Updated on 2022-09-29 GMT+08:00

Advanced Mode

The advanced mode provides a more flexible topic policy. You can specify which users and cloud services can perform which topic operations, for example, querying topic details, modifying topics, publishing messages, and deleting topics.

Introduction to Topic Policies

A topic policy is configured by the topic creator to allow or disallow other users or cloud services to perform specified operations on a topic. Table 1 lists the elements that make up a topic policy.

Table 1 Topic policy elements

Item | Description | Constraint
Version | Policy specification version | Only 2016-09-07 is supported.
Id | Policy ID, which uniquely identifies the policy | The policy ID must be specified.
Statement | One or more statements that grant topic operation permissions to other users or cloud services | A policy must contain at least one statement. For details about the elements of a statement, see Statement Elements.

The following skeleton shows a topic policy with two statements. {Statement1} and {Statement2} are placeholders for the statement objects described in Statement Elements.

{
    "Version": "2016-09-07",
    "Id": "access_policy_01",
    "Statement": [
       {Statement1},
       {Statement2}
    ]
}

Statement Elements

The following is a complete topic policy with two statements. The first statement allows two accounts, identified by their CSP URNs, to publish messages to the topic and query its details; the second grants the same two actions to the OBS service. (The policy is JSON, so explanatory comments are not permitted inside it.) Table 2 describes the statement elements.

{
    "Version": "2016-09-07",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__user_pub_0",
            "Effect": "Allow",
            "Principal": {
                "CSP": [
                    "urn:csp:iam::123456789:root",
                    "urn:csp:iam::987654321:root"
                ]
            },
            "Action": [
                "SMN:Publish",
                "SMN:QueryTopicDetail"
            ],
            "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
        },
        {
            "Sid": "__service_pub_0",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "obs"
                ]
            },
            "Action": [
                "SMN:Publish",
                "SMN:QueryTopicDetail"
            ],
            "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
        }
    ]
}
Table 2 Statement elements description

Element | Description | Constraint
Sid | Statement ID | Mandatory and unique within the policy, for example, statement01 or statement02.
Effect | Statement effect | Allow or Deny.
Principal / NotPrincipal | Principal: objects the statement applies to. NotPrincipal: objects the statement does not apply to, that is, the statement applies to every other object. Two object types are supported: CSP (cloud users) and Service (cloud services). | Exactly one of Principal and NotPrincipal must be configured. For CSP, specify each user as urn:csp:iam::domainId:root, where domainId is the account ID of that user. For Service, specify cloud service names in lowercase. Note that an Allow statement with NotPrincipal grants the permission to everyone except the listed objects, so check that this is really what you want.
Action / NotAction | Action: actions the statement applies to. NotAction: actions the statement does not apply to, that is, the statement applies to every other supported action. A trailing wildcard character (*) selects a group of actions, for example, SMN:Update* or SMN:Delete*; a lone * selects all supported actions. | Exactly one of Action and NotAction must be configured. Only the actions listed below are supported. For the mapping between actions and APIs, see Mappings Between SMN Actions and APIs.
Resource / NotResource | Resource: topic the statement applies to. NotResource: topic the statement does not apply to. | Exactly one of Resource and NotResource must be configured. The value is a topic URN.
Condition (optional) | Condition under which the statement takes effect | Consists of supported condition operators and keywords. For details, see Condition Elements.

Supported actions:

  • SMN:UpdateTopic
  • SMN:DeleteTopic
  • SMN:QueryTopicDetail
  • SMN:ListTopicAttributes
  • SMN:UpdateTopicAttribute
  • SMN:DeleteTopicAttributes
  • SMN:DeleteTopicAttributeByName
  • SMN:ListSubscriptionsByTopic
  • SMN:Subscribe
  • SMN:Unsubscribe
  • SMN:Publish
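As an added example (not code from the SMN documentation or the service itself), the following Python lint checks a topic policy against the constraints in Tables 1 and 2 before it is applied: the fixed Version, a mandatory Id, at least one statement, unique Sid values, Effect restricted to Allow or Deny, exactly one member of each Principal/NotPrincipal, Action/NotAction and Resource/NotResource pair, the supported action list with its trailing-wildcard form, lowercase service names, and the URN shapes. It also flags Allow combined with NotPrincipal, since that grants every principal except the listed ones. The function names, the regular expressions used for the URN shapes, and the two sample policies are assumptions; the first sample reproduces the page's own example, the second is constructed to contain violations.

```python
import re

# Constraints taken from Tables 1 and 2 on this page.
SUPPORTED_VERSION = "2016-09-07"
SUPPORTED_ACTIONS = {
    "SMN:UpdateTopic", "SMN:DeleteTopic", "SMN:QueryTopicDetail",
    "SMN:ListTopicAttributes", "SMN:UpdateTopicAttribute",
    "SMN:DeleteTopicAttributes", "SMN:DeleteTopicAttributeByName",
    "SMN:ListSubscriptionsByTopic", "SMN:Subscribe", "SMN:Unsubscribe",
    "SMN:Publish",
}
# Assumed shapes: the page gives urn:csp:iam::domainId:root for users and a
# topic URN of the form urn:smn:regionId:projectId:topicName. The character
# classes are an assumption, not an official grammar.
CSP_URN = re.compile(r"^urn:csp:iam::[^:\s]+:root$")
TOPIC_URN = re.compile(r"^urn:smn:[^:\s]+:[^:\s]+:[^:\s]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _exactly_one(stmt, key, not_key, sid, problems):
    """Each pair (Principal/NotPrincipal, ...) must have exactly one member."""
    present = [k for k in (key, not_key) if k in stmt]
    if len(present) != 1:
        problems.append(f"{sid}: exactly one of {key}/{not_key} is required, found {present or 'none'}")
        return None
    return present[0]


def _check_principal(principal, sid, problems):
    for kind, values in principal.items():
        if kind == "CSP":
            for urn in _as_list(values):
                if not CSP_URN.match(urn):
                    problems.append(f"{sid}: CSP principal {urn!r} is not of the form urn:csp:iam::domainId:root")
        elif kind == "Service":
            for svc in _as_list(values):
                if svc != svc.lower():
                    problems.append(f"{sid}: service name {svc!r} must be lowercase")
        else:
            problems.append(f"{sid}: unknown principal type {kind!r}, expected CSP or Service")


def _check_actions(actions, sid, problems):
    for act in actions:
        if act == "*":                      # a lone * means all supported actions
            continue
        if act.endswith("*"):               # trailing wildcard, e.g. SMN:Update*
            if not any(s.startswith(act[:-1]) for s in SUPPORTED_ACTIONS):
                problems.append(f"{sid}: wildcard action {act!r} matches no supported action")
        elif act not in SUPPORTED_ACTIONS:
            problems.append(f"{sid}: unsupported action {act!r}")


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    problems = []
    if policy.get("Version") != SUPPORTED_VERSION:
        problems.append(f"Version must be {SUPPORTED_VERSION}")
    if not policy.get("Id"):
        problems.append("Id must be specified")
    statements = _as_list(policy.get("Statement") or [])
    if not statements:
        problems.append("policy must contain at least one statement")
    seen_sids = set()
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid") or f"statement[{index}]"
        if not stmt.get("Sid"):
            problems.append(f"{sid}: Sid is missing")
        elif sid in seen_sids:
            problems.append(f"{sid}: duplicate Sid")
        seen_sids.add(sid)
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny, got {effect!r}")
        pkey = _exactly_one(stmt, "Principal", "NotPrincipal", sid, problems)
        if pkey:
            _check_principal(stmt[pkey], sid, problems)
        if effect == "Allow" and pkey == "NotPrincipal":
            problems.append(f"{sid}: Allow with NotPrincipal grants every principal except those listed; confirm this is intended")
        akey = _exactly_one(stmt, "Action", "NotAction", sid, problems)
        if akey:
            _check_actions(_as_list(stmt[akey]), sid, problems)
        rkey = _exactly_one(stmt, "Resource", "NotResource", sid, problems)
        if rkey:
            for urn in _as_list(stmt[rkey]):
                if not TOPIC_URN.match(urn):
                    problems.append(f"{sid}: {rkey} {urn!r} is not a topic URN")
    return problems


# Constructed samples: GOOD_POLICY is the page's two-statement example,
# BAD_POLICY deliberately breaks several constraints.
TOPIC = "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
GOOD_POLICY = {"Version": "2016-09-07", "Id": "__default_policy_ID", "Statement": [
    {"Sid": "__user_pub_0", "Effect": "Allow",
     "Principal": {"CSP": ["urn:csp:iam::123456789:root", "urn:csp:iam::987654321:root"]},
     "Action": ["SMN:Publish", "SMN:QueryTopicDetail"], "Resource": TOPIC},
    {"Sid": "__service_pub_0", "Effect": "Allow", "Principal": {"Service": ["obs"]},
     "Action": ["SMN:Publish", "SMN:QueryTopicDetail"], "Resource": TOPIC}]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "s1", "Effect": "allow", "Principal": {"Service": ["OBS"]},
     "Action": ["SMN:PublishMessage"], "Resource": "ECM_BKS_Topic"},
    {"Sid": "s2", "Effect": "Allow", "NotPrincipal": {"CSP": ["urn:csp:iam::123456789:root"]},
     "Action": "*", "Resource": TOPIC}]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        findings = lint_policy(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it before uploading a policy: GOOD_POLICY produces no findings, while BAD_POLICY reports the wrong Version, the missing Id, the lowercase effect, the uppercase service name, the unsupported action, the non-URN resource, and the over-broad Allow with NotPrincipal.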

Condition Elements

Conditions determine whether a statement takes effect. They enable you to configure more fine-grained control over topic permissions. Table 3 lists elements in a condition.

Table 3 Condition elements

Item | Description | Constraint
Condition operator | Comparison applied to the value of a condition keyword: string, numeric, date/time, or Boolean matching | Dates and times must be in ISO 8601 format. For the supported operators, see Table 4.
Condition keyword | Request attribute the operator is evaluated against | The keyword must be specified. For the supported keywords, see Table 5.

A statement takes effect only when all conditions in its Condition element are met. If any condition is not met, the statement does not apply to the request, and the operation is denied unless another statement allows it.

Figure 1 Condition logic

As shown in Figure 1, conditions are combined as follows:

  • When a condition contains multiple operators, for example, condition1 and condition2, they are combined with AND.
  • When one operator, for example, condition1, contains multiple keywords, for example, conditionKey1 and conditionKey2, they are combined with AND.
  • When one keyword, for example, conditionKey1, has multiple values, for example, value11 and value12, they are combined with OR.

The following example condition is met only for requests made before 2016-11-07T15:35:00Z whose subscription endpoint ends with @gmail.com or @hotmail.com:
"Condition": {
    "DateLessThan":{
         "csp:CurrentTime":"2016-11-07T15:35:00Z"
    },
    "StringLike": {
         "smn:Endpoint":["*@gmail.com","*@hotmail.com"]
    }
}
Table 4 Condition operators

Category | Operator | Description
String | StringEquals | Match a string (case-sensitive).
String | StringNotEquals | Exclude a string (case-sensitive).
String | StringEqualsIgnoreCase | Match a string (case-insensitive).
String | StringNotEqualsIgnoreCase | Exclude a string (case-insensitive).
String | StringLike | Match a string. The value can contain one or more wildcard characters (*).
String | StringNotLike | Exclude a string. The value can contain one or more wildcard characters (*).
Numeric | NumericEquals | Match an integer or decimal.
Numeric | NumericNotEquals | Exclude an integer or decimal.
Numeric | NumericLessThan | Match any number less than an integer or decimal.
Numeric | NumericLessThanEquals | Match any number less than or equal to an integer or decimal.
Numeric | NumericGreaterThan | Match any number greater than an integer or decimal.
Numeric | NumericGreaterThanEquals | Match any number greater than or equal to an integer or decimal.
Date | DateEquals | Match a date.
Date | DateNotEquals | Exclude a date.
Date | DateLessThan | Match any time earlier than a date and time point.
Date | DateLessThanEquals | Match any time earlier than or equal to a date and time point.
Date | DateGreaterThan | Match any time later than a date and time point.
Date | DateGreaterThanEquals | Match any time later than or equal to a date and time point.
Bool | Bool | Match a Boolean value.

Table 5 Condition keywords

Keyword | Description
csp:CurrentTime | Current time of the request
smn:Protocol | Protocol of a subscription; valid only for the SMN:Subscribe action
smn:Endpoint | Endpoint of a subscription; valid only for the SMN:Subscribe action
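As an added example (not code from the SMN documentation or the service itself), the following Python evaluator implements the Figure 1 logic over the operators in Table 4 and the keywords in Table 5: AND across operators, AND across keywords, OR across the values of one keyword, with * as the only wildcard in StringLike and StringNotLike. It runs the page's example condition against three constructed Subscribe requests so you can see which ones the statement would apply to. Two points are assumptions the page does not spell out: a Not* operator with several values is treated as "differs from all of them" (a plain OR of negations would match almost everything), and a keyword missing from the request never satisfies a condition. The function names and the sample requests are also assumptions.

```python
import re
from datetime import datetime


def _wildcard_match(pattern, value):
    """Only * is a wildcard (Table 4); ? and [] are ordinary characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _parse_time(text):
    """ISO 8601 with a trailing Z or an explicit offset, e.g. 2016-11-07T15:35:00Z."""
    return datetime.fromisoformat(str(text).replace("Z", "+00:00"))


def compare(operator, actual, expected):
    """Evaluate one Table 4 operator against a single expected value."""
    if operator.startswith("String"):
        a, e = str(actual), str(expected)
        table = {
            "StringEquals": a == e,
            "StringNotEquals": a != e,
            "StringEqualsIgnoreCase": a.lower() == e.lower(),
            "StringNotEqualsIgnoreCase": a.lower() != e.lower(),
            "StringLike": _wildcard_match(e, a),
            "StringNotLike": not _wildcard_match(e, a),
        }
    elif operator.startswith("Numeric"):
        a, e = float(actual), float(expected)
        table = {
            "NumericEquals": a == e, "NumericNotEquals": a != e,
            "NumericLessThan": a < e, "NumericLessThanEquals": a <= e,
            "NumericGreaterThan": a > e, "NumericGreaterThanEquals": a >= e,
        }
    elif operator.startswith("Date"):
        a, e = _parse_time(actual), _parse_time(expected)
        table = {
            "DateEquals": a == e, "DateNotEquals": a != e,
            "DateLessThan": a < e, "DateLessThanEquals": a <= e,
            "DateGreaterThan": a > e, "DateGreaterThanEquals": a >= e,
        }
    else:
        table = {"Bool": str(actual).lower() == str(expected).lower()}
    if operator not in table:
        raise ValueError(f"unsupported condition operator {operator!r}")
    return table[operator]


def condition_matches(condition, request):
    """Figure 1 logic: AND across operators, AND across keywords, OR across values.

    Assumption (not stated on the page): for a Not* operator the request value
    must differ from every listed value, and a keyword that is absent from the
    request never satisfies the condition.
    """
    for operator, keywords in condition.items():
        negated = operator.startswith(("StringNot", "NumericNot", "DateNot"))
        for keyword, values in keywords.items():
            if keyword not in request:
                return False
            values = values if isinstance(values, list) else [values]
            results = [compare(operator, request[keyword], v) for v in values]
            if not (all(results) if negated else any(results)):
                return False
    return True


# The page's example condition.
EXAMPLE_CONDITION = {
    "DateLessThan": {"csp:CurrentTime": "2016-11-07T15:35:00Z"},
    "StringLike": {"smn:Endpoint": ["*@gmail.com", "*@hotmail.com"]},
}

# Constructed sample Subscribe requests, keyed by the Table 5 keywords.
SAMPLE_REQUESTS = {
    "gmail_before_deadline": {"csp:CurrentTime": "2016-11-01T10:00:00Z", "smn:Endpoint": "alice@gmail.com"},
    "other_domain": {"csp:CurrentTime": "2016-11-01T10:00:00Z", "smn:Endpoint": "bob@example.com"},
    "hotmail_after_deadline": {"csp:CurrentTime": "2016-11-08T00:00:00Z", "smn:Endpoint": "carol@hotmail.com"},
}


def evaluate_samples(condition=EXAMPLE_CONDITION):
    """Map each sample request name to whether the condition is met."""
    return {name: condition_matches(condition, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, met in evaluate_samples().items():
        print(f"{name}: {'statement applies' if met else 'statement does not apply'}")
```

Only the first sample request satisfies both operators; the second fails the endpoint pattern and the third fails the time bound, so a Subscribe statement carrying this condition would not apply to them.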