Updated on 2022-09-15 GMT+08:00

Preventing an IAM User from Logging In to DataArts Studio by Setting Specific Conditions

This section describes how to prevent an IAM user from logging in to DataArts Studio by setting specific conditions in a custom policy. The time condition is used as an example: it prevents an IAM user from logging in to DataArts Studio after a specified time.

Prerequisites

You have created an IAM user. For details, see Creating an IAM User.

Creating a Custom Policy

The system default permissions cannot be modified. To set specific conditions, you need to create a custom authorization policy.

  1. Log in to the console as the administrator.

    Figure 1 Logging in to the console

  2. Hover the mouse over the username in the upper right corner and select Identity and Access Management.

    Figure 2 Identity and Access Management

  3. In the navigation pane, choose Permissions > Policies/Roles.

    Figure 3 Policies/Roles

  4. Click Create Custom Policy in the upper right corner. For details about how to configure custom permissions, see Policy Syntax.
  5. On the Create Custom Policy page, enter CurrentTime for Policy Name and select Visual editor for Policy View.

    Figure 4 Create Custom Policy

  6. Configure the policy content.

    1. Allow/Deny: Select Deny.
      Figure 5 Allow/Deny
    2. Select service: Enter a keyword to search for the service (DataArts Studio, which appears as DGC in the policy JSON) and select it.
      Figure 6 Select service
    3. Select action: Select all actions.
      Figure 7 Select action
    4. (Optional) Select resource: By default, all resources are selected.
      Figure 8 Select resource
    5. (Optional) Add request condition: Click Add Request Condition. In the displayed dialog box, select g:CurrentTime for Condition Key, DateGreaterThan for Qualifier, and set the time.
      Figure 9 Add Request Condition
    6. Click OK.
      Figure 10 Clicking OK
    7. Select JSON for Policy View to view the code for the custom policy.
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "DGC:*:*"
                  ],
                  "Condition": {
                      "DateGreaterThan": {
                          "g:CurrentTime": [
                              "2023-01-01T00:00:00Z"
                          ]
                      }
                  }
              }
          ]
      }
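A local check of the policy above, added here as an example (it is not Huawei Cloud code and does not call IAM): it simulates how the Deny statement's time condition treats a request at a given time. It assumes DateGreaterThan is a strict comparison; the function names and the action names `DGC:example:action` and `other:example:action` are hypothetical.

```python
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# The custom policy from step 7, copied from the page.
POLICY = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Deny",
                "Action": ["DGC:*:*"],
                "Condition": {"DateGreaterThan":
                              {"g:CurrentTime": ["2023-01-01T00:00:00Z"]}}}]}
""")

def parse_utc(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        # A naive time would be ambiguous between local time and UTC.
        raise ValueError(f"timestamp {ts!r} has no time zone")
    return dt.astimezone(timezone.utc)

def is_denied(policy, action, request_time):
    """Return True if a Deny statement matches `action` at `request_time`.

    Assumption: DateGreaterThan is strict (request time > policy time).
    Only the DateGreaterThan / g:CurrentTime condition is modelled.
    """
    now = parse_utc(request_time)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        cond = stmt.get("Condition")
        if not cond:
            return True  # Deny without a condition always applies
        if set(cond) != {"DateGreaterThan"} or \
           set(cond["DateGreaterThan"]) != {"g:CurrentTime"}:
            raise NotImplementedError("condition not modelled in this example")
        limits = cond["DateGreaterThan"]["g:CurrentTime"]
        if any(now > parse_utc(limit) for limit in limits):
            return True
    return False
```

Because the policy time ends in `Z` (UTC), a request stamped in GMT+08:00 is cut off at 08:00 local time on 2023-01-01, not at local midnight.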

Granting the Custom Policy to an IAM User

The custom policy cannot be directly granted to an IAM user. You must grant the policy to a user group and then add the IAM user to the user group.

  1. On the IAM console, choose User Groups in the navigation pane. Then click Create User Group in the upper right corner.

    Figure 11 Create User Group

  2. Enter the user group name and click OK.

    Figure 12 Entering the user group name

  3. On the User Groups page, locate the created user group and click Authorize in the Operation column.

    Figure 13 Authorize

  4. Select the created custom policy and click Next.

    Figure 14 Selecting the custom policy

  5. Set the authorization scope. By default, All resources is selected. Then click OK.

    Figure 15 Setting the authorization scope

  6. You can select Do not show again so that the following dialog box will not be displayed when you grant permissions to the user group in the future.

    Figure 16 Effective time notification

  7. Click Finish to go back to the User Groups page.

    Figure 17 Successful authorization

  8. Click the name of the created user group.

    Figure 18 User group

  9. Click the Users tab and then Add.

    Figure 19 Adding a user

  10. Select an IAM user and click OK.

    Figure 20 Selecting an IAM user

  11. The IAM user is added successfully, and the custom policy has been granted to the IAM user.

    Figure 21 IAM user added