Host Security Service (HSS)
The Organizations service provides Service Control Policies (SCPs) to set access control policies.
SCPs do not actually grant any permissions to a principal. They only set the permission boundary for the principal. When SCPs are attached to an OU or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU.
This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.
For details about how to use these elements to create a custom SCP, see Creating an SCP.
Actions
Actions are specific operations that are allowed or denied in an SCP.
- Access Level indicates how the action is classified. The value can be list, read, or write. This classification helps you understand the level of access that an action grants when you use it in an SCP.
- The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
- If this column includes a resource type, you must specify the resource URN in the Resource element of your statements.
- Required resources are marked with asterisks (*) in the table.
For details about the resource types defined by HSS, see Resource.
- The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
- If the Resource Type column has values for an action, the condition key only takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about the condition keys defined by HSS, see Conditions.
The following table lists the actions that you can define in SCP statements for HSS.
Action |
Description |
Access Level |
Resource Type (* required) |
Condition Key |
|---|---|---|---|---|
hss:host:addHostsGroup |
Grants permission to create a server group. |
write |
host * |
g:EnterpriseProjectId |
hss:ars:addPWLPolicyHost |
Grants permission to add servers to a whitelist policy. |
write |
host * |
g:EnterpriseProjectId |
hss:rasp:addRaspPolicy |
Grants permission to add protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:safetyReport:addSecurityReport |
Grants permission to create or copy new reports. |
write |
- |
g:EnterpriseProjectId |
hss:wtp:addTimingOffConfigInfo |
Grants permission to add the configuration of scheduled protection disabling. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:addWtpHostProtectDirInfo |
Grants permission to add protected directories. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:addWtpPrivilegedProcessInfo |
Grants permission to add privileged processes. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:changeAutoKillVirusStatus |
Grants permission to enable or disable automatic program isolation and killing. |
write |
- |
g:EnterpriseProjectId |
hss:event:changeBlockedIp |
Grants permissions for unblocking. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:changeMalwareCollectStatus |
Grants permission to enable or disable the sample collection for malware cloud scans. |
write |
- |
g:EnterpriseProjectId |
hss:ars:changePWLPolicy |
Grants permission to modify whitelist policies. |
write |
- |
g:EnterpriseProjectId |
hss:ars:changePWLPolicyProcessStatus |
Grants permission to mark the whitelist policy identification processes. |
write |
- |
g:EnterpriseProjectId |
hss:safetyReport:changeSecurityReport |
Grants permission to modify reports. |
write |
- |
g:EnterpriseProjectId |
hss:ars:createPWLPolicy |
Grants permission to create whitelist policies. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:deletePWLPolicy |
Grants permission to delete whitelist policies. |
write |
- |
g:EnterpriseProjectId |
hss:ars:deletePWLPolicyHost |
Grants permission to delete servers from a whitelist policy. |
write |
host * |
g:EnterpriseProjectId |
hss:antiransomware:deleteRansomwareDuplicationInfo |
Grants permission to delete backup copies. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:deleteRansomwareProtectionPolicy |
Grants permission to delete protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:rasp:deleteRaspPolicy |
Grants permission to delete protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:safetyReport:deleteSecurityReport |
Grants permission to delete reports. |
write |
- |
g:EnterpriseProjectId |
hss:wtp:deleteTimingOffConfigInfo |
Grants permission to delete the configuration of scheduled protection disabling. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:deleteWtpBackupHostInfo |
Grants permission to delete the remote backup server. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:deleteWtpHostProtectDirInfo |
Grants permission to delete protected directories. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:deleteWtpPrivilegedProcessInfo |
Grants permission to delete privileged processes. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:getAgentInstallScript |
Grants permission to query the agent installation script. |
read |
- |
g:EnterpriseProjectId |
hss:setting:getAlarmConfig |
Grants permission to query alarm configurations. |
read |
- |
g:EnterpriseProjectId |
hss:rasp:getAppRaspSwitchStatus |
Grants permission to query application protection status (enabled or disabled). |
read |
host * |
g:EnterpriseProjectId |
hss:setting:getAutoKillVirusStatus |
Grants permission to query the automatic isolation and killing status of programs. |
read |
- |
g:EnterpriseProjectId |
hss:container:getContainerNodeStatistics |
Grants permission to query container node protection overview statistics. |
read |
- |
g:EnterpriseProjectId |
hss:keyfile:getFileStatistic |
Grants permission to obtain server file statistics. |
read |
- |
g:EnterpriseProjectId |
hss:setting:getMalwareCollectStatus |
Grants permission to query the status of the sample collection configuration switch for malware cloud scans. |
