Updated on 2025-02-25 GMT+08:00

Creating a Custom Policy

You can create custom policies to supplement the system-defined policies of DataArts Insight. You can add actions to custom policies.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common DataArts Insight custom policies.

Policy Fields

In the following example, an IAM user is granted permission to obtain data source details (dataartsinsight:datasource:get) in all workspaces in all regions.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dataartsinsight:datasource:get"
            ],
            "Resource": [
                "DataArtsInsight:*:*:workspace:*"
            ]
        }
    ]
}
  • Version

    1.1 indicates a fine-grained permission policy that defines permissions required to perform operations on specific cloud resources under certain conditions.

  • Effect

    The value can be Allow or Deny. If both Allow and Deny statements apply, Deny overrides Allow.

  • Action

    Specific operation on a resource. A maximum of 100 actions are allowed.

    Figure 1 DataArts Insight actions
    • The format is Service name:Resource type:Action, for example, dataartsinsight:datasource:get.
    • Service name: product name, such as dataartsinsight, evs, or vpc. Only lowercase letters are allowed. Resource types and actions are not case-sensitive. You can use an asterisk (*) to represent all actions.
    • Action: action registered with IAM.
  • Condition

    Determines when a policy is in effect. A condition consists of a condition key and a condition operator.

    A condition key is a key in the Condition element of a statement. There are global and service-specific condition keys.

    • Global-level condition key: The prefix is g:, which applies to all actions. For details, see the condition key description in Policy Syntax.
    • Service-level condition key: applies only to actions of the specific service.

    An operator must be used together with a condition key to form a complete condition statement. For details, see Table 1.

    DataArts Insight provides a set of predefined condition keys, as listed below.

    Table 1 DataArts Insight request conditions

    | DataArts Insight Condition Key | Type | Operator | Description |
    |---|---|---|---|
    | g:CurrentTime | Global | Date and time | Time when an authentication request is received. NOTE: The time is expressed in the format defined by ISO 8601, for example, 2012-11-11T23:59:59Z. |
    | g:MFAPresent | Global | Boolean | Whether multi-factor authentication is used during user login |
    | g:UserId | Global | String | ID of the current login user |
    | g:UserName | Global | String | Current login username |
    | g:ProjectName | Global | String | Project that you have logged in to |
    | g:DomainName | Global | String | Domain that you have logged in to |
    | g:ResourceTag | Global | StringEquals | Resource tag key value |

  • Resource

    Format: Service name:Region:Account ID:Resource type:Resource path. An asterisk (*) matches all values for the field in which it appears.

    Example:

    "DataArtsInsight:*:*:workspace:*": All workspaces

Creating a DataArts Insight Custom Policy

You can set actions and resources at varying levels based on scenarios.

  1. Define an action.

    The format is Service name:Resource type:Action. You can use the wildcard (*). For example:

    Table 2 Actions

    | Action | Description |
    |---|---|
    | dataartsinsight:datasource:get | Obtains details about a data source. |
    | dataartsinsight:dataset:preview | Previews a dataset. |
    | dataartsinsight:screen:view | Previews a large screen. |

  2. Define a resource.

    The format is Service name:Region:Domain ID:Resource type:Resource path. The wildcard (*) indicates all resources. You have the flexibility to set these five fields. The Resource path field can be set with varying levels of access control based on the specific scenario. If you need to set permissions for all resources under this service, you can leave this field unspecified. For details about how to define a resource, see Table 3.

    Table 3 Resource

    | Resource | Description |
    |---|---|
    | dataartsinsight:*:*:workspace:* | All workspaces |

    • Specific resources:
      Figure 2 Specific resources
    • All resources: all resources of the service
      Figure 3 All resources
  3. Combine all of the preceding fields into a JSON string to create a complete policy. You can set multiple actions and resources, and you also have the option to create policies through the IAM console.
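
An added example, not part of the DataArts Insight documentation: a pre-upload check that applies the field rules described on this page (Version, Effect, the three-part action format with a lowercase service name, the 100-action limit, and the five-field resource format) and flags wildcard or resource-less Allow statements for least-privilege review. The name lint_policy, the per-statement reading of the 100-action limit, and the case-insensitive comparison of the resource's service name are assumptions.

```python
import json

SERVICE = "dataartsinsight"  # resource prefix is compared case-insensitively (assumption)
MAX_ACTIONS = 100            # limit from the page; assumed here to apply per statement

def lint_policy(text):
    """Return findings for a custom policy (JSON string); an empty list means clean."""
    policy = json.loads(text)
    findings = []
    if policy.get("Version") != "1.1":
        findings.append("Version: expected '1.1' (fine-grained policy)")
    for n, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{n}]"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        actions = stmt.get("Action", [])
        if len(actions) > MAX_ACTIONS:
            findings.append(f"{where}: more than {MAX_ACTIONS} actions")
        for action in actions:
            parts = action.split(":")
            if len(parts) != 3:
                findings.append(f"{where}: '{action}' is not Service name:Resource type:Action")
            elif parts[0] != parts[0].lower():
                findings.append(f"{where}: service name in '{action}' must be lowercase")
            elif effect == "Allow" and any("*" in p for p in parts[1:]):
                findings.append(f"{where}: wildcard action '{action}' is a broad grant")
        resources = stmt.get("Resource", [])
        if effect == "Allow" and not resources:
            findings.append(f"{where}: no Resource, so the grant covers all resources")
        for res in resources:
            parts = res.split(":", 4)  # the resource path may itself contain ':'
            if len(parts) != 5:
                findings.append(f"{where}: '{res}' does not have five fields")
            elif parts[0].lower() != SERVICE:
                findings.append(f"{where}: unexpected service name in '{res}'")
    return findings

# The policy shown on this page.
PAGE_POLICY = """{"Version": "1.1", "Statement": [{"Effect": "Allow",
  "Action": ["dataartsinsight:datasource:get"],
  "Resource": ["DataArtsInsight:*:*:workspace:*"]}]}"""
# Constructed: wildcard Allow, uppercase service name, misspelled resource prefix.
CONSTRUCTED_BAD = """{"Version": "1.1", "Statement": [{"Effect": "Allow",
  "Action": ["dataartsinsight:*:*", "DataArtsInsight:dataset:preview"],
  "Resource": ["dataartsnsight:*:*:workspace:*"]}]}"""

if __name__ == "__main__":
    print(lint_policy(PAGE_POLICY), lint_policy(CONSTRUCTED_BAD), sep="\n")
```

The check covers syntax and scope only; it does not evaluate Condition elements or confirm that an action is registered with IAM.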