What Can I Do If I Cannot Find the Action in an Error Message During Enterprise Project Authorization?

Symptom

If you only used enterprise project authorization and tried to perform an operation, the system displayed an error message showing you the action you need to obtain permissions for. However, this action cannot be found during policy authorization.

Possible Causes

The API for querying the resources bound to all enterprise projects is explicitly denied by an identity policy or a mandatory access control policy (such as an SCP). In this case, the system shows only the denied identity policy action instead of the denied policy action. The following is an example:

An IAM user was not granted the policy action ces:siteMonitorRule:list permission on the new IAM console. When the user calls the API requiring this permission, the system displays "Policy doesn't allow ces:remoteChecks:list to be performed". The system prompt only shows ces:remoteChecks:list, instead of the identity policy action ces:siteMonitorRule:list.

Solutions

• If you use enterprise project authorization, go the old IAM console and grant required permissions in the enterprise project view.
• If you do not need enterprise project authorization:
  • Go the new IAM console and create identity policies.
  • Go the old IAM console and create policies in the IAM project view.