Updated on 2024-07-31 GMT+08:00

Permissions and Supported Actions

This section describes fine-grained permissions management for your Workspace Application Streaming. If your account does not need individual IAM users, you can skip this section.

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

You can grant users permissions by using roles and policies. Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.

Policy-based authorization is useful if you want to allow or deny the access to an API.

Supported Actions

You can create custom policies for more specific access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

  • Permissions: Statements in a policy that allow or deny certain operations.
  • APIs: REST APIs that can be called by a user who has been granted specific permissions.
  • Actions: Specific operations that are allowed or denied.
  • Related actions: Actions on which a specific action depends to take effect. When assigning permissions for the action to a user, you also need to assign permissions for the related actions.
  • IAM projects or enterprise projects: Applicable scope of custom policies. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM. For details about the differences between IAM projects and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?

Action

API Method

API

Supported Action

IAM Project

Enterprise Project

workspace:appGroup:list

GET

/v1/{project_id}/app-groups

Query application groups

x

workspace:appGroup:create

POST

/v1/{project_id}/app-groups

Create an application group

x

workspace:appGroup:delete

DELETE

/v1/{project_id}/app-groups/{app_group_id}

Delete an application group

x

workspace:appGroup:get

GET

/v1/{project_id}/app-groups/{app_group_id}

Query application group details

x

workspace:appGroup:update

PATCH

/v1/{project_id}/app-groups/{app_group_id}

Modify an application group

x

workspace:app:listPublishedApp

GET

/v1/{project_id}/app-groups/{app_group_id}/apps

Query published applications

x

workspace:app:publish

POST

/v1/{project_id}/app-groups/{app_group_id}/apps

Publish an application

x

workspace:app:get

GET

/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}

Query application details

x

workspace:app:update

PATCH

/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}

Modify application information

x

workspace:app:deleteIcon

DELETE

/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon

Delete a custom application icon

x

workspace:app:uploadIcon

POST

/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon

Modify a custom application icon

x

workspace:app:check

POST

/v1/{project_id}/app-groups/{app_group_id}/apps/actions/check

Verify an application

x

workspace:app:batchDisable

POST

/v1/{project_id}/app-groups/{app_group_id}/apps/actions/disable

Disable applications in batches

x

workspace:app:batchEnable

POST

/v1/{project_id}/app-groups/{app_group_id}/apps/actions/enable

Enable applications in batches

x

workspace:app:unpublish

POST

/v1/{project_id}/app-groups/{app_group_id}/apps/batch-unpublish

Unpublish applications in batches

x

workspace:appGroup:listPublishableApp

GET

/v1/{project_id}/app-groups/{app_group_id}/publishable-app

Publishable applications

x

workspace:appGroup:batchDeleteAuthorization

POST

/v1/{project_id}/app-groups/actions/batch-delete-authorization

Cancel application group authorization

x

workspace:appGroup:disassociate

POST

/v1/{project_id}/app-groups/actions/disassociate-app-group

Disassociate a service group from all application groups

x

workspace:appGroup:listAuthorization

GET

/v1/{project_id}/app-groups/actions/list-authorizations

Query application group authorization records

x

workspace:appGroup:addAuthorization

POST

/v1/{project_id}/app-groups/authorizations

Add application group authorization

x

workspace:appGroup:batchDelete

POST

/v1/{project_id}/app-groups/batch-delete

Delete application groups in batches

x

workspace:appGroup:check

POST

/v1/{project_id}/app-groups/rules/validate

Verify an application group

x

workspace:serverGroup:list

GET

/v1/{project_id}/app-server-groups

Query server groups

workspace:serverGroup:create

POST

/v1/{project_id}/app-server-groups

Create a server group

workspace:serverGroup:delete

DELETE

/v1/{project_id}/app-server-groups/{server_group_id}

Delete a server group

workspace:serverGroup:get

GET

/v1/{project_id}/app-server-groups/{server_group_id}

Query a specified server group

workspace:serverGroup:update

PATCH

/v1/{project_id}/app-server-groups/{server_group_id}

Modify a server group

workspace:serverGroup:getServerState

GET

/v1/{project_id}/app-server-groups/{server_group_id}/state

Query server statuses in a specified server group

workspace:serverGroup:listDetail

GET

/v1/{project_id}/app-server-groups/actions/list

Query basic information about a tenant server group

workspace:serverGroup:getRestrict

GET

/v1/{project_id}/app-server-groups/resources/restrict

Query specified tenant server groups

x

workspace:serverGroup:validate

POST

/v1/{project_id}/app-server-groups/rules/validate

Verify a server group

x

workspace:serverGroup:tagResource

POST

/v1/{project_id}/server-group/{server_group_id}/tags/create

Add a tag to a server group

workspace:serverGroup:unTagResource

DELETE

/v1/{project_id}/server-group/{server_group_id}/tags/delete

Delete a tag from a server group

workspace:serverGroup:listTagsForResource

GET

/v1/{project_id}/server-group/{resource_id}/tags

Query server group tags

workspace:serverGroup:listTags

GET

/v1/{project_id}/server-group/tags

Query tags on all servers of a tenant

workspace:serverGroup:batchCreateTags

POST

/v1/{project_id}/server-group/tags/batch-create

Add server group tags in batches

workspace:serverGroup:batchDeleteTags

POST

/v1/{project_id}/server-group/tags/batch-delete

Delete server group tags in batches

workspace:server:list

GET

/v1/{project_id}/app-servers

Query servers

workspace:server:delete

DELETE

/v1/{project_id}/app-servers/{server_id}

Delete a server

workspace:server:get

GET

/v1/{project_id}/app-servers/{server_id}

Query a specified server

workspace:server:update

PATCH

/v1/{project_id}/app-servers/{server_id}

Modify a server

workspace:server:changeImage

POST

/v1/{project_id}/app-servers/{server_id}/actions/change-image

Modify a server image

workspace:server:reinstall

POST

/v1/{project_id}/app-servers/{server_id}/actions/reinstall

Reinstall a server

workspace:server:getVncUrl

GET

/v1/{project_id}/app-servers/{server_id}/actions/vnc

Obtain a VNC login address

workspace:accessAgent:list

GET

/v1/{project_id}/app-servers/access-agent/actions/show-latest-version

Query the latest versions of all HDAs of a tenant

x

workspace:accessAgent:batchUpgrade

PATCH

/v1/{project_id}/app-servers/access-agent/actions/upgrade

Upgrade the HDA version of servers in batches

workspace:accessAgent:listLatestVersion

GET

/v1/{project_id}/app-servers/access-agent/latest-version

Query the latest HDA version of a tenant

x

workspace:server:listAccessAgentDetails

GET

/v1/{project_id}/app-servers/access-agent/list

Query HDA information of a server

workspace:accessAgent:getUpgradeFlag

GET

/v1/{project_id}/app-servers/access-agent/upgrade-flag

Query HDA upgrade notification flags

x

workspace:accessAgent:updateUpgradeFlag

PATCH

/v1/{project_id}/app-servers/access-agent/upgrade-flag

Update an HDA upgrade notification flag

x

workspace:accessAgent:listUpgradeRecords

GET

/v1/{project_id}/app-servers/access-agent/upgrade-record

Query HDA upgrade tracing records of a server

x

workspace:server:batchDelete

POST

/v1/{project_id}/app-servers/actions/batch-delete

Delete servers in batches

workspace:server:batchChangeMaintainMode

PATCH

/v1/{project_id}/app-servers/actions/batch-maint

Mark the server maintenance status

workspace:server:batchReboot

PATCH

/v1/{project_id}/app-servers/actions/batch-reboot

Restart a server

workspace:server:batchRejoinDomain

PATCH

/v1/{project_id}/app-servers/actions/batch-rejoin-domain

Rejoin servers to a domain in batches

workspace:server:batchStart

PATCH

/v1/{project_id}/app-servers/actions/batch-start

Start a server

workspace:server:batchStop

PATCH

/v1/{project_id}/app-servers/actions/batch-stop

Stop a server

workspace:server:batchUpdateTsvi

PATCH

/v1/{project_id}/app-servers/actions/batch-update-tsvi

Update virtual session IP configurations of servers in batches

workspace:server:create

POST

/v1/{project_id}/app-servers/actions/create

Create an ECS

workspace:server:batchMigrateHosts

PATCH

/v1/{project_id}/app-servers/hosts/batch-migrate

Migrate servers at the source Workspace host to the destination one

workspace:server:getMetricData

GET

/v1/{project_id}/app-servers/metric-data/{server_id}

Query monitoring information of an APS

workspace:jobs:listSubJobs

GET

/v1/{project_id}/app-server-sub-jobs

Query subtasks

x

workspace:jobs:batchDeleteSubJobs

POST

/v1/{project_id}/app-server-sub-jobs/actions/batch-delete

Delete subtasks in batches

x

workspace:jobs:countSubJobs

GET

/v1/{project_id}/app-server-sub-jobs/actions/count

Query the number of subtasks

x

workspace:appWarehouse:authorizeObs

POST

/v1/{project_id}/app-warehouse/action/authorize

Obtain the AK/SK uploaded to an OBS bucket

x

workspace:appWarehouse:batchDeleteApp

POST

/v1/{project_id}/app-warehouse/actions/batch-delete

Delete specified applications from the application repository in batches

x

workspace:appWarehouse:ListWarehouseApps

GET

/v1/{project_id}/app-warehouse/apps

Query applications in a tenant application repository

x

workspace:appWarehouse:createApp

POST

/v1/{project_id}/app-warehouse/apps

Add an application to the application repository

x

workspace:appWarehouse:deleteApp

DELETE

/v1/{project_id}/app-warehouse/apps/{id}

Delete a specified application from the application repository

x

workspace:appWarehouse:uploadAppIcon

POST

/v1/{project_id}/app-warehouse/apps/icon

Upload an icon file to the application repository

x

workspace:appWarehouse:createBucketOrAcl

POST

/v1/{project_id}/app-warehouse/bucket-and-acl/create

Add a bucket or bucket authorization

x

workspace:orders:create

POST

/v1/{project_id}/bundles/subscribe/order

Create an order

x

workspace:quotas:get

GET

/v1/{project_id}/check/quota

Verify quota

x

workspace:volumes:listDssPoolsDetail

GET

/v1/{project_id}/dss-pools/detail

Query details about dedicated distributed storage pools

x

workspace:images:listImageJobs

GET

/v1/{project_id}/image-server-jobs

Query tasks of a tenant

x

workspace:images:getImageJob

GET

/v1/{project_id}/image-server-jobs/{job_id}

Query task details

x

workspace:imageServer:list

GET

/v1/{project_id}/image-servers

Query image instances

workspace:imageServer:create

POST

/v1/{project_id}/image-servers

Create an image instance

workspace:imageServer:get

GET

/v1/{project_id}/image-servers/{server_id}

Query a specified image instance

workspace:imageServer:update

PATCH

/v1/{project_id}/image-servers/{server_id}

Modify an image instance

workspace:imageServer:attachApp

POST

/v1/{project_id}/image-servers/{server_id}/actions/attach-app

Distribute software information to image instances

workspace:imageServer:listLatestAttachedApp

GET

/v1/{project_id}/image-servers/{server_id}/actions/latest-attached-app

Query information about the latest distributed software

x

workspace:imageServer:recreate

POST

/v1/{project_id}/image-servers/{server_id}/actions/recreate-image

Build an Application Streaming image

workspace:imageServer:batchDelete

PATCH

/v1/{project_id}/image-servers/actions/batch-delete

Delete image instances in batches

workspace:imageServer:listImageSubJobs

GET

/v1/{project_id}/image-server-sub-jobs

Query subtasks

x

workspace:imageServer:batchDeleteImageSubJobs

PATCH

/v1/{project_id}/image-server-sub-jobs/actions/batch-delete

Delete subtasks in batches

x

workspace:imageServer:countImageSubJobs

GET

/v1/{project_id}/image-server-sub-jobs/actions/count

Query the number of subtasks

x

workspace:jobs:get

GET

/v1/{project_id}/job/{job_id}

Query the task execution status

x

workspace:appGroup:listMailRecord

GET

/v1/{project_id}/mails

Query records of sending emails on application group authorization

x

workspace:appGroup:resendMail

POST

/v1/{project_id}/mails/actions/send

Resend an email on application group authorization (based on authorization email records)

x

workspace:appGroup:resendMail

POST

/v1/{project_id}/mails/actions/send-by-authorization

Resend an email on application group authorization (based on authorization records)

