SCP Syntax
The following uses a custom policy for RAM as an example to describe the SCP syntax.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:create" ], "Resource": [ "*" ], "Condition": { "ForAnyValue:StringNotEquals": { "g:RequestTag/owner": [ "Alice", "Jack" ] } } } ] }
Policy Structure
A policy consists of a version and a single statement or an array of individual statements, each indicating a different action.
Policy Elements
The following table describes the policy elements (Version and Statement).
Element |
Mandatory |
Description |
Value |
|
---|---|---|---|---|
Version |
Yes |
Policy version. |
5.0 (cannot be customized) |
|
Statement: Permissions defined by a policy |
Statement ID (Sid) |
No |
Identifier of a policy statement. You can assign a Sid value for each statement in a statement array. |
A user-defined character string |
Effect |
Yes |
Determines whether to allow or deny the operations defined in an action. |
NOTE:
|
|
Action |
Mandatory for Allow statements Either Action or NotAction for Deny statements |
Operations that the SCP allows or denies. |
Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options. The wildcard characters (*) and (?) in an element can be used only by itself or at the end of the string. They cannot be used at the beginning or middle of the string. For example, "obs:bucket:ListAllMybuckets" indicates the permission to list all OBS buckets. |
|
NotAction |
Not available for Allow statements. Either Action or NotAction for Deny statements. |
Operations or services that are exempt from the SCP. A Deny statement denies all operations except those in the NotAction list. |
In the same format as Action |
|
Condition |
Not available for Allow statements. |
Determines when a policy is in effect. A condition consists of a condition key and a condition operator. |
Format: "Condition operator:{Condition key:[Value 1,Value 2]}" If you configure multiple conditions, the policy can be applied only when all the conditions are met. Example: "StringEndWithIfExists":{"g:UserName":["specialCharactor"]}: This statement is valid for users whose names end with specialCharactor. |
|
Resource |
No If this element is not specified, * is used by default, indicating that the SCP applies to all resources. |
Resources that the SCP applies to. |
The value can only be * for Allow statements. The value can be either * or a specific resource for Deny statements. Format: Service name:Region:Domain ID:Resource type:Resource path. Wildcard characters (*) are supported, indicating all resources. Example:
|
The following elements are not supported in SCPs:
- Principal
- NotPrincipal
- NotResource
Condition Keys
- Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, Organizations automatically obtains user information and authenticates users. For details, see Table 2.
- Service-specific condition keys (with the abbreviation of a service name as the prefix, for example, ram:) apply only to operations of that service. For details, see the service-specific condition keys of each service in Actions Supported by SCP-based Authorization.
Global Condition Key |
Type |
Description |
---|---|---|
g:CalledVia |
String |
Used to control access across services. |
g:CalledViaFirst |
String |
The first element in the g:CalledVia key. |
g:CalledViaLast |
String |
The last element in the g:CalledVia key. |
g:CurrentTime |
Time |
Time when an authentication request was received. The time is in ISO 8601 format, for example, 2023-11-11T23:59:59Z. |
g:DomainName |
String |
Account name of the requester. |
g:DomainId |
String |
Account ID of the requester. |
g:MFAPresent |
Boolean |
Whether to use multi-factor authentication (MFA) to obtain a token |
g:MFAAge |
Numeric |
Validity period of the token obtained using MFA. This condition must be used together with g:MFAPresent. |
g:PrincipalAccount |
String |
Same attribute as g:DomainId. |
g:PrincipalUrn |
String |
URN of the requester. Different principals have different URN formats. IAM user: iam::<domain-id>:user:<user-name> IAM agency: sts::<domain-id>:assumed-agency:<agency-name>/<session-name> |
g:PrincipalIsRootUser |
Boolean |
Whether the requesting principal is a root user. This key is included in all requests. |
g:PrincipalIsService |
Boolean |
Whether the requesting principal is a cloud service. You can use this key to control whether only cloud services can access the specified APIs. |
g:PrincipalOrgId |
String |
ID of the organization to which the requesting principal belongs. You can use this key to specify that only requesting principals in the specified organization can access the specified APIs. |
g:PrincipalOrgManagementAccountId |
String |
Management account ID of the organization to which the requesting principal belongs. |
g:PrincipalOrgPath |
String |
Organization path for the requesting account. You can use this key to control that only accounts at specified levels in the organization can access the specified APIs. The format of an account's organization path is as follows: <organization-id>/<root-id>/(<ou-id>/)*<account-id> |
g:PrincipalServiceName |
String |
Name of the cloud service principal of the requester. |
g:PrincipalTag/tag-key |
String |
Tag attached to the requesting principal. Currently, only the session tag supported by STSToken can be used as this key. |
g:PrincipalType |
String |
Type of the requesting principal, either User or AssumedAgency. When a long-term IAM credential is used for access, the value of this key is User. When a temporary IAM credential is used for access, the value of this key is AssumedAgency. |
g:Referer |
String |
HTTP referer header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests. |
g:RequestedRegion |
String |
Region that was called in a request. If the target cloud service is a global service, set this parameter to NULL. If the target cloud service is a regional service, set this parameter to the ID of the regionfor example, cn-north-4. |
g:RequestTag/tag-key |
String |
Tag that was passed in a request. |
g:ResourceAccount |
String |
Account ID of the requested resource owner. |
g:ResourceOrgId |
String |
ID of the organization to which the requested resource account belongs. |
g:ResourceOrgPath |
String |
Path in the organization to which the requested resource account belongs. |
g:ResourceTag/tag-key |
String |
Tag attached to the requested resource. You can use this key to control that only resources with specified tags can be accessed. |
g:SecureTransport |
Boolean |
Whether the request was sent using SSL. |
g:SourceAccount |
String |
Account of the resource making a service-to-service request. |
g:SourceUrn |
String |
URN of the resource making a service-to-service request. |
g:SourceIdentity |
String |
The source_identity field that was set in the temporary IAM credential STSToken. The source_identity field is specified when a user obtains a temporary IAM credential for the first time through the AssumeAgency API of STS and cannot be changed in subsequent agency switching. |
g:SourceIp |
IP |
Source request IP address from the public network. If the request was initiated from an ECS in a VPC through the VPC endpoint, g:VpcSourceIp instead of g:SourceIp is used. |
g:SourceVpc |
String |
ID of the VPC from which the request was sent. |
g:SourceVpce |
String |
ID of the VPC endpoint used to initiate the request. |
g:TagKeys |
String |
List of tag keys in a request. |
g:TokenIssueTime |
Time |
Time when the STSToken in the access credentials was issued. |
g:UserAgent |
String |
HTTP User-Agent header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests. |
g:PrincipalId |
String |
ID of the requesting principal. Different principals have different ID formats. IAM user: <user-id> IAM agency: <agency-id>:<session-name> |
g:UserName |
String |
Name of an IAM user. |
g:UserId |
String |
ID of an IAM user. |
g:ViaService |
Boolean |
Whether the request was initiated by the cloud service on behalf of the user through the Impersonate protocol. The value of this key is true only when g:CalledVia is not an empty string. |
g:VpcSourceIp |
IP |
Source IP address of a request initiated in a VPC. |
g:EnterpriseProjectId |
String |
ID of the enterprise project for the request or the requested resource. |
- Multivalued condition keys
- ForAllValues: Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.
- ForAnyValue: Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. The condition returns false if there are no matching keys in the request, or if the key value resolves to an empty data set.
Condition OperatorsFigure 2 Condition operators
- If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
For condition operators that contain Not (such as StringNotEquals), the request value cannot match any of the condition values.
- The AND operation is used between different condition keys of the same operator. It is also used between different operators.
- If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
Operators
A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. The operator suffix IfExists indicates that a policy is applied if a request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy is applied if a request value is empty or equal to the specified condition value. Operators are string operators. They are not case-sensitive unless otherwise specified.
- String
Table 3 String condition operators Type
Operator
Description
String
StringEquals
Exact matching, case sensitive
StringNotEquals
Negated matching, case sensitive
StringEqualsIgnoreCase
Exact matching, ignoring case
StringNotEqualsIgnoreCase
Negated matching, ignoring case
StringMatch
Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
StringNotMatch
Negated case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
- Numeric
Table 4 Numeric condition operators Type
Operator
Description
Numeric
NumberEquals
Matching
NumberNotEquals
Negated matching
NumberLessThan
"Less than" matching
NumberLessThanEquals
"Less than or equals" matching
NumberGreaterThan
"Greater than" matching
NumberGreaterThanEquals
"Greater than or equals" matching
- Date
Table 5 Date condition operators Type
Operator
Description
Date
DateLessThan
Matching before a specific date and time
DateLessThanEquals
Matching at or before a specific date and time
DateGreaterThan
Matching after a specific date and time
DateGreaterThanEquals
Matching at or after a specific date and time
- Boolean
Table 6 Boolean condition operators Type
Operator
Description
Bool
Bool
Boolean conditions let you construct condition elements that restrict access based on comparing a key to "true" or "false."
- Null
Table 7 Null condition operators Type
Operator
Description
Null
Null
You can use a Null condition operator to check if a condition key is absent at the time of authorization. In the policy statement, you can use either "true" (the key does not exist or is null) or "false" (the key exists and its value is not null).
- IP
Table 8 IP condition operators Type
Operator
Description
IP
IpAddress
IP address or IP address range
NotIpAddress
All IP addresses beyond a specific IP address or IP address range
- IfExists operator suffix
You can add "IfExists" to the end of any condition operator name except the "Null condition", for example, StringEqualsIfExists. If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot