Help Center> Organizations> User Guide> Managing SCPs> Overview of an SCP> SCP Syntax
Updated on 2024-04-09 GMT+08:00
View PDF

SCP Syntax

The following uses a custom policy for RAM as an example to describe the SCP syntax.

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:resourceShares:create"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
       "ForAnyValue:StringNotEquals": {
          "g:RequestTag/owner": [
            "Alice",
            "Jack"
          ]
        }
      }
    }
  ]
}

Policy Structure

A policy consists of a version and a single statement or an array of individual statements, each indicating a different action.

Figure 1 Policy structure

Policy Elements

The following table describes the policy elements (Version and Statement).

Table 1 Policy elements

Element

Mandatory

Description

Value

Version

Yes

Policy version.

5.0 (cannot be customized)

Statement:

Permissions defined by a policy

Statement ID (Sid)

No

Identifier of a policy statement. You can assign a Sid value for each statement in a statement array.

A user-defined character string

Effect

Yes

Determines whether to allow or deny the operations defined in an action.
  • Allow
  • Deny
NOTE:
  • If an action has both Allow and Deny effects, the Deny effect takes precedence.
  • If an action has the Allow effect, the Condition element is not allowed.

Action

Mandatory for Allow statements

Either Action or NotAction for Deny statements

Operations that the SCP allows or denies.

Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options.

The wildcard characters (*) and (?) in an element can be used only by itself or at the end of the string. They cannot be used at the beginning or middle of the string.

For example, "obs:bucket:ListAllMybuckets" indicates the permission to list all OBS buckets.

NotAction

Not available for Allow statements.

Either Action or NotAction for Deny statements.

Operations or services that are exempt from the SCP. A Deny statement denies all operations except those in the NotAction list.

In the same format as Action

Condition

Not available for Allow statements.

Determines when a policy is in effect. A condition consists of a condition key and a condition operator.

Format: "Condition operator:{Condition key:[Value 1,Value 2]}"

If you configure multiple conditions, the policy can be applied only when all the conditions are met.

Example:

"StringEndWithIfExists":{"g:UserName":["specialCharactor"]}: This statement is valid for users whose names end with specialCharactor.

Resource

No

If this element is not specified, * is used by default, indicating that the SCP applies to all resources.

Resources that the SCP applies to.

The value can only be * for Allow statements.

The value can be either * or a specific resource for Deny statements. Format: Service name:Region:Domain ID:Resource type:Resource path. Wildcard characters (*) are supported, indicating all resources.

Example:

  • obs:*:*:bucket:*: All OBS buckets
  • obs:*:*:object:my-bucket/my-object/*: All objects in the my-object directory of the my-bucket bucket

The following elements are not supported in SCPs:

  • Principal
  • NotPrincipal
  • NotResource

Condition Keys

A condition key is a key in the Condition element of a statement. The condition key that you specify can be a global condition key or a service-specific condition key.
  • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, Organizations automatically obtains user information and authenticates users. For details, see Table 2.
  • Service-specific condition keys (with the abbreviation of a service name as the prefix, for example, ram:) apply only to operations of that service. For details, see the service-specific condition keys of each service in Actions Supported by SCP-based Authorization.
Table 2 Common global condition keys

Global Condition Key

Type

Description

g:CalledVia

String

Used to control access across services.

g:CalledViaFirst

String

The first element in the g:CalledVia key.

g:CalledViaLast

String

The last element in the g:CalledVia key.

g:CurrentTime

Time

Time when an authentication request was received. The time is in ISO 8601 format, for example, 2023-11-11T23:59:59Z.

g:DomainName

String

Account name of the requester.

g:DomainId

String

Account ID of the requester.

g:MFAPresent

Boolean

Whether to use multi-factor authentication (MFA) to obtain a token

g:MFAAge

Numeric

Validity period of the token obtained using MFA. This condition must be used together with g:MFAPresent.

g:PrincipalAccount

String

Same attribute as g:DomainId.

g:PrincipalUrn

String

URN of the requester. Different principals have different URN formats.

IAM user: iam::<domain-id>:user:<user-name>

IAM agency: sts::<domain-id>:assumed-agency:<agency-name>/<session-name>

g:PrincipalIsRootUser

Boolean

Whether the requesting principal is a root user. This key is included in all requests.

g:PrincipalIsService

Boolean

Whether the requesting principal is a cloud service. You can use this key to control whether only cloud services can access the specified APIs.

g:PrincipalOrgId

String

ID of the organization to which the requesting principal belongs. You can use this key to specify that only requesting principals in the specified organization can access the specified APIs.

g:PrincipalOrgManagementAccountId

String

Management account ID of the organization to which the requesting principal belongs.

g:PrincipalOrgPath

String

Organization path for the requesting account. You can use this key to control that only accounts at specified levels in the organization can access the specified APIs. The format of an account's organization path is as follows:

<organization-id>/<root-id>/(<ou-id>/)*<account-id>

g:PrincipalServiceName

String

Name of the cloud service principal of the requester.

g:PrincipalTag/tag-key

String

Tag attached to the requesting principal. Currently, only the session tag supported by STSToken can be used as this key.

g:PrincipalType

String

Type of the requesting principal, either User or AssumedAgency. When a long-term IAM credential is used for access, the value of this key is User. When a temporary IAM credential is used for access, the value of this key is AssumedAgency.

g:Referer

String

HTTP referer header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests.

g:RequestedRegion

String

Region that was called in a request. If the target cloud service is a global service, set this parameter to NULL. If the target cloud service is a regional service, set this parameter to the ID of the regionfor example, cn-north-4.

g:RequestTag/tag-key

String

Tag that was passed in a request.

g:ResourceAccount

String

Account ID of the requested resource owner.

g:ResourceOrgId

String

ID of the organization to which the requested resource account belongs.

g:ResourceOrgPath

String

Path in the organization to which the requested resource account belongs.

g:ResourceTag/tag-key

String

Tag attached to the requested resource. You can use this key to control that only resources with specified tags can be accessed.

g:SecureTransport

Boolean

Whether the request was sent using SSL.

g:SourceAccount

String

Account of the resource making a service-to-service request.

g:SourceUrn

String

URN of the resource making a service-to-service request.

g:SourceIdentity

String

The source_identity field that was set in the temporary IAM credential STSToken. The source_identity field is specified when a user obtains a temporary IAM credential for the first time through the AssumeAgency API of STS and cannot be changed in subsequent agency switching.

g:SourceIp

IP

Source request IP address from the public network. If the request was initiated from an ECS in a VPC through the VPC endpoint, g:VpcSourceIp instead of g:SourceIp is used.

g:SourceVpc

String

ID of the VPC from which the request was sent.

g:SourceVpce

String

ID of the VPC endpoint used to initiate the request.

g:TagKeys

String

List of tag keys in a request.

g:TokenIssueTime

Time

Time when the STSToken in the access credentials was issued.

g:UserAgent

String

HTTP User-Agent header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests.

g:PrincipalId

String

ID of the requesting principal. Different principals have different ID formats.

IAM user: <user-id>

IAM agency: <agency-id>:<session-name>

g:UserName

String

Name of an IAM user.

g:UserId

String

ID of an IAM user.

g:ViaService

Boolean

Whether the request was initiated by the cloud service on behalf of the user through the Impersonate protocol. The value of this key is true only when g:CalledVia is not an empty string.

g:VpcSourceIp

IP

Source IP address of a request initiated in a VPC.

g:EnterpriseProjectId

String

ID of the enterprise project for the request or the requested resource.
  • Multivalued condition keys
    1. ForAllValues: Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.
    2. ForAnyValue: Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. The condition returns false if there are no matching keys in the request, or if the key value resolves to an empty data set.
      Condition Operators
      Figure 2 Condition operators
      1. If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.

        For condition operators that contain Not (such as StringNotEquals), the request value cannot match any of the condition values.

      2. The AND operation is used between different condition keys of the same operator. It is also used between different operators.

Operators

A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. The operator suffix IfExists indicates that a policy is applied if a request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy is applied if a request value is empty or equal to the specified condition value. Operators are string operators. They are not case-sensitive unless otherwise specified.

  • String
    Table 3 String condition operators

    Type

    Operator

    Description

    String

    StringEquals

    Exact matching, case sensitive

    StringNotEquals

    Negated matching, case sensitive

    StringEqualsIgnoreCase

    Exact matching, ignoring case

    StringNotEqualsIgnoreCase

    Negated matching, ignoring case

    StringMatch

    Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.

    StringNotMatch

    Negated case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
  • Numeric
    Table 4 Numeric condition operators

    Type

    Operator

    Description

    Numeric

    NumberEquals

    Matching

    NumberNotEquals

    Negated matching

    NumberLessThan

    "Less than" matching

    NumberLessThanEquals

    "Less than or equals" matching

    NumberGreaterThan

    "Greater than" matching

    NumberGreaterThanEquals

    "Greater than or equals" matching
  • Date
    Table 5 Date condition operators

    Type

    Operator

    Description

    Date

    DateLessThan

    Matching before a specific date and time

    DateLessThanEquals

    Matching at or before a specific date and time

    DateGreaterThan

    Matching after a specific date and time

    DateGreaterThanEquals

    Matching at or after a specific date and time
  • Boolean
    Table 6 Boolean condition operators

    Type

    Operator

    Description

    Bool

    Bool

    Boolean conditions let you construct condition elements that restrict access based on comparing a key to "true" or "false."
  • Null
    Table 7 Null condition operators

    Type

    Operator

    Description

    Null

    Null

    You can use a Null condition operator to check if a condition key is absent at the time of authorization. In the policy statement, you can use either "true" (the key does not exist or is null) or "false" (the key exists and its value is not null).
  • IP
    Table 8 IP condition operators

    Type

    Operator

    Description

    IP

    IpAddress

    IP address or IP address range

    NotIpAddress

    All IP addresses beyond a specific IP address or IP address range
  • IfExists operator suffix

    You can add "IfExists" to the end of any condition operator name except the "Null condition", for example, StringEqualsIfExists. If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true.

Parent topic: Overview of an SCP