Actions Supported by Policy-based Authorization
This section describes the actions supported policy-based authorization for EdgeSec.
Supported Actions
EdgeSec provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The common concepts related to policies are as follows:
- Permissions: statements that allow or deny specific operations on specified resources under specific conditions.
- APIs: APIs that can be called by a custom policy
- Actions: specific operations that are allowed or denied.
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.
Table 1 describes the custom policy authorization items supported by EdgeSec.
Lifecycle Management
|
Permission |
API |
Action |
IAM Project (Project) |
Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
|
Querying the list of DDoS attack logs |
GET /v1/edgesec/log/ddos-attack-logs |
edgesec:log:get |
√ |
× |
|
Querying the list of protected domain names |
GET /v1/edgesec/configuration/domains |
edgesec:wafDomain:list |
√ |
√ |
|
Creating a domain name to be protected |
POST /v1/edgesec/configuration/domains |
edgesec:wafDomain:create |
√ |
√ |
|
Updating a protected domain name |
PUT /v1/edgesec/configuration/domains/{domain_id} |
edgesec:wafDomain:put |
√ |
√ |
|
Deleting a protected domain |
DELETE /v1/edgesec/configuration/domains/{domain_id} |
edgesec:wafDomain:delete |
√ |
√ |
|
Querying details about a protected domain name |
GET /v1/edgesec/configuration/domains/{domain_id} |
edgesec:wafDomain:get |
√ |
√ |
|
Querying precise protection rules |
GET /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule |
edgesec:wafCustomRule:list |
√ |
× |
|
Creating a precise protection rule |
POST /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule |
edgesec:wafCustomRule:create |
√ |
× |
|
Updating precise protection rules in batches |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/batch-update |
edgesec:wafCustomRule:put |
√ |
× |
|
Querying a precise protection rule |
GET /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/{rule_id} |
edgesec:wafCustomRule:get |
√ |
× |
|
Updating a precise protection rule |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/{rule_id} |
edgesec:wafCustomRule:put |
√ |
× |
|
Deleting a precise protection rule |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/{rule_id} |
edgesec:wafCustomRule:delete |
√ |
× |
|
Querying the IP address blacklist and whitelist rules |
GET /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule |
edgesec:wafWhiteBlackIpRule:list |
√ |
× |
|
Adding an IP address blacklist or whitelist rule |
POST /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule |
edgesec:wafWhiteBlackIpRule:create |
√ |
× |
|
Querying the IP address blacklist or whitelist rules |
GET /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule/{rule_id} |
edgesec:wafWhiteBlackIpRule:get |
√ |
× |
|
Updating an IP address blacklist or whitelist rule |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule/{rule_id} |
edgesec:wafWhiteBlackIpRule:put |
√ |
× |
|
Deleting an IP address blacklist or whitelist rule |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule/{rule_id} |
edgesec:wafWhiteBlackIpRule:delete |
√ |
× |
|
Querying the CC attack protection rule list |
GET /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule |
edgesec:wafCcRule:list |
√ |
× |
|
Creating a CC attack protection rule |
POST /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule |
edgesec:wafCcRule:create |
√ |
× |
|
Updating CC attack protection rules in batches |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/batch-update |
edgesec:wafCcRule:put |
√ |
× |
|
Querying a CC attack protection rule |
GET /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/{rule_id} |
edgesec:wafCcRule:get |
√ |
× |
|
Updating a CC attack protection rule |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/{rule_id} |
edgesec:wafCcRule:put |
√ |
× |
|
Deleting a CC attack protection rule |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/{rule_id} |
edgesec:wafCcRule:delete |
√ |
× |
|
Querying false alarm masking rules |
GET /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule |
edgesec:wafIgnoreRule:list |
√ |
× |
|
Creating a false alarm masking rule |
POST /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule |
edgesec:wafIgnoreRule:create |
√ |
× |
|
Querying a false alarm masking rule |
GET /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id} |
edgesec:wafIgnoreRule:get |
√ |
× |
|
Updating a false alarm masking rule |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id} |
edgesec:wafIgnoreRule:put |
√ |
× |
|
Deleting a false alarm masking rule |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id} |
edgesec:wafIgnoreRule:delete |
√ |
× |
|
Resetting a false alarm masking rule |
POST /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id}/recount |
edgesec:wafIgnoreRule:recount |
√ |
× |
|
Querying protection policies |
GET /v1/edgesec/configuration/http/policies |
edgesec:wafPolicy:list |
√ |
× |
|
Creating a protection policy |
POST /v1/edgesec/configuration/http/policies |
edgesec:wafPolicy:create |
√ |
× |
|
Querying a protection policy |
GET /v1/edgesec/configuration/http/policies/{policy_id} |
edgesec:wafPolicy:get |
√ |
× |
|
Updating a protection policy |
PUT /v1/edgesec/configuration/http/policies/{policy_id} |
edgesec:wafPolicy:put |
√ |
× |
|
Deleting a protection policy |
DELETE /v1/edgesec/configuration/http/policies/{policy_id} |
edgesec:wafPolicy:delete |
√ |
× |
|
Updating the domain names to which a protection policy applies |
POST /v1/edgesec/configuration/http/policies/{policy_id}/hosts |
edgesec:wafPolicyDomain:put |
√ |
× |
|
Updating the protection policy rule switch |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/{rule_type}/{rule_id}/status |
edgesec:wafPolicyRuleStatus:put |
√ |
× |
|
Querying the list of known attack source rules |
GET /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule |
edgesec:wafPunishmentRule:list |
√ |
× |
|
Creating a known attack source rule |
POST /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule |
edgesec:wafPunishmentRule:create |
√ |
× |
|
Querying a known attack source rule |
GET /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule/{rule_id} |
edgesec:wafPunishmentRule:get |
√ |
× |
|
Updating a known attack source rule |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule/{rule_id} |
edgesec:wafPunishmentRule:put |
√ |
× |
|
Deleting a known attack source rule |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule/{rule_id} |
edgesec:wafPunishmentRule:delete |
√ |
× |
|
Querying the IP address group list |
GET /v1/edgesec/configuration/http/ip-groups |
edgesec:wafIpGroup:list |
√ |
× |
|
Creating an IP address group |
POST /v1/edgesec/configuration/http/ip-groups |
edgesec:wafIpGroup:create |
√ |
× |
|
Querying IP address groups |
GET /v1/edgesec/configuration/http/ip-groups/{ip_group_id} |
edgesec:wafIpGroup:get |
√ |
× |
|
Updating an IP address group |
PUT /v1/edgesec/configuration/http/ip-groups/{ip_group_id} |
edgesec:wafIpGroup:put |
√ |
× |
|
Deleting an IP address group |
DELETE /v1/edgesec/configuration/http/ip-groups/{ip_group_id} |
edgesec:wafIpGroup:delete |
√ |
× |
|
Querying the reference table list |
GET /v1/edgesec/configuration/http/reference-table |
edgesec:wafValueList:list |
√ |
× |
|
Creating a reference table |
POST /v1/edgesec/configuration/http/reference-table |
edgesec:wafValueList:create |
√ |
× |
|
Querying the reference table list |
GET /v1/edgesec/configuration/http/reference-table/{table_id} |
edgesec:wafValueList:get |
√ |
× |
|
Updating a reference table |
PUT /v1/edgesec/configuration/http/reference-table/{table_id} |
edgesec:wafValueList:put |
√ |
× |
|
Deleting a reference table |
DELETE /v1/edgesec/configuration/http/reference-table/{table_id} |
edgesec:wafValueList:delete |
√ |
× |
|
Querying HTTP attack distribution |
GET /v1/edgesec/stat/http-attack-distribution |
edgesec:statistics:get |
√ |
√ |
|
Querying the HTTP attack timeline |
GET /v1/edgesec/stat/http-attack-timelines |
edgesec:statistics:get |
√ |
√ |
|
Querying HTTP top N statistics |
GET /v1/edgesec/stat/http-attack-top |
edgesec:statistics:get |
√ |
√ |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
