SCP Introduction
Definition
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. The organization management account can use SCPs to limit which permissions can be assigned to member accounts to ensure that they stay within your organization's access control guidelines. SCPs can be attached to an organization, OUs, and member accounts. Any SCP attached to an organization or OU affects all the accounts within the organization or under the OU.
Helpful links:
- SCP Principles: SCP types, how SCPs work, inheritance of SCPs, and relationship between SCPs and IAM policies
- SCP Syntax: SCP structure and parameters
Testing SCP Effects
Before applying an SCP to your production environment, it is strongly recommended that you use test accounts in a test environment first to perform thorough system design and testing. This helps avoid any unpleasant surprises in the production environment. After the SCP has been fully verified in the test environment, you can create an OU and move one or a few accounts into it at a time, to ensure that the use of resources is not inadvertently interrupted.
Do not detach the system-defined SCP FullAccess unless you replace it with a custom policy with allowed actions. If you detach FullAccess and configure a custom policy with allowed actions, you must configure actions required by services as well as iamToken::* and signin::*.
- If you detach the FullAccess SCP from the root OU, the operations for all accounts in the organization will fail. Exercise caution when detaching the FullAccess SCP because this operation is very risky.
- If you detach the FullAccess SCP from an OU, the operations for the accounts in that OU and its lower-level OUs will fail.
- If you detach the FullAccess SCP from a member account, the operations for that account will fail.
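The following is an added example, not code from the Organizations documentation or service. It models the inheritance rule stated above (an SCP attached to the root OU, an OU, or an account applies to every account at or below that node) together with the three detach cases just listed, assuming the evaluation rule from SCP Principles: an action succeeds only if the SCPs at the account and at every OU up to the root allow it, so a node with nothing attached allows nothing. The organization tree, the `ecs:*` action names and the replacement policies are constructed for the example; `iamToken::*` and `signin::*` are the two actions the note above requires.

```python
from fnmatch import fnmatchcase

# Constructed SCPs as lists of {"Effect", "Action"} statements (action names
# other than iamToken::* and signin::* are made up for the example).
FULL_ACCESS = [{"Effect": "Allow", "Action": ["*"]}]
CUSTOM_OK = [{"Effect": "Allow", "Action": ["ecs:*", "iamToken::*", "signin::*"]}]
CUSTOM_BAD = [{"Effect": "Allow", "Action": ["ecs:*"]}]  # misses the mandatory two

# Constructed hierarchy: node -> parent (the root OU has no parent).
PARENT = {"root": None, "ou-prod": "root", "ou-prod-eu": "ou-prod",
          "acct-1": "ou-prod-eu", "acct-2": "root"}

def _matches(action, patterns):
    return any(fnmatchcase(action, p) for p in patterns)

def allowed_by(scps, action):
    """An action passes one node's SCPs if some Allow matches and no Deny does."""
    allow = any(s["Effect"] == "Allow" and _matches(action, s["Action"]) for s in scps)
    deny = any(s["Effect"] == "Deny" and _matches(action, s["Action"]) for s in scps)
    return allow and not deny

def effective(attachments, account, action):
    """attachments: node -> SCPs attached there. The action must pass the SCPs
    at the account and at every OU up to the root (assumed evaluation rule);
    a node with nothing attached (FullAccess detached, no replacement) allows
    nothing, which is why the three detach cases on this page fail."""
    node = account
    while node is not None:
        if not allowed_by(attachments.get(node, []), action):
            return False
        node = PARENT[node]
    return True

def default_attachments():
    """FullAccess attached at every node: the state before anyone detaches it."""
    return {node: list(FULL_ACCESS) for node in PARENT}

def covers_required(scps, required=("iamToken::*", "signin::*")):
    """Does a custom replacement for FullAccess still allow the actions the
    page calls mandatory? Each pattern is tested as its own action string."""
    return all(allowed_by(scps, r) for r in required)

def detach_scenarios(action="ecs:createServers"):
    """Reproduce the root / OU / account detach cases for acct-1 and acct-2."""
    results = {}
    for where in ("root", "ou-prod", "acct-1"):
        att = default_attachments()
        att[where] = []  # detach FullAccess at this node, attach nothing
        results[where] = (effective(att, "acct-1", action),
                          effective(att, "acct-2", action))
    return results
```

Running `detach_scenarios()` shows the root detach failing both accounts, the OU detach failing only the account under that OU, and the account detach failing only that account; `covers_required(CUSTOM_BAD)` flags a replacement policy that would lock users out of sign-in and token issuance.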
Tasks Not Restricted by SCPs
You cannot use SCPs to restrict the following tasks:
- Any action performed by the organization management account or IAM users.
- Any action performed using permissions that are attached to a service-linked agency.
- Any API calls made by SCP-unsupported cloud services to SCP-supported cloud services. For the cloud services and regions that support SCPs, see Cloud Services for Using SCPs and Regions for Using SCPs.
- In most cases, access to the APIs of SCP-supported cloud services using a token obtained through APIs.