read |
- |
g:EnterpriseProjectId |
hss:setting:getMalwareReminders |
Grants permission to obtain prompt information configurations. |
read |
- |
g:EnterpriseProjectId |
hss:securitycheck:getManualSecurityCheckStatus |
Grants permission to query the status and progress of manual health checks. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewAssetGroupsStatistics |
Grants permission to obtain business group distribution statistics and identify regular, important, and core assets. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewAssetOsStatistics |
Grants permission to obtain OS distribution statistics. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewAssetStatistics |
Grants permission to obtain asset statistics, including servers, containers, and images. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewAttckMitre |
Grants permission to investigate responses (ATT&CK attack path matrix). |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewDefenseStatistics |
Grants permission to obtain proactive defense statistics. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewProtectionStatusStatistics |
Grants permission to query the protection status of the current cloud loads. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewQuotaStatistics |
Grants permission to obtain server security statistics. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewRiskLists |
Grants permission to query the risk list. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewRiskManageStatistics |
Grants permission to obtain risk management information, including risk trends and type statistics. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewRiskScore |
Grants permission to query risk scores. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewRiskStatistics |
Grants permission to query risk statistics, security risks, security alarms, and proactive defense. |
read |
- |
g:EnterpriseProjectId |
hss:overview:getOverviewTrialsStatistics |
Grants permission to try server risk statistics. |
read |
- |
g:EnterpriseProjectId |
hss:antiransomware:getRansomwareBackupInfoByBackupId |
Grants permission to query specified backup information. |
read |
- |
g:EnterpriseProjectId |
hss:antiransomware:getRansomwareHSSBackupPolicyInfo |
Grants permission to query backup policy information. |
read |
- |
g:EnterpriseProjectId |
hss:antiransomware:getRansomwareBackupStatistics |
Grants permission to query backup statistics. |
read |
- |
g:EnterpriseProjectId |
hss:antiransomware:getRansomwareProtectionStatistics |
Grants permission to query protection statistics. |
read |
- |
g:EnterpriseProjectId |
hss:antiransomware:getRansomwareVaultInfo |
Grants permission to query backup vault information. |
read |
- |
g:EnterpriseProjectId |
hss:rasp:getRaspPolicyDetail |
Grants permission to query protection policy details. |
read |
- |
g:EnterpriseProjectId |
hss:rasp:getRaspProtectStatistics |
Grants permission to obtain protection data statistics. |
read |
- |
g:EnterpriseProjectId |
hss:wtp:getRaspSwitchStatus |
Grants permission to query whether the dynamic WTP is enabled. |
read |
host * |
g:EnterpriseProjectId |
hss:securitycheck:getSecurityCheckConfig |
Grants permission to query security check schedules. |
read |
- |
g:EnterpriseProjectId |
hss:securitycheck:getSecurityCheckHostReport |
Grants permission to query the security check report of a specified server. |
read |
host * |
g:EnterpriseProjectId |
hss:securitycheck:getSecurityCheckOverview |
Grants permission to query the security check overview. |
read |
- |
g:EnterpriseProjectId |
hss:securitycheck:getSecurityCheckStatistic |
Grants permission to query security check statistics. |
read |
- |
g:EnterpriseProjectId |
hss:safetyReport:getSecurityReport |
Grants permission to query the content of the security report. |
read |
- |
g:EnterpriseProjectId |
hss:safetyReport:getSecurityReportSubscription |
Grants permission to query the content of a report subscription. |
read |
- |
g:EnterpriseProjectId |
hss:wtp:getTimingOffStatusInfo |
Grants permission to query whether a protection configuration is in the scheduled disabling list. |
read |
host * |
g:EnterpriseProjectId |
hss:wtp:getWtpDashboardProtectStatistics |
Grants permission to query protection statistics. |
read |
- |
g:EnterpriseProjectId |
hss:wtp:getWtpDirectory |
Grants permission to query the Tomcat bin directory for dynamic WTP. |
read |
host * |
g:EnterpriseProjectId |
hss:wtp:getWtpDirectoryMonitorOnlyStatus |
Grants permission to query the status of the monitoring-only switch. |
read |
host * |
g:EnterpriseProjectId |
hss:wtp:getWtpPrivilegedProcessesChildStatus |
Grants permission to display the trust status of privileged subprocesses. |
read |
host * |
g:EnterpriseProjectId |
hss:wtp:getWtpRemoteBackupHostInfo |
Grants permission to query information about the remote backup server. |
read |
host * |
g:EnterpriseProjectId |
hss:setting:listAgentVersion |
Grants permission to query agent versions. |
list |
- |
g:EnterpriseProjectId |
hss:container:listContainerNodes |
Grants permission to query the container node list. |
list |
- |
g:EnterpriseProjectId |
hss:keyfile:listFileEvents |
Grants permission to obtain the list of changed files. |
list |
- |
g:EnterpriseProjectId |
hss:keyfile:listFileHostEventDetails |
Grants permission to obtain details about change files on a server. |
list |
host * |
g:EnterpriseProjectId |
hss:keyfile:listFileHosts |
Grants permission to obtain the ECS change list. |
list |
- |
g:EnterpriseProjectId |
hss:host:listHostGroups |
Grants permission to query the server group list. |
list |
- |
g:EnterpriseProjectId |
hss:setting:listLoginCommonIp |
Grants permission to query common login IP addresses. |
list |
- |
g:EnterpriseProjectId |
hss:setting:listLoginCommonLocation |
Grants permission to query common login locations. |
list |
- |
g:EnterpriseProjectId |
hss:setting:listLoginWhiteIp |
Grants permission to query the login IP address whitelist. |
list |
- |
g:EnterpriseProjectId |
hss:policy:listPolicyGroup |
Grants permission to query the policy group list. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listPortHost |
Grants permission to query asset fingerprints - port - server list. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listProcessesHost |
Grants permission to query asset fingerprints - process - server list. |
list |
- |
g:EnterpriseProjectId |
hss:ars:listPWLEvent |
Grants permission to query process whitelist events. |
list |
- |
g:EnterpriseProjectId |
hss:ars:listPwlPolicy |
Grants permission to query the process whitelist policy list. |
list |
- |
g:EnterpriseProjectId |
hss:ars:listPwlPolicyHost |
Grants permission to query the servers associated with a process whitelist policy. |
list |
- |
g:EnterpriseProjectId |
hss:ars:listPwlPolicyProcess |
Grants permission to query the process whitelist policy identification processes. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:listRansomwareBackedupByHostId |
Grants permission to query the vulnerability list. |
list |
host * |
g:EnterpriseProjectId |
hss:antiransomware:listRansomwareOperationLogsByVaultName |
Grants permission to query the backup and restoration task list. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:listRansomwareProtectionOptionalServer |
Grants permission to query the servers under ransomware protection. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:listRansomwareProtectionPolicy |
Grants permission to query protection policies. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:listRansomwareProtectionServer |
Grants permission to query servers protected against ransomware. |
list |
- |
g:EnterpriseProjectId |
hss:rasp:listRaspCheckFeatureRule |
Grants permission to query detection rules. |
list |
- |
g:EnterpriseProjectId |
hss:rasp:listRaspEvents |
Grants permission to query application protection events. |
list |
- |
g:EnterpriseProjectId |
hss:rasp:listRaspPolicies |
Grants permission to query protection policies. |
list |
- |
g:EnterpriseProjectId |
hss:rasp:listRaspProtectionServers |
Grants permission to query protected servers. |
list |
- |
g:EnterpriseProjectId |
hss:securitycheck:listSecurityCheckHostReportHistory |
Grants permission to query historical security check reports of a specified server. |
list |
host * |
g:EnterpriseProjectId |
hss:securitycheck:listSecurityCheckHostResult |
Grants permission to query the security check results of servers. |
list |
- |
g:EnterpriseProjectId |
hss:safetyReport:listSecurityReport |
Grants permission to query the list on the report overview page. |
list |
- |
g:EnterpriseProjectId |
hss:safetyReport:listSecurityReportHistoryPeriod |
Grants permission to query the statistical period list of historical reports. |
list |
- |
g:EnterpriseProjectId |
hss:safetyReport:listSecurityReportSendingRecord |
Grants permission to query report sending records. |
list |
- |
g:EnterpriseProjectId |
hss:wtp:listTimingOffConfigInfo |
Grants permission to query the scheduled disabling list. |
list |
host * |
g:EnterpriseProjectId |
hss:setting:listTwoFactorLoginHost |
Grants permission to query the list of servers with 2FA enabled. |
list |
- |
g:EnterpriseProjectId |
hss:wtp:listWtpBackupHostsInfo |
Grants permission to query the remote backup server. |
list |
- |
g:EnterpriseProjectId |
hss:wtp:listWtpHostProtectDirInfo |
Grants permission to query protected directories. |
list |
host * |
g:EnterpriseProjectId |
hss:wtp:listWtpHostProtectHistoryInfo |
Grants permission to query the static WTP status of the server. |
list |
- |
g:EnterpriseProjectId |
hss:wtp:listWtpHostRaspProtectHistoryInfo |
Grants permission to query the dynamic WTP status of the server. |
list |
- |
g:EnterpriseProjectId |
hss:wtp:listWtpPrivilegedProcessesInfo |
Grants permission to query privileged process configurations. |
list |
host * |
g:EnterpriseProjectId |
hss:wtp:listWtpProtectHost |
Grants permission to query the protection list. |
list |
- |
g:EnterpriseProjectId |
hss:setting:modifyLoginCommonIp |
Grants permission to add, edit, or delete common login IP addresses. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:modifyLoginCommonLocation |
Grants permission to add, edit, or delete common login locations. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:modifyLoginWhiteIp |
Grants permission to add, edit, or delete the login IP address whitelist. |
write |
host * |
g:EnterpriseProjectId |
hss:ars:operatePWLEvent |
Grants permission to handle events. |
write |
- |
g:EnterpriseProjectId |
hss:ars:relearnPWLPolicy |
Grants permission to relearn whitelist policies. |
write |
host * |
g:EnterpriseProjectId |
hss:overview:resetOverviewRiskScore |
Grants permission to reset risk scores and perform health checks again. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:restoreRansomwareDuplicationInfo |
Grants permission to back up and restore data. |
write |
- |
g:EnterpriseProjectId |
hss:safetyReport:sendSecurityReport |
Grants permission to send security reports. |
write |
- |
g:EnterpriseProjectId |
hss:setting:setAlarmConfig |
