Creating IAM Custom Policies for IAM Identity Center
You can create custom policies to supplement the system-defined policies of IAM Identity Center.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following are examples of common IAM Identity Center custom policies.
Example Custom Policies
- Example 1: Grant permission to create a permission set.
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "IdentityCenter:permissionSet:create"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:delegatedAdministrators:list"
      ]
    }
  ]
}
```
- Example 2: Deny permission set deletion.
A policy that contains only "Deny" statements grants nothing on its own and must be attached together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny" statements for the same action, the "Deny" takes precedence over the "Allow".
Assume that you want to grant the permissions of the IdentityCenter FullAccess policy to a user but want to prevent them from deleting permission sets. You can create a custom policy that denies permission set deletion and attach it to the user together with the IdentityCenter FullAccess policy. Because an explicit deny in any policy overrides any allow, the user can perform all operations in IAM Identity Center except deleting permission sets.
Example policy denying permission set deletion:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "IdentityCenter:permissionSet:delete"
      ]
    }
  ]
}
```
- Example 3: Create a custom policy containing multiple actions.
A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).
Example policy containing multiple actions:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "IdentityCenter:permissionSet:delete",
        "IdentityCenter:user:create",
        "IdentityCenter:permissionSet:create"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:delegatedAdministrators:list"
      ]
    }
  ]
}
```
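The three example policies above, together with the evaluation rule stated in Example 2 (explicit deny overrides allow; an action that no statement allows is denied), can be checked offline before attaching anything to a user. The following evaluator is an added example, not Huawei Cloud's own code or its actual policy engine. It assumes that an action name matches a statement when every colon-separated segment matches, with `*` as a per-segment wildcard, and it models the IdentityCenter FullAccess system policy (whose contents are not shown on this page) as a single wildcard allow over all IdentityCenter actions; both are assumptions for illustration.

```python
"""Offline evaluator for the Allow/Deny policy model used in the examples.

Added example, not Huawei Cloud code. Rules implemented:
  1. Every attached policy contributes all of its statements.
  2. An explicit Deny that matches the action wins over any Allow.
  3. If no statement matches the action, the result is Deny (default deny).
Action matching is assumed to be per colon-separated segment with '*' as
a wildcard; this is an assumption about how wildcard policies are written.
"""
import fnmatch
import json

# Example 1 from the page: allow creating a permission set.
CREATE_PERMISSION_SET = json.loads("""
{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["IdentityCenter:permissionSet:create"]},
  {"Effect": "Allow", "Action": ["organizations:delegatedAdministrators:list"]}]}
""")

# Example 2 from the page: deny-only policy, must be combined with others.
DENY_DELETE = json.loads("""
{"Version": "1.1", "Statement": [
  {"Effect": "Deny", "Action": ["IdentityCenter:permissionSet:delete"]}]}
""")

# Example 3 from the page: several actions in one statement.
MULTI_ACTION = json.loads("""
{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["IdentityCenter:permissionSet:delete",
                                 "IdentityCenter:user:create",
                                 "IdentityCenter:permissionSet:create"]},
  {"Effect": "Allow", "Action": ["organizations:delegatedAdministrators:list"]}]}
""")

# ASSUMPTION: the IdentityCenter FullAccess system policy is not shown on the
# page; it is modelled here as a wildcard allow over all IdentityCenter actions.
FULL_ACCESS_ASSUMED = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["IdentityCenter:*:*"]}],
}


def action_matches(pattern: str, action: str) -> bool:
    """Segment-wise match of 'service:resource:operation' with '*' wildcards."""
    pat_parts = pattern.split(":")
    act_parts = action.split(":")
    if len(pat_parts) != len(act_parts):
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(pat_parts, act_parts))


def evaluate(policies: list, action: str) -> str:
    """Return 'Allow' or 'Deny' for `action` under all attached `policies`."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(action_matches(p, action) for p in stmt["Action"]):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides every allow
            if stmt["Effect"] == "Allow":
                allowed = True         # keep scanning: a later Deny may still win
    return "Allow" if allowed else "Deny"   # default deny when nothing matched


def is_deny_only(policy: dict) -> bool:
    """True when a policy grants nothing by itself (only Deny statements)."""
    effects = {stmt["Effect"] for stmt in policy["Statement"]}
    return effects == {"Deny"}


def main() -> None:
    attached = [FULL_ACCESS_ASSUMED, DENY_DELETE]   # the Example 2 scenario
    for action in ("IdentityCenter:permissionSet:create",
                   "IdentityCenter:permissionSet:delete",
                   "IdentityCenter:user:create"):
        print(f"{action:45s} -> {evaluate(attached, action)}")
    print("deny-only policy:", is_deny_only(DENY_DELETE))


if __name__ == "__main__":
    main()
```

Running it shows the Example 2 outcome: with the assumed FullAccess policy and the deny policy attached together, `permissionSet:create` and `user:create` are allowed while `permissionSet:delete` is denied, and the deny policy attached on its own allows nothing. The same evaluator flags a policy that would silently grant nothing (`is_deny_only`), which is the mistake Example 2 warns about.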