Permissions and Supported Actions
This section describes fine-grained permissions management for Workspace Application Streaming. If your account does not need individual IAM users, you can skip this section.
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
You can grant users permissions by using roles and policies. Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.
Policy-based authorization is useful if you want to allow or deny access to an API.
Supported Actions
You can create custom policies for more specific access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: Statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: Specific operations that are allowed or denied.
- Related actions: Actions on which a specific action depends to take effect. When assigning permissions for the action to a user, you also need to assign permissions for the related actions.
- IAM projects or enterprise projects: Applicable scope of custom policies. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM. For details about the differences between IAM projects and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
| Action | API Method | API | Supported Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| workspace:appGroup:list | GET | /v1/{project_id}/app-groups | Query application groups | √ | x |
| workspace:appGroup:create | POST | /v1/{project_id}/app-groups | Create an application group | √ | x |
| workspace:appGroup:delete | DELETE | /v1/{project_id}/app-groups/{app_group_id} | Delete an application group | √ | x |
| workspace:appGroup:get | GET | /v1/{project_id}/app-groups/{app_group_id} | Query application group details | √ | x |
| workspace:appGroup:update | PATCH | /v1/{project_id}/app-groups/{app_group_id} | Modify an application group | √ | x |
| workspace:app:listPublishedApp | GET | /v1/{project_id}/app-groups/{app_group_id}/apps | Query published applications | √ | x |
| workspace:app:publish | POST | /v1/{project_id}/app-groups/{app_group_id}/apps | Publish an application | √ | x |
| workspace:app:get | GET | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id} | Query application details | √ | x |
| workspace:app:update | PATCH | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id} | Modify application information | √ | x |
| workspace:app:deleteIcon | DELETE | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon | Delete a custom application icon | √ | x |
| workspace:app:uploadIcon | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon | Modify a custom application icon | √ | x |
| workspace:app:check | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/actions/check | Verify an application | √ | x |
| workspace:app:batchDisable | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/actions/disable | Disable applications in batches | √ | x |
| workspace:app:batchEnable | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/actions/enable | Enable applications in batches | √ | x |
| workspace:app:unpublish | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/batch-unpublish | Unpublish applications in batches | √ | x |
| workspace:appGroup:listPublishableApp | GET | /v1/{project_id}/app-groups/{app_group_id}/publishable-app | Publishable applications | √ | x |
| workspace:appGroup:batchDeleteAuthorization | POST | /v1/{project_id}/app-groups/actions/batch-delete-authorization | Cancel application group authorization | √ | x |
| workspace:appGroup:disassociate | POST | /v1/{project_id}/app-groups/actions/disassociate-app-group | Disassociate a service group from all application groups | √ | x |
| workspace:appGroup:listAuthorization | GET | /v1/{project_id}/app-groups/actions/list-authorizations | Query application group authorization records | √ | x |
| workspace:appGroup:addAuthorization | POST | /v1/{project_id}/app-groups/authorizations | Add application group authorization | √ | x |
| workspace:appGroup:batchDelete | POST | /v1/{project_id}/app-groups/batch-delete | Delete application groups in batches | √ | x |
| workspace:appGroup:check | POST | /v1/{project_id}/app-groups/rules/validate | Verify an application group | √ | x |
| workspace:serverGroup:list | GET | /v1/{project_id}/app-server-groups | Query server groups | √ | √ |
| workspace:serverGroup:create | POST | /v1/{project_id}/app-server-groups | Create a server group | √ | √ |
| workspace:serverGroup:delete | DELETE | /v1/{project_id}/app-server-groups/{server_group_id} | Delete a server group | √ | √ |
| workspace:serverGroup:get | GET | /v1/{project_id}/app-server-groups/{server_group_id} | Query a specified server group | √ | √ |
| workspace:serverGroup:update | PATCH | /v1/{project_id}/app-server-groups/{server_group_id} | Modify a server group | √ | √ |
| workspace:serverGroup:getServerState | GET | /v1/{project_id}/app-server-groups/{server_group_id}/state | Query server statuses in a specified server group | √ | √ |
| workspace:serverGroup:listDetail | GET | /v1/{project_id}/app-server-groups/actions/list | Query basic information about a tenant server group | √ | √ |
| workspace:serverGroup:getRestrict | GET | /v1/{project_id}/app-server-groups/resources/restrict | Query specified tenant server groups | √ | x |
| workspace:serverGroup:validate | POST | /v1/{project_id}/app-server-groups/rules/validate | Verify a server group | √ | x |
| workspace:serverGroup:tagResource | POST | /v1/{project_id}/server-group/{server_group_id}/tags/create | Add a tag to a server group | √ | √ |
| workspace:serverGroup:unTagResource | DELETE | /v1/{project_id}/server-group/{server_group_id}/tags/delete | Delete a tag from a server group | √ | √ |
| workspace:serverGroup:listTagsForResource | GET | /v1/{project_id}/server-group/{resource_id}/tags | Query server group tags | √ | √ |
| workspace:serverGroup:listTags | GET | /v1/{project_id}/server-group/tags | Query tags on all servers of a tenant | √ | √ |
| workspace:serverGroup:batchCreateTags | POST | /v1/{project_id}/server-group/tags/batch-create | Add server group tags in batches | √ | √ |
| workspace:serverGroup:batchDeleteTags | POST | /v1/{project_id}/server-group/tags/batch-delete | Delete server group tags in batches | √ | √ |
| workspace:server:list | GET | /v1/{project_id}/app-servers | Query servers | √ | √ |
| workspace:server:delete | DELETE | /v1/{project_id}/app-servers/{server_id} | Delete a server | √ | √ |
| workspace:server:get | GET | /v1/{project_id}/app-servers/{server_id} | Query a specified server | √ | √ |
| workspace:server:update | PATCH | /v1/{project_id}/app-servers/{server_id} | Modify a server | √ | √ |
| workspace:server:changeImage | POST | /v1/{project_id}/app-servers/{server_id}/actions/change-image | Modify a server image | √ | √ |
| workspace:server:reinstall | POST | /v1/{project_id}/app-servers/{server_id}/actions/reinstall | Reinstall a server | √ | √ |
| workspace:server:getVncUrl | GET | /v1/{project_id}/app-servers/{server_id}/actions/vnc | Obtain a VNC login address | √ | √ |
| workspace:accessAgent:list | GET | /v1/{project_id}/app-servers/access-agent/actions/show-latest-version | Query the latest versions of all HDAs of a tenant | √ | x |
| workspace:accessAgent:batchUpgrade | PATCH | /v1/{project_id}/app-servers/access-agent/actions/upgrade | Upgrade the HDA version of servers in batches | √ | √ |
| workspace:accessAgent:listLatestVersion | GET | /v1/{project_id}/app-servers/access-agent/latest-version | Query the latest HDA version of a tenant | √ | x |
| workspace:server:listAccessAgentDetails | GET | /v1/{project_id}/app-servers/access-agent/list | Query HDA information of a server | √ | √ |
| workspace:accessAgent:getUpgradeFlag | GET | /v1/{project_id}/app-servers/access-agent/upgrade-flag | Query HDA upgrade notification flags | √ | x |
| workspace:accessAgent:updateUpgradeFlag | PATCH | /v1/{project_id}/app-servers/access-agent/upgrade-flag | Update an HDA upgrade notification flag | √ | x |
| workspace:accessAgent:listUpgradeRecords | GET | /v1/{project_id}/app-servers/access-agent/upgrade-record | Query HDA upgrade tracing records of a server | √ | x |
| workspace:server:batchDelete | POST | /v1/{project_id}/app-servers/actions/batch-delete | Delete servers in batches | √ | √ |
| workspace:server:batchChangeMaintainMode | PATCH | /v1/{project_id}/app-servers/actions/batch-maint | Mark the server maintenance status | √ | √ |
| workspace:server:batchReboot | PATCH | /v1/{project_id}/app-servers/actions/batch-reboot | Restart a server | √ | √ |
| workspace:server:batchRejoinDomain | PATCH | /v1/{project_id}/app-servers/actions/batch-rejoin-domain | Rejoin servers to a domain in batches | √ | √ |
| workspace:server:batchStart | PATCH | /v1/{project_id}/app-servers/actions/batch-start | Start a server | √ | √ |
| workspace:server:batchStop | PATCH | /v1/{project_id}/app-servers/actions/batch-stop | Stop a server | √ | √ |
| workspace:server:batchUpdateTsvi | PATCH | /v1/{project_id}/app-servers/actions/batch-update-tsvi | Update virtual session IP configurations of servers in batches | √ | √ |
| workspace:server:create | POST | /v1/{project_id}/app-servers/actions/create | Create an ECS | √ | √ |
| workspace:server:batchMigrateHosts | PATCH | /v1/{project_id}/app-servers/hosts/batch-migrate | Migrate servers at the source Workspace host to the destination one | √ | √ |
| workspace:server:getMetricData | GET | /v1/{project_id}/app-servers/metric-data/{server_id} | Query monitoring information of an APS | √ | √ |
| workspace:jobs:listSubJobs | GET | /v1/{project_id}/app-server-sub-jobs | Query subtasks | √ | x |
| workspace:jobs:batchDeleteSubJobs | POST | /v1/{project_id}/app-server-sub-jobs/actions/batch-delete | Delete subtasks in batches | √ | x |
| workspace:jobs:countSubJobs | GET | /v1/{project_id}/app-server-sub-jobs/actions/count | Query the number of subtasks | √ | x |
| workspace:appWarehouse:authorizeObs | POST | /v1/{project_id}/app-warehouse/action/authorize | Obtain the AK/SK uploaded to an OBS bucket | √ | x |
| workspace:appWarehouse:batchDeleteApp | POST | /v1/{project_id}/app-warehouse/actions/batch-delete | Delete specified applications from the application repository in batches | √ | x |
| workspace:appWarehouse:ListWarehouseApps | GET | /v1/{project_id}/app-warehouse/apps | Query applications in a tenant application repository | √ | x |
| workspace:appWarehouse:createApp | POST | /v1/{project_id}/app-warehouse/apps | Add an application to the application repository | √ | x |
| workspace:appWarehouse:deleteApp | DELETE | /v1/{project_id}/app-warehouse/apps/{id} | Delete a specified application from the application repository | √ | x |
| workspace:appWarehouse:uploadAppIcon | POST | /v1/{project_id}/app-warehouse/apps/icon | Upload an icon file to the application repository | √ | x |
| workspace:appWarehouse:createBucketOrAcl | POST | /v1/{project_id}/app-warehouse/bucket-and-acl/create | Add a bucket or bucket authorization | √ | x |
| workspace:orders:create | POST | /v1/{project_id}/bundles/subscribe/order | Create an order | √ | x |
| workspace:quotas:get | GET | /v1/{project_id}/check/quota | Verify quota | √ | x |
| workspace:volumes:listDssPoolsDetail | GET | /v1/{project_id}/dss-pools/detail | Query details about dedicated distributed storage pools | √ | x |
| workspace:images:listImageJobs | GET | /v1/{project_id}/image-server-jobs | Query tasks of a tenant | √ | x |
| workspace:images:getImageJob | GET | /v1/{project_id}/image-server-jobs/{job_id} | Query task details | √ | x |
| workspace:imageServer:list | GET | /v1/{project_id}/image-servers | Query image instances | √ | √ |
| workspace:imageServer:create | POST | /v1/{project_id}/image-servers | Create an image instance | √ | √ |
| workspace:imageServer:get | GET | /v1/{project_id}/image-servers/{server_id} | Query a specified image instance | √ | √ |
| workspace:imageServer:update | PATCH | /v1/{project_id}/image-servers/{server_id} | Modify an image instance | √ | √ |
| workspace:imageServer:attachApp | POST | /v1/{project_id}/image-servers/{server_id}/actions/attach-app | Distribute software information to image instances | √ | √ |
| workspace:imageServer:listLatestAttachedApp | GET | /v1/{project_id}/image-servers/{server_id}/actions/latest-attached-app | Query information about the latest distributed software | √ | x |
| workspace:imageServer:recreate | POST | /v1/{project_id}/image-servers/{server_id}/actions/recreate-image | Build an Application Streaming image | √ | √ |
| workspace:imageServer:batchDelete | PATCH | /v1/{project_id}/image-servers/actions/batch-delete | Delete image instances in batches | √ | √ |
| workspace:imageServer:listImageSubJobs | GET | /v1/{project_id}/image-server-sub-jobs | Query subtasks | √ | x |
| workspace:imageServer:batchDeleteImageSubJobs | PATCH | /v1/{project_id}/image-server-sub-jobs/actions/batch-delete | Delete subtasks in batches | √ | x |
| workspace:imageServer:countImageSubJobs | GET | /v1/{project_id}/image-server-sub-jobs/actions/count | Query the number of subtasks | √ | x |
| workspace:jobs:get | GET | /v1/{project_id}/job/{job_id} | Query the task execution status | √ | x |
| workspace:appGroup:listMailRecord | GET | /v1/{project_id}/mails | Query records of sending emails on application group authorization | √ | x |
| workspace:appGroup:resendMail | POST | /v1/{project_id}/mails/actions/send | Resend an email on application group authorization (based on authorization email records) | √ | x |
| workspace:appGroup:resendMail | POST | /v1/{project_id}/mails/actions/send-by-authorization | Resend an email on application group authorization (based on authorization records) | √ | x |
| workspace:storage:listPersistentStorage | GET | /v1/{project_id}/persistent-storages | Query Workspace storage space | √ | x |
| workspace:storage:createPersistentStorage | POST | /v1/{project_id}/persistent-storages | Create Workspace storage space | √ | x |
| workspace:storage:deletePersistentStorage | DELETE | /v1/{project_id}/persistent-storages/{storage_id} | Delete Workspace storage space | √ | x |
| workspace:storage:updateUserFolderAssignment | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/assign-folder | Create a personal storage directory | √ | x |
| workspace:storage:updateShareFolderAssignment | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/assign-share-folder | Change members of a shared directory | √ | x |
| workspace:storage:createShareFolder | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/create-share-folder | Create a shared storage directory | √ | x |
| workspace:storage:deleteStorageClaim | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/delete-storage-claim | Delete a shared directory | √ | x |
| workspace:storage:deleteUserStorageAttachment | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/delete-user-attachment | Delete a personal storage directory | √ | x |
| workspace:storage:batchDeletePersistentStorage | POST | /v1/{project_id}/persistent-storages/actions/batch-delete | Delete Workspace storage space | √ | x |
| workspace:storage:listStorageAssignment | GET | /v1/{project_id}/persistent-storages/actions/list-attachments | Query personal storage directories | √ | x |
| workspace:storage:listShareFolder | GET | /v1/{project_id}/persistent-storages/actions/list-share-folders | Query shared storage directories | √ | x |
| workspace:policyGroups:list | GET | /v1/{project_id}/policy-groups | Query policy groups | √ | x |
| workspace:policyGroups:create | POST | /v1/{project_id}/policy-groups | Add a policy group | √ | x |
| workspace:policyGroups:delete | DELETE | /v1/{project_id}/policy-groups/{policy_group_id} | Delete a policy group | √ | x |
| workspace:policyGroups:get | GET | /v1/{project_id}/policy-groups/{policy_group_id} | Query details about a policy group | √ | x |
| workspace:policyGroups:update | PATCH | /v1/{project_id}/policy-groups/{policy_group_id} | Modify a policy group | √ | x |
| workspace:policyGroups:listPolicies | GET | /v1/{project_id}/policy-groups/{policy_group_id}/policy | Query policy items of a policy group | √ | x |
| workspace:policyGroups:listTargets | GET | /v1/{project_id}/policy-groups/{policy_group_id}/target | Query objects to which a policy group is applied | √ | x |
| workspace:policyGroups:getOriginalPolicies | GET | /v1/{project_id}/policy-groups/actions/list-original-policy | Query initial policy items | √ | x |
| workspace:policyGroups:listDetail | GET | /v1/{project_id}/policy-groups/show/detail | Query details about policy groups | √ | x |
| workspace:policyGroups:listTemplate | GET | /v1/{project_id}/policy-templates | Query policy templates | √ | x |
| workspace:policyGroups:createTemplate | POST | /v1/{project_id}/policy-templates | Add a policy template | √ | x |
| workspace:policyGroups:deleteTemplate | DELETE | /v1/{project_id}/policy-templates/{policy_template_id} | Delete a policy template | √ | x |
| workspace:policyGroups:updateTemplate | PATCH | /v1/{project_id}/policy-templates/{policy_template_id} | Modify a policy template | √ | x |
| workspace:privacystatements:get | GET | /v1/{project_id}/privacy-statement | Query the latest privacy statement | √ | x |
| workspace:privacystatements:sign | POST | /v1/{project_id}/privacy-statement | Sign the privacy statement | √ | x |
| workspace:scalingPolicy:delete | DELETE | /v1/{project_id}/scaling-policy | Delete an Auto Scaling policy | √ | x |
| workspace:scalingPolicy:list | GET | /v1/{project_id}/scaling-policy | Query Auto Scaling policies of a server group | √ | x |
| workspace:scalingPolicy:create | PUT | /v1/{project_id}/scaling-policy | Add or modify an Auto Scaling policy | √ | x |
| workspace:scheduledTasks:list | GET | /v1/{project_id}/schedule-task | Query scheduled tasks | √ | x |
| workspace:scheduledTasks:create | POST | /v1/{project_id}/schedule-task | Add a scheduled task | √ | x |
| workspace:scheduledTasks:getRecord | GET | /v1/{project_id}/schedule-task/{execute_history_id}/execute-detail | Query executed subtasks of a scheduled task | √ | x |
| workspace:scheduledTasks:delete | DELETE | /v1/{project_id}/schedule-task/{task_id} | Delete a task | √ | x |
| workspace:scheduledTasks:get | GET | /v1/{project_id}/schedule-task/{task_id} | Query details about a specified scheduled task | √ | x |
| workspace:scheduledTasks:update | PATCH | /v1/{project_id}/schedule-task/{task_id} | Modify a scheduled task | √ | x |
| workspace:scheduledTasks:listRecords | GET | /v1/{project_id}/schedule-task/{task_id}/execute-history | Query the execution list of scheduled tasks | √ | x |
| workspace:scheduledTasks:batchDelete | POST | /v1/{project_id}/schedule-task/actions/batch-delete | Delete scheduled tasks in batches | √ | x |
| workspace:scheduledTasks:getFuture | POST | /v1/{project_id}/schedule-task/future-executions | Query the list of future execution time | √ | x |
| workspace:session:listAppConnection | POST | /v1/{project_id}/session/app-connection | Query application usage records | √ | x |
| workspace:session:logoffUserSession | POST | /v1/{project_id}/session/logoff | Log out of a session | √ | x |
| workspace:session:listUserConnection | POST | /v1/{project_id}/session/user-connection | Query user login records | √ | x |
| workspace:session:listSessionByUserName | GET | /v1/{project_id}/session/user-session-info | Query current sessions by username | √ | x |
| workspace:storagePolicy:create | PUT | /v1/{project_id}/storages-policy/actions/create-statements | Add or update a custom policy for storage directory access | √ | x |
| workspace:storagePolicy:list | GET | /v1/{project_id}/storages-policy/actions/list-statements | Query policies for storage directory access | √ | x |
| workspace:users:list | GET | /v1/{project_id}/users | Query users or user groups | √ | x |
| workspace:storage:listSfs3Storage | GET | /v1/persistent-storages/actions/list-sfs-storages | Query SFS 3.0 | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/availability-zone | Query AZs | √ | x |
| workspace:tenants:listConfigInfo | POST | /v1/{project_id}/bundles/batch-query-config-info | Query enterprise system configurations | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/product | Query Application Streaming packages | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/session-type | Query session packages | √ | x |
| workspace:tenants:active | POST | /v1/{project_id}/tenant/action/active | Activate and initialize a tenant service | √ | x |
| workspace:tenants:listTenantProfile | GET | /v1/{project_id}/tenant/profile | Query tenant information | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/volume-type | Query available disk types | √ | x |
| workspace:server:listServerMetricData | GET | /v1/{project_id}/app-servers/server-metric-data/{server_id} | Query server monitoring data | √ | x |
| workspace:session:listSessions | GET | /v1/{project_id}/session/list-sessions | Query enterprise sessions | √ | x |
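The scope rule described above (actions marked x for enterprise projects only take effect for IAM) can be checked before a custom policy is attached. The following is an added example, not code from this documentation: it audits a policy against a constructed subset of the action table. The policy JSON layout (`Version`, `Statement`, `Effect`, `Action`) and the `*` wildcard matching are assumptions, and `ACTIONS`, `effective_actions` and `audit` are hypothetical names.

```python
from fnmatch import fnmatchcase

# Constructed subset of the action table on this page:
# action -> (API method, takes effect in enterprise projects?)
ACTIONS = {
    "workspace:appGroup:list": ("GET", False),
    "workspace:appGroup:delete": ("DELETE", False),
    "workspace:serverGroup:list": ("GET", True),
    "workspace:server:list": ("GET", True),
    "workspace:server:get": ("GET", True),
    "workspace:server:delete": ("DELETE", True),
    "workspace:server:getVncUrl": ("GET", True),
    "workspace:session:logoffUserSession": ("POST", False),
    "workspace:appWarehouse:authorizeObs": ("POST", False),
}

# Constructed sample policy; the JSON layout is an assumption, not taken from this page.
SAMPLE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": [
            "workspace:server:*",                    # wildcard: also covers delete and getVncUrl
            "workspace:appGroup:list",
            "workspace:session:logoffUserSession",
            "workspace:appGroup:lst",                # typo: matches no action in the table
        ]},
        {"Effect": "Deny", "Action": ["workspace:server:delete"]},
    ],
}


def _matches(patterns):
    """Known actions matched by any of the patterns (assumed '*' wildcard semantics)."""
    return {a for a in ACTIONS for p in patterns if fnmatchcase(a, p)}


def effective_actions(policy):
    """Actions the policy grants: everything allowed minus everything denied."""
    allow, deny = set(), set()
    for statement in policy["Statement"]:
        target = allow if statement["Effect"] == "Allow" else deny
        target.update(_matches(statement["Action"]))
    return allow - deny


def audit(policy, scope="iam"):
    """Report findings for a policy used in scope 'iam' or 'enterprise'."""
    patterns = [p for st in policy["Statement"] for p in st["Action"]]
    granted = effective_actions(policy)
    return {
        # Patterns that match nothing: typos or actions missing from the table.
        "unknown": sorted(p for p in patterns if not _matches([p])),
        # Granted actions that do not take effect in enterprise projects.
        "iam_only": sorted(a for a in granted
                           if scope == "enterprise" and not ACTIONS[a][1]),
        # Granted actions whose API method is not GET.
        "state_changing": sorted(a for a in granted if ACTIONS[a][0] != "GET"),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_POLICY, scope="enterprise").items():
        print(finding, items)
```

Extend `ACTIONS` with the full table before auditing a real policy; the API method is only a rough indicator of impact, since some query APIs in the table use POST.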