Updated on 2024-02-21 GMT+08:00

Creating Permissions Policies for ABAC

Overview

After you add tags to resources and enable and configure access control attributes in IAM Identity Center, you need to add attribute-based access control rules to the custom identity policies of the permission set. With the PrincipalTag condition key, you can create access control rules that use the access control attributes in a permission set. That is, enter "g:ResourceTag/tag-key": "${g:PrincipalTag/tag-key}" in the Condition element of the policy statement.

  • g:ResourceTag/tag-key: Global condition key, which specifies the resource tag key. After tagging a resource, you need to enter the resource tag key in this condition key, that is, replace tag-key with a specific resource tag key.
  • g:PrincipalTag/tag-key: Global condition key, which specifies the attribute key of an access control attribute. After enabling and adding access control attributes, you need to enter the attribute key of an access control attribute in the condition key, that is, replace tag-key with a specific attribute key.

After the preceding access control rules are configured, the permissions policy compares the resource tag value with the attribute value, using the specified resource tag key and attribute key. Only users whose attribute value matches the resource tag value obtain the resource access permissions defined in the permission set.

Example Policies

For details about how to create a permission set, see Creating a Permission Set. The following describes how to add attribute-based access control rules to custom identity policies in permission sets and gives some example policies.

For example, if you select the OrganizationsFullAccessPolicy system policy when creating a permission set, users associated with the permission set have all permissions of Organizations. If you do not want some users to have permission to delete a specified organizational unit (OU), you can add the following policy content to the custom identity policies of the permission set to prevent these users from deleting the specified OUs.

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "organizations:ous:delete"
      ],
      "Condition": {
        "StringEquals": {
          "g:ResourceTag/orgtag1": "${g:PrincipalTag/User_A}"
        }
      }
    }
  ]
}

The condition key determines the users and resources on which the custom identity policy takes effect. In the example, the condition key indicates that the resource tag key is orgtag1 and the access control attribute key is User_A. During policy evaluation, the tag value of orgtag1 is compared with the attribute value of User_A. For example, if you set the tag value of orgtag1 to test1 and the attribute value of User_A to ${user:name}, only the user test1 matches this policy and is denied the action it lists.

For complex authorization scenarios, such as multi-user and multi-resource authorization, refer to the following:

  • If you want to use this policy to grant a user the permissions needed to access multiple resources, you only need to attach the same tag to these resources.
  • If you want to use this policy to control multiple users' access to a resource, you can attach multiple tags to the resource and enter multiple condition keys in the custom identity policy of the permission set to map the attributes of multiple users.
  • If you want to use this policy to control multiple users' access to multiple resources, you can add tags with the same tag key but different tag values to multiple resources to map the attributes of multiple users.
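To show how the condition in the example above is evaluated, here is an added Python model; it is not Huawei Cloud's own policy engine, whose exact semantics this page does not specify. It expands ${g:PrincipalTag/...} against a user's access control attributes and tests the Deny statement against an OU's tags; the function names (resolve, condition_matches, is_denied, principal_tags_for) and the AND-across-keys, exact-match semantics are assumptions made for this illustration.

```python
import re
# Constructed policy, identical in content to the Deny statement on this page.
POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["organizations:ous:delete"],
        "Condition": {"StringEquals": {
            "g:ResourceTag/orgtag1": "${g:PrincipalTag/User_A}"}},
    }],
}
VAR = re.compile(r"\$\{g:PrincipalTag/([^}]+)\}")

def resolve(value, principal_tags):
    """Substitute ${g:PrincipalTag/key} with the caller's attribute value.
    Returns None if a referenced attribute is missing: such a condition cannot match."""
    missing = []
    def sub(m):
        v = principal_tags.get(m.group(1))
        if v is None:
            missing.append(m.group(1))
        return v or ""
    out = VAR.sub(sub, value)
    return None if missing else out

def condition_matches(cond, resource_tags, principal_tags):
    # Simplified model (assumption, not Huawei Cloud's evaluator): every key under
    # StringEquals must hold (AND), the resource must carry the tag, and the tag
    # value must equal the expanded attribute value exactly.
    for key, expected in cond.get("StringEquals", {}).items():
        if not key.startswith("g:ResourceTag/"):
            return False
        actual = resource_tags.get(key[len("g:ResourceTag/"):])
        want = resolve(expected, principal_tags)
        if actual is None or want is None or actual != want:
            return False
    return True

def is_denied(policy, action, resource_tags, principal_tags):
    """True if any Deny statement in the policy applies to this request."""
    for st in policy["Statement"]:
        if st["Effect"] == "Deny" and action in st["Action"] and condition_matches(
                st.get("Condition", {}), resource_tags, principal_tags):
            return True
    return False

def principal_tags_for(user_name, attribute_map):
    """Expand the ${user:name} attribute value (as on this page) for one user."""
    return {k: v.replace("${user:name}", user_name) for k, v in attribute_map.items()}
```

With orgtag1=test1 on the OU and User_A=${user:name}, is_denied returns True for user test1 and False for test2, for an untagged OU, and for a user who has no User_A attribute.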