Updated on 2025-11-06 GMT+08:00

Checking Whether a Policy Has New Access

Function

This API is used to check whether a new version of a policy grants any access that the existing policy does not. It compares the two policy documents and reports, per statement, where new access is introduced.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the following required identity policy-based permissions. For details about the required permissions, see Permissions Policies and Supported Actions.

Action                            Access Level   Resource Type (*: required)   Condition Key   Alias   Dependencies
AccessAnalyzer::checkNoNewAccess  Read           -                             -               -       -

URI

POST /v5/policies/check-no-new-access

Request Parameters

Table 1 Request body parameters

Parameter                 Mandatory   Type     Description
existing_policy_document  Yes         String   JSON policy document currently in effect, passed as a JSON-encoded string.
new_policy_document       Yes         String   JSON policy document proposed to replace it, passed as a JSON-encoded string.
policy_type               Yes         String   Type of the policy to be validated:
                                               identity_policy (identity policy),
                                               agency_trust_policy (agency trust policy),
                                               bucket_policy (bucket policy).

Response Parameters

Status code: 200

Table 2 Response body parameters

Parameter     Type                                     Description
message       String                                   Human-readable statement of whether the updated policy allows new access.
check_result  String                                   Result of the check:
                                                       pass (there are no new access permissions),
                                                       fail (new access permissions are added).
reasons       Array of CheckNoNewAccessReason objects  One entry per statement that introduces new access (see Table 3).

Table 3 CheckNoNewAccessReason

Parameter        Type      Description
description      String    Explanation of why the statement was flagged as granting new access.
statement_id     String    SID of the new permission statement.
statement_index  Integer   Index of the new permission statement in the Statement array, starting from 0. Minimum: 0

Example Requests

Checking whether a policy has new access

POST https://{hostname}/v5/policies/check-no-new-access

{
  "existing_policy_document" : "{\"Version\":\"5.0\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"iam:users:createUserV5\"]}]}",
  "new_policy_document" : "{\"Version\":\"5.0\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"iam:users:createUserV5\",\"obs:bucket:createBucket\"]}]}",
  "policy_type" : "identity_policy"
}

Example Responses

Status code: 200

OK

{
  "check_result" : "fail",
  "message" : "The modified permissions grant new access compared to your existing policy.",
  "reasons" : [ {
    "description" : "New access in the statement with sid: {statement_sid}.",
    "statement_index" : 0,
    "statement_id" : "{statement_sid}"
  } ]
}
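The following Python helper is an added example and is not part of this page or of any service SDK. It shows the two things practitioners most often get wrong with this API: the policy documents are sent as JSON-encoded strings inside the request body (so they must be serialized twice, which json.dumps handles without hand-written escaping), and a "fail" response should block a change pipeline while any unexpected check_result is treated as an error rather than a pass. The endpoint path, field names and the sample policies come from this page; the hostname, the X-Auth-Token header name and the sample response are assumptions constructed for the example.

```python
import json
import urllib.request

# Endpoint path and field names are from this page; the hostname and the
# authentication header name are assumptions for this example.
CHECK_PATH = "/v5/policies/check-no-new-access"
VALID_POLICY_TYPES = ("identity_policy", "agency_trust_policy", "bucket_policy")

# Constructed sample input: the two policy documents from the page's example
# request, written as Python dicts instead of pre-escaped strings.
EXISTING_POLICY = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["iam:users:createUserV5"]}],
}
NEW_POLICY = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow",
                   "Action": ["iam:users:createUserV5", "obs:bucket:createBucket"]}],
}


def build_request_body(existing: dict, new: dict, policy_type: str) -> str:
    """Serialize the request body for POST /v5/policies/check-no-new-access.

    Both policy documents are JSON *strings* inside the body, not nested
    objects, so each is dumped on its own first and then placed in the outer
    object; the outer json.dumps escapes the inner quotes exactly once.
    """
    if policy_type not in VALID_POLICY_TYPES:
        raise ValueError(f"unsupported policy_type: {policy_type!r}")
    body = {
        "existing_policy_document": json.dumps(existing, separators=(",", ":")),
        "new_policy_document": json.dumps(new, separators=(",", ":")),
        "policy_type": policy_type,
    }
    return json.dumps(body)


def send_check(hostname: str, token: str, body: str) -> dict:
    """POST the body and return the parsed JSON response.

    X-Auth-Token is an assumed header name; supply the real hostname and
    token from your environment. Not called by the offline demo below.
    """
    req = urllib.request.Request(
        f"https://{hostname}{CHECK_PATH}",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", "X-Auth-Token": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def new_access_findings(response: dict) -> list:
    """Return (statement_index, statement_id, description) per flagged statement.

    An empty list means check_result was "pass". Any value other than
    "pass"/"fail" raises, so a malformed response can never look like a pass.
    """
    result = response.get("check_result")
    if result == "pass":
        return []
    if result != "fail":
        raise ValueError(f"unexpected check_result: {result!r}")
    return [
        (r.get("statement_index"), r.get("statement_id"), r.get("description"))
        for r in response.get("reasons", [])
    ]


def safe_to_apply(response: dict) -> bool:
    """Pipeline gate: True only when the service explicitly reports "pass"."""
    new_access_findings(response)  # raises on an unexpected check_result
    return response.get("check_result") == "pass"


# Constructed sample response, shaped like the page's example response.
SAMPLE_FAIL_RESPONSE = {
    "check_result": "fail",
    "message": "The modified permissions grant new access compared to your existing policy.",
    "reasons": [{"description": "New access in the statement with sid: {statement_sid}.",
                 "statement_index": 0, "statement_id": "{statement_sid}"}],
}

if __name__ == "__main__":
    print(build_request_body(EXISTING_POLICY, NEW_POLICY, "identity_policy"))
    for idx, sid, why in new_access_findings(SAMPLE_FAIL_RESPONSE):
        print(f"statement {idx} (sid {sid}): {why}")
    print("safe to apply:", safe_to_apply(SAMPLE_FAIL_RESPONSE))
```

In a change pipeline the existing document is the policy as currently deployed and the new document is the one under review; calling send_check and then safe_to_apply lets the pipeline refuse to roll out a policy that widens access, while the findings list points reviewers at the exact statement index and SID to inspect.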

Status Codes

Status Code   Description
200           OK

Error Codes

See Error Codes.