Updated on 2025-12-12 GMT+08:00

Cloud Eye

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not grant permissions to an entity; they only set its permissions boundary. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, they determine which permissions are available to that member account or to the member accounts under that OU. Granted permissions take effect only if the SCPs allow them.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by Cloud Eye, see Resources.

  • Condition Key contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by Cloud Eye, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for identity policy-based authorization. For details, see Policies and Identity Policies.
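The column rules above can be checked mechanically before a custom identity policy is attached. The following linter is an added example, not Huawei Cloud code: it applies the Resource Type and Condition Key rules to a handful of rows copied from Table 1 and reports Write-level actions that an action wildcard pulls in. The statement layout (Effect/Action/Resource/Condition, with Condition as operator, then key, then values), the fnmatch-style action wildcard, and the placeholder URN and project ID are assumptions.

```python
import fnmatch

# Excerpt of Table 1, values copied from this page:
# action -> (access level, resource type or None for "-", condition keys)
TABLE = {
    "ces:alarms:list": ("List", None, {"g:EnterpriseProjectId"}),
    "ces:alarms:get": ("Read", "alarm", {"g:EnterpriseProjectId"}),
    "ces:alarms:putNotificationMaskRules":
        ("Write", None, {"g:EnterpriseProjectId"}),
    "ces:dashboards:delete": ("Write", "dashboard", {"g:EnterpriseProjectId"}),
    "ces:widgets:create": ("Write", None, {"ces:namespace"}),
    "ces:metricData:create": ("Write", None, set()),
}


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, code, action, detail) findings."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        # Assumption: a statement without Resource applies to all resources.
        resources = _as_list(stmt.get("Resource", "*"))
        # Assumed Condition layout: {operator: {condition key: [values]}}
        used_keys = {key
                     for block in stmt.get("Condition", {}).values()
                     for key in block}
        for pattern in _as_list(stmt["Action"]):
            # Assumption: "*" in an action matches any run of characters.
            matched = sorted(a for a in TABLE
                             if fnmatch.fnmatchcase(a, pattern))
            if not matched:
                findings.append((idx, "unknown-action", pattern,
                                 "not in the table excerpt"))
            for action in matched:
                level, rtype, keys = TABLE[action]
                # Resource Type "-": no resource-level permissions,
                # so the statement must specify all resources ("*").
                if rtype is None and resources != ["*"]:
                    findings.append((idx, "resource-must-be-star", action,
                                     "action has no resource-level permissions"))
                # Condition keys outside the action's Condition Key column.
                for key in sorted(used_keys - keys):
                    findings.append((idx, "condition-key-unsupported",
                                     action, key))
                # Least privilege: a wildcard that silently grants Write.
                if (stmt.get("Effect") == "Allow" and level == "Write"
                        and pattern != action):
                    findings.append((idx, "wildcard-grants-write",
                                     action, pattern))
    return findings


# Constructed sample policy; the URN and project ID are placeholders.
SAMPLE_POLICY = {
    "Statement": [
        {   # Read-only access scoped by enterprise project: no findings.
            "Effect": "Allow",
            "Action": ["ces:alarms:list", "ces:alarms:get"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {
                "g:EnterpriseProjectId": ["PROJECT-ID-PLACEHOLDER"]}},
        },
        {   # Wildcard plus a URN on actions that cannot be resource-scoped.
            "Effect": "Allow",
            "Action": ["ces:alarms:*", "ces:metricData:create"],
            "Resource": ["ALARM-URN-PLACEHOLDER"],
            "Condition": {"StringEquals": {
                "g:EnterpriseProjectId": ["PROJECT-ID-PLACEHOLDER"]}},
        },
    ]
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The second statement is flagged because ces:alarms:* also grants ces:alarms:putNotificationMaskRules, a Write action that masks alarm notifications and that the author of a "read alarms" policy is unlikely to have intended.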

The following table lists the actions that you can define in identity policy statements for Cloud Eye.

Table 1 Actions supported by Cloud Eye

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

ces:alarms:create

Grants permission to create an alarm rule.

Write

-

-

ces:alarms:list

Grants permission to list alarm rules.

List

-

g:EnterpriseProjectId

-

ces:alarms:put

Grants permission to update an alarm rule.

Write

alarm *

  • ces:alarmsonoff:put

-

ces:alarms:putAction

Grants permission to enable or disable an alarm rule.

Write

alarm *

  • ces:alarms:put

ces:alarms:get

Grants permission to query an alarm rule.

Read

alarm *

g:EnterpriseProjectId

  • ces:alarms:list

ces:alarms:delete

Grants permission to delete an alarm rule.

Write

alarm *

-

ces:alarms:getInstanceStatus

Grants permission to query the instance alarm status.

Read

alarm *

g:EnterpriseProjectId

  • ces:alarmsInstanceStatus:get

ces:alarms:getClassInfo

Grants permission to query the number of alarm rules of different types.

Read

alarm *

  • ces:alarmClassInfo:get

ces:alarms:listNamespaces

Grants permission to list alarm namespaces.

List

-

g:EnterpriseProjectId

  • ces:alarmNamespaces:list

ces:alarms:listOneClickAlarms

Grants permission to list services and resources that support one-click monitoring.

List

-

g:EnterpriseProjectId

  • ces:oneClickAlarms:list

ces:alarms:putOneClickAlarms

Grants permission to batch enable or disable one-click monitoring.

Write

-

g:EnterpriseProjectId

  • ces:oneClickAlarms:put

ces:alarms:addResources

Grants permission to batch add resources to an alarm rule.

Write

alarm *

  • ces:alarms:put

ces:alarms:deleteResources

Grants permission to batch delete resources from an alarm rule.

Write

alarm *

  • ces:alarms:put

ces:alarms:getPolicies

Grants permission to query policies in an alarm rule.

Read

alarm *

  • ces:alarms:get

ces:alarms:getResources

Grants permission to list monitored resources in an alarm rule.

Read

alarm *

  • ces:alarms:list

ces:alarms:updatePolicies

Grants permission to update policies of an alarm rule.

Write

alarm *

  • ces:alarms:put

ces:alarms:putAlarmNotifications

Grants permission to modify alarm notification information in an alarm rule.

Write

alarm *

  • ces:alarms:put

ces:alarms:putNotificationMaskRules

Grants permission to configure alarm masking rules.

Write

-

g:EnterpriseProjectId

  • ces:notificationMasks:update

ces:alarms:listNotificationMaskResources

Grants permission to list resources for which alarm notifications have been masked.

List

-

g:EnterpriseProjectId

  • ces:notificationMasks:list

ces:alarms:deleteNotificationMaskRules

Grants permission to batch delete alarm notification masking rules.

Write

-

g:EnterpriseProjectId

  • ces:notificationMasks:delete

ces:alarms:listNotificationMaskRules

Grants permission to list alarm notification masking rules.

List

-

g:EnterpriseProjectId

  • ces:notificationMasks:list

ces:alarms:createOneClickAlarms

Grants permission to enable one-click monitoring.

Write

-

g:EnterpriseProjectId

  • ces:oneClickAlarms:post

ces:alarms:putOneClickAlarmPolicies

Grants permission to batch enable or disable alarm policies in alarm rules for a service with one-click monitoring.

Write

-

g:EnterpriseProjectId

  • ces:oneClickAlarms:put

ces:alarms:putOneClickAlarmNotifications

Grants permission to batch modify alarm notification rules of one-click monitoring for a service.

Write

-

g:EnterpriseProjectId

  • ces:oneClickAlarms:updateNotifications

ces:alarms:deleteOneClickAlarms

Grants permission to batch disable one-click monitoring.

Write

-

g:EnterpriseProjectId

  • ces:oneClickAlarms:delete

ces:notificationGroup:delete

Grants permission to delete a notification group.

Write

-

-

-

ces:notificationGroup:convertObject

Grants permission to convert a recipient.

Write

-

-

-

ces:notificationGroup:listSubscriptions

Grants permission to list subscriptions of a notification group.

List

-

-

-

ces:widgets:put

Grants permission to batch update graphs.

Write

-

ces:namespace

-

ces:widgets:create

Grants permission to create a graph.

Write

-

ces:namespace

-

ces:widgets:delete

Grants permission to delete a graph.

Write

-

-

-

ces:dashboards:create

Grants permission to create a dashboard.

Write

dashboard *

-

-

-

g:EnterpriseProjectId

ces:dashboards:get

Grants permission to query details about a dashboard.

Read

dashboard *

-

-

-

g:EnterpriseProjectId

ces:dashboards:list

Grants permission to list dashboards.

List

dashboard *

-

-

-

g:EnterpriseProjectId

ces:dashboards:put

Grants permission to update a dashboard.

Write

dashboard *

g:EnterpriseProjectId

-

ces:widgets:list

Grants permission to query graphs added to a dashboard.

List

-

-

-

ces:dashboards:delete

Grants permission to batch delete dashboards.

Write

dashboard *

g:EnterpriseProjectId

-

ces:systemDashboard:get

Grants permission to batch query system dashboards.

Read

-

-

-

ces:systemDashboard:put

Grants permission to update a system dashboard.

Write

-

-

  • ces:systemDashboard:update

ces:widgets:get

Grants permission to query a graph.

Read

-

-

-

ces:dashboard:listServices

Grants permission to list cloud service dashboards.

List

-

-

-

ces:dashboard:listResourceStatistics

Grants permission to query resource statistics of a dimension on a cloud service dashboard.

List

-

-

-

ces:dashboard:listAlarmStatistics

Grants permission to query alarm statistics by severity on a cloud service dashboard.

List

-

-

-

ces:dashboard:listResourceGroupAlarmStatistics

Grants permission to query alarm statistics by severity for a resource group on a cloud service dashboard.

List

-

-

-

ces:dashboardGroups:delete

Grants permission to delete a graph group.

Write

-

-

-

ces:dashboardGroups:list

Grants permission to view a graph group.

List

-

-

-

ces:dashboardGroups:create

Grants permission to create a graph group.

Write

-

-

-

ces:dashboardGroups:update

Grants permission to batch update graph groups.

Write

-

-

  • ces:dashboardGroups:put

ces:metrics:list

Grants permission to list metrics.

List

-

-

-

ces:metricData:create

Grants permission to report metrics.

Write

-

-

-

ces:metricData:get

Grants permission to query data of a metric.

Read

-

-

  • ces:metricData:list

ces:metricData:list

Grants permission to batch query metric data.

List

-

-

-

ces:namespacesDimensions:listAgentDimensions

Grants permission to query Agent-related metrics of an instance.

List

-

-

  • ces:namespacesDimensions:list

ces:namespacesDimensions:list

Grants permission to batch query metric dimensions.

List

-

ces:namespace

-

ces:namespacesDimensions:get

Grants permission to batch query the dimension hierarchy of specified namespaces.

Read

-

ces:namespace

  • ces:namespacesDimensions:list

ces:agent:putHeartBeat

Grants permission to update the heartbeat status of a server.

Write

-

-

  • ces:heartbeat:post

ces:agent:putStatus

Grants permission to update the Agent status of an instance.

Write

-

-

  • ces:heartbeat:post

ces:agent:getStatus

Grants permission to query the Agent status of an instance.

Read

-

-

  • ces:agentStatus:get

ces:agent:listStatuses

Grants permission to batch query the Agent status of instances.

List

-

-

  • ces:agentStatus:get
  • ces:agentStatus:list

ces:agent:putVersion

Grants permission to update the Agent version of an instance.

Write

-

-

  • ces:agentUpgrade:post

ces:metrics:listSupported

Grants permission to batch query all supported metrics.

List

-

-

  • ces:currentRegionSupportedMetrics:list

ces:namespacesMetrics:list

Grants permission to batch query metrics.

List

-

-

  • ces:currentRegionSupportedMetrics:list

ces:ecsInstanceStatistics:get

Grants permission to batch query ECS CPU metric statistics.

Read

-

-

-

ces:evsInstanceStatistics:get

Grants permission to batch query EVS metric statistics.

Read

-

-

-

ces:namespacesDimensions:listInstances

Grants permission to batch query instances in a dimension.

List

-

ces:namespace

  • ces:namespacesDimensions:list

ces:metaData:get

Grants permission to batch query metadata of dimensions.

Read

-

ces:namespace

  • ces:metaData:list

ces:resourcesMetadata:list

Grants permission to batch query metadata of resources.

List

-

ces:namespace

-

ces:metrics:listStatistics

Grants permission to batch query dimensional metric statistics.

List

-

-

  • ces:metrics:list

ces:agent:listPrefixMetrics

Grants permission to batch query metrics with prefixes.

List

-

-

  • ces:prefixMetrics:list

ces:metricData:export

Grants permission to create a metric report.

Write

-

-

-

ces:sortedMetrics:list

Grants permission to batch query the metric order of specified dimensions.

List

-

-

-

ces:sortedMetrics:create

Grants permission to sort metrics for a specified dimension.

Write

-

-

-

ces:namespaces:list

Grants permission to batch query namespaces.

List

-

-

-

ces:vpcInstanceStatistics:get

Grants permission to query VPC metric statistics.

Read

-

-

-

ces:resourcesConsole:list

Grants permission to batch query resource data of a namespace on the console.

List

-

ces:namespace

-

ces:metricData:listPercentile

Grants permission to batch query metric percentages.

List

-

-

  • ces:percentileMetricData:get

ces:metrics:listKeyMetrics

Grants permission to query key metrics.

List

-

ces:namespace

-

ces:alarmHistoriesReportJob:create

Grants permission to batch create tasks for alarm record reporting.

Write

-

-

-

ces:alarmHistoriesReportJob:list

Grants permission to batch query tasks for alarm record reporting.

List

-

-

  • ces:metricReportJobs:list

ces:alarmHistoriesReportJob:delete

Grants permission to batch delete tasks for alarm record reporting.

Write

-

-

-

ces:alarmHistoriesReportJob:download

Grants permission to batch query resource data of a namespace on the console.

Read

-

-

-

ces:metricReportJob:download

Grants permission to download a metric report.

Read

-

-

-

ces:metricReportJobs:list

Grants permission to batch query metric reporting tasks.

List

-

-

-

ces:metricReportJob:create

Grants permission to batch create metric reporting tasks.

Write

-

-

-

ces:metricReportJobs:delete

Grants permission to batch delete metric reporting tasks.

Write

-

-

-

ces:quotas:get

Grants permission to query quotas.

Read

-

-

-

ces:i18n:list

Grants permission to obtain internationalization information.

List

-

-

  • ces:i18n:get

ces:resourcesStatistics:list

Grants permission to batch query resource statistics.

List

-

-

  • ces:resourcesStatistics:get

ces:supportedFeature:list

Grants permission to batch query supported features.

List

-

-

-

ces:asyncTasks:list

Grants permission to batch query asynchronous tasks.

List

-

-

-

ces:agent:getAgencySecurityInfo

Grants permission to query security information of an agency.

Read

-

-

  • ces:agency:get

ces:agent:putConfigStatus

Grants permission to update the configuration status of a server monitoring rule.

Write

-

-

  • ces:agentConfigStatus:put

ces:agent:getConfigStatus

Grants permission to query the configuration status of a server.

Read

-

-

  • ces:agentConfigStatus:get

ces:agent:listExtensionStatuses

Grants permission to batch query the extension status of specified servers.

List

-

-

  • ces:agentStatus:get

ces:agent:put

Grants permission to update the server monitoring metrics of a server.

Write

-

-

  • ces:agentClientMonitor:put

ces:agent:createProf

Grants permission to create a profile for a server.

Write

-

-

  • ces:agentClientProf:post

ces:agent:listProcesses

Grants permission to query the monitored process data of a server.

List

-

-

  • ces:agentProcessesMetricData:list
  • ces:agentProcesses:list

ces:agent:listPlugins

Grants permission to batch query the plug-in information of specified servers.

List

-

-

  • ces:agentClientPluginInfo:get

ces:agent:putPlugins

Grants permission to batch update the plug-in information of a server.

Write

-

-

  • ces:agentClientPluginInfo:put

ces:agent:putProcessActions

Grants permission to batch update process actions of a server.

Write

-

-

  • ces:agentProcesses:put

ces:agentProcesses:list

Grants permission to batch query process details of a server.

List

-

-

-

ces:agent:putProcesses

Grants permission to batch update process details of a server.

Write

-

-

  • ces:agentProcesses:create

ces:agent:createSpecifiedProcess

Grants permission to batch create process records of specified servers.

Write

-

-

  • ces:instanceSpecifiedProcesses:create

ces:agent:listSpecifiedProcess

Grants permission to batch query specified processes on a server.

List

-

-

  • ces:instanceSpecifiedProcesses:list

ces:agent:deleteSpecifiedProcess

Grants permission to batch delete specified processes on specified servers.

Write

-

-

  • ces:instanceSpecifiedProcesses:delete

ces:agent:listTaskInvoke

Grants permission to batch query tasks called by a server.

List

-

-

  • ces:agentTask:get

ces:agent:submitTaskResult

Grants permission to report task results of a server.

Write

-

-

  • ces:agentTask:post

ces:agent:listTelescopeConfigs

Grants permission to batch query nested configurations of a server.

List

-

-

  • ces:agentClientTelescopeConfigs:get

ces:agent:listConfChecks

Grants permission to batch query DNS records of a server.

List

-

-

  • ces:confChecks:get

ces:agent:listTaskInvocations

Grants permission to batch query Agent tasks of a server.

List

-

-

  • ces:taskInvocation:get

ces:agent:createAgentInvocations

Grants permission to batch create Agent tasks.

Write

-

-

  • ces:taskInvocation:post

ces:agent:listAgentInstallSteps

Grants permission to query the Agent installation step details.

List

-

-

-

ces:agent:listMetricData

Grants permission to batch query Agent-related metric details.

List

-

-

  • ces:agentmetricdata:list

ces:agent:listInstancesWithAgent

Grants permission to query Agent information of a server.

List

-

-

-

ces:agent:updateAgentAvailabilityTask

Grants permission to update an Agent availability task.

Write

-

-

  • ces:agentClientAvailabilityTask:put

ces:agent:getAgentAvailabilityTask

Grants permission to get Agent availability task details.

Read

-

-

  • ces:agentClientAvailabilityTask:get

ces:availabilityMonitorTask:create

Grants permission to batch create availability monitoring tasks.

Write

-

-

-

ces:availabilityMonitorTask:list

Grants permission to list availability monitoring tasks.

List

-

-

-

ces:availabilityMonitorTask:get

Grants permission to query details about an availability monitoring task.

Read

-

-

-

ces:availabilityMonitorTask:update

Grants permission to modify an availability monitoring task.

Write

-

-

-

ces:availabilityMonitorTask:delete

Grants permission to delete an availability monitoring task.

Write

-

-

-

ces:obsTransfers:create

Grants permission to configure an OBS dump rule.

Write

-

-

-

ces:obsTransfers:listBuckets

Grants permission to list OBS buckets.

List

-

-

  • ces:obsBuckets:list

ces:obsTransfers:put

Grants permission to modify a transfer object.

Write

-

-

-

ces:obsTransfers:get

Grants permission to query a transfer object.

Read

-

-

-

ces:obsTransfers:list

Grants permission to batch query OBS dump information.

List

-

-

-

ces:alarmHistory:list

Grants permission to list historical alarms.

List

-

g:EnterpriseProjectId

-

ces:alarmHistory:listNamespaces

Grants permission to list namespaces of alarm records.

List

-

g:EnterpriseProjectId

  • ces:alarmHistoryNamespaces:list

ces:alarmHistory:statistics

Grants permission to query alarm statistics.

List

-

g:EnterpriseProjectId

  • ces:alarmsStatistics:get

ces:customAlarmTemplates:create

Grants permission to create a custom alarm template.

Write

-

g:EnterpriseProjectId

-

ces:customAlarmTemplates:delete

Grants permission to delete a custom alarm template.

Write

-

g:EnterpriseProjectId

-

ces:customAlarmTemplates:get

Grants permission to query a custom alarm template.

Read

-

g:EnterpriseProjectId

  • ces:customAlarmTemplates:list

ces:customAlarmTemplates:list

Grants permission to list custom alarm templates.

List

-

g:EnterpriseProjectId

-

ces:customAlarmTemplates:listAssociatedAlarms

Grants permission to list alarm rules associated with a custom alarm template.

List

-

g:EnterpriseProjectId

-

ces:customAlarmTemplates:put

Grants permission to update a custom alarm template.

Write

-

g:EnterpriseProjectId

-

ces:customAlarmTemplates:associateResourceGroup

Grants permission to modify the configurations for asynchronously associating an alarm template with resource groups.

Write

-

g:EnterpriseProjectId

  • ces:customAlarmTemplates:put

ces:customAlarmTemplates:disassociateResourceGroup

Grants permission to disassociate an alarm template from resource groups.

Write

-

g:EnterpriseProjectId

  • ces:customAlarmTemplates:create

ces:alarmsContacts:list

Grants permission to list contacts.

List

-

g:EnterpriseProjectId

-

ces:alarmsContacts:get

Grants permission to query a contact.

Read

-

g:EnterpriseProjectId

-

ces:notificationGroup:create

Grants permission to create a notification group.

Write

-

g:EnterpriseProjectId

-

ces:notificationObject:list

Grants permission to list recipients.

List

-

g:EnterpriseProjectId

-

ces:notificationObject:create

Grants permission to create a recipient.

Write

-

g:EnterpriseProjectId

-

ces:notificationObject:delete

Grants permission to batch delete recipients.

Write

-

g:EnterpriseProjectId

-

ces::listNotificationSubscriptions

Grants permission to list notification subscriptions.

List

-

-

  • ces:alarms:listNotificationSubscriptions

ces::batchCreateNotificationSubscriptions

Grants permission to batch create notification subscriptions.

Write

-

-

  • ces:alarms:batchCreateNotificationSubscriptions

ces:alarms:listNotificationTemplates

Grants permission to list custom notification templates.

List

-

-

-

ces:alarms:createNotificationTemplate

Grants permission to add a custom notification template.

Write

-

-

-

ces:alarms:batchDeleteNotificationTemplates

Grants permission to delete a custom notification template.

Write

-

-

-

ces:alarms:updateNotificationTemplate

Grants permission to modify a custom notification template.

Write

-

-

-

ces:alarms:listPresetNotificationTemplates

Grants permission to obtain the fields and field locations of preset templates.

List

-

-

-

ces:alarms:listNotificationTemplateAssociationAlarms

Grants permission to list alarms associated with a notification template.

List

-

-

-

ces:events:post

Grants permission to report an event.

Write

-

-

-

ces:events:get

Grants permission to query details about an event.

Read

-

-

-

ces:events:list

Grants permission to list events.

List

-

-

-

ces:events:listEventStatistics

Grants permission to batch query event statistics.

List

-

-

  • ces:eventData:list
  • ces:eventsStatistics:get

ces:events:listSystemEventNames

Grants permission to batch query system event data.

List

-

-

  • ces:sysEventsNames:list

ces:events:listCustomEventNames

Grants permission to batch query custom event data.

List

-

-

  • ces:customEventsNames:list

ces:events:createSubscription

Grants permission to create an event alarm.

Write

-

-

  • ces:eventSubscription:create

ces:events:listSystemEvents

Grants permission to list system events.

List

-

-

  • ces:systemEvents:list

ces:events:listSystemEventMeta

Grants permission to query the system event whitelist.

List

-

-

  • ces:sysEventsNames:list

ces:eventData:get

Grants permission to query server configurations.

Read

-

-

  • ces:sapEventData:list

ces:dataShareJob:list

Grants permission to list data dump tasks.

List

-

-

-

ces:dataShareJob:create

Grants permission to create a data dump task.

Write

-

-

-

ces:dataShareJob:delete

Grants permission to delete a data dump task.

Write

-

-

-

ces:dataShareJob:get

Grants permission to query details about a data dump task.

Read

-

-

-

ces:dataShareJob:put

Grants permission to modify the status for a data dump task.

Write

-

-

  • ces:dataShareJob:action

ces:resourceGroups:addResources

Grants permission to batch add resources to a resource group.

Write

-

g:EnterpriseProjectId

  • ces:resourceGroups:put

ces:resourceGroups:create

Grants permission to create a resource group.

Write

-

g:EnterpriseProjectId

-

ces:resourceGroups:delete

Grants permission to delete a resource group.

Write

-

g:EnterpriseProjectId

-

ces:resourceGroups:deleteResources

Grants permission to batch delete resources from a resource group.

Write

-

g:EnterpriseProjectId

  • ces:resourceGroups:put

ces:resourceGroups:get

Grants permission to query a resource group.

Read

-

g:EnterpriseProjectId

-

ces:resourceGroups:getServiceResources

Grants permission to query resources of a dimension and service type in a resource group.

Read

-

g:EnterpriseProjectId

  • ces:resourceGroups:get

ces:resourceGroups:list

Grants permission to list all resource groups.

List

-

g:EnterpriseProjectId

  • ces:resourceGroups:get

ces:resourceGroups:put

Grants permission to update a resource group.

Write

-

g:EnterpriseProjectId

-

ces:resourceGroups:putAssociationAlarmTemplate

Grants permission to modify the configurations for associating an alarm template with resource groups.

Write

-

g:EnterpriseProjectId

  • ces:resourceGroups:put

ces:resourceGroups:listServices

Grants permission to batch query service categories of a resource group.

List

-

g:EnterpriseProjectId

  • ces:resourceGroups:get
  • ces:resourceGroupsServices:list

ces:tags:create

Grants permission to batch create tags of a type.

Write

-

  • ces:tags:action

ces:tags:list

Grants permission to list Cloud Eye tags.

List

-

-

  • ces:projecttags:list

ces:tags:listByResource

Grants permission to list resource tags.

List

-

-

-

ces:tags:listResources

Grants permission to list resources by tag.

List

-

  • ces:resourceinstances:list

ces:agency:get

Grants permission to query agencies and roles.

Read

-

-

-

ces:agency:post

Grants permission to create agencies and roles.

Write

-

-

-

ces:monitorOverview:listServiceResources

Grants permission to list resources under a cloud service in Overview.

List

-

ces:namespace

-

ces:monitorOverview:updateFavorite

Grants permission to batch add or remove items from favorites.

Write

-

-

-

ces:monitorOverview:listServiceResourceGroups

Grants permission to list resource groups in Overview.

List

-

-

-

ces:monitorOverview:updateKeyMetrics

Grants permission to batch set key metrics.

Write

-

-

-

ces:monitorOverview:listSiteMonitorStatistics

Grants permission to query website monitoring statistics.

List

-

-

-

ces:siteMonitorRule:list

Grants permission to batch query website monitors.

List

-

g:EnterpriseProjectId

  • ces:remoteChecks:list

ces:siteMonitorRule:listDetectResults

Grants permission to batch query website monitoring results.

List

-

-

  • ces:siteMonitorDetectResult:get

ces:siteMonitorRule:listSites

Grants permission to list all website monitors.

List

-

-

  • ces:remoteCheckSites:list

ces:siteMonitorRule:delete

Grants permission to batch delete website monitors.

Write

-

g:EnterpriseProjectId

-

ces:siteMonitorRule:create

Grants permission to create a website monitor.

Write

-

g:EnterpriseProjectId

  • ces:remoteChecks:create

ces:siteMonitorRule:put

Grants permission to update a website monitor.

Write

-

g:EnterpriseProjectId

-

ces:siteMonitorRule:get

Grants permission to query a website monitoring rule.

Read

-

g:EnterpriseProjectId

-

ces:siteMonitorRule:listDefaultSites

Grants permission to batch query checkpoints supported by the system.

List

-

-

  • ces:remoteCheckSites:list

ces:siteMonitorRule:getStatistic

Grants permission to query website monitoring statistics.

Read

-

-

  • ces:statisticsSiteMonitor:get

ces:siteMonitorRuleDataCenter:put

Grants permission to update a website monitoring data center.

Write

-

-

  • ces:siteMonitorRuleDataCenter:update

ces:siteMonitorRuleDataCenter:get

Grants permission to query a website monitoring data center.

Read

-

-

-

ces:siteMonitorRule:showHealthCheck

Grants permission to query website monitoring health check results.

Read

-

-

  • ces:siteMonitorHealthCheck:get

ces:siteMonitorRule:createHealthCheck

Grants permission to create a website monitoring health check rule.

Write

-

-

  • ces:siteMonitorHealthCheck:create

ces:netTopology:listRegion

Grants permission to query the region where a tenant VPC is located.

List

-

-

-

ces:netTopology:listVpc

Grants permission to query the details of a tenant VPC in a region.

List

-

-

-

ces:netTopology:getVpcTopology

Grants permission to query the topology of a tenant VPC.

Read

-

-

-

ces:netTopology:listRouteTableResource

Grants permission to query resources associated with a route table.

List

-

-

-

ces:qualityMonitor:listProbes

Grants permission to list quality monitoring checkpoints.

List

-

-

-

ces:qualityMonitor:create

Grants permission to create a quality monitoring task.

Write

-

-

-

ces:qualityMonitor:delete

Grants permission to delete a quality monitoring task.

Write

-

-

-

ces:qualityMonitor:update

Grants permission to modify a quality monitoring task.

Write

-

-

-

ces:qualityMonitor:get

Grants permission to query details about a quality monitoring task.

Read

-

-

-

ces:qualityMonitor:list

Grants permission to list quality monitoring tasks.

List

-

-

-

ces:qualityMonitor:listStatistics

Grants permission to query quality monitoring statistics.

List

-

-

-

ces:qualityMonitor:queryMapStatus

Grants permission to query map details.

List

-

-

-

ces:qualityMonitor:queryMapThresholdConfig

Grants permission to query map thresholds.

List

-

-

-

ces:qualityMonitor:updateMapThresholdConfig

Grants permission to update thresholds of the quality monitoring map.

Write

-

-

-

ces:qualityMonitor:getDetectRecordDetail

Grants permission to query a detection record.

Read

-

-

-

ces:qualityMonitor:listDetectGroups

Grants permission to list carriers or city groups.

List

-

-

-

ces:qualityMonitor:listDetectRecords

Grants permission to list detection records of quality monitoring.

List

-

-

-

ces:paidContent:update

Grants permission to enable or disable commercial Cloud Eye functions.

Write

-

-

-

ces:paidContent:list

Grants permission to list enabled commercial Cloud Eye functions.

List

-

-

-

ces:notificationObject:update

Grants permission to modify a recipient.

Write

-

-

-

ces:notificationPolicy:create

Grants permission to create a notification policy.

Write

-

-

-

ces:notificationPolicy:update

Grants permission to update a notification policy.

Write

-

-

-

ces:notificationPolicy:get

Grants permission to query a notification policy.

Read

-

-

-

ces:notificationPolicy:list

Grants permission to list notification policies.

List

-

-

-

ces:notificationPolicy:delete

Grants permission to delete a notification policy.

Write

-

-

-

ces:notificationPolicy:updateAlarmRelations

Grants permission to update the association between a notification policy and an alarm rule.

Write

-

-

-

ces:dashboard:listServiceResourcesStatistics

Grants permission to query resource statistics on a cloud service dashboard.

List

-

ces:namespace

-

ces:serviceProducts:list

Grants permission to batch query cloud service products.

List

-

-

-

ces:dashboard:listCloudServiceResources

Grants permission to list resources on a cloud service dashboard.

List

-

ces:namespace

-

ces:metric:createGroups

Grants permission to create a metric group.

Write

-

-

-

ces:metric:listGroups

Grants permission to view a metric group.

List

-

-

-

ces:metric:deleteGroups

Grants permission to delete a metric group.

Write

-

-

-

ces:metric:updateGroups

Grants permission to update a metric group.

Write

-

-

-

ces:metric:listConfig

Grants permission to obtain metric configurations.

List

-

-

-

ces:metric:createConfig

Grants permission to set metric configurations.

Write

-

-

-

ces:alarms:publishNotification

Grants permission to test alarm notifications.

Write

-

-

-

ces:resourcesReportJob:create

Grants permission to create a resource reporting task.

Write

-

-

-

ces:resourcesReportJob:list

Grants permission to batch query resource reporting tasks.

List

-

-

-

ces:resourcesReportJob:delete

Grants permission to batch delete resource reporting tasks.

Write

-

-

-

ces:resourcesReportJob:download

Grants permission to download a resource report.

Read

-

-

-

ces:agent:listSpecifiedProcResources

Grants permission to query custom process metrics.

List

-

-

-

ces:dashboard:listAlarmingResources

Grants permission to query details about monitored resources on a cloud service dashboard.

List

-

-

-

ces:alarmHistory:update

Grants permission to modify a historical alarm.

Write

-

-

-

ces:alarmRulesReportJob:create

Grants permission to batch create tasks for downloading alarm rules.

Write

-

-

-

ces:alarmRulesReportJob:list

Grants permission to batch query tasks for downloading alarm rules.

List

-

-

-

ces:alarmRulesReportJob:delete

Grants permission to batch delete tasks for downloading alarm rules.

Write

-

-

-

ces:alarmRulesReportJob:download

Grants permission to download the alarm rule list.

Read

-

-

-

ces:qualityMonitor:createQuickDetectTask

Grants permission to create an immediate detection task for quality monitoring.

Write

-

-

-

ces:qualityMonitor:listQuickDetectTasks

Grants permission to list immediate detection tasks of quality monitoring.

List

-

-

-

ces:qualityMonitor:showQuickDetectTaskDetail

Grants permission to query details about a single detection record in an immediate detection task of quality monitoring.

List

-

-

-

ces:qualityMonitor:showQuickDetectTask

Grants permission to query details about an immediate detection task of quality monitoring.

List

-

-

-

ces::listServiceResources

Grants permission to list cloud service resources.

List

-

-

  • ces:serviceResources:list

ces:alarmTemplates:list

Grants permission to batch query alarm templates.

List

-

-

-

ces:eventsBlackWhiteList:list

Grants permission to query the event blacklist and whitelist.

List

-

-

-

ces:eventsBlackWhiteList:update

Grants permission to update the event blacklist and whitelist.

Write

-

-

-

ces:metric:listMetaData

Grants permission to query metric metadata.

List

-

-

-

ces:dataShareJob:listAgencyProjects

Grants permission to list projects of a data dump delegator.

List

-

-

-

ces:dataShareJob:listDmsInstancesByAgency

Grants permission to list DMS instances of a delegator.

List

-

-

-

ces:dataShareJob:listDmsTopicsByAgency

Grants permission to list DMS topics of a delegator.

List

-

-

-

ces:processMonitorTasks:list

Grants permission to list process monitoring tasks.

List

-

-

-

ces:processMonitorTasks:create

Grants permission to create a process monitoring task.

Write

-

-

-

ces:processMonitorTasks:get

Grants permission to query a process monitoring task.

Read

-

-

-

ces:processMonitorTasks:put

Grants permission to update a process monitoring task.

Write

-

-

-

ces:processMonitorTasks:delete

Grants permission to delete a process monitoring task.

Write

-

-

-

ces:dashboard:createMonitorDashboards

Grants permission to create a dashboard.

Write

-

-

-

ces:dashboard:listMonitorDashboards

Grants permission to list dashboard templates.

List

-

-

-

ces:wecom:create

Grants permission to create a WeCom application.

Write

-

-

-

ces:wecom:update

Grants permission to update a WeCom application.

Write

-

-

-

ces:wecom:delete

Grants permission to delete a WeCom application.

Write

-

-

-

ces:wecom:list

Grants permission to list WeCom applications.

List

-

-

-

ces:wecom:get

Grants permission to query a WeCom application.

Read

-

-

-

ces:netTopology:listTenantEps

Grants permission to query enterprise projects associated with a tenant.

List

-

-

-

ces:netTopology:listGlobalTopology

Grants permission to query the global topology of a tenant.

List

-

-

-

ces:netDetection:listDetectRecords

Grants permission to query a tenant detection record.

List

-

-

-

ces:netDetection:createDetectCase

Grants permission to add a tenant detection case.

Write

-

-

-

ces:netDetection:listDetectCases

Grants permission to query a tenant detection case.

List

-

-

-

ces:netDetection:updateDetectCase

Grants permission to update a tenant detection case.

Write

-

-

-

ces:netDetection:deleteDetectCase

Grants permission to delete a tenant detection case.

Write

-

-

-

ces:netDetection:listDetectCaseReports

Grants permission to query a tenant detection case report.

List

-

-

-

ces:netDetection:listAndCreateUploadCode

Grants permission to query and create an upload code.

List

-

-

-

ces:smartReportTask:create

Grants permission to create an intelligent reporting task.

Write

-

-

-

ces:smartReportTask:list

Grants permission to query an intelligent reporting task.

List

-

-

-

ces:smartReportTask:update

Grants permission to update an intelligent reporting task.

Write

-

-

-

ces:smartReportTask:delete

Grants permission to batch delete intelligent reporting tasks.

Write

-

-

-

ces:smartReportTask:changeStatus

Grants permission to batch enable or disable intelligent reporting tasks.

Write

-

-

-

ces:smartReportTask:listExecuteHistory

Grants permission to query execution records of an intelligent reporting task.

List

-

-

-

ces:smartReportTask:downloadReportJob

Grants permission to download an intelligent report.

Read

-

-

-

ces:smartReportTask:listSupportedServices

Grants permission to query cloud products supported by an intelligent reporting task.

List

-

-

-

ces:smartReportJob:listResources

Grants permission to list resources of an intelligent reporting task.

List

-

-

-

ces:smartReportJob:show

Grants permission to query details about an intelligent reporting task.

Read

-

-

-

Each API of Cloud Eye usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by Cloud Eye APIs

| API | Action | Dependencies |
| --- | --- | --- |
| POST /v2/{project_id}/alarms | ces:alarms:create | - |
| POST /v2/{project_id}/alarms/batch-delete | ces:alarms:delete | - |
| POST /v2/{project_id}/alarms/action | ces:alarms:putAction | - |
| GET /v2/{project_id}/alarms | ces:alarms:list | - |
| POST /v2/{project_id}/alarms/{alarm_id}/resources/batch-create | ces:alarms:addResources | - |
| POST /v2/{project_id}/alarms/{alarm_id}/resources/batch-delete | ces:alarms:deleteResources | - |
| GET /v2/{project_id}/alarms/{alarm_id}/resources | ces:alarms:getResources | - |
| PUT /v2/{project_id}/alarms/{alarm_id}/policies | ces:alarms:updatePolicies | - |
| GET /v2/{project_id}/alarms/{alarm_id}/policies | ces:alarms:getPolicies | - |
| PUT /v2/{project_id}/alarms/{alarm_id}/notifications | ces:alarms:putAlarmNotifications | - |
| GET /v2/{project_id}/alarm-histories | ces:alarmHistory:list | - |
| POST /v2/{project_id}/alarm-templates | ces:customAlarmTemplates:create | - |
| POST /v2/{project_id}/alarm-templates/batch-delete | ces:customAlarmTemplates:delete | - |
| PUT /v2/{project_id}/alarm-templates/{template_id} | ces:customAlarmTemplates:put | - |
| GET /v2/{project_id}/alarm-templates | ces:customAlarmTemplates:list | - |
| GET /v2/{project_id}/alarm-templates/{template_id} | ces:customAlarmTemplates:get | - |
| GET /v2/{project_id}/alarm-templates/{template_id}/association-alarms | ces:customAlarmTemplates:listAssociatedAlarms | - |
| POST /v2/{project_id}/resource-groups | ces:resourceGroups:create | - |
| POST /v2/{project_id}/resource-groups/batch-delete | ces:resourceGroups:delete | - |
| PUT /v2/{project_id}/resource-groups/{group_id} | ces:resourceGroups:put | - |
| GET /v2/{project_id}/resource-groups/{group_id} | ces:resourceGroups:get | - |
| GET /v2/{project_id}/resource-groups | ces:resourceGroups:list | - |
| PUT /v2/{project_id}/resource-groups/{group_id}/alarm-templates/async-association | ces:resourceGroups:putAssociationAlarmTemplate | - |
| POST /v2/{project_id}/resource-groups/{group_id}/resources/batch-create | ces:resourceGroups:addResources | - |
| POST /v2/{project_id}/resource-groups/{group_id}/resources/batch-delete | ces:resourceGroups:deleteResources | - |
| GET /v2/{project_id}/resource-groups/{group_id}/services/{service}/resources | ces:resourceGroups:getServiceResources | - |
| POST /v2/{project_id}/one-click-alarms | ces:alarms:createOneClickAlarms | - |
| GET /v2/{project_id}/one-click-alarms | ces:alarms:listOneClickAlarms | - |
| GET /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/alarms | ces:alarms:listOneClickAlarms | - |
| PUT /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/alarm-rules/action | ces:alarms:putOneClickAlarms | - |
| POST /v2/{project_id}/one-click-alarms/batch-delete | ces:alarms:deleteOneClickAlarms | - |
| PUT /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/notifications | ces:alarms:putOneClickAlarmNotifications | - |
| PUT /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/alarms/{alarm_id}/policies/action | ces:alarms:putOneClickAlarmPolicies | - |
| PUT /v2/{project_id}/notification-masks | ces:alarms:putNotificationMaskRules | - |
| POST /v2/{project_id}/notification-masks/batch-update | ces:alarms:putNotificationMaskRules | - |
| PUT /v2/{project_id}/notification-masks/{notification_mask_id} | ces:alarms:putNotificationMaskRules | - |
| POST /v2/{project_id}/notification-masks/batch-delete | ces:alarms:deleteNotificationMaskRules | - |
| POST /v2/{project_id}/notification-masks/batch-query | ces:alarms:listNotificationMaskRules | - |
| GET /v2/{project_id}/notification-masks/{notification_mask_id}/resources | ces:alarms:listNotificationMaskResources | - |
| POST /v2/{project_id}/dashboards | ces:dashboards:create | - |
| GET /v2/{project_id}/dashboards | ces:dashboards:list | - |
| PUT /v2/{project_id}/dashboards/{dashboard_id} | ces:dashboards:put | - |
| POST /v2/{project_id}/dashboards/batch-delete | ces:dashboards:delete | - |
| POST /v2/{project_id}/dashboards/{dashboard_id}/widgets | ces:widgets:create | - |
| GET /v2/{project_id}/dashboards/{dashboard_id}/widgets | ces:widgets:list | - |
| GET /v2/{project_id}/widgets/{widget_id} | ces:widgets:get | - |
| DELETE /v2/{project_id}/widgets/{widget_id} | ces:widgets:delete | - |
| POST /v2/{project_id}/widgets/batch-update | ces:widgets:put | - |
| GET /v2/{project_id}/{resource_type}/tags | ces:tags:list | - |
| GET /v2/{project_id}/instances/{instance_id}/agent-dimensions | ces:namespacesDimensions:listAgentDimensions | - |
| POST /v2/{project_id}/batch-query-metric-data | ces:metricData:list | - |
| POST /V1.0/{project_id}/alarms | ces:alarms:create | - |
| PUT /V1.0/{project_id}/alarms/{alarm_id} | ces:alarms:put | - |
| PUT /V1.0/{project_id}/alarms/{alarm_id}/action | ces:alarms:putAction | - |
| DELETE /V1.0/{project_id}/alarms/{alarm_id} | ces:alarms:delete | - |
| GET /V1.0/{project_id}/alarms/{alarm_id} | ces:alarms:get | - |
| GET /V1.0/{project_id}/alarms | ces:alarms:list | - |
| GET /V1.0/{project_id}/alarm-histories | ces:alarmHistory:list | - |
| POST /V1.0/{project_id}/events | ces:events:post | - |
| GET /V1.0/{project_id}/events | ces:events:list | - |
| GET /V1.0/{project_id}/event/{event_name} | ces:events:get | - |
| GET /V1.0/{project_id}/metrics | ces:metrics:list | - |
| POST /V1.0/{project_id}/batch-query-metric-data | ces:metricData:list | - |
| GET /V1.0/{project_id}/event-data | ces:eventData:get | - |
| GET /V1.0/{project_id}/metric-data | ces:metricData:get | - |
| POST /V1.0/{project_id}/metric-data | ces:metricData:create | - |
| GET /V1.0/{project_id}/quotas | ces:quotas:get | - |
| GET /V1.0/{project_id}/resource-groups/{group_id} | ces:resourceGroups:get | - |
| PUT /V1.0/{project_id}/resource-groups/{group_id} | ces:resourceGroups:put | - |
| DELETE /V1.0/{project_id}/resource-groups/{group_id} | ces:resourceGroups:delete | - |
| POST /V1.0/{project_id}/resource-groups | ces:resourceGroups:create | - |
| GET /V1.0/{project_id}/resource-groups | ces:resourceGroups:list | - |
| POST /V1.0/{project_id}/alarm-template | ces:customAlarmTemplates:create | - |
| PUT /V1.0/{project_id}/alarm-template/{template_id} | ces:customAlarmTemplates:put | - |
| DELETE /V1.0/{project_id}/alarm-template/{template_id} | ces:customAlarmTemplates:delete | - |
| GET /V1.0/{project_id}/alarm-template | ces:customAlarmTemplates:list | - |
| POST /v3/{project_id}/agent-status/batch-query | ces:agent:listStatuses | - |
| GET /v3/{project_id}/agent-invocations | ces:agent:listTaskInvocations | - |
| POST /v3/{project_id}/agent-invocations/batch-create | ces:agent:createAgentInvocations | - |
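
Table 2 can also be read in reverse to right-size a custom identity policy: map the requests a principal actually made to the actions they require, then compare with what is granted. The Python below is an added example, not Huawei Cloud code; it embeds a subset of Table 2 rows, and the function names, request list and granted list are constructed for illustration.

```python
import re

# (method, path template, action) rows copied from Table 2; a subset only.
TABLE_2 = [
    ("POST", "/v2/{project_id}/alarms", "ces:alarms:create"),
    ("POST", "/v2/{project_id}/alarms/batch-delete", "ces:alarms:delete"),
    ("GET", "/v2/{project_id}/alarms", "ces:alarms:list"),
    ("PUT", "/v2/{project_id}/notification-masks", "ces:alarms:putNotificationMaskRules"),
    ("PUT", "/v2/{project_id}/notification-masks/{notification_mask_id}", "ces:alarms:putNotificationMaskRules"),
    ("POST", "/v2/{project_id}/notification-masks/batch-delete", "ces:alarms:deleteNotificationMaskRules"),
    ("GET", "/V1.0/{project_id}/alarms/{alarm_id}", "ces:alarms:get"),
    ("DELETE", "/V1.0/{project_id}/alarms/{alarm_id}", "ces:alarms:delete"),
]

def _to_regex(template):
    # "{name}" matches exactly one path segment; every other segment is literal.
    parts = ["[^/]+" if p.startswith("{") else re.escape(p) for p in template.split("/")]
    return re.compile("/".join(parts))

# Try templates with fewer placeholders first, so a literal segment such as
# "batch-delete" is preferred over a "{placeholder}" in the same position.
ROUTES = [(m, _to_regex(t), a) for m, t, a in sorted(TABLE_2, key=lambda r: r[1].count("{"))]

def action_for(method, path):
    """Return the Table 2 action for one request, or None if no row matches."""
    path = path.split("?", 1)[0].rstrip("/")
    for m, rx, action in ROUTES:
        if m == method.upper() and rx.fullmatch(path):
            return action
    return None

def audit(granted, requests):
    """Compare granted actions with the actions the observed requests required."""
    mapped = [(m, p, action_for(m, p)) for m, p in requests]
    used = {a for _, _, a in mapped if a}
    return {"used": sorted(used),
            "unused": sorted(set(granted) - used),
            "unmapped": [(m, p) for m, p, a in mapped if a is None]}

# Constructed sample input: IDs are placeholders, not real values.
REQUESTS = [("GET", "/v2/PROJECT_ID/alarms?limit=10"),
            ("GET", "/V1.0/PROJECT_ID/alarms/ALARM_ID"),
            ("PUT", "/v2/PROJECT_ID/notification-masks/MASK_ID"),
            ("GET", "/v2/PROJECT_ID/not-in-table")]
GRANTED = ["ces:alarms:list", "ces:alarms:get", "ces:alarms:delete",
           "ces:alarms:putNotificationMaskRules", "ces:alarms:deleteNotificationMaskRules"]

if __name__ == "__main__":
    print(audit(GRANTED, REQUESTS))
```

Actions reported under `unused` are candidates for removal from the custom identity policy; an `unmapped` request means the embedded subset needs the matching row from Table 2 before any conclusion is drawn.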

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, a resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to that resource. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for Cloud Eye.

Table 3 Resource types supported by Cloud Eye

| Resource Type | URN |
| --- | --- |
| alarm | ces:<region>:<account-id>:alarm:<alarm-id> |
| dashboard | ces:<region>:<account-id>:dashboard:<dashboard-id> |

Conditions

About condition keys

A Condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. Cloud Eye supports the global condition keys applicable to all services, except g:RequestedRegion. For details, see Global Condition Keys.

      Cloud Eye provides global capabilities (such as Alarm Notifications and Task Center). As a result, it functions as a global-level service and does not support the global condition key g:RequestedRegion.

    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, ces:) apply only to operations of EVS. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For supported condition operators, see Condition operators.

Service-specific condition keys supported by Cloud Eye

The following table lists the condition keys that you can define in custom identity policies for Cloud Eye. You can include these condition keys to specify conditions for when your identity policy is in effect.

Table 4 Service-specific condition keys supported by Cloud Eye

| Service-specific Condition Key | Type | Single-valued/Multivalued | Description |
| --- | --- | --- | --- |
| ces:namespace | string | Multivalued | Filters access requests based on the namespace specified in the request parameter. For details, see Granting Permissions by Cloud Service. |