Updated on 2024-12-25 GMT+08:00

Cloud Services that Support Resource-Level Authorization Using IAM

If you want to grant permissions to an IAM user for specific resources, create a custom policy that contains permissions for the resources, and attach the policy to the user. The user then only has the permissions for the specified resources. For example, to grant permissions to an IAM user for buckets whose names start with TestBucket, create a custom policy, specify the resource path as OBS:*:*:bucket:TestBucket*, and attach the policy to the user.

The following table lists the cloud services that support resource-level authorization and the supported resource types.

Table 1 Cloud services that support resource-level authorization and the supported resource types

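| Service | Resource Type | Resource Name |
| --- | --- | --- |
| Open API platform SaaS (Apiexplorer-saas) | product | Product |
| Open API platform SaaS (Apiexplorer-saas) | portal | Portal |
| Cloud Bastion Host (CBH) | instanceId | Instance ID |
| Cloud Container Engine (CCE) | cluster | Cluster |
| Cloud Operations Center (COC) | schedule | Scheduled O&M |
| Cloud Operations Center (COC) | document | Document |
| Cloud Operations Center (COC) | drillPlan | Drill plan |
| Cloud Operations Center (COC) | attackTask | Attack task |
| Cloud Operations Center (COC) | contingencyPlan | Contingency plan |
| Cloud Operations Center (COC) | drillTask | Drill task |
| Cloud Operations Center (COC) | accountBaseline | Account baseline |
| Cloud Operations Center (COC) | faultMode | Fault mode |
| Cloud Operations Center (COC) | drillRecord | Drill record |
| Cloud Operations Center (COC) | job | Task |
| Cloud Operations Center (COC) | slaTemplate | SLA template |
| Cloud Operations Center (COC) | attackTargetRecord | Attack target record of an attack task |
| Cloud Operations Center (COC) | parameter | Configuration parameter |
| Cloud Secret Management Service (CSMS) | secretName | Secret name |
| DataArts Insight | workspace | Workspace |
| Distributed Cache Service (DCS) | instance | Instance |
| Document Database Service (DDS) | instanceName | Instance name |
| Data Lake Insight (DLI) | queue | DLI queue |
| Data Lake Insight (DLI) | database | DLI database |
| Data Lake Insight (DLI) | table | DLI table |
| Data Lake Insight (DLI) | column | DLI column |
| Data Lake Insight (DLI) | datasourceauth | DLI security authentication information |
| Data Lake Insight (DLI) | jobs | DLI job |
| Data Lake Insight (DLI) | resource | Resource package |
| Data Lake Insight (DLI) | elasticresourcepool | Elastic resource pool |
| Data Lake Insight (DLI) | group | Resource package group |
| Data Lake Insight (DLI) | variable | Global variable |
| Distributed Message Service (DMS) | rabbitmq | RabbitMQ instance |
| Distributed Message Service (DMS) | kafka | Kafka instance |
| Distributed Message Service (DMS) | rocketmq | RocketMQ instance |
| GaussDB(DWS) | cluster | Cluster |
| Elastic Cloud Server (ECS) | instance | ECS |
| Elastic Volume Service (EVS) | volume | EVS disk |
| FunctionGraph | function | Function |
| FunctionGraph | trigger | Trigger |
| Graph Engine Service (GES) | graphName | GES graph name |
| Graph Engine Service (GES) | backupName | GES backup name |
| Graph Engine Service (GES) | metadataName | Metadata name |
| Intelligent EdgeFabric (IEF) | product | Product |
| Intelligent EdgeFabric (IEF) | node | Edge node |
| Intelligent EdgeFabric (IEF) | group | Edge node group |
| Intelligent EdgeFabric (IEF) | deployment | Deployment |
| Intelligent EdgeFabric (IEF) | batchjob | Batch job |
| Intelligent EdgeFabric (IEF) | application | Application template |
| Intelligent EdgeFabric (IEF) | appVersion | Application template version |
| Intelligent EdgeFabric (IEF) | IEFInstance | IEF instance |
| Data Encryption Workshop (DEW) | KeyId | Key ID |
| MapReduce Service (MRS) | cluster | Cluster |
| Object Storage Service (OBS) | bucket | Bucket |
| Object Storage Service (OBS) | object | Object |
| Relational Database Service (RDS) | instance | RDS instance |
| Resource Formation Service (RFS) | privateModule | Private module |
| Resource Formation Service (RFS) | stack | Stack |
| Resource Formation Service (RFS) | stackSet | Stack set |
| Resource Formation Service (RFS) | privateTemplate | Private template |
| Resource Formation Service (RFS) | privateProvider | Private provider |
| ROMA Connect | graph | Business flow diagram ID |
| SSL Certificate Manager (SCM) | cert | Certificate ID |
| SecMaster | alert | Alarm |
| SecMaster | search | Query |
| SecMaster | playbook | Playbook |
| SecMaster | workflow | Workflow |
| SecMaster | subscription | Subscription |
| SecMaster | indicator | Threat intelligence |
| SecMaster | alertRule | Alert model |
| SecMaster | connection | Asset connection |
| SecMaster | mapping | Categorical mapping |
| SecMaster | dataclass | Data class |
| SecMaster | report | Report |
| SecMaster | searchCondition | Retrieval criteria |
| SecMaster | agency | Agency |
| SecMaster | resource | Resource |
| SecMaster | layout | Layout |
| SecMaster | dataobject | Data object |
| SecMaster | emergencyVulnerability | Emergency vulnerability |
| SecMaster | workspace | Workspace |
| SecMaster | metric | Metric |
| SecMaster | dataspace | Data space |
| SecMaster | catalogue | Directory |
| SecMaster | task | To-do task |
| SecMaster | alertRuleTemplate | Alarm template |
| SecMaster | pipe | Data pipeline |
| SecMaster | incident | Incident |
| SecMaster | table | Table |
| SecMaster | vulnerability | Vulnerability |
| Software Repository for Container (SWR) | chart | Chart |
| Software Repository for Container (SWR) | repository | Repository |
| Software Repository for Container (SWR) | instance | Enterprise edition instance |
| Virtual Private Cloud (VPC) | publicip | EIP |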
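
The following Python linter is an added example, not part of the original page or of any Huawei Cloud tooling: it checks the resource paths of a custom policy against a subset of Table 1 and shows which resource names a wildcard path covers. It assumes a five-field layout service:region:account:type:name inferred from the page's OBS:*:*:bucket:TestBucket* example, that * is the only wildcard, and that service names compare case-insensitively; the function names and sample bucket names are hypothetical.

```python
import re

# Subset of Table 1 (service -> resource types); extend from the table as needed.
SUPPORTED = {
    "obs": {"bucket", "object"},
    "ecs": {"instance"},
    "evs": {"volume"},
    "csms": {"secretName"},
    "dew": {"KeyId"},
}

def parse_resource(path):
    """Split 'service:region:account:type:name' (assumed five-field layout)."""
    parts = path.split(":", 4)
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"malformed resource path: {path!r}")
    return parts

def lint_resource(path):
    """Return findings for one Resource entry of a custom policy."""
    try:
        service, _region, _account, rtype, name = parse_resource(path)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    types = SUPPORTED.get(service.lower())
    if types is None:
        findings.append(f"{service}: not in the supported-service subset")
    elif rtype not in types:
        findings.append(f"{service}: resource type {rtype!r} not supported")
    if name == "*":
        findings.append("name is '*': no resource-level restriction")
    return findings

def covers(path, resource_name):
    """True if the name pattern in `path` matches a concrete resource name."""
    pattern = parse_resource(path)[4]
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, resource_name) is not None

if __name__ == "__main__":
    policy_path = "OBS:*:*:bucket:TestBucket*"   # resource path from the page
    print(lint_resource(policy_path))             # no findings
    # Constructed bucket names: the prefix wildcard matches every name
    # that starts with TestBucket, including ones you did not intend.
    for bucket in ("TestBucket-logs", "TestBucketArchive", "ProdBucket"):
        print(bucket, covers(policy_path, bucket))
```

A trailing wildcard grants access to every present and future resource sharing the prefix, so review naming conventions before relying on a prefix pattern for isolation.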