Grants permission to configure prompt information. |
write |
- |
g:EnterpriseProjectId |
hss:setting:setMalwareReminders |
Grants permission to configure prompt information. |
write |
- |
g:EnterpriseProjectId |
hss:wtp:setRemoteWtpBackupInfo |
Grants permission to enable or disable remote backup. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:setTimingOffSwitchInfo |
Grants permission to set the status of the scheduled protection disabling. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:setTwoFactorLoginConfig |
Grants permission to configure 2FA login. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:setWtpDirectoryMonitorOnlyStatus |
Grants permission to configure the monitoring-only switch. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:setWtpPrivilegedProcessesChildStatus |
Grants permission to set the trust status of privileged subprocesses. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:setWtpProtectionStatusInfo |
Grants permission to enable or disable WTP. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:setWtpProtectSwitch |
Grants permission to enable or disable dynamic WTP. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:setWtpScheduledProtectionDateOffConfigInfo |
Grants permission to configure the frequency and period for automatically disabling protection. |
write |
host * |
g:EnterpriseProjectId |
hss:securitycheck:startManualSecurityCheck |
Grants permission to start a manual health check. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:startRansomwareBackupSingle |
Grants permission to enable the backup function for a single server. |
write |
host * |
g:EnterpriseProjectId |
hss:antiransomware:startRansomwareProtection |
Grants permission to enable ransomware protection. |
write |
host * |
g:EnterpriseProjectId |
hss:antiransomware:startRansomwareProtectionSingle |
Grants permission to enable ransomware protection for a single server. |
write |
host * |
g:EnterpriseProjectId |
hss:securitycheck:stopManualSecurityCheck |
Grants permission to cancel a manual health check. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:stopRansomwareProtection |
Grants permission to disable ransomware protection. |
write |
host * |
g:EnterpriseProjectId |
hss:container:switchContainerProtectStatus |
Grants permission to switch the protection status. |
write |
host * |
g:EnterpriseProjectId |
hss:ars:switchPWLPolicyHost |
Grants permission to enable or disable a server whitelist policy. |
write |
host * |
g:EnterpriseProjectId |
hss:rasp:switchRasp |
Grants permission to enable or disable application protection. |
write |
host * |
g:EnterpriseProjectId |
hss:safetyReport:switchSecurityReportStatus |
Grants permission to enable or disable security reports. |
write |
- |
g:EnterpriseProjectId |
hss:wtp:switchWtpHostProtectDirInfo |
Grants permission to enable or disable directory protection. |
write |
host * |
g:EnterpriseProjectId |
hss:host:uninstallAgents |
Grants permission to uninstall the agent. |
write |
host * |
g:EnterpriseProjectId |
hss:setting:updateAlarmConfig |
Grants permission to configure alarm configurations. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:updateRansomwareBackupPolicyInfo |
Grants permission to modify backup policies. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:updateRansomwareProtectionPolicy |
Grants permission to modify protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:rasp:updateRaspPolicy |
Grants permission to modify protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:securitycheck:updateSecurityCheckConfig |
Grants permission to modify security check schedules. |
write |
- |
g:EnterpriseProjectId |
hss:wtp:updateTimingOffConfigInfo |
Grants permission to modify the configuration of scheduled protection disabling. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:updateWtpBackupHostInfo |
Grants permission to add or modify a remote backup server. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:updateWtpDirectoryInfo |
Grants permission to modify the Tomcat bin directory of dynamic WTP. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:updateWtpHostProtectDirInfo |
Grants permission to modify protected directories. |
write |
host * |
g:EnterpriseProjectId |
hss:wtp:updateWtpPrivilegedProcessInfo |
Grants permission to modify privileged processes. |
write |
host * |
g:EnterpriseProjectId |
hss:asset:addValuesLevel |
Grants permission to configure asset management - server management - asset importance. |
write |
host * |
g:EnterpriseProjectId |
hss:asset:batchModifyPortStatus |
Grants permission to change port status. |
write |
host * |
g:EnterpriseProjectId |
hss:asset:deleteToolConditionHistory |
Grants permission to clear the search records of tools (operation tool). |
write |
- |
g:EnterpriseProjectId |
hss:asset:executeTool |
Grants permission to perform search with tools (operation tools). |
write |
- |
g:EnterpriseProjectId |
hss:asset:getAccountTop |
Grants permission to obtain asset management - overview - top accounts. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getAgentStatisticsStatus |
Grants permission to obtain asset management - overview - asset status - server agent status. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getAssetStatistic |
Grants permission to obtain asset statistics, including accounts, ports, and processes. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getAssetType |
Grants permission to obtain asset management - overview - asset status - asset distribution. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getAutoLaunchTop |
Grants permission to obtain asset management - overview - top auto-started items. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getCommonPort |
Grants permission to display details about a port. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getContainerProtectionStatus |
Grants permission to obtain asset management - overview - asset status - container protection status. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getCoreConfFileTop |
Grants permission to obtain asset management - overview - top key configurations. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getEnvironmentTop |
Grants permission to obtain asset management - overview - top environment variables. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getHostAssetManualCollectStatus |
Grants permission to obtain the status of the API for immediately collecting the asset fingerprints of a server. |
read |
host * |
g:EnterpriseProjectId |
hss:asset:getHostProtectionStatus |
Grants permission to obtain asset management - overview - asset status - agent status. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getJarPackageTop |
Grants permission to obtain asset management - overview - top JAR packages. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getKernelModuleTop |
Grants permission to obtain asset management - overview - top kernel modules. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getOsStatisticsInfo |
Grants permission to obtain asset management - overview - asset status - OS statistics. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getPorcessTop |
Grants permission to obtain asset management - overview - top processes. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getPortTop |
Grants permission to obtain asset management - overview - top ports. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getQuotaStatisticsInfo |
Grants permission to obtain asset management - overview - asset status - protection quota statistics. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getSoftwareTop |
Grants permission to obtain asset management - overview - top software. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getWebAppAndServiceTop |
Grants permission to obtain asset management - overview - top web apps and services. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getWebAppTop |
Grants permission to obtain asset management - overview - top web applications. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getWebFrameworkTop |
Grants permission to obtain asset management - overview - top web frameworks. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getWebServiceTop |
Grants permission to obtain asset management - overview - top web services. |
read |
- |
g:EnterpriseProjectId |
hss:asset:getWebSiteTop |
Grants permission to obtain asset management - overview - top websites. |
read |
- |
g:EnterpriseProjectId |
hss:asset:listAppChangeHistories |
Grants permission to obtain asset fingerprints – software information – operation history. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listApps |
Grants permission to obtain asset fingerprints of a single server – software. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listAppStatistics |
Grants permission to obtain asset fingerprints – software information. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listAutoLaunchChangeHistories |
Grants permission to obtain asset fingerprints - auto-started items - change history. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listAutoLaunchs |
Grants permission to obtain asset fingerprints of a server - auto-started items. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listAutoLaunchStatistics |
Grants permission to obtain asset fingerprints - auto-start items. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listCoreConfFileHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of key configuration files. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listCoreConfFileInfo |
Grants permission to obtain asset management - server management - fingerprint type - key configurations. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listCoreConfFileStatistics |
Grants permission to obtain asset management - asset fingerprints - key configuration file navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listEnvironmentHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of key environment variables (on the right of asset fingerprints). |
list |
- |
g:EnterpriseProjectId |
hss:asset:listEnvironmentInfo |
Grants permission to obtain asset management - server management - fingerprint type - environment variables. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listEnvironmentStatistics |
Grants permission to obtain asset management - asset fingerprints - environment variable file navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listJarPackageHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of JAR packages. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listJarPackageInfo |
Grants permission to obtain asset management - server management - fingerprint type - JAR packages. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listJarPackageStatistics |
Grants permission to obtain asset management - asset fingerprints - JAR package navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listKernelModuleHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of kernel modules. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listKernelModuleInfo |
Grants permission to obtain asset management - server management - fingerprint type - kernel modules. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listKernelModuleStatistics |
Grants permission to obtain asset management - asset fingerprints - kernel module navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listPorts |
Grants permission to obtain single-server asset fingerprint (open port information). |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listPortStatistics |
Grants permission to obtain asset fingerprints (open port information). |
list |
- |
g:EnterpriseProjectId |
hss:asset:listProcesses |
Grants permission to obtain the process list. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listProcessStatistics |
Grants permission to obtain asset fingerprints (process information). |
list |
- |
g:EnterpriseProjectId |
hss:asset:listResult |
Grants permission to obtain execution results (operation tools). |
list |
- |
g:EnterpriseProjectId |
hss:asset:listTool |
Grants permission to obtain the tool list (operation tools). |
list |
- |
g:EnterpriseProjectId |
hss:asset:listToolConditionHistory |
Grants permission to obtain the search records of tools (operation tools). |
list |
- |
g:EnterpriseProjectId |
hss:asset:listUserChangeHistories |
Grants permission to obtain the account change history. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listUserGroup |
Grants permission to obtain the user group list. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listUsers |
Grants permission to obtain the account list of assets. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listUserStatistics |
Grants permission to obtain asset fingerprints - software information. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebAppAndServices |
Grants permission to obtain asset management - asset fingerprints - web app and service assets on the right. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebAppAndServiceStatistics |
Grants permission to obtain asset management - asset fingerprints - web app and service navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebAppHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of web applications. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebAppInfo |
Grants permission to obtain asset management - server management - fingerprint type - web applications. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listWebAppStatistics |
Grants permission to obtain asset management - asset fingerprints - web application navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebFrameworkHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of web frameworks. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebFrameworkInfo |
Grants permission to obtain asset management - server management - fingerprint type - web frameworks. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listWebFrameworkStatistics |
Grants permission to obtain asset management - asset fingerprints - web framework navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebServiceHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of web servers. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebServiceInfo |
Grants permission to obtain asset management - server management - fingerprint type - web services. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listWebServiceStatistics |
Grants permission to obtain asset management - asset fingerprints - web services navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebSiteHostInfo |
Grants permission to obtain asset management - asset fingerprints - the server list of websites. |
list |
- |
g:EnterpriseProjectId |
hss:asset:listWebSiteInfo |
Grants permission to obtain asset management - server management - fingerprint type - websites. |
list |
host * |
g:EnterpriseProjectId |
hss:asset:listWebSiteStatistics |
Grants permission to obtain asset management - asset fingerprints - website navigation tree on the left. |
list |
- |
g:EnterpriseProjectId |
hss:asset:runHostAssetManualCollect |
Grants permission to immediately collect the asset fingerprints of a server. |
write |
host * |
g:EnterpriseProjectId |
hss:baseline:addSecurityCheckPolicyGroup |
Grants permission to create a configuration detection policy. |
write |
- |
g:EnterpriseProjectId |
hss:baseline:changeCheckRuleState |
Grants permission to ignore, unignore, repair, and verify failed configuration check items. |
write |
baseline * |
g:EnterpriseProjectId |
hss:baseline:deleteSecurityCheckPolicyGroup |
Grants permission to delete a specified configuration detection policy. |
write |
- |
g:EnterpriseProjectId |
hss:baseline:exportSecurityCheckReport |
Grants permission to export the configuration detection report. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:getBaselineOverview |
Grants permission to query baseline check statistics. |
read |
- |
g:EnterpriseProjectId |
hss:baseline:getBaselineScanStatus |
Grants permission to query the progress of a baseline check task. |
read |
- |
g:EnterpriseProjectId |
hss:baseline:getBaselineStatistic |
Grants permission to query baseline check statistics, including weak passwords, password complexity, and configuration detection. |
read |
- |
g:EnterpriseProjectId |
hss:baseline:getCheckRuleDetail |
Grants permission to query the check report of a configuration check item. |
read |
baseline * |
g:EnterpriseProjectId |
hss:baseline:getCheckRuleFixFailDetail |
Grants permission to query the cause of the check item repair failure. |
read |
baseline * |
g:EnterpriseProjectId |
hss:baseline:getDefaultSecurityCheckPolicy |
Grants permission to query the default baseline of a configuration detection policy. |
read |
- |
g:EnterpriseProjectId |
hss:baseline:getDefaultSecurityCheckPolicyDetails |
Grants permission to query detailed baseline check items. |
read |
- |
g:EnterpriseProjectId |
hss:baseline:getRiskConfigDetail |
Grants permission to query the check result of a specified security configuration item. |
read |
- |
g:EnterpriseProjectId |
hss:baseline:listCheckRuleHost |
Grants permission to query servers covered by a configuration check item. |
list |
baseline * |
g:EnterpriseProjectId |
hss:baseline:listPasswordComplexity |
Grants permission to query the password complexity policy check report. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:listRiskConfigCheckRules |
Grants permission to query the check item list of a specified security configuration item. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:listRiskConfigHosts |
Grants permission to query servers affected by a specified security configuration item. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:listRiskConfigs |
Grants permission to query the server security configuration check result list of a tenant. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:listSecurityCheckPolicyGroup |
Grants permission to query the list of configuration detection policy groups. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:listWeakPasswordUsers |
Grants permission to query the weak password detection results. |
list |
- |
g:EnterpriseProjectId |
hss:baseline:runBaselineDetect |
Grants manual detection permissions. Performs configuration detection and weak password detection on the servers specified in the policy. |
write |
- |
g:EnterpriseProjectId |
hss:baseline:updateSecurityCheckPolicyGroup |
Grants permission to modify a specified configuration detection policy. |
write |
- |
g:EnterpriseProjectId |
hss:event:addLoginWhiteList |
Grants permission to add a login whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:event:batchChangeEvent |
Grants permission to handle alarm events in batches. |
write |
- |
g:EnterpriseProjectId |
hss:event:changeEvent |
Grants permission to handle alarm events. |
write |
event * |
g:EnterpriseProjectId |
hss:event:changeIsolatedFile |
Grants permission to restore isolated files. |
write |
host * |
g:EnterpriseProjectId |
hss:event:exportAlarmWhiteList |
Grants permission to export the alarm whitelist. |
list |
- |
g:EnterpriseProjectId |
hss:event:exportEmergency |
Grants permissions to export emergency malware interfaces. |
list |
- |
g:EnterpriseProjectId |
hss:event:getEmergencyStatistics |
Grants permission to obtain emergency event statistics. |
read |
- |
g:EnterpriseProjectId |
hss:event:getEventAttackTag |
Grants permission to query the list of attack ID distribution statistics. |
read |
- |
g:EnterpriseProjectId |
hss:event:getEventSeverity |
Grants permission to query the list of threat level statistics. |
read |
- |
g:EnterpriseProjectId |
hss:event:getEventStatistics |
Grants permission to query alarm event statistics. |
read |
- |
g:EnterpriseProjectId |
hss:event:getMalwareInfo |
Grants permission to obtain the list of unexpected malicious program events. |
read |
event * |
g:EnterpriseProjectId |
hss:event:handleMalwareEvent |
Grants permission to handle malware. |
write |
event * |
g:EnterpriseProjectId |
hss:event:importAlarmWhiteList |
Grants permission to import an alarm whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:event:isolateOperateEmergency |
Grants permission to enable or disable the isolation box. |
write |
- |
g:EnterpriseProjectId |
hss:event:listAlarmWhiteList |
Grants permission to query the alarm whitelist. |
list |
- |
g:EnterpriseProjectId |
hss:event:listBlockedIp |
Grants permission to query the list of blocked IP addresses. |
list |
- |
g:EnterpriseProjectId |
hss:event:listEventOperates |
Grants permission to query the handling types supported by events. |
list |
- |
g:EnterpriseProjectId |
hss:event:listEventTopRisk |
Grants permission to query the list of top 10 event type statistics. |
list |
- |
g:EnterpriseProjectId |
hss:event:listEventType |
Grants permission to query the list of event type statistics. |
list |
- |
g:EnterpriseProjectId |
hss:event:listFileIsolateList |
Grants permission to obtain the list of files isolated due to unexpected malware events. |
list |
- |
g:EnterpriseProjectId |
hss:event:listIsolatedFile |
Grants permission to query the isolated file list. |
list |
- |
g:EnterpriseProjectId |
hss:event:listLoginWhiteList |
Grants permission to query the login whitelist. |
list |
- |
g:EnterpriseProjectId |
hss:event:listMalware |
Grants permission to obtain the list of unexpected malicious program events. |
list |
- |
g:EnterpriseProjectId |
hss:event:listSecurityEvents |
Grants permission to query the intrusion event list. |
list |
- |
g:EnterpriseProjectId |
hss:event:recoverIsolateFile |
Grants permission to restore the file isolation box. |
write |
- |
g:EnterpriseProjectId |
hss:event:removeAlarmWhiteList |
Grants permission to delete an alarm whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:event:removeLoginWhiteList |
Grants permission to delete a login whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:host:associateHostAssetValue |
Grants permission to associate asset importance. |
write |
host * |
g:EnterpriseProjectId |
hss:host:associateHostsGroup |
Grants permission to allocate servers to a server group. |
write |
host * |
g:EnterpriseProjectId |
hss:host:batchInstallAgent |
