Updated on 2025-12-05 GMT+08:00

Actions Supported by Identity Policy-based Authorization

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, Service Control Policies (SCPs) in Organizations can also use these actions to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the entity. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU. The granted IAM permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify a URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by COC, see Resource Types (Resource).

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by COC, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.
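
The column rules above can be checked mechanically before a custom identity policy is attached. The following Python sketch is an added example, not code from the COC documentation: it lints statements against a few rows copied from Table 1 and groups the allowed actions by access level. The statement layout (Effect, Action, Resource, and Condition with an operator such as StringEquals) and all bracketed placeholder values are assumptions.

```python
"""Lint identity policy statements against rows of the COC action table."""

# Rows copied from Table 1: action -> (access level, resource types, condition keys).
# An empty tuple stands for "-" in the table.
COC_ACTIONS = {
    "coc:application:list":     ("List",  ("application",), ()),
    "coc:vendorAccount:create": ("Write", (), ()),
    "coc:alarm:clear":          ("Write", (), ()),
    "coc:document:get":         ("Read",  (), ()),
    "coc:schedule:list":        ("List",  (), ("g:EnterpriseProjectId",)),
    "coc:schedule:delete":      ("Write", ("schedule",), ("g:EnterpriseProjectId",)),
    "coc:parameter:update":     ("Write", ("parameter",), ("coc:Creator",)),
}


def _as_list(value):
    """Accept a single string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Collect the keys used in Condition, assumed shape {operator: {key: values}}."""
    keys = set()
    for operands in (statement.get("Condition") or {}).values():
        keys.update(operands)
    return keys


def lint_statement(statement):
    """Return (action, finding) pairs for one statement."""
    findings = []
    resources = _as_list(statement.get("Resource"))
    used_keys = condition_keys(statement)
    for action in _as_list(statement.get("Action")):
        row = COC_ACTIONS.get(action)
        if row is None:
            # Only exact names are checked; wildcard actions also land here.
            findings.append((action, "not-in-catalog"))
            continue
        _level, resource_types, allowed_keys = row
        # Resource Type "-": no resource-level permissions, so only "*" fits.
        if not resource_types and any(r != "*" for r in resources):
            findings.append((action, "resource-must-be-star"))
        # Condition keys must be listed in the action's Condition Key column.
        for key in sorted(used_keys - set(allowed_keys)):
            findings.append((action, f"unsupported-condition-key:{key}"))
    return findings


def lint_policy(policy):
    """Lint every statement of a policy document."""
    return [f for st in policy.get("Statement", []) for f in lint_statement(st)]


def granted_by_level(policy):
    """Group the actions of Allow statements by the table's Access Level."""
    levels = {}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action in COC_ACTIONS:
                levels.setdefault(COC_ACTIONS[action][0], set()).add(action)
    return levels


# Constructed sample policy; placeholder values are not real identifiers.
SAMPLE_POLICY = {
    "Statement": [
        {   # Consistent with the table: both actions list g:EnterpriseProjectId.
            "Effect": "Allow",
            "Action": ["coc:schedule:list", "coc:schedule:delete"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"g:EnterpriseProjectId": ["<project-id>"]}},
        },
        {   # vendorAccount:create has "-" for both Resource Type and Condition Key.
            "Effect": "Allow",
            "Action": ["coc:vendorAccount:create", "coc:parameter:update"],
            "Resource": ["<parameter-urn>"],
            "Condition": {"StringEquals": {"coc:Creator": ["<user-id>"]}},
        },
        {   # alarm:clear supports no condition keys.
            "Effect": "Allow",
            "Action": ["coc:alarm:clear"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"g:EnterpriseProjectId": ["<project-id>"]}},
        },
    ]
}

if __name__ == "__main__":
    for action, finding in lint_policy(SAMPLE_POLICY):
        print(f"{action}: {finding}")
    for level, actions in sorted(granted_by_level(SAMPLE_POLICY).items()):
        print(level, sorted(actions))
```

Extend `COC_ACTIONS` with the remaining rows of the table before using the check on real policies.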

The following table lists the actions that you can define in identity policy statements for COC.

Table 1 Actions supported by COC

Action

Description

Access Level

Resource Type (*: Required)

Condition Key

Alias

coc:application:list

Provides the permission to query the application list.

List

application *

-

-

coc:application:create

Provides the permission to create an application.

Write

application *

-

-

coc:application:update

Provides the permission to modify an application.

Write

application *

-

-

coc:application:delete

Provides the permission to delete an application.

Write

application *

-

-

coc:application:createGroup

Provides the permission to create an application group.

Write

application *

-

-

coc:application:listGroups

Provides the permission to query a specified application group list.

List

application *

-

-

coc:application:updateGroup

Provides the permission to modify an application group.

Write

application *

-

-

coc:application:deleteGroup

Provides the permission to delete an application group.

Write

application *

-

-

coc:application:syncGroupResource

Provides the permission to synchronize application group resources.

Write

application *

-

-

coc:application:updateResources

Provides the permission to modify application resources.

Write

application *

-

-

coc:application:addResources

Provides the permission to add resources to an application.

Write

application *

-

-

coc:application:removeResources

Provides the permission to remove application resources.

Write

application *

-

-

coc:application:listResources

Provides the permission to query the application resource list.

List

application *

-

-

-

coc:ApplicationGroupCode

coc:application:countResourceRelations

Provides the permission to query the number of resource relationships.

List

application *

-

-

coc:application:getCapacity

Provides the permission to query resource capacities in an application.

List

application *

-

-

coc:application:getSortedCapacity

Provides the permission to query the capacities of ordered resources in an application.

List

application *

-

-

coc:application:listModel

Provides the permission to query application models.

List

application *

-

-

coc:vendorAccount:create

Provides the permission to add a cloud vendor account.

Write

-

-

-

coc:vendorAccount:list

Provides the permission to query a cloud vendor account.

List

-

-

-

coc:vendorAccount:update

Provides the permission to modify a cloud vendor account.

Write

-

-

-

coc:vendorAccount:delete

Provides the permission to delete a cloud vendor account.

Write

-

-

-

coc:resourceView:list

Provides the permission to query resource views.

List

-

-

-

coc:resourceView:create

Provides the permission to create a resource view.

Write

resourceView *

-

-

coc:resourceView:update

Provides the permission to update a resource view.

Write

resourceView *

-

-

coc:resourceView:delete

Provides the permission to delete a resource view.

Write

resourceView *

-

-

coc:resourceView:syncResources

Provides the permission to synchronize the resource list in a specific resource view.

Write

resourceView *

-

-

coc:resourceView:listResources

Provides the permission to query the resource list in a specific resource view.

List

resourceView *

-

-

coc:resourceView:countResources

Provides the permission to query the number of resources in a specific resource view.

List

-

-

-

coc:instance:listResources

Provides the permission to query the resource list.

List

-

-

-

coc:instance:syncResources

Provides the permission to synchronize the resource list.

Write

-

-

-

coc:instance:countOtherResources

Provides the permission to query the total number of offline resources (such as physical machines and middleware).

List

-

-

-

coc:instance:listTagsForResource

Provides the permission to query resource tags.

List

-

-

coc:instance:listResourceTags

coc:instance:addResourceToTags

Provides the permission to add resource tags.

Write

-

-

coc:instance:createResourceTags

coc:instance:countResources

Provides the permission to query the total number of resources.

List

-

-

-

coc::listEpsCollection

Provides the permission to query the favorited enterprise projects.

List

-

-

coc:enterpriseProject:listCollect

coc::updateEpsCollection

Provides the permission to modify the favorited enterprise projects.

Write

-

-

coc:enterpriseProject:updateCollect

coc::getLastSyncStatus

Provides the permission to query the latest synchronization status of an instance.

Read

-

-

coc:system:getLastSyncStatus

coc::getResourceSyncJobDetail

Provides the permission to query details about a resource synchronization task.

Read

-

-

coc:system:getResourceSyncJobDetail

coc:schedule:create

Provides the permission to create a scheduled task.

Write

schedule

g:EnterpriseProjectId

-

instance

document

-

coc:schedule:list

Provides the permission to query scheduled tasks.

List

-

g:EnterpriseProjectId

-

coc:schedule:update

Provides the permission to update scheduled tasks.

Write

schedule *

g:EnterpriseProjectId

-

instance

document

coc:schedule:get

Provides the permission to query scheduled task details.

Read

schedule *

-

-

-

g:EnterpriseProjectId

coc:schedule:delete

Provides the permission to delete a scheduled task.

Write

schedule *

g:EnterpriseProjectId

-

coc:schedule:enable

Provides the permission to enable a scheduled task.

Write

schedule *

g:EnterpriseProjectId

-

-

coc:schedule:disable

Provides the permission to disable a scheduled task.

Write

schedule *

g:EnterpriseProjectId

-

coc:schedule:getHistories

Provides the permission to query the execution history of a scheduled task.

Read

schedule *

g:EnterpriseProjectId

-

coc:instance:executeDocument

Provides the permission to execute documents on an ECS.

Write

instance *

-

document *

coc:alarm:clear

Provides the permission to clear alarms.

Write

-

-

-

coc:alarm:createAlarmLinkedIncident

Provides the permission to create incidents that are associated with alarms.

Write

-

-

-

coc:alarm:listHandleHistories

Provides the permission to query the alarm handling history.

List

-

-

-

coc:alarm:get

Provides the permission to query alarm information.

Read

-

-

-

coc:ticket:list

Provides the permission to query incident tickets.

List

-

-

-

coc:ticket:create

Provides the permission to create incident tickets.

Write

-

-

-

coc:ticket:get

Provides the permission to query incident ticket details.

Read

-

-

-

coc:ticket:action

Provides the permission to process incident tickets.

Write

-

-

-

coc:ticket:delete

Provides the permission to delete incident tickets.

Write

-

-

-

coc:ticket:uploadFile

Provides the permission to upload attachments for incident tickets.

Write

-

-

-

coc:ticket:downloadFile

Provides the permission to download attachments for incident tickets.

Read

-

-

-

coc:ticket:listAuthorizable

Provides the permission to query authorized tickets.

List

-

-

-

coc:warroom:create

Provides the permission to create a war room.

Write

-

-

-

coc:ticket:update

Provides the permission to modify incident tickets.

Write

-

-

-

coc:ticket:getOperationHistories

Provides the permission to query the operation history of incident tickets.

List

-

-

-

coc:ticket:listActions

Provides the permission to query the list of operations that can be performed.

List

-

-

-

coc:warroom:list

Provides the permission to query the war room list.

List

-

-

-

coc:document:analyzeRisk

Provides the permission to analyze document risks.

Read

-

-

-

coc:document:get

Provides the permission to view document content.

Read

-

-

-

coc:document:getDocument

Provides the permission to query document details.

Read

document *

-

-

coc:document:create

Provides the permission to create a document.

Write

document *

-

-

coc:document:createDocument

Provides the permission to create a document.

Write

document *

-

-

coc:document:delete

Provides the permission to delete a document.

Write

document *

-

-

coc:document:deleteDocument

Provides the permission to delete a document.

Write

document *

-

-

coc:document:execute

Provides the permission to execute a document.

Write

document *

-

-

coc:document:update

Provides the permission to modify a document.

Write

document *

-

-

coc:document:updateDocument

Provides the permission to update a document.

Write

document *

-

-

coc:document:list

Provides the permission to query the document list.

List

document *

-

-

coc:document:listDocument

Provides the permission to query the document list.

List

-

-

-

coc:quota:get

Provides the permission to query quotas.

Read

-

-

-

coc:job:get

Provides the permission to query service ticket details.

Read

job *

-

-

-

coc:JobType

coc:job:action

Provides the permission to perform operations on service tickets.

Write

job *

-

-

-

coc:JobType

coc:job:list

Provides the permission to query the service ticket list.

List

-

job *

-

-

-

coc:JobType

coc:instance:autoBatchInstances

Provides the permission to automatically perform batch operations on instances.

Write

-

-

-

coc:documentAtomic:list

Provides the permission to query the atomic capability list of a document.

List

-

-

-

coc:documentAtomic:get

Provides the permission to query details about a document atomic capability.

Read

-

-

-

coc:execution:get

Provides the permission to execute service ticket details.

Read

-

-

-

coc:execution:listExecutionStep

Provides the permission to query the list of service ticket execution steps.

Read

-

-

-

coc:execution:list

Provides the permission to query the service ticket list.

List

-

-

-

coc:execution:listExecutionStepInstance

Provides the permission to query the list of service ticket execution steps.

Read

-

-

-

coc:execution:operate

Provides the permission to perform operations on a service ticket.

Write

-

-

-

coc:complianceReport:list

Provides the permission to query the compliance report list.

List

-

-

-

coc:complianceReport:get

Provides the permission to query compliance report details.

Read

-

-

-

coc:task:list

Provides the permission to query the O&M transaction list.

List

-

-

-

coc:task:count

Provides the permission to query the number of O&M transactions.

Read

-

-

-

coc:task:create

Provides the permission to create an O&M transaction.

Write

-

-

-

coc:task:get

Provides the permission to query the details of an O&M transaction.

Read

-

-

-

coc:task:accept

Provides the permission to accept an O&M transaction.

Write

-

-

-

coc:task:complete

Provides the permission to end an O&M transaction.

Write

-

-

-

coc:task:cancel

Provides the permission to cancel an O&M transaction.

Write

-

-

-

coc:tag:create

Provides the permission to create a tag.

Tagging

-

-

-

coc:tag:list

Provides the permission to query tags.

List

-

-

-

coc:instance:reinstallOS

Provides the permission to reinstall the ECS OS.

Write

instance

-

-

coc:instance:changeOS

Provides the permission to change the OS of an ECS.

Write

instance

-

-

coc:instance:scanOSCompliance

Provides the permission to scan server OS patches.

Read

instance *

-

coc:instance:installPatches

Provides the permission to install patches on an ECS.

Write

instance *

-

coc::listSSHKeypairs

Provides the permission to query SSH key pairs.

List

-

-

coc:system:listSSHKeypair

coc:personnel:list

Provides the permission to query personnel.

List

-

-

-

coc:personnel:add

Provides the permission to add personnel.

Write

-

-

-

coc:personnel:update

Provides the permission to update personnel information.

Write

-

-

-

coc:personnel:remove

Provides the permission to remove personnel.

Write

-

-

-

coc:patchBaseline:create

Provides the permission to create a patch baseline.

Write

-

-

-

coc:patchBaseline:list

Provides the permission to query the patch baseline list.

List

-

-

-

coc:patchBaseline:get

Provides the permission to query patch baseline details.

Read

-

-

-

coc:patchBaseline:opsSystemGet

Provides the permission to obtain OS baselines.

Read

-

-

-

coc:patchBaseline:updateCustomBaseline

Provides the permission to update a custom baseline patch.

Write

-

-

-

coc:patchBaseline:delete

Provides the permission to delete a patch baseline.

Write

-

-

-

coc:patchBaseline:update

Provides the permission to update a patch baseline.

Write

-

-

-

coc:patchBaseline:registerDefault

Provides the permission to set the default patch baseline.

Write

-

-

-

coc:patchBaseline:getDefault

Provides the permission to query the default patch baseline.

Read

-

-

-

coc:document:listRunbookAtomics

Provides the permission to query the atomic capability list of custom jobs.

List

-

-

-

coc:document:getRunbookAtomicDetails

Provides the permission to query the atomic capability details of custom jobs.

Read

-

-

-

coc:biStatistic:list

Provides the permission to query BI metric results.

Read

-

-

-

coc:integration:list

Provides the permission to query the integration configuration list.

List

-

-

-

coc:integration:get

Provides the permission to query integration configuration details.

Read

-

-

-

coc:integration:update

Provides the permission to modify integration configurations.

Write

-

-

-

coc:integration:access

Provides the permission to access integration configurations.

Write

-

-

-

coc:integration:enable

Provides the permission to enable integration configurations.

Write

-

-

-

coc:integration:disable

Provides the permission to disable integration configurations.

Write

-

-

-

coc:integration:remove

Provides the permission to remove integration configurations.

Write

-

-

-

coc:integration:getHistory

Provides the permission to query historical incident messages of integration configurations.

Read

-

-

-

coc:ticket:getEnumTypes

Provides the permission to query incident ticket enumeration type details.

Read

-

-

-

coc:ticket:listEnumTypes

Provides the permission to query the list of incident ticket enumerated types.

List

-

-

-

coc:ticket:listEnumValues

Provides the permission to query the list of enumerated values for an incident ticket.

List

-

-

-

coc:ticket:getEnumValues

Provides the permission to query the details of enumerated values for an incident ticket.

Read

-

-

-

coc:oncall:listScenes

Provides the permission to view on-call shift scenarios.

List

-

-

-

coc:oncall:createScene

Provides the permission to create on-call shift scenarios.

Write

-

-

-

coc:oncall:updateScene

Provides the permission to update on-call shift scenarios.

Write

-

-

-

coc:oncall:deleteScene

Provides the permission to delete on-call shift scenarios.

Write

-

-

-

coc:oncall:listRoles

Provides the permission to query on-call shift roles.

List

-

-

-

coc:oncall:createRole

Provides the permission to create on-call shift roles.

Write

-

-

-

coc:oncall:updateRole

Provides the permission to update on-call shift roles.

Write

-

-

-

coc:oncall:deleteRole

Provides the permission to delete on-call shift roles.

Write

-

-

-

coc:oncall:listPersonnels

Provides the permission to query on-call shift personnel.

List

-

-

-

coc:oncall:updatePersonnels

Provides the permission to update on-call shift personnel.

Write

-

-

-

coc:oncall:addPersonnels

Provides the permission to add on-call shift personnel.

Write

-

-

-

coc:oncall:removePersonnels

Provides the permission to remove on-call shift personnel.

Write

-

-

-

coc:region:list

Provides the permission to query the region list.

List

-

-

-

coc:site:list

Provides the permission to query the site list.

List

-

-

-

coc:customApplication:list

Provides the permission to query the custom application list.

List

-

-

-

coc:customApplication:get

Provides the permission to query the details about a custom application.

Read

-

-

-

coc:notificationRule:list

Provides the permission to query the notification rule list.

List

-

-

-

coc:notificationRule:get

Provides the permission to query notification rule details.

Read

-

-

-

coc:notificationRule:create

Provides the permission to create a notification rule.

Write

-

-

-

coc:notificationRule:update

Provides the permission to update a notification rule.

Write

-

-

-

coc:notificationRule:delete

Provides the permission to delete a notification rule.

Write

-

-

-

coc:notificationRule:enable

Provides the permission to enable a notification rule.

Write

-

-

-

coc:notificationRule:disable

Provides the permission to disable a notification rule.

Write

-

-

-

coc:notificationRule:confirm

Provides the permission to confirm a notification rule.

Write

-

-

-

coc:notification:listTypes

Provides the permission to query a notification type.

List

-

-

-

coc:notification:listModes

Provides the permission to query a notification method.

List

-

-

-

coc:notification:listTemplates

Provides the permission to query the notification template list.

List

-

-

-

coc:transferRule:list

Provides the permission to query the conversion rule list.

List

-

-

-

coc:transferRule:create

Provides the permission to create a conversion rule.

Write

-

-

-

coc:transferRule:get

Provides the permission to query the conversion rule details.

Read

-

-

-

coc:transferRule:update

Provides the permission to update a conversion rule.

Write

-

-

-

coc:transferRule:delete

Provides the permission to delete a conversion rule.

Write

-

-

-

coc:transferRule:enable

Provides the permission to enable a conversion rule.

Write

-

-

-

coc:transferRule:getHistory

Provides the permission to query the messages about incidents transferred recently.

Read

-

-

-

coc:transferRule:disable

Provides the permission to disable a conversion rule.

Write

-

-

-

coc:warroomMeetingRule:create

Provides the permission to create war room startup rules.

Write

-

-

-

coc:warroomMeetingRule:update

Provides the permission to update war room startup rules.

Write

-

-

-

coc:warroomMeetingRule:delete

Provides the permission to delete war room startup rules.

Write

-

-

-

coc:warroomMeetingRule:list

Provides the permission to query the war room startup rule list.

List

-

-

-

coc:warroomMeetingRule:get

Provides the permission to query the war room startup rule.

Read

-

-

-

coc:warroom:delete

Provides the permission to delete a war room.

Write

-

-

-

coc:warroom:getOperationHistory

Provides the permission to query the operation history of a war room.

Read

-

-

-

coc:warroom:addAffectedApplications

Provides the permission to add affected applications for a war room.

Write

-

-

-

coc:warroom:updateAffectedApplications

Provides the permission to update affected applications for a war room.

Write

-

-

-

coc:warroom:removeAffectedApplications

Provides the permission to remove affected applications from a war room.

Write

-

-

-

coc:warroom:listAffectedApplications

Provides the permission to query the affected application list of a war room.

List

-

-

-

coc:warroom:listConfigurations

Provides the permission to query the public enumeration configurations of a war room.

List

-

-

-

coc:warroom:get

Provides the permission to query war room details.

Read

-

-

-

coc:warroom:modifyBasicInformation

Provides the permission to modify basic war room information.

Write

-

-

-

coc:warroom:sendNotification

Provides the permission to update or send notifications in a war room.

Write

-

-

-

coc:warroom:sendNotificationBriefing

Provides the permission to send notification briefings in a war room.

Write

-

-

-

coc:warroom:addPersonnels

Provides the permission to add personnel in a war room.

Write

-

-

-

coc:warroom:removePersonnels

Provides the permission to remove personnel from a war room.

Write

-

-

-

coc:warroom:listRoles

Provides the permission to query the war room role list.

List

-

-

-

coc:warroom:addRolePersonnels

Provides the permission to add a role to a war room.

Write

-

-

-

coc:warroom:listNotificationTemplates

Provides the permission to query the war room notification template list.

List

-

-

-

coc:warroom:listMeetings

Provides the permission to query the war room meeting list.

List

-

-

-

coc:schedule:count

Provides the permission to query the number of scheduled tasks.

Read

schedule *

-

-

coc:schedule:approve

Provides the permission to review scheduled tasks.

Write

schedule *

g:EnterpriseProjectId

-

coc:instance:stop

Provides the permission to stop ECSs.

Write

instance

-

-

coc:instance:start

Provides the permission to start ECSs.

Write

instance

-

-

coc:instance:reboot

Provides the permission to restart ECSs.

Write

instance

-

-

coc:appkey:create

Provides the permission to create a mobile application key.

Write

-

-

-

coc:appkey:delete

Provides the permission to delete a mobile application key.

Write

-

-

-

coc:appkey:get

Provides the permission to view a mobile application key.

Read

-

-

-

coc:appkey:update

Provides the permission to update a mobile application key.

Write

-

-

-

coc:faultMode:create

Provides the permission to create a failure mode.

Write

faultMode *

-

-

coc:faultMode:update

Provides the permission to update a failure mode.

Write

faultMode *

-

coc:faultMode:get

Provides the permission to query details of a failure mode.

Read

faultMode *

-

coc:faultMode:delete

Provides the permission to delete a failure mode.

Write

faultMode *

-

coc:faultMode:list

Provides the permission to query the failure mode list.

List

faultMode *

-

-

coc:application:CreateResourceTopo

Provides the permission to create an application resource topology.

Write

application *

-

-

coc:application:GetResourceTopo

Provides the permission to view an application resource topology.

Read

application *

-

-

coc:application:CreateDiagnosisTask

Provides the permission to create an application resource diagnosis task.

Write

application *

-

-

coc:application:GetDiagnosisTaskDetails

Provides the permission to query application resource diagnosis tasks.

Read

application *

-

-

coc:contingencyPlan:create

Provides the permission to create contingency plans.

Write

contingencyPlan *

-

-

coc:contingencyPlan:get

Provides the permission to query contingency plan details.

Read

contingencyPlan *

-

coc:contingencyPlan:update

Provides the permission to modify contingency plans.

Write

contingencyPlan *

-

coc:contingencyPlan:delete

Provides the permission to delete contingency plans.

Write

contingencyPlan *

-

coc:contingencyPlan:list

Provides the permission to query contingency plans.

List

contingencyPlan *

-

-

coc:contingencyPlan:uploadFile

Provides the permission to upload attachments to contingency plans.

Write

-

-

-

coc:contingencyPlan:downloadFile

Provides the permission to download attachments from contingency plans.

Read

contingencyPlan *

-

coc:attackTask:create

Provides the permission to create an attack task.

Write

attackTask *

-

coc:attackTask:get

Provides the permission to view attack task details.

Read

attackTask *

-

coc:attackTask:list

Provides the permission to view the attack task list.

List

attackTask *

-

-

coc:attackTask:deleteRelatedRecords

Provides the permission to delete attack task records.

Write

attackTask *

-

-

coc:attackRecord:list

Provides the permission to view the attack record list.

List

attackRecord *

-

-

coc:attackTargetRecord:list

Provides the permission to view the execution record list of a disruption target.

List

attackTargetRecord *

-

-

coc:attackTargetRecord:operate

Provides the permission to retry execution records of a disruption target.

Write

attackTargetRecord *

coc:Creator

-

coc:drillTask:create

Provides the permission to create a drill task.

Write

drillTask *

coc:ApplicationCode

-

coc:drillTask:update

Provides the permission to modify a drill task.

Write

drillTask *

-

coc:drillTask:list

Provides the permission to view the drill task list.

List

drillTask *

-

-

coc:drillTask:get

Provides the permission to query drill task details.

Read

drillTask *

coc:Creator

-

coc:drillTask:delete

Provides the permission to delete drill tasks.

Write

drillTask *

coc:Creator

-

coc:drillTask:deleteRelatedRecords

Provides the permission to delete drill task records.

Write

drillTask *

-

-

coc:drillRecord:create

Provides the permission to start a drill.

Write

drillRecord *

coc:Creator

-

-

coc:drillRecord:get

Provides the permission to query drill record details.

Read

drillRecord *

coc:Creator

-

coc:drillReport:create

Provides the permission to create a drill report.

Write

-

-

-

coc:drillReport:update

Provides the permission to update a drill report.

Write

-

-

-

coc:drillReport:get

Provides the permission to query drill report details.

Read

-

-

-

coc:improvementTask:create

Provides the permission to create improvement items.

Write

-

-

-

coc:improvementTask:update

Provides the permission to handle improvement items.

Write

-

-

-

coc:improvementTask:list

Provides the permission to query improvement items.

List

-

-

-

coc:improvementTask:get

Provides the permission to query improvement item details.

Read

-

-

-

coc:drillPlan:create

Provides the permission to create a drill plan.

Write

-

-

-

coc:drillPlan:update

Provides the permission to update a drill plan.

Write

drillPlan *

-

coc:drillPlan:get

Provides the permission to query the details of a drill plan.

Read

drillPlan *

-

coc:drillPlan:list

Provides the permission to query the drill plan list.

List

-

-

-

coc:drillPlan:listDelay

Provides the permission to query the drill plan extension list.

List

-

-

-

coc:drillPlan:countStatus

Provides the permission to query the number of drill plans in a specified status.

Read

-

-

-

coc:drillPlan:countDelay

Provides the permission to query the number of postponed drills of a specified drill plan.

Read

-

-

-

coc:attackTarget:listCceNamespaces

Provides the permission to query the namespace list of CCE disruption targets.

List

-

-

-

coc:attackTarget:listCceWorkloads

Provides the permission to query the workload list of CCE attack targets.

List

-

-

-

coc:attackTarget:listCcePods

Provides the permission to query the pod list of CCE disruption targets.

List

-

-

-

coc:monitorMetric:list

Provides the permission to query the monitoring metric list.

List

-

-

-

coc:monitorMetricRecord:list

Provides the permission to query the monitoring metric data list.

List

-

-

-

coc:attackRecord:changeMetricType

Provides the permission to modify metric types in an attack record.

Write

attackRecord *

-

-

coc:prrTemplate:create

Provides the permission to create a PRR template.

Write

-

-

-

coc:prrTemplate:update

Provides the permission to modify a PRR template.

Write

-

-

-

coc:prrTemplate:list

Provides the permission to view a PRR template list.

List

-

-

-

coc:prrTemplate:get

Provides the permission to query PRR template details.

Read

-

-

-

coc:prrTemplate:delete

Provides the permission to delete a PRR template.

Write

-

-

-

coc::listPrrCheckItem

Provides the permission to view a PRR check item list.

List

-

-

coc:prrCheckItem:list

coc:prrReview:create

Provides the permission to start a PRR review.

Write

-

-

-

coc:prrReview:update

Provides the permission to continue to start a PRR review.

Write

-

-

-

coc:prrReview:list

Provides the permission to view a PRR review list.

List

-

-

-

coc:prrReview:get

Provides the permission to query PRR review details.

Read

-

-

-

coc:prrReview:recordSummary

Provides the permission to input PRR review minutes.

Write

-

-

-

coc:prrReview:auditResult

Provides the permission to input PRR review conclusions.

Write

-

-

-

coc:prrReview:delete

Provides the permission to cancel a PRR review.

Write

-

-

-

coc:prrReview:addImprovementTask

Provides the permission to add PRR improvement items.

Write

-

-

-

coc:instance:listAlarms

Provides the permission to query the alarm list of all resources.

List

-

-

-

coc:instance:getAlarms

Provides the permission to view the alarm list of a resource.

Read

-

-

-

coc:alarm:list

Provides the permission to query the alarm list.

List

-

-

-

coc:alarm:count

Provides the permission to query the number of alarms.

Read

-

-

-

coc:slaTemplate:list

Provides the permission to query the SLA template list.

List

slaTemplate *

-

-

coc:slaTemplate:get

Provides the permission to query SLA template details.

Read

slaTemplate *

-

-

coc:slaTemplate:create

Provides the permission to create an SLA template.

Write

slaTemplate *

-

-

coc:slaTemplate:delete

Provides the permission to delete an SLA template.

Write

slaTemplate *

-

-

coc:slaTemplate:enable

Provides the permission to enable an SLA template.

Write

slaTemplate *

-

-

coc:slaTemplate:disable

Provides the permission to disable an SLA template.

Write

slaTemplate *

-

-

coc:slaTemplate:update

Provides the permission to modify an SLA template.

Write

slaTemplate *

-

-

coc:slaRecord:list

Provides the permission to query the SLA service ticket list.

List

-

-

-

coc:slaRecord:get

Provides the permission to query the SLA service ticket details.

Read

-

-

-

coc:customDashboard:get

Provides the permission to query the custom dashboard.

Read

-

-

-

coc:customDashboard:update

Provides the permission to modify the custom dashboard.

Write

-

-

-

coc:agency:get

Provides the permission to query agency information about a tenant.

Read

-

-

-

coc:agency:create

Provides the permission to create a tenant agency.

Write

-

-

-

coc:parameter:create

Provides the permission to create a parameter.

Write

parameter *

coc:Creator

-

coc:parameter:update

Provides the permission to update a parameter.

Write

parameter *

coc:Creator

-

coc:parameter:get

Provides the permission to query parameter details.

Read

parameter *

coc:Creator

-

coc:parameter:delete

Provides the permission to delete parameters.

Write

parameter *

coc:Creator

-

coc:parameter:list

Provides the permission to query the parameter list.

List

parameter *

coc:Creator

-

coc:accountBaseline:create

Provides the permission to create an account baseline.

Write

accountBaseline *

-

coc:accountBaseline:list

Provides the permission to query the account baseline list.

List

accountBaseline *

-

-

coc:accountBaseline:listAccountList

Provides the permission to query the account list in the baseline.

List

accountBaseline *

-

-

coc:accountBaseline:deleteAccount

Provides the permission to delete accounts from a baseline.

Write

accountBaseline *

-

-

coc:accountBaseline:update

Provides the permission to modify account baselines.

Write

accountBaseline *

-

coc:accountBaseline:delete

Provides the permission to delete account baselines.

Write

accountBaseline *

-

-

coc:instance:getAccount

Provides the permission to query the list of managed accounts on a host.

List

instance

-

-

coc:instance:syncAccount

Provides the permission to synchronize accounts of hosts.

Write

instance *

g:EnterpriseProjectId

-

coc:instance:resetPassword

Provides the permission to reset the password of a host account.

Write

instance

g:EnterpriseProjectId

-

coc:instance:resetAccountPassword

Provides the permission to reset the password of a host account.

Write

instance

g:EnterpriseProjectId

-

coc:instance:createPasswordChangePlan

Provides the permission to create a password change plan.

Write

instance

g:EnterpriseProjectId

-

coc:instance:updateAccountPassword

Provides the permission to write back the password change result.

Write

instance

g:EnterpriseProjectId

-

coc:instance:addAccount

Provides the permission to import accounts of hosts.

Write

instance

g:EnterpriseProjectId

-

coc:instance:getAccountPassword

Provides the permission to query the account and password of a host.

Read

instance

g:EnterpriseProjectId

-

-

coc:instance:getHistoricalPassword

Provides the permission to query historical passwords of a host account.

Read

instance

g:EnterpriseProjectId

-

-

coc:instance:getPasswordChangeRecords

Provides the permission to query the password change records of a host account.

Read

instance

g:EnterpriseProjectId

-

coc::getAccountManagedStatus

Provides the permission to query the management step status.

Read

-

-

coc:account:getManagedStatus

coc::addAutoManagementRelations

Provides the permission to enable automatic management by component.

Write

-

-

coc:accountAutoManagement:addRelations

coc::getAutoManagementRelations

Provides the permission to query information about components for which automatic management is enabled.

List

-

-

coc:accountAutoManagement:getRelations

coc::deleteAutoManagementRelations

Provides the permission to disable automatic management by component.

Write

-

-

coc:accountAutoManagement:deleteRelations

coc::getAutoManagementStatus

Provides the permission to query whether the automatic management function is enabled.

Read

-

-

coc:accountAutoManagement:getStatus

coc::updateAutoManagementStatus

Provides the permission to update the automatic management status.

Write

-

-

coc:accountAutoManagement:updateStatus

coc::addEncryptionKey

Provides the permission to add an encryption key.

Write

-

-

coc:accountEncryptionKey:add

coc::listDEWKeys

Provides the permission to query existing DEW keys.

List

-

-

coc:accountEncryptionKey:listDEWKeys

coc::listEncryptionKey

Provides the permission to query added DEW keys.

List

-

-

coc:accountEncryptionKey:list

coc::enablePasswordChangePolicy

Provides the permission to enable a key change policy.

Write

-

coc:accountPasswordChangePolicy:enable

coc::getPasswordChangePolicy

Provides the permission to query enabled password change policies.

List

-

-

coc:accountPasswordChangePolicy:get

coc:incident:create

Provides the permission to create incident tickets using COC.

Write

-

-

-

coc:incident:handle

Provides the permission to handle incident tickets using COC.

Write

-

-

-

coc:incident:detail

Provides the permission to obtain incident ticket details using COC.

Read

-

-

-

coc:session:start

Provides the permission to log in to an ECS without a password.

Write

instance

g:EnterpriseProjectId

-

-

coc::disablePasswordChangePolicy

Provides the permission to disable a key change policy.

Write

-

-

coc:accountPasswordChangePolicy:disable

coc::createOrders

Provides the permission to create COC orders.

Write

-

-

coc:orders:create

coc::changeOrders

Provides the permission to update COC orders.

Write

-

-

coc:orders:change

coc::listQuotas

Provides the permission to query the list of purchased quotas.

List

-

-

coc:quotas:list

coc:alarm:put

Provides the permission to report COC alarms.

Write

-

-

-

coc:application:AddComponentInvokingRelationships

Provides the permission to create component relationships.

Write

application *

-

-

coc:application:RemoveComponentInvokingRelationships

Provides the permission to delete component connections.

Write

application *

-

-

coc:application:ListComponentInvokingRelationships

Provides the permission to view component connections.

Read

application *

-

-

coc:instance:updateResources

Provides the permission to update resource information.

Write

-

-

-

coc:instance:restartRDSInstance

Provides the permission to reboot an RDS DB instance.

Write

instance

g:EnterpriseProjectId

-

-

coc:instance:startRDSInstance

Provides the permission to enable an RDS DB instance.

Write

instance

g:EnterpriseProjectId

-

-

coc:instance:stopRDSInstance

Provides the permission to stop an RDS DB instance.

Write

instance

g:EnterpriseProjectId

-

-

coc:systemConfig:create

Provides the permission to create a system configuration.

Write

-

-

-

coc:systemConfig:list

Provides the permission to query the system configuration list.

List

-

-

-

coc:systemConfig:update

Provides the permission to update system configurations.

Write

-

-

-

coc:systemConfig:get

Provides the permission to display system configurations.

Read

-

-

-

coc:hostAccount:add

Provides the permission to add a hosting account.

Write

-

-

-

coc:hostAccount:list

Provides the permission to query SRE hosting accounts.

List

-

-

-

coc:hostAccount:update

Provides the permission to edit SRE hosting accounts.

Write

-

-

-

coc:hostAccount:delete

Provides the permission to delete SRE hosting accounts.

Write

-

-

-

coc:hostAccount:describe

Grants an account the permission to view its hosting account information.

Read

-

-

-

coc:hostAccount:enable

Grants an account the permission to enable the hosting service.

Write

-

-

-

coc:hostAccount:disable

Grants an account the permission to disable the hosting service.

Write

-

-

-

coc:slo:list

Provides the permission to query the SLO list.

List

-

-

-

coc:slo:createSloTarget

Provides the permission to create an SLO.

Write

-

-

-

coc:slo:deleteSloTarget

Provides the permission to delete an SLO.

Write

-

-

-

coc:slo:updateSloTarget

Provides the permission to update an SLO.

Write

-

-

-

coc:slo:getSloDetail

Provides the permission to query an SLO.

Read

-

-

-

coc:slo:listSli

Provides the permission to query the SLI list.

List

-

-

-

coc:slo:configureSli

Provides the permission to update the SLI list.

Write

-

-

-

coc:slo:createInterruptRecords

Provides the permission to create SLO interruption records.

Write

-

-

-

coc:slo:listInterruptRecords

Provides the permission to query SLO interruption records.

List

-

-

-

coc:slo:updateInterruptRecords

Provides the permission to update SLO interruption records.

Write

-

-

-

coc:slo:listInterruptRecordsChangeHistory

Provides the permission to query the change history of SLO interruption records.

List

-

-

-

coc:crossAccounts:authorize

Provides the permission to authorize cross-account management.

Write

-

-

-

coc:crossAccounts:listCrossAccounts

Provides the permission to query information about your own account in the cross-account management scenario.

List

-

-

-

coc:alarmRule:list

Provides the permission to query alarm rules.

List

-

-

-

coc:alarmRule:sync

Provides the permission to synchronize alarm rules.

Write

-

-

-

coc:alarmRule:put

Provides the permission to enable or disable alarm rules.

Write

-

-

-

coc:alarmRule:delete

Provides the permission to delete an alarm rule.

Write

-

-

-

coc:ticket:updateEnumValues

Provides the permission to update a child enumerated value.

Write

-

-

-

coc:ticket:createEnumValues

Provides the permission to create a child enumerated value.

Write

-

-

-

coc:ticket:deleteEnumValues

Provides the permission to delete a child enumerated value.

Write

-

-

-

coc:integration:create

Provides the permission to create integration configurations.

Write

-

-

-

coc:integration:downloadZabbixTemplate

Provides the permission to download the Zabbix template of an alarm source.

Read

-

-

-

coc:quickSetupConfigurations:create

Provides the permission to quickly configure global cloud service configuration scenarios.

Write

-

coc:QuickSetupType

-

coc::updateServiceConfigTask

Provides the permission to modify cloud service configuration tasks.

Write

-

-

coc:serviceConfigTask:update

coc::listServiceConfigTask

Provides the permission to query cloud service configuration tasks.

List

-

-

coc:serviceConfigTask:list

coc:instance:deleteResourceTags

Provides the permission to delete resource tags.

Write

-

-

-

coc::getBiSubscription

Provides the permission to query the BI subscription records.

Read

-

-

coc:biSubscription:get

coc::listBiSubscription

Provides the permission to query the BI subscription record list.

List

-

-

coc:biSubscription:list

coc::listBiSubscriptionHistory

Provides the permission to query the BI subscription history records.

List

-

-

coc:biSubscriptionHistory:list

coc::createBiSubscription

Provides the permission to create BI subscription records.

Write

-

-

coc:biSubscription:create

coc::deleteBiSubscription

Provides the permission to delete BI subscription records.

Write

-

-

coc:biSubscription:delete

coc::updateBiSubscription

Provides the permission to update BI subscription records.

Write

-

-

coc:biSubscription:update

coc:assessTask:list

Provides the permission to query the evaluation task list.

List

-

-

-

coc:assessTask:create

Provides the permission to create an evaluation task.

Write

-

coc:ApplicationCode

-

coc:assessTask:delete

Provides the permission to delete an evaluation task.

Write

-

-

-

coc:assessTask:countByStatus

Provides the permission to query the number of evaluation tasks by status.

Read

-

-

-

coc:assessTask:countReports

Provides the permission to view the number of evaluation reports of evaluation tasks.

Read

-

-

-

coc:assessTask:countDistributions

Provides the permission to view the distribution of evaluation tasks.

Read

-

-

-

coc:assessReport:delete

Provides the permission to delete an evaluation report.

Write

-

-

-

coc:assessReport:create

Provides the permission to create an evaluation report.

Write

-

-

-

coc:assessReport:get

Provides the permission to query evaluation report details.

Read

-

-

-

coc:assessReport:updateItemStatus

Provides the permission to modify the evaluation item status of an evaluation report.

Write

-

-

-

coc:assessReport:list

Provides the permission to query evaluation reports.

List

-

-

-

coc:product:list

Provides the permission to query the product list.

List

-

-

-

coc:product:get

Grants end users the permission to query product details.

Read

product *

-

-

coc:product:search

Provides the permission to query the product list.

List

-

-

-

coc:product:show

Provides the permission to query product details.

Read

product *

-

-

coc:product:create

Provides the permission to create a product.

Write

product *

-

-

coc:product:update

Provides the permission to update a product.

Write

product *

-

-

coc:product:delete

Provides the permission to delete a product.

Write

product *

-

-

coc:product:listVersions

Provides the permission to query product versions.

List

-

-

-

coc:product:getVersion

Provides the permission to query product version details.

Read

product *

-

-

coc:product:createVersion

Provides the permission to create a product version.

Write

product *

-

-

coc:product:updateVersion

Provides the permission to update a product version.

Write

product *

-

-

coc:product:deleteVersion

Provides the permission to delete a product version.

Write

product *

-

-

coc:portfolio:search

Provides the permission to query the list of product portfolios.

List

-

-

-

coc:portfolio:show

Provides the permission to query product portfolio details.

Read

portfolio *

-

-

coc:portfolio:create

Provides the permission to create a product portfolio.

Write

portfolio *

-

-

coc:portfolio:update

Provides the permission to update a product portfolio.

Write

portfolio *

-

-

coc:portfolio:delete

Provides the permission to delete a product portfolio.

Write

portfolio *

-

-

coc:portfolio:searchProductsForPortfolio

Provides the permission to query the relationship between a product portfolio and products.

List

-

-

-

coc:portfolio:associateProduct

Provides the permission to create relationships between product portfolios and products.

Write

portfolio *

-

-

coc:portfolio:disassociateProduct

Provides the permission to delete relationships between product portfolios and products.

Write

portfolio *

-

-

coc:portfolio:searchPrincipals

Provides the permission to query product portfolio authorization lists.

List

-

-

-

coc:portfolio:associatePrincipal

Provides the permission to associate a principal with a product portfolio.

Write

portfolio *

-

-

coc:portfolio:disassociatePrincipal

Provides the permission to disassociate a principal from a portfolio.

Write

portfolio *

-

-

coc:provisionedProduct:list

Provides the permission to query product instances.

List

-

-

-

coc:provisionedProduct:get

Provides the permission to query product instance details.

Read

provisionedProduct *

-

-

coc:provisionedProduct:listEvents

Provides the permission to query an incident resource stack of a product instance.

List

provisionedProduct *

-

-

coc:provisionedProduct:listResources

Provides the permission to query product instance resource stack resources.

List

provisionedProduct *

-

-

coc:provisionedProduct:create

Provides the permission to create a product instance.

Write

provisionedProduct *

-

-

coc:provisionedProduct:delete

Provides the permission to delete a product instance.

Write

provisionedProduct *

-

-

coc::getServiceCatalogRole

Provides the permission to verify a service catalog user role.

Read

-

-

coc:system:getServiceCatalogRole

coc::listQuickSetupConfiguration

Provides the permission to quickly obtain the configuration task list.

List

-

-

coc:system:listQuickSetupConfiguration

coc::getQuickSetupConfiguration

Provides the permission to quickly obtain the configuration task details.

Read

-

-

coc:system:getQuickSetupConfiguration

coc::createQuickSetupConfiguration

Provides the permission to quickly create configuration tasks.

Write

-

-

coc:system:createQuickSetupConfiguration

coc::listQuickSetupConfigurationTasks

Provides the permission to quickly obtain the subtask list of a task.

List

-

-

coc:system:listQuickSetupConfigurationTasks

coc::createNotificationGroup

Provides the permission to add a notification group.

Write

-

-

coc:system:createNotificationGroup

coc::updateNotificationGroup

Provides the permission to update a notification group.

Write

-

-

coc:system:updateNotificationGroup

coc::deleteNotificationGroup

Provides the permission to delete a notification group.

Write

-

-

coc:system:deleteNotificationGroup

coc::listNotificationGroup

Provides the permission to query a notification group.

List

-

-

coc:system:listNotificationGroup

coc::subscribeNotificationGroup

Provides the permission to subscribe to a notification group.

Write

-

-

coc:system:subscribeNotificationGroup

coc:product:createConstraint

Provides the permission to create a constraint.

Write

product *

-

coc:system:subscribeNotificationGroup

coc:product:deleteConstraint

Provides the permission to delete a constraint.

Write

product *

-

coc:system:subscribeNotificationGroup

coc:product:updateConstraint

Provides the permission to update a constraint.

Write

product *

-

coc:system:subscribeNotificationGroup

coc:product:getConstraint

Provides the permission to query constraint details.

Read

product *

-

coc:system:subscribeNotificationGroup

coc:product:listConstraint

Provides the permission to query the constraint list.

List

-

-

-

coc::getOSUpgradePath

Provides the permission to determine the upgrade configuration information based on the tenant upgrade path.

Read

-

-

coc:system:getOSUpgradePath

coc::getOSCustomScriptRuntimeParams

Provides the permission to obtain the custom script configuration information set by the tenant in the OS upgrade and rollback jobs.

Read

-

-

coc:system:getOSCustomScriptRuntimeParams

coc::updateOSCustomScriptRuntimeParams

Provides the permission to modify the custom script configuration information set by the tenant in the OS upgrade and rollback jobs.

Write

-

-

coc:system:updateOSCustomScriptRuntimeParams

coc:vm:upgradeOsVersion

Provides the permission to upgrade an OS version.

Write

instance

g:EnterpriseProjectId

coc:system:updateOSCustomScriptRuntimeParams

vm

-

coc:vm:rollbackOsVersion

Provides the permission to roll back an OS version.

Write

instance

g:EnterpriseProjectId

coc:system:updateOSCustomScriptRuntimeParams

vm

-

coc:sloBasicData:list

Provides the permission to query the basic data list.

List

-

-

-

coc:sloBasicData:create

Provides the permission to add basic data.

Write

-

-

-

coc:sloBasicData:update

Provides the permission to modify basic data.

Write

-

-

-

coc:sloBasicData:delete

Provides the permission to delete basic data.

Write

-

-

-

coc:sloDiagram:get

Provides the permission to query diagram details.

Read

sloDiagram *

-

coc:sloDiagram:create

Provides the permission to create a diagram.

Write

-

g:EnterpriseProjectId

-

coc:sloDiagram:list

Provides the permission to query diagram lists.

List

-

-

-

coc:sloDiagram:update

Provides the permission to modify diagrams.

Write

sloDiagram *

-

coc:sloDiagram:delete

Provides the permission to delete diagrams.

Write

sloDiagram *

-

coc::getTopology

Provides the permission to query topology details.

Read

-

-

coc:system:getTopology

coc::getTopologyDimension

Provides the permission to query topology dimension details.

Read

-

-

coc:system:getTopologyDimension

coc::getTopologyVertexDetails

Provides the permission to query historical metrics of vertices.

Read

-

-

coc:system:getTopologyVertexDetails

coc::getTopologyEdgeDetails

Provides the permission to query historical metrics of edges.

Read

-

-

coc:system:getTopologyEdgeDetails

coc::listTopologyConfigurations

Provides the permission to query topology configurations.

List

-

-

coc:system:listTopologyConfigurations

coc::createTopologyConfigurations

Provides the permission to create topology configurations.

Write

-

-

coc:system:createTopologyConfigurations

coc::updateTopologyConfigurations

Provides the permission to update topology configurations.

Write

-

-

coc:system:updateTopologyConfigurations

coc::listCrossAccountEnterpriseProjects

Provides the permission to query the enterprise project list of a specified tenant in cross-account scenarios.

List

-

-

coc:system:listCrossAccountEnterpriseProjects

coc::getUserIdentity

Provides the permission to query the identity of a login user.

Read

-

-

coc:system:getUserIdentit

coc:template:list

Provides the permission to query the template list.

List

-

-

-

coc:template:get

Provides the permission to query template details.

Read

template *

-

-

coc:template:create

Provides the permission to create a template.

Write

-

-

-

coc:template:update

Provides the permission to update a template.

Write

template *

-

-

coc:template:delete

Provides the permission to delete a template.

Write

template *

-

-

coc:template:listVersions

Provides the permission to query the template version list.

List

-

-

-

coc:template:getVersion

Provides the permission to query the template version details.

Read

template *

-

-

coc:template:searchAuthorizations

Provides the permission to query the template authorization list.

List

-

-

-

coc:template:createAuthorization

Provides the permission to add template authorization.

Write

template *

-

-

coc:template:deleteAuthorization

Provides the permission to delete template authorization.

Write

template *

-

-

coc:template:listConstraint

Provides the permission to query the template constraint list.

List

-

-

-

coc:template:createConstraint

Provides the permission to create a template constraint.

Write

template *

-

-

coc:template:updateConstraint

Provides the permission to update a template constraint.

Write

template *

-

-

coc:template:deleteConstraint

Provides the permission to delete a template constraint.

Write

template *

-

-

coc:templateInstance:create

Provides the permission to create a template instance.

Write

-

-

-

coc:templateInstance:list

Provides the permission to query the template instance list.

List

-

-

-

coc:templateInstance:get

Provides the permission to query the template instance details.

Read

templateInstance *

-

-

coc:templateInstance:listEvents

Provides the permission to query the incident list of a template instance.

List

templateInstance *

-

-

coc:templateInstance:listResources

Provides the permission to query the resource list of a template instance.

List

templateInstance *

-

-

coc:templateInstance:delete

Provides the permission to delete a template instance.

Write

templateInstance *

-

-

coc:templateInstance:createRetry

Provides the permission to retry template instance creation.

Write

-

-

-

coc::getBiBackboneNetworkTopo

Provides the permission to query the BI backbone network topology.

Read

-

-

coc:system:getBiBackboneNetworkTopo

coc::updateBiBackboneNetworkTopo

Provides the permission to modify the BI backbone network topology.

Write

-

-

coc:system:updateBiBackboneNetworkTopo

coc::getBiBackboneNetworkTraffic

Provides the permission to obtain backbone network traffic data.

Read

-

-

coc:system:getBiBackboneNetworkTraffic

coc::refreshBiBackboneNetworkTopo

Provides the permission to refresh the backbone network topology.

Write

-

-

coc:system:refreshBiBackboneNetworkTopo

coc::getBiBackboneNetworkMetrics

Provides the permission to obtain backbone network bandwidth data.

Read

-

-

coc:system:getBiBackboneNetworkMetrics

coc::getBiScreenConfig

Provides the permission to obtain BI dashboard configuration parameters.

Read

-

-

coc:system:getBiScreenConfig

coc::updateBiScreenConfig

Provides the permission to modify BI dashboard configurations.

Write

-

-

coc:system:updateBiScreenConfig

coc::getBiResourceAlarmResourceInfos

Provides the permission to obtain resource information from the resource alarm dashboard.

Read

-

-

coc:system:getBiResourceAlarmResourceInfos

coc::getBiResourceAlarmAlarmInfos

Provides the permission to obtain alarm information from the resource alarm dashboard.

Read

-

-

coc:system:getBiResourceAlarmAlarmInfos

coc::createAlarmFilterTemplate

Provides the permission to create an original alarm filter template.

Write

-

-

coc:system:createAlarmFilterTemplate

coc::deleteAlarmFilterTemplate

Provides the permission to delete an original alarm filter template.

Write

-

-

coc:system:deleteAlarmFilterTemplate

coc::listAlarmFilterTemplate

Provides the permission to query the original alarm filter template list.

List

-

-

coc:system:listAlarmFilterTemplate

coc::getResourceTopology

Provides the permission to query resource topology details.

Read

-

-

coc:system:getResourceTopology

coc::listConfigurationItem

Provides the permission to view the configuration item list.

List

-

-

coc:system:listConfigurationItem

coc:ciRelationshipBaseline:create

Provides the permission to create a new configuration item relationship baseline.

Write

-

-

-

coc:ciRelationshipBaseline:delete

Provides the permission to delete an existing configuration item relationship baseline.

Write

ciRelationshipBaseline *

-

-

coc:ciRelationshipBaseline:get

Provides the permission to view the details of a configuration item relationship baseline.

Read

ciRelationshipBaseline *

-

-

coc:ciRelationshipBaseline:list

Provides the permission to view the list of configuration item relationship baselines.

List

-

-

-

coc:ciRelationshipBaseline:update

Provides the permission to update an existing configuration item relationship baseline.

Write

ciRelationshipBaseline *

-

-

Each API of COC usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by APIs

API

Action

Related Action

GET /v1/resources/count

coc:instance:countResources

-

GET /v1/applications

coc:application:list

-

POST /v1/applications

coc:application:create

-

PUT /v1/applications/{id}

coc:application:update

-

DELETE /v1/applications/{id}

coc:application:delete

-

POST /v1/groups

coc:application:createGroup

-

GET /v1/groups

coc:application:listGroups

-

PUT /v1/groups/{id}

coc:application:updateGroup

-

DELETE /v1/groups/{id}

coc:application:deleteGroup

-

POST /v1/groups/{id}/sync

coc:application:syncGroupResource

-

PUT /v1/group-resource-relations

coc:application:updateResources

-

POST /v1/group-resource-relations

coc:application:addResources

-

DELETE /v1/group-resource-relations

coc:application:removeResources

-

GET /v1/group-resource-relations

coc:application:listResources

-

GET /v1/group-resource-relations/count

coc:application:countResourceRelations

-

POST /v1/other-resources/import

coc:instance:syncResources

-

POST /v1/components

coc:application:create

-

GET /v1/components

coc:application:list

-

PUT /v1/components/{id}

coc:application:update

-

DELETE /v1/components/{id}

coc:application:delete

-

GET /v1/application-view/search

coc:application:list

-

POST /v1/capacity

coc:application:getCapacity

-

GET /v1/capacity/order

coc:application:getSortedCapacity

-

POST /v1/vendor-account

coc:vendorAccount:create

-

GET /v1/vendor-account

coc:vendorAccount:list

-

PUT /v1/vendor-account

coc:vendorAccount:update

-

DELETE /v1/vendor-account

coc:vendorAccount:delete

-

GET /v1/multicloud-resources/count

coc:instance:countResources

-

POST /v1/multicloud-resources/sync

coc:instance:syncResources

-

GET /v1/resource/views

coc:resourceView:list

-

POST /v1/resource/views

coc:resourceView:create

-

PUT /v1/resource/views/{id}

coc:resourceView:update

-

DELETE /v1/resource/views/{id}

coc:resourceView:delete

-

POST /v1/resource/views/{id}/sync

coc:resourceView:syncResources

-

GET /v1/resource/views/resources

coc:resourceView:listResources

-

GET /v1/resource/views/resources/count

coc:resourceView:countResources

-

GET /v1/other-resources

coc:instance:listResources

-

DELETE /v1/other-resources

coc:instance:syncResources

-

PUT /v1/other-resources/{id}

coc:instance:syncResources

-

GET /v1/other-resources/count

coc:instance:countOtherResources

-

GET /v1/resources/{resource_id}/tags

coc:instance:listTagsForResource

-

POST /v1/resources/{resource_id}/tags

coc:instance:addResourceToTags

-

POST /v1/resources/uniagent/sync

coc:instance:syncResources

-

POST /v1/other-resources/uniagent/sync

coc:instance:syncResources

-

GET /v1/enterprise-project-collect

coc::listEpsCollection

-

PUT /v1/enterprise-project-collect

coc::updateEpsCollection

-

GET /v1/multicloud-resources/last-sync-status

coc::getLastSyncStatus

-

GET /v1/jobs/{job_id}

coc::getResourceSyncJobDetail

-

GET /v1/multicloud-resources

coc:instance:listResources

-

GET /v1/application-model/next

coc:application:listModel

-

POST /v1/application-view/batch-create

coc:application:create

-

GET /v1/resources

coc:instance:listResources

-

GET /v1/resources/multi-count

coc:instance:countResources

-

POST /v1/schedule/task

coc:schedule:create

iam:agencies:pass

(Provides the permission to pass an agency to a cloud service.)

GET /v1/schedule/task

coc:schedule:list

-

PUT /v1/schedule/task/{task_id}

coc:schedule:update

iam:agencies:pass

(Provides the permission to pass an agency to a cloud service.)

GET /v1/schedule/task/{task_id}

coc:schedule:get

-

DELETE /v1/schedule/task/{task_id}

coc:schedule:delete

-

POST /v1/schedule/task/{task_id}/enable

coc:schedule:enable

-

POST /v1/schedule/task/{task_id}/disable

coc:schedule:disable

-

GET /v1/schedule/task/history

coc:schedule:getHistories

-

POST /v1/alarm-mgmt/alarm/{alarm_id}/auto-process

coc:instance:executeDocument

-

POST /v1/alarm-mgmt/alarms/cancel

coc:alarm:clear

-

POST /v1/alarm-mgmt/alarms-linked-incident

coc:alarm:createAlarmLinkedIncident

-

GET /v1/alarm-mgmt/alarm/{alarm_id}/handle-histories

coc:alarm:listHandleHistories

-

GET /v1/alarm-mgmt/alarm/{alarm_id}

coc:alarm:get

-

POST /v2/incidents/{incident_id}/actions

coc:ticket:action

-

POST /v2/incidents/list

coc:ticket:list

-

POST /v2/incidents/{incident_id}/histories

coc:ticket:getOperationHistories

-

GET /v2/incidents/{incident_id}/tasks

coc:ticket:listActions

-

POST /v1/external/incident/create

coc:ticket:create

-

POST /v1/external/incident/attachments

coc:ticket:uploadFile

-

POST /v1/external/incident/handle

coc:ticket:action

-

POST /v1/external/{ticket_type}/list-histories

coc:ticket:getOperationHistories

-

POST /v1/external/list/authorizable-tickets

coc:ticket:listAuthorizable

-

GET /v1/incident-tickets

coc:ticket:list

-

GET /v1/external/incident/{incident_num}

coc:ticket:get

-

POST /v1/external/issues/create

coc:ticket:create

-

GET /v1/external/issues/{ticket_id}

coc:ticket:get

-

POST /v1/external/warrooms

coc:warroom:create

-

POST /v1/external/warrooms/list

coc:warroom:list

-

POST /v1/instances/batches

coc:instance:autoBatchInstances

-

POST /v1/job/analyze-job

coc:document:analyzeRisk

-

POST /v1/job/scripts/{script_uuid}

coc:instance:executeDocument

-

POST /v1/job/public-scripts/{script_uuid}

coc:instance:executeDocument

-

GET /v1/job/scripts

coc:document:list

-

GET /v1/job/scripts/{script_uuid}

coc:document:get

-

POST /v1/job/scripts

coc:document:create

-

PUT /v1/job/scripts/{script_uuid}

coc:document:update

-

DELETE /v1/job/scripts/{script_uuid}

coc:document:delete

-

POST /v1/job/scripts/{script_uuid}/action

coc:document:update

-

GET /v1/job/public-scripts

coc:document:list

-

GET /v1/job/public-scripts/{script_uuid}

coc:document:get

-

GET /v1/job/script/orders

coc:job:list

-

GET /v1/job/script/orders/{execute_uuid}

coc:job:get

-

GET /v1/job/script/orders/{execute_uuid}/batches/{batch_index}

coc:job:get

-

GET /v1/job/script/orders/{execute_uuid}/batches

coc:job:get

-

GET /v1/job/script/orders/{execute_uuid}/statistics

coc:job:get

-

PUT /v1/job/script/orders/{execute_uuid}/operation

coc:job:action

-

GET /v1/documents

coc:document:createDocument

-

POST /v1/documents

coc:document:listDocument

-

GET /v1/atomics

coc:documentAtomic:list

-

GET /v1/atomics/{atomic_unique_key}

coc:documentAtomic:get

-

PUT /v1/documents/{document_id}

coc:document:updateDocument

-

POST /v1/documents/{document_id}

coc:document:execute

-

GET /v1/documents/{document_id}

coc:document:getDocument

-

DELETE /v1/documents/{document_id}

coc:document:deleteDocument

-

GET /v1/executions/{execution_id}

coc:execution:get

-

GET /v1/executions/{execution_id}/steps

coc:execution:listExecutionStep

-

GET /v1/executions

coc:execution:list

-

GET /v1/executions/instances

coc:execution:listExecutionStepInstance

-

POST /v1/executions

coc:execution:operate

-

GET /v1/patch/instance/compliant

coc:complianceReport:list

-

GET /v1/patch/instance/compliant/{instance_compliant_id}

coc:complianceReport:get

-

Resource Types (Resource)

A resource type indicates the resources to which an identity policy applies. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in a policy to define resource types.

The following table lists the resource types that you can define in policy statements for COC.

Table 3 Resource types supported by COC

| Resource Type | URN |
| --- | --- |
| instance | ecs:<region>:<account-id>:instance:<server-id>; bms:<region>:<account-id>:instance:<server-id>; rds:<region>:<account-id>:instance:<server-id>; gaussdb:<region>:<account-id>:instance:<server-id> |
| document | coc::<account-id>:document:<document-name> |
| application | coc::<account-id>:application:<application-code> |
| resourceView | coc::<account-id>:resourceView:<resourceViewId> |
| schedule | coc::<account-id>:schedule:<schedule-id> |
| job | coc::<account-id>:job:<job-id> |
| faultMode | coc::<account-id>:faultMode:<fault-mode-id> |
| contingencyPlan | coc::<account-id>:contingencyPlan:<contingency-plan-id> |
| attackTask | coc::<account-id>:attackTask:<attack-task-name> |
| attackRecord | coc::<account-id>:attackRecord:<attack-record-id> |
| drillTask | coc::<account-id>:drillTask:<drill-task-id> |
| attackTargetRecord | coc::<account-id>:attackTargetRecord:<attack-target-record-id> |
| drillRecord | coc::<account-id>:drillRecord:<drill-record-id> |
| drillPlan | coc::<account-id>:drillPlan:<drill-plan-id> |
| slaTemplate | coc::<account-id>:slaTemplate:<sla_template-id> |
| parameter | coc:<region>:<account-id>:parameter:<parameter-name> |
| accountBaseline | coc::<account-id>:accountBaseline:<account_baseline_id> |
| provisionedProduct | coc::<account-id>:provisionedProduct:<provisioned-product-id> |
| product | coc::<account-id>:product:<product-id> |
| portfolio | coc::<account-id>:portfolio:<portfolio-id> |
| sloDiagram | coc::<account-id>:sloDiagram:<diagram-id> |
| template | coc::<account-id>:template:<template-id> |
| templateInstance | coc::<account-id>:templateInstance:<template-instance-id> |
| vm | coc::<account-id>:vm:<supplier>/<resource-id> |
| ciRelationshipBaseline | coc::<account-id>:ciRelationshipBaseline:<template-instance-id> |

Conditions

A condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, bms:) only apply to operations of the COC service. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For details about supported operators, see Condition operators.

The following table lists the condition keys that you can define in identity policies for COC. You can include these condition keys to specify conditions for when your identity policy is in effect.

Table 4 Service-specific condition keys supported by COC

| Service-specific condition key | Type | Single-valued/Multivalued | Description |
| --- | --- | --- | --- |
| coc:TicketLevel | String | Single-valued | Filters access based on the ticket level in the request parameter. |
| coc:TicketCurrentHandlers | String | Multivalued | Filters access based on the ticket operator in the request parameter. |
| coc:TicketStatus | String | Single-valued | Filters access based on the ticket status in the request parameter. |
| coc:TicketType | String | Single-valued | Filters access based on the ticket type in the request parameter. |
| coc:TicketBeginTime | date | Single-valued | Filters access based on the ticket start time in the request parameter. |
| coc:TicketEndTime | date | Single-valued | Filters access based on the ticket end time in the request parameter. |
| coc:OperatorName | String | Single-valued | Filters access based on the operator in the request parameter. |
| coc:RequestTarget | String | Single-valued | Filters access based on the privilege escalation application in the request parameter. |
| coc:TicketTarget | String | Multivalued | Filters access based on the ticket application in the request parameter. |
| coc:TicketScope | String | Multivalued | Filters access based on the ticket scope in the request parameter. |
| coc:RequestScope | String | Single-valued | Filters access based on the privilege escalation scope in the request. |
| coc:EscapeSwitchIsEnabled | boolean | Single-valued | Filters access based on the escape feature in the request parameter. |
| coc:Creator | String | Single-valued | Filters access based on the creator of the resource in COC. |
| coc:Executor | String | Single-valued | Filters access based on the executor specified by the service ticket in COC. |
| coc:DocumentRiskLevel | String | Single-valued | Filters access based on the document risk level specified in the request parameter. |
| coc:JobType | String | Single-valued | Filters access based on the service ticket type specified in the request parameter. |
| coc:ApplicationCode | String | Multivalued | Filters access based on the application code specified in the request parameter. |
| coc:ApplicationGroupCode | String | Single-valued | Filters access based on the application group code specified in the request parameter. |
| coc:AttackTargetType | String | Single-valued | Filters access based on the attack target type specified in the request parameter. |
| coc:QuickSetupType | String | Single-valued | Filters access based on the request configuration type specified in the request parameter. |
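A small policy linter built from the tables on this page, added here as an example and not part of the original reference: it flags actions granted without their iam:agencies:pass dependency, resource URNs that do not fit Table 3, and coc: condition keys that are not in Table 4. The policy shape (Statement, Effect, Action and Resource as lists, Condition), the StringEquals operator and all sample values are assumptions.

```python
from fnmatch import fnmatchcase

# Dependencies column of the action table: these actions also need iam:agencies:pass.
DEPENDS_ON = dict.fromkeys(["coc:schedule:create", "coc:schedule:update"], "iam:agencies:pass")
# Table 3 types whose URN is coc::<account-id>:<type>:<id> (empty region field).
COC_GLOBAL = set("""document application resourceView schedule job faultMode
    contingencyPlan attackTask attackRecord drillTask attackTargetRecord drillRecord
    drillPlan slaTemplate accountBaseline provisionedProduct product portfolio
    sloDiagram template templateInstance vm ciRelationshipBaseline""".split())
# Table 3 types whose URN carries a region, with the service prefixes listed for them.
REGIONAL = {"instance": {"ecs", "bms", "rds", "gaussdb"}, "parameter": {"coc"}}
# Table 4 service-specific condition keys.
COC_KEYS = {"coc:" + k for k in """TicketLevel TicketCurrentHandlers TicketStatus
    TicketType TicketBeginTime TicketEndTime OperatorName RequestTarget TicketTarget
    TicketScope RequestScope EscapeSwitchIsEnabled Creator Executor DocumentRiskLevel
    JobType ApplicationCode ApplicationGroupCode AttackTargetType QuickSetupType""".split()}

def check_urn(urn):
    """Return an error string if the URN does not fit Table 3, else None."""
    parts = urn.split(":", 4)
    if urn == "*" or len(parts) != 5:
        return None if urn == "*" else f"malformed URN: {urn}"
    service, region, _account, rtype, _resource_id = parts
    if rtype in REGIONAL:
        ok = service in REGIONAL[rtype] and region != ""
    else:
        ok = service == "coc" and region == "" and rtype in COC_GLOBAL
    return None if ok else f"URN does not match Table 3: {urn}"

def lint_policy(policy):
    findings, allowed = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            allowed += stmt.get("Action", [])
        findings += filter(None, map(check_urn, stmt.get("Resource", ["*"])))
        for keys in stmt.get("Condition", {}).values():
            findings += [f"unknown condition key: {k}" for k in keys
                         if k.startswith("coc:") and k not in COC_KEYS]
    for action, dep in DEPENDS_ON.items():
        granted = any(fnmatchcase(action, p) for p in allowed)
        if granted and not any(fnmatchcase(dep, p) for p in allowed):
            findings.append(f"{action} is allowed without {dep}")
    return findings

# Constructed sample in an assumed policy shape; account ID and region are made up.
SAMPLE = {"Statement": [{"Effect": "Allow",
    "Action": ["coc:schedule:create", "coc:schedule:get"],
    "Resource": ["coc:example-region:0123456789abcdef:schedule:*"],
    "Condition": {"StringEquals": {"coc:Creater": ["ops-admin"]}}}]}
```

The dependency check looks only at the policy it is given, so a finding there means the permission to pass an agency must come from another attached policy, which is worth confirming during a least-privilege review.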