x

workspace:storage:listPersistentStorage

GET

/v1/{project_id}/persistent-storages

Query Workspace storage space

x

workspace:storage:createPersistentStorage

POST

/v1/{project_id}/persistent-storages

Create Workspace storage space

x

workspace:storage:deletePersistentStorage

DELETE

/v1/{project_id}/persistent-storages/{storage_id}

Delete Workspace storage space

x

workspace:storage:updateUserFolderAssignment

POST

/v1/{project_id}/persistent-storages/{storage_id}/actions/assign-folder

Create a personal storage directory

x

workspace:storage:updateShareFolderAssignment

POST

/v1/{project_id}/persistent-storages/{storage_id}/actions/assign-share-folder

Change members of a shared directory

x

workspace:storage:createShareFolder

POST

/v1/{project_id}/persistent-storages/{storage_id}/actions/create-share-folder

Create a shared storage directory

x

workspace:storage:deleteStorageClaim

POST

/v1/{project_id}/persistent-storages/{storage_id}/actions/delete-storage-claim

Delete a shared directory

x

workspace:storage:deleteUserStorageAttachment

POST

/v1/{project_id}/persistent-storages/{storage_id}/actions/delete-user-attachment

Delete a personal storage directory

x

workspace:storage:batchDeletePersistentStorage

POST

/v1/{project_id}/persistent-storages/actions/batch-delete

Delete Workspace storage space

x

workspace:storage:listStorageAssignment

GET

/v1/{project_id}/persistent-storages/actions/list-attachments

Query personal storage directories

x

workspace:storage:listShareFolder

GET

/v1/{project_id}/persistent-storages/actions/list-share-folders

Query shared storage directories

x

workspace:policyGroups:list

GET

/v1/{project_id}/policy-groups

Query policy groups

x

workspace:policyGroups:create

POST

/v1/{project_id}/policy-groups

Add a policy group

x

workspace:policyGroups:delete

DELETE

/v1/{project_id}/policy-groups/{policy_group_id}

Delete a policy group

x

workspace:policyGroups:get

GET

/v1/{project_id}/policy-groups/{policy_group_id}

Query details about a policy group

x

workspace:policyGroups:update

PATCH

/v1/{project_id}/policy-groups/{policy_group_id}

Modify a policy group

x

workspace:policyGroups:listPolicies

GET

/v1/{project_id}/policy-groups/{policy_group_id}/policy

Query policy items of a policy group

x

workspace:policyGroups:listTargets

GET

/v1/{project_id}/policy-groups/{policy_group_id}/target

Query objects to which a policy group is applied

x

workspace:policyGroups:getOriginalPolicies

GET

/v1/{project_id}/policy-groups/actions/list-original-policy

Query initial policy items

x

workspace:policyGroups:listDetail

GET

/v1/{project_id}/policy-groups/show/detail

Query details about policy groups

x

workspace:policyGroups:listTemplate

GET

/v1/{project_id}/policy-templates

Query policy templates

x

workspace:policyGroups:createTemplate

POST

/v1/{project_id}/policy-templates

Add a policy template

x

workspace:policyGroups:deleteTemplate

DELETE

/v1/{project_id}/policy-templates/{policy_template_id}

Delete a policy template

x

workspace:policyGroups:updateTemplate

PATCH

/v1/{project_id}/policy-templates/{policy_template_id}

Modify a policy template

x

workspace:privacystatements:get

GET

/v1/{project_id}/privacy-statement

Query the latest privacy statement

x

workspace:privacystatements:sign

POST

/v1/{project_id}/privacy-statement

Sign the privacy statement

x

workspace:scalingPolicy:delete

DELETE

/v1/{project_id}/scaling-policy

Delete an Auto Scaling policy

x

workspace:scalingPolicy:list

GET

/v1/{project_id}/scaling-policy

Query Auto Scaling policies of a server group

x

workspace:scalingPolicy:create

PUT

/v1/{project_id}/scaling-policy

Add or modify an Auto Scaling policy

x

workspace:scheduledTasks:list

GET

/v1/{project_id}/schedule-task

Query scheduled tasks

x

workspace:scheduledTasks:create

POST

/v1/{project_id}/schedule-task

Add a scheduled task

x

workspace:scheduledTasks:getRecord

GET

/v1/{project_id}/schedule-task/{execute_history_id}/execute-detail

Query executed subtasks of a scheduled task

x

workspace:scheduledTasks:delete

DELETE

/v1/{project_id}/schedule-task/{task_id}

Delete a task

x

workspace:scheduledTasks:get

GET

/v1/{project_id}/schedule-task/{task_id}

Query details about a specified scheduled task

x

workspace:scheduledTasks:update

PATCH

/v1/{project_id}/schedule-task/{task_id}

Modify a scheduled task

x

workspace:scheduledTasks:listRecords

GET

/v1/{project_id}/schedule-task/{task_id}/execute-history

Query the execution list of scheduled tasks

x

workspace:scheduledTasks:batchDelete

POST

/v1/{project_id}/schedule-task/actions/batch-delete

Delete scheduled tasks in batches

x

workspace:scheduledTasks:getFuture

POST

/v1/{project_id}/schedule-task/future-executions

Query the list of future execution time

x

workspace:session:listAppConnection

POST

/v1/{project_id}/session/app-connection

Query application usage records

x

workspace:session:logoffUserSession

POST

/v1/{project_id}/session/logoff

Log out of a session

x

workspace:session:listUserConnection

POST

/v1/{project_id}/session/user-connection

Query user login records

x

workspace:session:listSessionByUserName

GET

/v1/{project_id}/session/user-session-info

Query current sessions by username

x

workspace:storagePolicy:create

PUT

/v1/{project_id}/storages-policy/actions/create-statements

Add or update a custom policy for storage directory access

x

workspace:storagePolicy:list

GET

/v1/{project_id}/storages-policy/actions/list-statements

Query policies for storage directory access

x

workspace:users:list

GET

/v1/{project_id}/users

Query users or user groups

x

workspace:storage:listSfs3Storage

GET

/v1/persistent-storages/actions/list-sfs-storages

Query SFS 3.0

x

workspace:baseResource:list

GET

/v1/{project_id}/availability-zone

Query AZs

x

workspace:tenants:listConfigInfo

POST

/v1/{project_id}/bundles/batch-query-config-info

Query enterprise system configurations

x

workspace:baseResource:list

GET

/v1/{project_id}/product

Query Application Streaming packages

x

workspace:baseResource:list

GET

/v1/{project_id}/session-type

Query session packages

x

workspace:tenants:active

POST

/v1/{project_id}/tenant/action/active

Activate and initialize a tenant service

x

workspace:tenants:listTenantProfile

GET

/v1/{project_id}/tenant/profile

Query tenant information

x

workspace:baseResource:list

GET

/v1/{project_id}/volume-type

Query available disk types

x

workspace:server:listServerMetricData

GET

/v1/{project_id}/app-servers/server-metric-data/{server_id}

Query server monitoring data

x

workspace:session:listSessions

GET

/v1/{project_id}/session/list-sessions

Query enterprise sessions

x