- What's New
- Service Overview
- Getting Started
-
User Guide
- Permissions Management
- Managing Organizations
- Managing OUs
- Managing Accounts
-
Managing SCPs
- Overview of an SCP
- Enabling or Disabling the SCP Type
- Creating an SCP
- Modifying or Deleting an SCP
- Attaching or Detaching an SCP
- Example SCPs
- System-defined SCPs
- Cloud Services for Using SCPs
- Regions for Using SCPs
-
Actions Supported by SCP-based Authorization
- Compute
- Storage
- Networking
- Containers
- Analytics
- Content Delivery & Edge Computing
- Databases
- Security & Compliance
- Internet of Things
- Middleware
- Developer Services
- Business Applications
-
Management & Governance
- Simple Message Notification (SMN)
- Log Tank Service (LTS)
- Identity and Access Management (IAM)
- Security Token Service (STS)
- Resource Formation Service (RFS)
- IAM Identity Center
- Organizations
- Resource Access Manager (RAM)
- Enterprise Project Management Service (EPS)
- Tag Management Service (TMS)
- Config
- IAM Access Analyzer
- Cloud Trace Service (CTS)
- Resource Governance Center (RGC)
- Application Operations Management (AOM)
- Cloud Eye (CES)
- IAM Identity Broker
- User Support
- Migration
- Managing Tag Policies
- Managing Trusted Services
- Managing Tags
- CTS Auditing
- Adjusting Quotas
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Managing Organizations
- Managing OUs
-
Managing Accounts
- Creating an Account
- Listing Accounts in an Organization
- Closing an Account
- Getting Account Information
- Updating an Account
- Removing the Specified Account
- Moving an Account
- Inviting an Account to Join an Organization
- Querying Account Creation Requests in Specified State
- Querying Account Creation Status
- Querying CloseAccount Requests in Specified State
- Managing Invitations
- Managing Trusted Services
- Managing Delegated Administrators
- Managing Policies
-
Managing Tags
- Listing Tags for the Specified Resource
- Adding Tags to the Specified Resource
- Removing Tags from the Specified Resource
- Listing Tags for the Specified Resource Type
- Adding Tags to the Specified Resource Type
- Deleting Tags with the Specified Key from the Specified Resource Type
- Querying Resource Instances by Resource Type and Tag
- Querying Number of Resource Instances by Resource Type and Tag
- Querying Resource Tags
- Others
- Permissions and Supported Actions
- Appendixes
- Change History
- FAQs
- General Reference
Copied.
What Should I Do When Encountering SCP Errors?
Service control policies (SCPs) in Organizations use a similar syntax to that used by Identity and Access Management (IAM) policies. They both use the JSON syntax. For details, see SCP Syntax.
You may encounter the following errors when creating SCPs:
- More Than One Policy Object
- More Than One Statement Element
- Policy Document Exceeding the Maximum Size
More Than One Policy Object
An SCP must consist of one and only one JSON object. You denote an object by placing braces ({}) around it. Although you can nest other objects within a JSON object by embedding additional braces ({}), a policy can contain only one outermost pair of braces ({}). The following example is incorrect because it contains two JSON objects, with two outermost pairs of braces ({}):
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*:*" ], "Resource": [ "*" ] } ] } { "Statement": [ { "Effect": "Deny", "Action": [ "vpc:*:*" ], "Resource": [ "*" ] } ] }
To meet the intention of this example, you can use correct policy syntax. Instead of including two complete policy objects, each with its own Statement element, you can combine the two blocks into a single Statement element. The Statement element has an array of two objects as its value, as shown in the following example:
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*:*" ], "Resource": [ "*" ] }, { "Effect": "Deny", "Action": [ "vpc:*:*" ], "Resource": [ "*" ] } ] }
This example cannot be further compressed into a Statement with one element because the two elements have different effects. Generally, you can combine statements only when the Effect and Resource elements in each statement are identical.
More Than One Statement Element
This error might at first appear to be a variation on the error in the preceding example. However, syntactically it is a different type of error. In the following example, there is only one policy object as denoted by a single outermost pair of braces ({}). However, that object contains two Statement elements within it.
An SCP must contain only one Statement element. The value of a Statement element must be an object, denoted by braces ({}), containing one Effect element, one Action element, one Resource element, and one optional Condition element. The following example is incorrect because it contains two Statement elements in the policy object:
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*:*" ], "Resource": [ "*" ] }, "Statement": [ { "Effect": "Deny", "Action": [ "vpc:*:*" ], "Resource": [ "*" ] } ] }
The value of the Statement element must be an object, and a value object can be an array of multiple value objects. You can solve this problem by combining the two Statement elements into one element with an object array, as illustrated in the following example. In the example, the value of the Statement element is an object array. The array consists of two objects, each of which is a correct value for a Statement element. Each object in the array is separated by commas.
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*:*" ], "Resource": [ "*" ] }, { "Effect": "Deny", "Action": [ "vpc:*:*" ], "Resource": [ "*" ] } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot