Updated on 2023-08-04 GMT+08:00

Custom Policies

In addition to the system-defined policies of GES, you can also create your own custom policies. For the actions supported for custom policies, see Permissions Policies and Supported Actions.

You can create custom policies using the visual editor or by editing a JSON file:

  • Visual editor: Just select the relevant cloud services, actions, resources, and request conditions. You do not need to understand policy syntax.
  • JSON: You can create a policy using a JSON file or edit the JSON file for an existing policy.

For details, see Creating a Custom Policy.

Examples

  • Example 1: Allowing users to query and operate graphs
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ges:*:get*",
                    "ges:*:list*",
                    "ges:graph:operate"
                ]
            }
        ]
    }
  • Example 2: Preventing graph deletion

    A deny policy must be used in conjunction with other policies to take effect. If the policies assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    If you need to assign the GES FullAccess policy to a user but also forbid that user from deleting graphs, create a custom policy that denies graph deletion and assign both policies to the group the user belongs to. The system policy grants the user full access, and the custom deny policy overrides the one permission that allows graph deletion. The following is an example of such a deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ges:graph:delete"
                ]
            }
        ]
    }
  • Example 3: Authorizing users to perform operations on graphs whose names start with ges_project (the name match is case insensitive) and to view the graph list
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ges:graph:create",
                    "ges:graph:delete",
                    "ges:graph:access",
                    "ges:graph:getDetail"
                ],
                "Resource": [
                    "ges:*:*:graphName:ges_project*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ges:graph:list"
                ]
            }
        ]
    }
  • Example 4: Authorizing users to operate only some graph resources, but allowing them to view all resources

    The policy consists of the following two parts:

    • Part 1: Authorizing users to perform operations on resources whose name prefix is ges_project. The resources include graphs and backups.
    • Part 2: Authorizing users to query the graph, backup, task, and metadata lists, and to view job details.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "ges:backup:delete",
                    "ges:graph:access",
                    "ges:graph:operate",
                    "ges:graph:delete",
                    "ges:graph:create",
                    "ges:backup:create",
                    "ges:graph:getDetail"
                ],
                "Resource": [
                    "ges:*:*:backupName:ges_project*",
                    "ges:*:*:graphName:ges_project*" 
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ges:graph:list",
                    "ges:backup:list",
                    "ges:jobs:list",
                    "ges:metadata:list",
                    "ges:jobs:getDetail"
                ],
                "Effect": "Allow"
            }
        ]
    }
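The evaluation rules these examples rely on (wildcard action matching as in Example 1, Deny taking precedence over Allow as in Example 2, and case-insensitive resource prefixes as in Example 3) can be exercised with the following added example. It is illustrative code written for this page, not GES or IAM code; the `FULL_ACCESS_STAND_IN` policy is a constructed stand-in for the real GES FullAccess system policy (assumed to allow every GES action), and the resource URN is a constructed placeholder.

```python
import fnmatch

# Policies copied from the page's Example 1, Example 2 and Example 3.
EXAMPLE_1 = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["ges:*:get*", "ges:*:list*", "ges:graph:operate"]}]}
DENY_DELETE = {"Version": "1.1", "Statement": [
    {"Effect": "Deny", "Action": ["ges:graph:delete"]}]}
EXAMPLE_3 = {"Version": "1.1", "Statement": [
    {"Effect": "Allow",
     "Action": ["ges:graph:create", "ges:graph:delete", "ges:graph:access", "ges:graph:getDetail"],
     "Resource": ["ges:*:*:graphName:ges_project*"]},
    {"Effect": "Allow", "Action": ["ges:graph:list"]}]}
# Constructed stand-in for the GES FullAccess system policy (assumption: allows every GES action).
FULL_ACCESS_STAND_IN = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["ges:*:*"]}]}


def action_matches(pattern, action):
    """Glob match on the action string, e.g. "ges:*:get*" covers "ges:graph:getDetail"."""
    return fnmatch.fnmatchcase(action, pattern)


def resource_matches(pattern, resource):
    """Glob match on the resource URN; graph names are case insensitive per the page."""
    return fnmatch.fnmatchcase(resource.lower(), pattern.lower())


def evaluate(policies, action, resource=None):
    """Combine all policies attached to a user: an explicit Deny wins over any Allow,
    and a request that no statement allows is denied by default ("ImplicitDeny")."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(action_matches(p, action) for p in stmt["Action"]):
                continue
            # A statement with a Resource list applies only to matching resources;
            # one without a Resource list applies to every resource (e.g. list operations).
            scoped = stmt.get("Resource")
            if scoped and (resource is None or not any(resource_matches(p, resource) for p in scoped)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    graph = "ges:region-1:account-1:graphName:ges_project_sales"  # constructed resource URN
    print(evaluate([FULL_ACCESS_STAND_IN, DENY_DELETE], "ges:graph:delete", graph))  # Deny
    print(evaluate([EXAMPLE_3], "ges:graph:create", graph))  # Allow
```

Running it against a graph named outside the ges_project prefix, or with only Example 1 attached, shows the implicit deny that applies when no statement matches.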