Updated on 2025-07-01 GMT+08:00

Cloud Application Engine

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by CAE, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by CAE, see Conditions.

The following table lists the actions that you can define in SCP statements for CAE.

Table 1 Actions supported by CAE

Where an action has two Resource Type/Condition Key pairs, the second pair is on the line that follows the action (the other cells of that line are left blank).

| Action | Description | Access Level | Resource Type (*: required) | Condition Key | Alias |
| --- | --- | --- | --- | --- | --- |
| cae:environment:listEnvironments | Grant permission to query all environments. | List | environment * | - | cae:environment:list |
| cae:environment:createEnvironment | Grant permission to create an environment. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteEnvironment | Grant permission to delete an environment. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:getEnvironment | Grant permission to query an environment. | Read | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listCloudVolumes | Grant permission to query all cloud storage. | List | environment * | - | cae:environment:list |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createCloudVolume | Grant permission to authorize cloud storage. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteCloudVolume | Grant permission to unbind cloud storage. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listDomains | Grant permission to query all domain names. | List | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createDomain | Grant permission to create a domain name. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteDomain | Grant permission to delete a domain name. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listCertificates | Grant permission to query all certificates. | List | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createCertificate | Grant permission to create a certificate. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteCertificate | Grant permission to delete a certificate. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:updateCertificate | Grant permission to update a certificate. | Write | environment * | - | cae:environment:update |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listTimerRules | Grant permission to query all start/stop rules. | List | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createTimerRule | Grant permission to create a start/stop rule. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteTimerRule | Grant permission to delete a start/stop rule. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:updateTimerRule | Grant permission to update a start/stop rule. | Write | environment * | - | cae:environment:update |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:getTimerRule | Grant permission to query a start/stop rule. | Read | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listEips | Grant permission to view all EIPs (inter-access between the environment and public network). | List | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:updateEip | Grant permission to update an EIP (inter-access between the environment and public network). | Write | environment * | - | cae:environment:update |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listVpcEgresses | Grant permission to view all VPC egresses. | List | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createVpcEgress | Grant permission to create a VPC egress. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteVpcEgress | Grant permission to delete a VPC egress. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:listVpcIngresses | Grant permission to view all VPC ingresses. | List | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createVpcIngress | Grant permission to create a VPC ingress. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:deleteVpcIngress | Grant permission to delete a VPC ingress. | Write | environment * | - | cae:environment:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:createMonitorSystem | Grant permission to create a monitoring system. | Write | environment * | - | cae:environment:create |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:updateMonitorSystem | Grant permission to update a monitoring system. | Write | environment * | - | cae:environment:update |
| | | | - | g:EnterpriseProjectId | |
| cae:environment:getMonitorSystem | Grant permission to query a monitoring system. | Read | environment * | - | cae:environment:get |
| | | | - | g:EnterpriseProjectId | |
| cae:application:listApplications | Grant permission to query all applications. | List | application * | - | cae:application:list |
| cae:application:createApplication | Grant permission to create an application. | Write | application * | - | cae:application:create |
| | | | - | g:EnterpriseProjectId | |
| cae:application:deleteApplication | Grant permission to delete an application. | Write | application * | - | cae:application:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:component:listComponents | Grant permission to query all components. | List | component * | - | cae:application:list |
| | | | - | g:EnterpriseProjectId | |
| cae:component:createComponent | Grant permission to create a component. | Write | component * | - | cae:application:create |
| | | | - | g:EnterpriseProjectId | |
| cae:component:deleteComponent | Grant permission to delete a component. | Write | component * | - | cae:application:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:component:updateComponent | Grant permission to update a component. | Write | component * | - | cae:application:modify |
| | | | - | g:EnterpriseProjectId | |
| cae:component:getComponent | Grant permission to query a component. | Read | component * | - | cae:application:get |
| | | | - | g:EnterpriseProjectId | |
| cae:component:createWithConfigComponent | Grant permission to create, validate, and deploy a component. | Write | component * | - | cae:application:create |
| | | | - | g:EnterpriseProjectId | |
| cae:component:operateComponent | Grant permission to deploy, scale, upgrade, roll back, start, stop, restart, and configure a component. | Write | component * | - | cae:application:modify |
| | | | - | g:EnterpriseProjectId | |
| cae:component:listConfigurations | Grant permission to query all component configurations. | List | component * | - | cae:application:get |
| | | | - | g:EnterpriseProjectId | |
| cae:component:createConfiguration | Grant permission to create or update component configurations. | Write | component * | - | cae:application:create |
| | | | - | g:EnterpriseProjectId | |
| cae:component:deleteConfiguration | Grant permission to delete or cancel component configurations. | Write | component * | - | cae:application:delete |
| | | | - | g:EnterpriseProjectId | |
| cae:component:getConfiguration | Grant permission to query component configurations. | Read | component * | - | cae:application:list |
| | | | - | g:EnterpriseProjectId | |
| cae:component:createInstanceWebShell | Grant permission to create a remote login. | Write | component * | - | cae:application:createConsole |
| | | | - | g:EnterpriseProjectId | |
| cae::listNoticeRules | Grant permission to query all event notification rules. | List | - | g:EnterpriseProjectId | cae:environment:get |
| cae::createNoticeRule | Grant permission to create an event notification rule. | Write | - | g:EnterpriseProjectId | cae:environment:create |
| cae::deleteNoticeRule | Grant permission to delete an event notification rule. | Write | - | g:EnterpriseProjectId | cae:environment:delete |
| cae::updateNoticeRule | Grant permission to update an event notification rule. | Write | - | g:EnterpriseProjectId | cae:environment:update |
| cae::getNoticeRule | Grant permission to query an event notification rule. | Read | - | g:EnterpriseProjectId | cae:environment:get |
| cae::listDewSecrets | Grant permission to query all secrets. | List | - | g:EnterpriseProjectId | cae:environment:get |
| cae::createDewSecret | Grant permission to create a secret. | Write | - | g:EnterpriseProjectId | cae:environment:create |
| cae::deleteDewSecret | Grant permission to delete a secret. | Write | - | g:EnterpriseProjectId | cae:environment:delete |
| cae::updateDewSecret | Grant permission to update a secret. | Write | - | g:EnterpriseProjectId | cae:environment:update |
| cae::getDewSecret | Grant permission to query a secret. | Read | - | g:EnterpriseProjectId | cae:environment:get |
| cae::buyPackage | Grant permission to purchase a pay-per-use package. | Write | - | g:EnterpriseProjectId | cae:environment:create |

Each API of CAE usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by CAE APIs

| API | Action | Dependencies |
| --- | --- | --- |

Resources

A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to define resource types.

The following table lists the resource types that you can define in SCP statements for CAE.

Table 3 Resource types supported by CAE

| Resource Type | URN |
| --- | --- |
| component | cae:<region>:<account-id>:component:<application-id>/<component-id> |
| environment | cae:<region>:<account-id>:environment:<environment-id> |
| application | cae:<region>:<account-id>:application:<application-id> |

Conditions

CAE does not support service-specific condition keys in policies. CAE can only use global condition keys applicable to all services. For details, see Global Condition Keys.
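The rules in the Actions, Resources and Conditions sections (a required resource type must be matched by a URN of that type or by "*", an action with no resource type must use "*", an action only honours the condition keys listed for it, and an SCP bounds rather than grants) can be checked mechanically before a policy is attached. The Python below is an added example and is not code from the Huawei Cloud documentation or from the CAE service. Its ACTIONS and URN_PATTERNS tables are a constructed subset of Table 1 and Table 3; the statement shape is reduced to the Effect, Action, Resource and Condition elements this page names, and the StringEquals/StringNotEquals operator names, the sample region, account, environment and enterprise project IDs, and the "identity allows, SCP allows, no SCP denies" evaluation model are assumptions made for the example.

```python
"""Check a draft CAE SCP statement against Table 1 and Table 3, then evaluate a request."""
import fnmatch
import re

# Constructed subset of Table 1. Value: (access level, required resource type or None,
# condition keys the action supports).
ACTIONS = {
    "cae:environment:listEnvironments": ("List", "environment", ()),
    "cae:environment:deleteEnvironment": ("Write", "environment", ("g:EnterpriseProjectId",)),
    "cae:component:operateComponent": ("Write", "component", ("g:EnterpriseProjectId",)),
    "cae::buyPackage": ("Write", None, ("g:EnterpriseProjectId",)),
}

# URN formats from Table 3. Each <placeholder> becomes a non-empty segment; "*" is accepted
# inside a segment because a Resource pattern may carry wildcards.
URN_PATTERNS = {
    "environment": re.compile(r"^cae:[^:]*:[^:]*:environment:[^:/]+$"),
    "application": re.compile(r"^cae:[^:]*:[^:]*:application:[^:/]+$"),
    "component": re.compile(r"^cae:[^:]*:[^:]*:component:[^:/]+/[^:/]+$"),
}


def validate_statement(stmt):
    """Return the problems found in one statement (empty list = consistent with the tables)."""
    problems = []
    resources = stmt.get("Resource", [])
    cond_keys = [key for pairs in stmt.get("Condition", {}).values() for key in pairs]
    for pattern in stmt.get("Action", []):
        matched = fnmatch.filter(ACTIONS, pattern)  # expand wildcards such as cae:environment:*
        if not matched:
            problems.append(f"{pattern}: matches no CAE action")
            continue
        for action in matched:
            _, rtype, keys = ACTIONS[action]
            if rtype is None:
                # Table 1 shows "-" as the resource type: only "*" is valid here.
                if resources != ["*"]:
                    problems.append(f'{action}: no resource type, Resource must be ["*"]')
            else:
                for urn in resources:
                    if urn != "*" and not URN_PATTERNS[rtype].match(urn):
                        problems.append(f"{action}: {urn} is not a {rtype} URN")
            for key in cond_keys:
                # A key the action does not support never matches, so the statement would be inert.
                if key not in keys:
                    problems.append(f"{action}: condition key {key} is not supported")
    return problems


def _condition_holds(condition, context):
    """Only StringEquals and StringNotEquals are modelled (assumed operator names)."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            hit = context.get(key) in values
            if (operator == "StringEquals" and not hit) or (operator == "StringNotEquals" and hit):
                return False
    return True


def _matches(stmt, action, resource, context):
    return (
        any(fnmatch.fnmatchcase(action, p) for p in stmt.get("Action", []))
        and any(fnmatch.fnmatchcase(resource, r) for r in stmt.get("Resource", []))
        and _condition_holds(stmt.get("Condition", {}), context)
    )


def is_permitted(identity_allows, scp_statements, action, resource, context):
    """Simplified evaluation: the SCP is a boundary and grants nothing by itself, so the
    identity policy must allow the call, some SCP statement must allow it, and no SCP
    statement may deny it."""
    matching = [s for s in scp_statements if _matches(s, action, resource, context)]
    scp_allows = any(s["Effect"] == "Allow" for s in matching)
    scp_denies = any(s["Effect"] == "Deny" for s in matching)
    return identity_allows and scp_allows and not scp_denies


# Constructed sample SCP: keep CAE reachable, but refuse environment deletion unless the
# request carries the production enterprise project ID (all identifiers are placeholders).
SAMPLE_SCP = [
    {"Effect": "Allow", "Action": ["cae:*"], "Resource": ["*"]},
    {
        "Effect": "Deny",
        "Action": ["cae:environment:deleteEnvironment"],
        "Resource": ["cae:*:*:environment:*"],
        "Condition": {"StringNotEquals": {"g:EnterpriseProjectId": ["ep-prod-example"]}},
    },
]

if __name__ == "__main__":
    for stmt in SAMPLE_SCP:
        print(validate_statement(stmt) or "statement is consistent with Tables 1 and 3")
    env = "cae:cn-north-4:0123456789:environment:env-1"  # placeholder URN
    print(is_permitted(True, SAMPLE_SCP, "cae:environment:deleteEnvironment", env,
                       {"g:EnterpriseProjectId": "ep-prod-example"}))  # True
    print(is_permitted(True, SAMPLE_SCP, "cae:environment:deleteEnvironment", env,
                       {"g:EnterpriseProjectId": "ep-dev-example"}))  # False
```

Two of the checks are the ones that most often go wrong in practice: a Deny that names a resource URN of the wrong type (for example an environment URN on a component action), and a condition key the action does not list in Table 1. Either mistake leaves the statement silently ineffective rather than producing an error, which is why validating against the table before attaching the SCP matters.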