Help Center/ Object Storage Migration Service/ API Reference/ Permissions and Supported Actions/ Actions Supported by Identity Policy-based Authorization
Updated on 2026-06-04 GMT+08:00

Actions Supported by Identity Policy-based Authorization

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides service control policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see How IAM Is Different from Organizations for Access Control?

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify a URN for the Resource element in your identity policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by OMS, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by OMS, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for OMS.

Table 1 Actions supported by OMS

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

oms:task:list

Grants permission to list migration tasks.

List

task

-

-

oms:task:create

Grants permission to create a migration task.

Write

task

-

-

oms:task:get

Grants permission to query details about a migration task.

Read

task

-

-

oms:task:delete

Grants permission to delete a migration task.

Write

task

-

-

oms:task:update

Grants permission to update a migration task.

Write

task

-

-

oms:synctask:list

Grants permission to list synchronization tasks.

List

synctask

-

-

oms:synctask:create

Grants permission to create a synchronization task.

Write

synctask

-

-

oms:synctask:get

Grants permission to query details about a synchronization task.

Read

synctask

-

-

oms:synctask:delete

Grants permission to delete a synchronization task.

Write

synctask

-

-

oms:synctask:statistics

Grants permission to query statistics about a synchronization task.

Read

synctask

-

-

oms:synctask:update

Grants permission to update a synchronization task.

Write

synctask

-

-

oms:synctask:createEvent

Grants permission to create a synchronization event.

Write

synctask

-

-

oms:taskgroup:create

Grants permission to create a migration task group.

Write

taskgroup

-

-

oms:taskgroup:list

Grants permission to list migration task groups.

List

taskgroup

-

-

oms:taskgroup:get

Grants permission to query details about a migration task group.

Read

taskgroup

-

-

oms:taskgroup:delete

Grants permission to delete a migration task group.

Write

taskgroup

-

-

oms:taskgroup:update

Grants permission to update a migration task group.

Write

taskgroup

-

-

oms::listObjects

Grants permission to list objects in a bucket.

List

-

-

-

oms::checkCdnInfo

Grants permission to check the connectivity between a bucket and CDN.

Read

-

-

-

oms::listBuckets

Grants permission to list buckets.

List

-

-

-

oms::listBucketRegions

Grants permission to query the region of a bucket.

List

-

-

-

oms::checkBucketPrefix

Grants permission to check whether a bucket has objects with a specified prefix.

Read

-

-

-

oms::listCloudRegions

Grants permission to query regions supported for a cloud vendor.

List

-

-

-

oms::listCloudTypes

Grants permission to list supported cloud vendors.

List

-

-

-

oms::agreePrivacyAgreement

Grants permission to agree to the privacy agreement.

Write

-

-

-

oms::checkUrlSourceListFileFormat

Grants permission to check the format of the URL list file.

Read

-

-

-

oms:workflowTask:create

Grants permission to create migration workflows.

Write

workflowTask

-

-

oms:workflowTask:list

Grants the permission to list migration workflows.

List

workflowTask

-

-

oms:workflowTask:get

Grants permission to query details about a specified task.

Read

workflowTask

-

-

oms:workflowTask:delete

Grants permission to delete migration workflows.

Write

workflowTask

-

-

oms:workflowTask:showMonitoring

Grants permission to query task monitoring data by ID.

Read

workflowTask

-

-

oms:workflowTask:pause

Grants permission to pause migration workflows.

Write

workflowTask

-

-

oms:workflowTask:start

Grants permission to resume migration workflows (resuming a paused workflow or restarting a failed workflow).

Write

workflowTask

-

-

oms:workflowTask:update

Grants permission to modify migration service configurations.

Write

workflowTask

-

-

oms:bucket:listBuckets

Grants permission to list buckets.

List

-

-

-

oms:bucket:listObjects

Grants permission to list objects in a bucket.

List

-

-

-

oms:bucket:showCdnInfo

Grants permission to check whether there is a CDN acceleration domain name.

Read

-

-

-

oms:cluster:create

Grants permission to create a cluster.

Write

cluster

-

-

oms:cluster:list

Grants permission to query list clusters.

List

cluster

-

-

oms:cluster:get

Grants permission to query the details about a cluster.

Read

cluster

-

-

oms:cluster:upgradeVersion

Grants permission to upgrade the service version.

Write

cluster

-

-

oms:cluster:updateBaseInfo

Grants permission to update basic information.

Write

cluster

-

-

oms:cluster:retry

Grants permission to retry cluster creation upon failure.

Write

cluster

-

-

oms:cluster:delete

Grants permission to delete a cluster.

Write

cluster

-

-

oms:cluster:updateExtendProperty

Grants permission to modify extended attributes of a cluster.

Write

cluster

-

-

oms:cluster:retryExtendProperty

Grants permission to retry extended attribute modification upon failure.

Write

cluster

-

-

oms:cluster:estimate

Grants permission to perform cluster assessment and recommendation.

Write

cluster

-

-

oms:node:extend

Grants permission to scale out a cluster.

Write

node

-

-

oms:node:retry

Grants permission to retry node installation upon failure.

Write

node

-

-

oms:node:reinstall

Grants permission to reinstall a node.

Write

node

-

-

oms:node:delete

Grants permission to delete nodes.

Write

node

-

-

oms:journey:save

Grants permission to save a journey.

Write

-

-

-

oms:journey:get

Grants permission to query the details about a journey.

Read

-

-

-

oms:journey:finish

Grants permission to end a journey.

Write

-

-

-

oms:credential:save

Grants permission to save credentials.

Write

-

-

-

oms:credential:list

Grants permission to query list credentials.

List

-

-

-

oms:task:listJourneySummary

Grants permission to query the task summary of a journey.

List

task

-

-

oms:task:listTaskJourneyReport

Grants permission to query the task report of a journey.

List

task

-

-

oms:workflowTask:listJourneySummary

Grants permission to query the workflow task summary of a journey.

List

workflowTask

-

-

oms:workflowTask:listTaskJourneyReport

Grants permission to query the workflow task report of a journey.

List

workflowTask

-

-

Each API of OMS usually supports one or more actions. Table 2 lists the actions and dependencies supported by OMS APIs.

Table 2 Actions and dependencies supported by OMS APIs

API

Action

Dependencies

POST /v2/{project_id}/tasks/batch-update

oms:task:update

-

GET /v2/{project_id}/tasks

oms:task:list

-

POST /v2/{project_id}/tasks

oms:task:create

-

GET /v2/{project_id}/tasks/{task_id}

oms:task:get

-

DELETE /v2/{project_id}/tasks/{task_id}

oms:task:delete

-

POST /v2/{project_id}/tasks/{task_id}/stop

oms:task:update

-

POST /v2/{project_id}/tasks/{task_id}/start

oms:task:update

-

PUT /v2/{project_id}/tasks/{task_id}/bandwidth-policy

oms:task:update

-

PUT /v2/{project_id}/tasks/{task_id}/access-keys

oms:task:update

-

GET /v2/{project_id}/sync-tasks

oms:synctask:list

-

POST /v2/{project_id}/sync-tasks

oms:synctask:create

-

GET /v2/{project_id}/sync-tasks/{sync_task_id}

oms:synctask:get

-

DELETE /v2/{project_id}/sync-tasks/{sync_task_id}

oms:synctask:delete

-

GET /v2/{project_id}/sync-tasks/{sync_task_id}/statistics

oms:synctask:statistics

-

POST /v2/{project_id}/sync-tasks/{sync_task_id}/stop

oms:synctask:update

-

POST /v2/{project_id}/sync-tasks/{sync_task_id}/start

oms:synctask:update

-

POST /v2/{project_id}/sync-tasks/{sync_task_id}/events

oms:synctask:createEvent

-

POST /v2/{project_id}/taskgroups

oms:taskgroup:create

-

GET /v2/{project_id}/taskgroups

oms:taskgroup:list

-

GET /v2/{project_id}/taskgroups/{group_id}

oms:taskgroup:get

-

DELETE /v2/{project_id}/taskgroups/{group_id}

oms:taskgroup:delete

-

PUT /v2/{project_id}/taskgroups/{group_id}/stop

oms:taskgroup:update

-

PUT /v2/{project_id}/taskgroups/{group_id}/start

oms:taskgroup:update

-

PUT /v2/{project_id}/taskgroups/{group_id}/retry

oms:taskgroup:update

-

PUT /v2/{project_id}/taskgroups/{group_id}/update

oms:taskgroup:update

-

POST /v2/{project_id}/objectstorage/buckets/objects

oms::listObjects

-

POST /v2/{project_id}/objectstorage/buckets/cdn-info

oms::checkCdnInfo

-

POST /v2/{project_id}/objectstorage/buckets

oms::listBuckets

-

POST /v2/{project_id}/objectstorage/buckets/regions

oms::listBucketRegions

-

POST /v2/{project_id}/objectstorage/buckets/prefix

oms::checkBucketPrefix

-

GET /v2/{project_id}/objectstorage/data-center

oms::listCloudRegions

-

GET /v2/{project_id}/objectstorage/cloud-type

oms::listCloudTypes

-

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, a resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to the resource. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in a policy to define resource types.

The following table lists the resource types that you can specify in identity policy statements for OMS.

Table 3 Resource types supported by OMS

Resource Type

URN

Task

oms:<region>:<account-id>:task:*

oms:<region>:<account-id>:task:<task-id>

SyncTask

oms:<region>:<account-id>:synctask:*

oms:<region>:<account-id>:synctask:<synctask-id>

TaskGroup

oms:<region>:<account-id>:taskgroup:*

oms:<region>:<account-id>:taskgroup:*

APIs related to synchronization tasks are available only in CN North-Beijing4, CN East-Shanghai1, and CN Southwest-Guiyang1.

Conditions

OMS does not support service-specific condition keys in identity policies.

It can only use global condition keys applicable to all services. For details, see Global Condition Keys.