policies, see Permissions Policies and Supported Actions.
You can create custom policies in either of the following two ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Policy. This section provides examples of common IMS custom policies.
Example Policies
- Example 1: Allowing users to create images
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "ims:serverImages:create",
                  "obs:bucket:*",
                  "obs:object:*",
                  "kms:*:*",
                  "ecs:cloudServers:get",
                  "ecs:servers:get",
                  "ecs:serverVolumes:use",
                  "ecs:cloudServers:list",
                  "ecs:serverVolumeAttachments:list",
                  "ecs:servers:list",
                  "evs:volumes:*",
                  "bms:servers:list",
                  "bms:servers:get",
                  "bms:serverFlavors:get"
              ]
          }
      ]
  }
  The action required for creating an image is ims:serverImages:create. The other actions are dependent actions for creating an image.
- Example 2: Denying image deletion
  A deny policy must be used in conjunction with other policies to take effect. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.
  The following method can be used if you need to assign the IMS FullAccess policy to a user but also forbid the user from deleting images. Create a custom policy for denying image deletion, and assign both policies to the group the user belongs to. Then, the user can perform all operations on IMS except deleting images. The following is an example deny policy:
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Deny",
              "Action": [
                  "ims:images:delete"
              ]
          }
      ]
  }
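The rules described in Example 2 (a Deny overrides any Allow, and a deny policy grants nothing by itself) can be checked offline before a policy is assigned. The following Python sketch is an added example, not part of the original documentation and not the IAM policy engine. It assumes a simplified model in which actions are matched segment by segment with * as a wildcard, and it uses a constructed stand-in with the single action ims:*:* in place of the real IMS FullAccess policy body.

```python
import json
from fnmatch import fnmatchcase

# Deny policy copied from Example 2 on this page.
DENY_DELETE = json.loads("""
{"Version": "1.1", "Statement": [
  {"Effect": "Deny", "Action": ["ims:images:delete"]}]}
""")

# Constructed stand-in for IMS FullAccess (assumption, not the real policy body).
FULL_ACCESS_STANDIN = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["ims:*:*"]}],
}


def action_matches(pattern, action):
    """Compare service:resource:operation segment by segment; '*' is a wildcard."""
    p, a = pattern.split(":"), action.split(":")
    return len(p) == len(a) and all(fnmatchcase(x, y) for x, y in zip(a, p))


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(pat, action) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny wins, whatever else matches
                allowed = True
    # No matching statement at all means the action is not granted.
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    both = [FULL_ACCESS_STANDIN, DENY_DELETE]
    for act in ("ims:images:delete", "ims:serverImages:create"):
        print("both policies:", act, "->", evaluate(both, act))
    # The deny policy alone grants nothing, so every other action stays ungranted.
    print("deny only:", evaluate([DENY_DELETE], "ims:serverImages:create"))
```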