Esta página aún no está disponible en su idioma local. Estamos trabajando arduamente para agregar más versiones de idiomas. Gracias por tu apoyo.
- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Public Zones
- Private Zones
- Record Sets
- PTR Records
- Intelligent Resolution
- Permissions Management
- Using CTS to Collect DNS Key Operations
- Quota Adjustment
- Change History
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- APIs
- Examples
- Permissions Policies and Supported Actions
- Appendix
- Best Practices
-
FAQs
-
DNS Overview
- Will I Be Billed for the DNS Service?
- How Many Zones, PTR Records, and Record Sets Can I Create?
- What Are Huawei Cloud DNS Servers?
- What Are Huawei Cloud Private DNS Server Addresses?
- What Are the Differences Between Public and Private Domain Names?
- Does DNS Support IPv6?
- Does DNS Support Explicit and Implicit URLs?
- Does DNS Support Dynamic Domain Name Resolution?
- Does DNS Support Wildcard Entries?
- What Is TTL?
- How Many Domain Name Levels Does DNS Support?
- How Are Zones Queried to Resolve a Domain Name?
- What Are the Priorities of Resolution Lines?
- Why Was the Email Address Format Changed in the SOA Record?
- What Is CAA?
- Why Should I Set Priority For an MX Record Set?
- Can DNS Point a Domain Name to a Specific Port?
- Invalid Domain Resolution
- Website Access Failures
-
Public Zones
- Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
- How Do I Add Record Sets to Subdomains?
- Which IP Address Is Returned for the Domain Name If There Are Multiple IP Addresses in a Record Set?
- Can I Modify a Zone?
- Can DNS Translate a Domain Name to IP Addresses of On-premises Servers or Third-Party Servers?
- How Can Multiple Domain Names Be Linked to the Same Website?
- How Do I View and Change the DNS Servers of a Domain Name?
-
Private Zones
- Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
- How Do I Change Default DNS Servers of an ECS to Huawei Cloud Private DNS Servers?
- How Can I Access an ECS Using Its Host Name?
- How Can I Map the Private IP Address of an ECS to a Domain Name?
- How Can I Use a Private Domain Name to Route Internet Traffic?
- Can I Use Private Domain Names Across Regions?
- Do I Need to Register Private Domain Names?
- Will a Deleted VPC Be Automatically Disassociated from the Private Zone?
- Are Private DNS Server Addresses the Same for All Users?
- What Are the Restrictions on Concurrent Private DNS Requests?
- Reverse Resolution
- Domain Transfer
-
DNS Overview
Show all
Creating Custom Policies
You can create custom policies to supplement system-defined policies and implement more refined access control.
You can create custom policies in either of the following two ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
The following describes how to create a custom policy that allows users to modify DNS zones in the visual editor and JSON view.
For details, see Creating a Custom Policy. Some examples of common custom DNS policies are provided.
Example Custom Policies
- Example 1: Authorize users to create zones, add record sets, and view the zones and record sets.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dns:zone:create", "dns:recordset:create", "dns:zone:list" "dns:recordset:list" ] }, { "Effect": "Allow", "Action": [ "vpc:*:get*, "vpc:*:list*" ] } ] } - Example 2: Disallow users to delete DNS resources.
A deny policy must be used together with other policies. If the permissions granted to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the DNS FullAccess policy to a user but also forbid the user from deleting DNS resources. Create a custom policy to disallow resource deletion and assign both policies to the group the user belongs to. Then the user can perform all operations on DNS except deleting resources. The following is an example deny policy:
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "dns:*:delete*" ] } ] }
- Example 3: Defining permissions for multiple services in a policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple actions:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dns:zone:update", "dns:zone:list" ] }, { "Effect": "Allow", "Action": [ "vpc:subnets:create", "vpc:vips:update" ] } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
