Help Center/ Config/ API Reference/ APIs/ Compliance/ Updating an Organization Rule

Updated on 2026-04-24 GMT+08:00

Updating an Organization Rule

Function

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

PUT /v1/resource-manager/organizations/{organization_id}/policy-assignments/{organization_policy_assignment_id}

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
organization_id	Yes	String	Specifies the organization ID. Maximum: 34
organization_policy_assignment_id	Yes	String	Specifies the organization rule ID. Maximum: 32

Request Parameters

**Table 2** Request body parameters
Parameter	Mandatory	Type	Description
excluded_accounts	No	Array of strings	Specifies the accounts to be excluded from the rule. Maximum: 32
organization_policy_assignment_name	Yes	String	Specifies the organization rule name. Maximum: 252
managed_policy_assignment_metadata	No	ManagedPolicyAssignmentMetadata object	Specifies the metadata of a managed rule.
custom_policy_assignment_metadata	No	CustomPolicyAssignmentMetadata object	Custom rule metadata.

**Table 3** ManagedPolicyAssignmentMetadata
Parameter	Mandatory	Type	Description
description	No	String	Specifies the rule description. Maximum: 512
period	No	String	Specifies the trigger period.
parameters	No	Map<String,PolicyParameterValue>	Specifies the input parameter.
policy_filter	No	PolicyFilterDefinition object	Specifies the policy filter of a rule.
policy_filter_v2	No	PolicyFilterDefinitionV2 object	Specifies the policy filter of a rule.
policy_definition_id	Yes	String	Specifies the identifier of a predefined policy. Maximum: 36

**Table 4** CustomPolicyAssignmentMetadata
Parameter	Mandatory	Type	Description
description	No	String	Rule description. Maximum: 512
period	No	String	Triggering period.
parameters	No	Map<String,PolicyParameterValue>	Input parameters.
policy_filter	No	PolicyFilterDefinition object	Specifies the policy filter of a rule.
policy_filter_v2	No	PolicyFilterDefinitionV2 object	Specifies the policy filter of a rule.
function_urn	Yes	String	URN of a custom function. Maximum: 1024

**Table 5** PolicyParameterValue
Parameter	Mandatory	Type	Description
value	No	Object	Specifies the value of the rule parameter.

**Table 6** PolicyFilterDefinition
Parameter	Mandatory	Type	Description
region_id	No	String	Specifies the region ID. Maximum: 128
resource_provider	No	String	Specifies the cloud service name. Maximum: 128
resource_type	No	String	Specifies the resource type. Maximum: 128
resource_id	No	String	Specifies the resource ID. Maximum: 512
tag_key	No	String	Specifies the tag key. Maximum: 128
tag_value	No	String	Specifies the tag value. Maximum: 256

**Table 7** PolicyFilterDefinitionV2
Parameter	Mandatory	Type	Description
region_ids	No	Array of strings	Specifies the region IDs.
resource_types	No	Array of strings	Specifies the cloud services.
resource_ids	No	Array of strings	Specifies the resource list.
tag_key_logic	No	String	The logical relationship when parameter tags takes multiple values, for example: When the tags is "tags.1.key":"a", "tags.1.values":"a", "tags.2.key":"b", "tags.2.values":"b", if this parameter is set to AND, it means that the rule only applies to resources bound with both tags a:a and b:b. If not specified, the default logic is OR. Default: OR
tags	No	Array of FilterTagDetail objects	Tags.
exclude_tag_key_logic	No	String	The logical relationship when parameter exclude_tags takes multiple values, for example: When the exclude_tags is "exclude_tags.1.key":"a", "exclude_tags.1.values":"a", "exclude_tags.2.key":"b", "exclude_tags.2.values":"b", if this parameter is set to AND, it means that the rule excludes resources that are bound with the tags a:a and b:b. If not specified, the default logic is OR. Default: OR
exclude_tags	No	Array of FilterTagDetail objects	Exclude Tags.

**Table 8** FilterTagDetail
Parameter	Mandatory	Type	Description
key	No	String	Specifies the tag key.
values	No	Array of strings	Specifies tag values.

Response Parameters

Status code: 200

**Table 9** Response body parameters
Parameter	Type	Description
owner_id	String	Specifies the organization rule creator.
organization_id	String	Specifies the organization ID.
organization_policy_assignment_urn	String	Specifies the unique ID of the organization rule.
organization_policy_assignment_id	String	Specifies the organization rule ID.
organization_policy_assignment_name	String	Specifies the organization rule name.
description	String	Specifies the description information.
period	String	Specifies the trigger period.
policy_filter	PolicyFilterDefinition object	Specifies the policy filter of a rule.
policy_filter_v2	PolicyFilterDefinitionV2 object	Specifies the policy filter of a rule.
parameters	Map<String,PolicyParameterValue>	Specifies the rule parameters.
policy_definition_id	String	Specifies the policy ID.
created_at	String	Specifies the creation time.
updated_at	String	Specifies the update time.

