Actions Supported by Identity Policy-based Authorization

IAM provides system-defined identity policies to define common actions supported by cloud services. MRS provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control.

In addition to IAM, the Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create an IAM custom identity policy, see Creating a Custom Identity Policy.
For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in a policy.
The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your policy statements.
- If this column includes a resource type, you must specify the URN in the Resource element of your policy statements.
- Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.
For details about the resource types defined by MRS, see Resources.
Condition Key contains keys that you can specify in the Condition element of an identity policy statement for MRS.
- If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about the condition keys defined by MRS, see Conditions.
The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in policy statements for MRS.

**Table 1** Actions supported by MRS
Action	Description	Access Level	Resource Type (*: required)	Condition Key	Alias
mrs:cluster:createCluster	Grants permissions to create a cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:RequestTag/<tag-key> g:TagKeys g:EnterpriseProjectId	mrs:cluster:create
mrs:cluster:deleteCluster	Grants the permission to delete a cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:delete
mrs:cluster:listHosts	Grants permissions to query nodes in the cluster.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:host:list
mrs:cluster:listFiles	Grants permissions to query the file list in the cluster.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:file:list
mrs:cluster:createJob	Grants permissions to execute jobs in the cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:job:submit
mrs:cluster:list	Grants permissions to query the cluster list.	list	-	g:RequestTag/<tag-key> g:TagKeys g:EnterpriseProjectId	-
mrs:cluster:listJobs	Grants permissions to query the job list of the cluster.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:job:list
mrs:cluster:getJob	Grants permissions to query job details in the cluster.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:job:get
mrs:cluster:getCluster	Grants permissions to query cluster details.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	-	mrs:cluster:get
mrs:cluster:resizeNodes	Grants permissions to adjust cluster nodes.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:resize
mrs:cluster:updateClusterName	Grants permissions to rename a cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	-
mrs:cluster:listTags	Grants permissions to query cluster tags.	list	-	g:EnterpriseProjectId	mrs:tag:list
mrs:cluster:updateTags	Grants permissions to add or delete cluster tags.	tagging	-	g:RequestTag/<tag-key> g:TagKeys g:EnterpriseProjectId	mrs:tag:create mrs:tag:delete mrs:tag:batchOperate
mrs:cluster:listClustersByTag	Grants permissions to query the list of clusters with specific tags.	list	-	g:RequestTag/<tag-key>,g:TagKeys	mrs:tag:listResource
mrs:cluster:stopJob	Grants permissions to stop cluster jobs.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:job:stop
mrs:cluster:deleteJobs	Grants permissions to delete cluster jobs in batches.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:job:batchDelete
mrs:cluster:stopSql	Grants permissions to cancel SQL execution.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:sql:cancel
mrs:cluster:createSql	Grants permissions to submit a SQL statement for execution.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:sql:execute mrs:job:checkSql
mrs:cluster:listPolicies	Grants permissions to obtain all auto scaling policies in a cluster.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:policy
mrs:cluster:updatePolicies	Grants permissions to modify auto scaling policies of a cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:policy
mrs:cluster:getAgencyMapping	Grants permissions to obtain user agent information.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	-
mrs:cluster:updateAgencyMapping	Grants permissions to update user agent information.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:syncUser
mrs:cluster:getSql	Grants permissions to obtain the SQL execution result.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:sql:get
mrs:cluster:getSubscription	Grants permission to obtain subscription information.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:get
mrs:cluster:getOps	Grants permission to query O&M logs and O&M status.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:get
mrs:cluster:getEip	Grants permission to query the floating IP address status of a cluster.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:get
mrs:dataConnector:getInstance	Grants permission to query data connection details.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:list
mrs:cluster:getUsers	Grants permission to obtain users that can be synchronized to a cluster.	read	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:syncUser
mrs:cluster:updateSubscription	Grants permission to update subscription information.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:alarm:subscribe
mrs:cluster:updateOps	Grants permission to update the O&M status.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:ops:grant
mrs:cluster:updateEip	Grants permission to modify the floating IP addresses and security group rules of the cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:resize
mrs:cluster:updatePatch	Grants permission to update cluster patches.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:patch:install
mrs:dataConnector:updateInstance	Grants permission to create and modify data connections.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:create mrs:cluster:delete
mrs:cluster:updateDataConnector	Grants permission to create and modify cluster data connections.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:create mrs:cluster:resize
mrs:cluster:updateScripts	Grant permission to update cluster scripts.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:bootstrap:update mrs:bootstrap:delete mrs:script:add mrs:script:update mrs:script:delete
mrs:cluster:updateComponent	Grants permission to update services in a cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:resize
mrs:cluster:updateUsers	Grants permission to synchronize users to the cluster.	write	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:syncUser
mrs:cluster:listPatch	Grant permission to query the cluster patch status.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:patch:list
mrs:dataConnector:listInstance	Grants permission to query data connections.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:list
mrs:cluster:listDataConnector	Grants permission to query available data connections in a cluster.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:cluster:get
mrs:cluster:listScripts	Grants permission to query cluster scripts.	list	mrs:<region>:<account-id>:cluster:<cluster-id>	g:EnterpriseProjectId	mrs:bootstrap:list mrs:script:get mrs:cluster:policy

Resources

A resource type (Resource) defines the scope of resources to which an identity policy applies. As shown in Table 2, if a specific resource type has been designated for an operation supported by MRS, then when you select and fill in the corresponding resource URN in the identity policy statement that includes this operation, the identity policy will only take effect on that specified resource. If the corresponding resource URN is not filled in, the identity policy will apply to all resources under the specified resource type. If no resource type is specified, the default value of Resource is *, and the identity policy will apply to all resources. Additionally, you can set conditions in the identity policy to further refine the resource type.

The following table lists the resource types that you can define in identity policy statements for MRS.

**Table 2** Resource types supported by MRS
Resource Type	URN
cluster	mrs:<region>:<account-id>:cluster:<cluster-id>

Conditions

MRS does not support service-specific condition keys in identity policies.

It can only use global condition keys applicable to all services. For details, see Global Condition Keys.

Parent topic: Permissions and Supported Actions

Previous topic: Actions Supported by Policy-based Authorization

Next topic: Appendix

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot