Actions Supported by Policy-based Authorization

This section describes the actions supported by policy-based authorization through BSS.

Supported Actions

xx (cloud service name) provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

Permissions: Statements in a policy that allow or deny certain operations.
APIs: APIs that can be called in a custom policy.
Actions: specific operations that are allowed or denied in a custom policy.
Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.

BSS supports the following actions in custom policies:

For APIs not listed in the table, fine-grained permission verification is not required and all customer accounts can access them.
The bss:discount:view action only affects the discount information returned in the response. If this permission is not assigned, the API can still be called, but the response does not contain discount information.
Authentication of system-defined roles is not supported, but policy authentication is. For details about the configuration guide, see Creating a User Group and Assigning Permissions.

Scenario	Sub-scenario	API	API URL	Action	Action Name	IAM Project	Enterprise Project
Managing Products	Querying product price	Querying pay-per-use product price	POST /v2/bills/ratings/on-demand-resources	bss:discount:view	View discount and price information.	√	×
		Querying yearly/monthly product price	POST /v2/bills/ratings/period-resources/subscribe-rate	bss:discount:view	View discount and price information.	√	×
		Querying the renewal price of yearly/monthly resources	POST /v2/bills/ratings/period-resources/renew-rate	bss:discount:view	View discount and price information.	√	×
Managing Accounts	Managing accounts	Querying account balance	GET /v2/accounts/customer-accounts/balances	bss:balance:view	View account information.	√	×
Managing Accounts	Managing accounts	Querying consumption quota	GET /v2/accounts/customer-accounts/expenditure-quota	bss:balance:view	View account information.	√	×
Managing Transactions	Managing coupons	Listing coupons	GET /v2/promotions/benefits/coupons	bss:coupon:view	View discount, cash, and flexi-purchase coupons.	√	×
	Managing yearly/monthly orders	Listing orders	GET /v2/orders/customer-orders	bss:order:view	View order information.	√	×
		Querying order details	GET /v2/orders/customer-orders/details/{order_id}	bss:order:view	View order information.	√	×
		Canceling orders in the pending payment status	PUT /v2/orders/customer-orders/cancel	bss:order:update	Place orders, cancel orders, and modify delivery addresses.	√	×
		Querying available discounts	GET /v2/orders/customer-orders/order-discounts	bss:discount:view	Viewing discount and price information	√	×
		Paying yearly/monthly orders	POST /v3/orders/customer-orders/pay	bss:order:pay	Pay for orders.	√	×
		Querying order refund amount	GET /v2/orders/customer-orders/refund-orders	bss:order:view	View order information.	√	×
	Managing Yearly/Monthly Resources	Listing yearly/monthly resources	POST /v2/orders/suscriptions/resources/query	bss:renewal:view bss:order:view (to be brought offline)	View order information.	√	×
		Renewing subscriptions to yearly/monthly resources	POST /v2/orders/subscriptions/resources/renew	bss:renewal:update	Renew resources, enable auto-renewal, set expiration policies, change the billing mode from pay-per-use to yearly/monthly, and release resources.	√	×
		Unsubscribing from yearly/monthly resources	POST /v2/orders/subscriptions/resources/unsubscribe	bss:unsubscribe:update bss:order:update (to be brought offline)	View resources that can be or has been unsubscribed from, cancel delivery, and return or replace hardware.	√	×
		Enabling automatic renewal for yearly/monthly resources	POST /v2/orders/subscriptions/resources/autorenew/{resource_id}	bss:renewal:update	Renew resources, enable auto-renewal, set expiration policies, change the billing mode from pay-per-use to yearly/monthly, and release resources.	√	×
		Disabling automatic renewal for yearly/monthly resources	DELETE /v2/orders/subscriptions/resources/autorenew/{resource_id}	bss:renewal:update	Renew resources, enable auto-renewal, set expiration policies, change the billing mode from pay-per-use to yearly/monthly, and release resources.	√	×
		Enabling/Canceling the change from yearly/monthly to pay-per-use upon expiration	POST /v2/orders/subscriptions/resources/to-on-demand	bss:renewal:update	Renew resources, enable auto-renewal, set expiration policies, change the billing mode from pay-per-use to yearly/monthly, and release resources.	√	×
		Setting a deduction date for auto-renewal of yearly/monthly resources and a same expiration date for renewed resources	POST /v2/orders/subscriptions/resources/renew/config	bss:renewal:update	Renew resources, enable auto-renewal, set expiration policies, change the billing mode from pay-per-use to yearly/monthly, and release resources.	√	×
	Managing Resource Packages	Listing resource packages	POST /v3/payments/free-resources/query	bss:bill:view	View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.	√	×
		Querying resource package usage details	GET /v2/bills/customer-bills/free-resources-usage-records	bss:bill:view bss:billDetail:view (to be brought offline)	View expenditure details, resource expenditures, bill analysis, and historical payments.	√	×
		Querying resource package usage	POST /v2/payments/free-resources/usages/details/query	bss:bill:view	View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.	√	×
Managing Bills	Managing bills	Viewing bill details	POST /v2/bills/customer-bills/res-records/query	bss:billDetail:view	View expenditure details, resource expenditures, bill analysis, and historical payments.	√	×
		Querying bill summary	GET /v2/bills/customer-bills/monthly-sum	bss:bill:view	View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.	√	×
		Querying expenditure records	GET /v2/bills/customer-bills/res-fee-records	bss:billDetail:view bss:bill:view (to be brought offline)	View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.	√	×
Managing Costs	Managing costs	Querying cost data	POST /v4/costs/cost-analysed-bills/query	bss:costanalysis:view	View cost analysis.	√	×
Managing an Enterprise	Managing enterprise projects	Enabling the enterprise project management service	POST /v2/enterprises/enterprise-projects/authority	bss:enterpriseProjectFunction:update	Enable the enterprise project management service.	√	×
Managing an Enterprise	Managing enterprise accounts	Querying enterprise member accounts	GET /v2/enterprises/multi-accounts/sub-customers	bss:enterpriseOrganization:view	View organizations and accounts in the Enterprise Center.	√	×
Managing Invoices	Managing invoices	Listing invoices	GET /v1.0/{domain_id}/payments/intl-invoices	bss:invoice:update	Request invoices and view invoice information.	√	×