**Table 10** PolicyFilterDefinition
Parameter	Type	Description
region_id	String	Specifies the region ID. Maximum: 128
resource_provider	String	Specifies the cloud service name. Maximum: 128
resource_type	String	Specifies the resource type. Maximum: 128
resource_id	String	Specifies the resource ID. Maximum: 512
tag_key	String	Specifies the tag key. Maximum: 128
tag_value	String	Specifies the tag value. Maximum: 256

**Table 11** PolicyFilterDefinitionV2
Parameter	Type	Description
region_ids	Array of strings	Specifies the region IDs.
resource_types	Array of strings	Specifies the cloud services.
resource_ids	Array of strings	Specifies the resource list.
tag_key_logic	String	The logical relationship when parameter tags takes multiple values, for example: When the tags is "tags.1.key":"a", "tags.1.values":"a", "tags.2.key":"b", "tags.2.values":"b", if this parameter is set to AND, it means that the rule only applies to resources bound with both tags a:a and b:b. If not specified, the default logic is OR. Default: OR
tags	Array of FilterTagDetail objects	Tags.
exclude_tag_key_logic	String	The logical relationship when parameter exclude_tags takes multiple values, for example: When the exclude_tags is "exclude_tags.1.key":"a", "exclude_tags.1.values":"a", "exclude_tags.2.key":"b", "exclude_tags.2.values":"b", if this parameter is set to AND, it means that the rule excludes resources that are bound with the tags a:a and b:b. If not specified, the default logic is OR. Default: OR
exclude_tags	Array of FilterTagDetail objects	Exclude Tags.

**Table 12** FilterTagDetail
Parameter	Type	Description
key	String	Specifies the tag key.
values	Array of strings	Specifies tag values.

**Table 13** PolicyParameterValue
Parameter	Type	Description
value	Object	Specifies the value of the rule parameter.

Status code: 400

**Table 14** Response body parameters
Parameter	Type	Description
error_code	String	Specifies the error code.
error_msg	String	Specifies the error message.

Status code: 403

**Table 15** Response body parameters
Parameter	Type	Description
error_code	String	Specifies the error code.
error_msg	String	Specifies the error message.

Status code: 500

**Table 16** Response body parameters
Parameter	Type	Description
error_code	String	Specifies the error code.
error_msg	String	Specifies the error message.

Example Requests

Updating an Organization Rule

PUT https://{endpoint}/v1/resource-manager/organizations/{organization_id}/policy-assignments/{organization_policy_assignment_id}

{
  "organization_policy_assignment_name" : "allowed-images-by-id",
  "managed_policy_assignment_metadata" : {
    "description" : "The ECS resource is non-compliant if the image it used is not in the allowed list.",
    "parameters" : {
      "listOfAllowedImages" : {
        "value" : [ "ea0d6e0e-99c3-406d-a873-3bb45462b624" ]
      }
    },
    "policy_filter" : {
      "resource_provider" : "ecs",
      "resource_type" : "cloudservers"
    },
    "policy_definition_id" : "5fa265c0aa1e6afc05a0ff07"
  }
}

Example Responses

Status code: 200

Operation succeeded.

{
  "owner_id" : "e74e043fab784a45ad88f5ef6a4bcffc",
  "organization_id" : "o-doxbpkzqsdd51ti1k27w2y8fitakrknp",
  "organization_policy_assignment_urn" : "rms::e74e043fab784a45ad88f5ef6a4bcffc:organizationPolicyAssignment:o-doxbpkzqsdd51ti1k27w2y8fitakrknp/d02b7fa9d5a74e638c1402d0868f71fd",
  "organization_policy_assignment_id" : "d02b7fa9d5a74e638c1402d0868f71fd",
  "organization_policy_assignment_name" : "allowed-images-by-id",
  "description" : "The ECS resource is non-compliant if the image it used is not in the allowed list.",
  "period" : null,
  "policy_filter" : {
    "region_id" : null,
    "resource_provider" : "evs",
    "resource_type" : "volumes",
    "resource_id" : null,
    "tag_key" : null,
    "tag_value" : null
  },
  "policy_definition_id" : "5fa265c0aa1e6afc05a0ff07",
  "parameters" : { },
  "created_at" : "2022-01-18T06:37:54.432Z",
  "updated_at" : "2022-01-18T06:37:54.432Z"
}

SDK Sample Code

The SDK sample code is as follows.

Updating an Organization Rule

     package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.config.v1.region.ConfigRegion;
import com.huaweicloud.sdk.config.v1.*;
import com.huaweicloud.sdk.config.v1.model.*;

import java.util.Map;
import java.util.HashMap;

public class UpdateOrganizationPolicyAssignmentSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new GlobalCredentials()
                .withAk(ak)
                .withSk(sk);

        ConfigClient client = ConfigClient.newBuilder()
                .withCredential(auth)
                .withRegion(ConfigRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateOrganizationPolicyAssignmentRequest request = new UpdateOrganizationPolicyAssignmentRequest();
        request.withOrganizationId("{organization_id}");
        request.withOrganizationPolicyAssignmentId("{organization_policy_assignment_id}");
        OrganizationPolicyAssignmentRequest body = new OrganizationPolicyAssignmentRequest();
        PolicyFilterDefinition policyFilterManagedPolicyAssignmentMetadata = new PolicyFilterDefinition();
        policyFilterManagedPolicyAssignmentMetadata.withResourceProvider("ecs")
            .withResourceType("cloudservers");
        PolicyParameterValue parametersParameters = new PolicyParameterValue();
        parametersParameters.withValue("[ea0d6e0e-99c3-406d-a873-3bb45462b624]");
        Map<String, PolicyParameterValue> listManagedPolicyAssignmentMetadataParameters = new HashMap<>();
        listManagedPolicyAssignmentMetadataParameters.put("listOfAllowedImages", parametersParameters);
        ManagedPolicyAssignmentMetadata managedPolicyAssignmentMetadatabody = new ManagedPolicyAssignmentMetadata();
        managedPolicyAssignmentMetadatabody.withDescription("The ECS resource is non-compliant if the image it used is not in the allowed list.")
            .withParameters(listManagedPolicyAssignmentMetadataParameters)
            .withPolicyFilter(policyFilterManagedPolicyAssignmentMetadata)
            .withPolicyDefinitionId("5fa265c0aa1e6afc05a0ff07");
        body.withManagedPolicyAssignmentMetadata(managedPolicyAssignmentMetadatabody);
        body.withOrganizationPolicyAssignmentName("allowed-images-by-id");
        request.withBody(body);
        try {
            UpdateOrganizationPolicyAssignmentResponse response = client.updateOrganizationPolicyAssignment(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
 
 
  

Updating an Organization Rule

     # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkconfig.v1.region.config_region import ConfigRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkconfig.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = GlobalCredentials(ak, sk)

    client = ConfigClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(ConfigRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateOrganizationPolicyAssignmentRequest()
        request.organization_id = "{organization_id}"
        request.organization_policy_assignment_id = "{organization_policy_assignment_id}"
        policyFilterManagedPolicyAssignmentMetadata = PolicyFilterDefinition(
            resource_provider="ecs",
            resource_type="cloudservers"
        )
        parametersParameters = PolicyParameterValue(
            value="[ea0d6e0e-99c3-406d-a873-3bb45462b624]"
        )
        listParametersManagedPolicyAssignmentMetadata = {
            "listOfAllowedImages": parametersParameters
        }
        managedPolicyAssignmentMetadatabody = ManagedPolicyAssignmentMetadata(
            description="The ECS resource is non-compliant if the image it used is not in the allowed list.",
            parameters=listParametersManagedPolicyAssignmentMetadata,
            policy_filter=policyFilterManagedPolicyAssignmentMetadata,
            policy_definition_id="5fa265c0aa1e6afc05a0ff07"
        )
        request.body = OrganizationPolicyAssignmentRequest(
            managed_policy_assignment_metadata=managedPolicyAssignmentMetadatabody,
            organization_policy_assignment_name="allowed-images-by-id"
        )
        response = client.update_organization_policy_assignment(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
 
 
  

Updating an Organization Rule

     package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
    config "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/config/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/config/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/config/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := global.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := config.NewConfigClient(
        config.ConfigClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateOrganizationPolicyAssignmentRequest{}
	request.OrganizationId = "{organization_id}"
	request.OrganizationPolicyAssignmentId = "{organization_policy_assignment_id}"
	resourceProviderPolicyFilter:= "ecs"
	resourceTypePolicyFilter:= "cloudservers"
	policyFilterManagedPolicyAssignmentMetadata := &model.PolicyFilterDefinition{
		ResourceProvider: &resourceProviderPolicyFilter,
		ResourceType: &resourceTypePolicyFilter,
	}
	var valueParameters interface{} = "[ea0d6e0e-99c3-406d-a873-3bb45462b624]"
	parametersParameters := model.PolicyParameterValue{
		Value: &valueParameters,
	}
	var listParametersManagedPolicyAssignmentMetadata = map[string](model.PolicyParameterValue){
        "listOfAllowedImages": parametersParameters,
    }
	descriptionManagedPolicyAssignmentMetadata:= "The ECS resource is non-compliant if the image it used is not in the allowed list."
	managedPolicyAssignmentMetadatabody := &model.ManagedPolicyAssignmentMetadata{
		Description: &descriptionManagedPolicyAssignmentMetadata,
		Parameters: listParametersManagedPolicyAssignmentMetadata,
		PolicyFilter: policyFilterManagedPolicyAssignmentMetadata,
		PolicyDefinitionId: "5fa265c0aa1e6afc05a0ff07",
	}
	request.Body = &model.OrganizationPolicyAssignmentRequest{
		ManagedPolicyAssignmentMetadata: managedPolicyAssignmentMetadatabody,
		OrganizationPolicyAssignmentName: "allowed-images-by-id",
	}
	response, err := client.UpdateOrganizationPolicyAssignment(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}
 
 
  

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code	Description
200	Operation succeeded.
400	Invalid parameters.
403	Authentication failed or you do not have the operation permissions.
500	Server error.

Error Codes

See Error Codes.

Parent Topic: Compliance

Previous topic: Deleting an Organization Rule

Next topic: Querying the Deployment Status of an Organization Rule

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot