Policy Grammar
The following uses a custom policy for OBS as an example to describe the policy grammar.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:ListAllMyBuckets",
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket",
                "obs:bucket:GetBucketLocation"
            ],
            "Condition": {
                "StringEndWithIfExists": {
                    "g:UserName": [
                        "specialCharacter"
                    ]
                },
                "Bool": {
                    "g:MFAPresent": [
                        "true"
                    ]
                }
            },
            "Resource": [
                "obs:*:*:bucket:*"
            ]
        }
    ]
}
Policy Structure
A policy consists of a version and one or more statements. Each statement describes one set of actions together with its effect (Allow or Deny), the resources it applies to, and optional conditions.

Policy Parameters
Policy parameters include Version and Statement, which are described in the following table. You can create custom policies by specifying the parameters. For details, see Custom Policy Use Cases.
| Parameter | Description | Value |
|---|---|---|
| Version | Policy version. | 1.1: indicates policy-based access control. |
| Statement: Effect | Determines whether to allow or deny the operations defined in the action. | Allow or Deny. NOTE: If an action has both Allow and Deny effects, the Deny effect takes precedence. |
| Statement: Action | Operations to be performed on the service. | Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options. Example: obs:bucket:ListAllMyBuckets: permission to list all OBS buckets. View all actions of a service in its API Reference, for example, see Supported Actions of OBS. |
| Statement: Condition | Determines when a policy takes effect. A condition consists of a condition key and an operator. | Format: "Condition operator:{Condition key:[Value 1,Value 2]}". If you set multiple conditions, the policy takes effect only when all the conditions are met. Example: "StringEndWithIfExists":{"g:UserName":["specialCharacter"]}: the statement applies to users whose names end with specialCharacter (and, because of the IfExists suffix, also to requests in which g:UserName is empty). |
| Statement: Resource | Resources on which the policy takes effect. | Format: "Service name:Region:Account ID:Resource type:Resource path". Wildcard characters (*) are supported. For details about cloud services that support resource-level authorization and supported resource types, see Cloud Services that Support Resource-Level Authorization Using IAM. Example: obs:*:*:bucket:* (the Resource element of the sample policy above): all OBS buckets, whatever the region or account ID. |
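The following Python is an added example, not code from the IAM documentation. It evaluates a request against a policy of the shape shown above: wildcard matching on Action and Resource, and an explicit Deny taking precedence over Allow regardless of statement order. The policy, region, account ID and bucket names are constructed; a statement without a Resource element is assumed to apply to all resources, and a request that no statement allows is reported as ImplicitDeny (the page states only the Deny-over-Allow rule). Conditions are not evaluated here.

```python
import re
from typing import Any, Dict, List

# Constructed sample policy (assumption: same shape as the OBS policy on this page,
# with a Deny statement added to show precedence). Bucket names are made up.
POLICY: Dict[str, Any] = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["obs:bucket:ListAllMyBuckets", "obs:bucket:*"],
            "Resource": ["obs:*:*:bucket:*"],
        },
        {
            "Effect": "Deny",
            "Action": ["obs:bucket:ListBucket"],
            "Resource": ["obs:*:*:bucket:secret-*"],
        },
    ],
}


def match_wildcard(pattern: str, value: str) -> bool:
    """'*' stands for all options; every other character is literal.
    Matching is case-sensitive here, which is an assumption: the page does not
    state the case rules for action or resource names."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def evaluate(policy: Dict[str, Any], action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' (no statement matched).

    An explicit Deny wins as soon as any Deny statement matches, regardless of
    statement order. A request nothing allows is denied by default (assumption).
    """
    if policy.get("Version") != "1.1":
        raise ValueError("unsupported policy version: %r" % policy.get("Version"))
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(match_wildcard(p, action) for p in _as_list(stmt["Action"])):
            continue
        # Assumption: a statement without Resource applies to all resources.
        if not any(match_wildcard(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed requests: region and account ID are placeholders.
    for act, res in [
        ("obs:bucket:ListBucket", "obs:region-1:0123456789:bucket:photos"),
        ("obs:bucket:ListBucket", "obs:region-1:0123456789:bucket:secret-logs"),
        ("obs:object:GetObject", "obs:region-1:0123456789:bucket:photos"),
    ]:
        print(act, res, "->", evaluate(POLICY, act, res))
```

The second request is denied even though obs:bucket:* in the first statement allows it; the Deny statement on secret-* buckets wins. The third request matches neither statement and falls through to the default.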
- Condition key
    A condition key is a key in the Condition element of a statement. There are global and service-level condition keys.
    - Global condition keys (starting with g:) apply to all operations. IAM provides common global condition keys and special global condition keys.
        - Common global condition keys: Cloud services do not need to provide user identity information. Instead, IAM automatically abstracts user information and authenticates users. For details, see Table 2.
        - Special global condition keys: IAM obtains condition information from cloud services for authentication.
    - Service-level condition keys (starting with a service name abbreviation, for example, obs:) apply only to operations on the specified service. For details, see the user guide of the corresponding cloud service, for example, see OBS Request Conditions.

    Table 2 Common global condition keys

    | Global Condition Key | Type | Description |
    |---|---|---|
    | g:CurrentTime | Time | Time when an authentication request is received, in ISO 8601 format, for example, 2012-11-11T23:59:59Z. |
    | g:DomainName | String | Account name. |
    | g:MFAPresent | Boolean | Whether the token was obtained through MFA authentication. |
    | g:MFAAge | Number | Validity period of a token obtained through MFA authentication. This condition must be used together with g:MFAPresent. |
    | g:ProjectName | String | Project name. |
    | g:ServiceName | String | Service name. |
    | g:UserId | String | IAM user ID. |
    | g:UserName | String | IAM user name. |
- Operator
    An operator (see Table 3), a condition key, and a condition value together constitute a complete condition statement. A policy takes effect only when its request conditions are met. The operator suffix IfExists indicates that a policy takes effect if the request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy takes effect if the request value is empty or equal to the specified condition value. Because an absent key satisfies an IfExists condition, use the operator without the suffix when the condition is meant to restrict access and the key may be missing from the request. The suffix AnyOf indicates that the condition compares the request value against each of the configured condition values, as described per operator below.

    Table 3 Operators (String operators are not case-sensitive unless otherwise specified.)

    | Operator | Type | Description |
    |---|---|---|
    | StringEquals | String | (Case-sensitive) The request value is the same as the condition value. |
    | StringNotEquals | String | (Case-sensitive) The request value is different from the condition value. |
    | StringEqualsIgnoreCase | String | The request value is the same as the condition value. |
    | StringNotEqualsIgnoreCase | String | The request value is different from the condition value. |
    | StringLike | String | The request value contains the condition value. |
    | StringNotLike | String | The request value does not contain the condition value. |
    | StringStartWith | String | The request value starts with the condition value. |
    | StringEndWith | String | The request value ends with the condition value. |
    | StringNotStartWith | String | The request value does not start with the condition value. |
    | StringNotEndWith | String | The request value does not end with the condition value. |
    | StringEqualsAnyOf | String | (Case-sensitive) The request value is the same as any of the configured condition values. |
    | StringNotEqualsAnyOf | String | (Case-sensitive) The request value is different from all of the configured condition values. |
    | StringEqualsIgnoreCaseAnyOf | String | The request value is the same as any of the configured condition values. |
    | StringNotEqualsIgnoreCaseAnyOf | String | The request value is different from all of the configured condition values. |
    | StringLikeAnyOf | String | The request value contains any of the configured condition values. |
    | StringNotLikeAnyOf | String | The request value does not contain any of the configured condition values. |
    | StringStartWithAnyOf | String | The request value starts with any of the configured condition values. |
    | StringEndWithAnyOf | String | The request value ends with any of the configured condition values. |
    | StringNotStartWithAnyOf | String | The request value does not start with any of the configured condition values. |
    | StringNotEndWithAnyOf | String | The request value does not end with any of the configured condition values. |
    | NumberEquals | Number | The request value is equal to the condition value. |
    | NumberNotEquals | Number | The request value is not equal to the condition value. |
    | NumberLessThan | Number | The request value is less than the condition value. |
    | NumberLessThanEquals | Number | The request value is less than or equal to the condition value. |
    | NumberGreaterThan | Number | The request value is greater than the condition value. |
    | NumberGreaterThanEquals | Number | The request value is greater than or equal to the condition value. |
    | NumberEqualsAnyOf | Number | The request value is equal to any of the configured condition values. |
    | NumberNotEqualsAnyOf | Number | The request value is not equal to any of the configured condition values. |
    | DateLessThan | Time | The request value is earlier than the condition value. |
    | DateLessThanEquals | Time | The request value is earlier than or equal to the condition value. |
    | DateGreaterThan | Time | The request value is later than the condition value. |
    | DateGreaterThanEquals | Time | The request value is later than or equal to the condition value. |
    | Bool | Boolean | The request value is equal to the condition value. |
    | IpAddress | IP address | The request value is within the IP address range set in the condition value. |
    | NotIpAddress | IP address | The request value is beyond the IP address range set in the condition value. |
    | IsNullOrEmpty | Null | The request value is null or an empty string. |
    | IsNull | Null | The request value is null. |
    | IsNotNull | Null | The request value is not null. |
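The following Python is an added example, not code from the IAM documentation. It evaluates a Condition element the way the condition-key and operator sections above describe: every operator/key pair must hold (logical AND), IfExists lets an absent key pass, the Not and AnyOf variants are derived from the positive operators in Table 3, and the sample Condition is the one from the OBS policy at the top of this page. The request context is constructed (its keys follow Table 2, the values are made up). Two details the page leaves open are treated as assumptions and marked in the code: a key missing from the request never satisfies an operator without the IfExists suffix, and the Null operators ignore their condition values.

```python
import ipaddress
from datetime import datetime
from typing import Any, Callable, Dict, List, Optional

# Constructed request context. Keys follow Table 2 on this page; the values are made up.
REQUEST: Dict[str, str] = {
    "g:UserName": "deploy-specialCharacter",
    "g:MFAPresent": "true",
    "g:MFAAge": "600",
    "g:CurrentTime": "2025-03-01T12:00:00Z",
}

# The Condition element of the sample OBS policy on this page.
SAMPLE_CONDITION: Dict[str, Dict[str, List[str]]] = {
    "StringEndWithIfExists": {"g:UserName": ["specialCharacter"]},
    "Bool": {"g:MFAPresent": ["true"]},
}


def _time(s: str) -> datetime:
    """Parse the ISO 8601 form used by g:CurrentTime (trailing Z = UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Positive forms only; the "Not" variants are derived by negation below.
_POSITIVE: Dict[str, Callable[[str, str], bool]] = {
    "StringEquals": lambda r, c: r == c,
    "StringEqualsIgnoreCase": lambda r, c: r.lower() == c.lower(),
    "StringLike": lambda r, c: c in r,  # Table 3 defines Like as "contains"
    "StringStartWith": lambda r, c: r.startswith(c),
    "StringEndWith": lambda r, c: r.endswith(c),
    "NumberEquals": lambda r, c: float(r) == float(c),
    "NumberLessThan": lambda r, c: float(r) < float(c),
    "NumberLessThanEquals": lambda r, c: float(r) <= float(c),
    "NumberGreaterThan": lambda r, c: float(r) > float(c),
    "NumberGreaterThanEquals": lambda r, c: float(r) >= float(c),
    "DateLessThan": lambda r, c: _time(r) < _time(c),
    "DateLessThanEquals": lambda r, c: _time(r) <= _time(c),
    "DateGreaterThan": lambda r, c: _time(r) > _time(c),
    "DateGreaterThanEquals": lambda r, c: _time(r) >= _time(c),
    "Bool": lambda r, c: r.lower() == c.lower(),
    "IpAddress": lambda r, c: ipaddress.ip_address(r) in ipaddress.ip_network(c, strict=False),
}


def check_condition(op: str, request_value: Optional[str], cond_values: List[str]) -> bool:
    """Evaluate one operator for one key; request_value is None when the key is absent."""
    if op.endswith("IfExists"):
        if request_value is None:
            return True  # IfExists: an absent request value satisfies the condition
        op = op[: -len("IfExists")]
    if op.endswith("AnyOf"):
        op = op[: -len("AnyOf")]  # the multi-value handling below already gives AnyOf semantics
    # Assumption: the Null operators only test presence and ignore their condition values.
    if op == "IsNull":
        return request_value is None
    if op == "IsNotNull":
        return request_value is not None
    if op == "IsNullOrEmpty":
        return request_value is None or request_value == ""
    negated = "Not" in op
    base = op.replace("Not", "", 1)
    if base not in _POSITIVE:
        raise ValueError("unknown operator: " + op)
    if request_value is None:
        return False  # assumption: without IfExists, a missing key never satisfies a comparison
    # Positive operators match if any configured value matches; "Not" operators
    # require that none of them match (e.g. StringNotEqualsAnyOf: different from all).
    hit = any(_POSITIVE[base](request_value, c) for c in cond_values)
    return not hit if negated else hit


def conditions_met(condition: Dict[str, Dict[str, Any]], request: Dict[str, str]) -> bool:
    """All operator/key pairs in a Condition element must hold (logical AND)."""
    for op, keys in condition.items():
        for key, values in keys.items():
            vals = values if isinstance(values, list) else [values]
            if not check_condition(op, request.get(key), vals):
                return False
    return True


if __name__ == "__main__":
    print(conditions_met(SAMPLE_CONDITION, REQUEST))
    # IfExists: a request with no g:UserName still satisfies the first condition.
    print(conditions_met(SAMPLE_CONDITION, {"g:MFAPresent": "true"}))
```

The second call in the usage block is the point of the IfExists caveat: a request that carries no g:UserName passes the StringEndWithIfExists check and is gated only by the MFA condition. Swap the operator for StringEndWith and the same request is rejected.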