Grants permission to install agents in batches. |
write |
host * |
g:EnterpriseProjectId |
hss:host:changeHostsGroup |
Grants permission to edit a server group. |
write |
- |
g:EnterpriseProjectId |
hss:host:deleteHostsGroup |
Grants permission to delete a server group. |
write |
- |
g:EnterpriseProjectId |
hss:host:getHostsStatistics |
Grants permission to collect server statistics. |
read |
- |
g:EnterpriseProjectId |
hss:host:listFirewallStatus |
Grants permission to query the firewall status of a server. |
read |
host * |
g:EnterpriseProjectId |
hss:host:listHostGroupAssetValue |
Grants permission to query the list of server groups by asset importance. |
list |
- |
g:EnterpriseProjectId |
hss:host:listHostsRisk |
Grants permission to obtain ECS risk status. |
read |
host * |
g:EnterpriseProjectId |
hss:host:listHostStatus |
Grants permission to query the list of protected servers. |
list |
- |
g:EnterpriseProjectId |
hss:host:listHostsUpgrade |
Grants permission to obtain the agent upgrade status of a server. |
read |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:host:manualCheckVul |
Grants permission to manually detect vulnerabilities. |
write |
- |
g:EnterpriseProjectId |
hss:host:switchFirewallStatus |
Grants permission to modify the firewall authorization status. |
write |
host * |
g:EnterpriseProjectId |
hss:host:switchHostsProtectStatus |
Grants permission to switch the protection status. |
write |
host * |
g:EnterpriseProjectId |
hss:host:upgradeAgent |
Grants permission to upgrade the agent from 1.0 to 2.0. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:host:upgradeAgents |
Grants permission to upgrade the agent. |
write |
host * |
g:EnterpriseProjectId |
hss:image:batchScanLocalImage |
Grants permission to perform local image scanning. |
write |
- |
g:EnterpriseProjectId |
hss:image:batchScanPrivateImage |
Grants permission to scan images in private image repositories in batches. |
write |
- |
g:EnterpriseProjectId |
hss:image:getImageFilesStat |
Grants permission to query image file statistics. |
read |
- |
g:EnterpriseProjectId |
hss:image:getImageLocalVulOverview |
Grants permission to query local vulnerabilities. |
read |
- |
g:EnterpriseProjectId |
hss:image:getImageVulOverview |
Grants permission to query repository vulnerabilities. |
read |
- |
g:EnterpriseProjectId |
hss:image:listCfgCheckAffectedImage |
Grants permission to query the list of images affected by a tenant image that failed baseline checks. |
list |
- |
g:EnterpriseProjectId |
hss:image:listGlobalCfgCheck |
Grants permission to query container image baseline inspection results. |
list |
- |
g:EnterpriseProjectId |
hss:image:listGlobalMalware |
Grants permission to query the list of malicious tenant files. |
list |
- |
g:EnterpriseProjectId |
hss:image:listGlobalVul |
Grants permission to query vulnerability details about a tenant image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageApps |
Grants permission to query the image software list. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageAppVul |
Grants permission to query the software vulnerability list. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageCfgCheck |
Grants permission to query configuration baseline check results of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageFiles |
Grants permission to query the list of image files that have no owners. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageLocal |
Grants permission to query the local image list. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageMalware |
Grants permission to query the list of malicious image files. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageNamespace |
Grants permission to query the namespace of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageRepository |
Grants permission to query the list of images in a private image repository. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageVul |
Grants permission to query image vulnerability details. |
list |
- |
g:EnterpriseProjectId |
hss:image:listInstanceImageVul |
Grants permission to query vulnerability details about enterprise images. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageApp |
Grants permission to query the local software image list. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageAppVuls |
Grants permission to query the vulnerability list of a piece of software in a local image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageContainers |
Grants permission to query the container information about a local image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageHosts |
Grants permission to query the server information about a local image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageMalware |
Grants permission to query malicious file information about local images. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageVuls |
Grants permission to query vulnerability information about a local image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalVulRepoImage |
Grants permission to query details about images and containers affected by local image vulnerabilities. |
list |
- |
g:EnterpriseProjectId |
hss:image:listPrivateImageRepository |
Grants permission to query the list of images in a private image repository. |
list |
- |
g:EnterpriseProjectId |
hss:image:listSharedImageRepository |
Grants permission to query the list of images in the shared image repository. |
list |
- |
g:EnterpriseProjectId |
hss:image:listVulCve |
Grants permission to query CVE details about a vulnerability. |
list |
- |
g:EnterpriseProjectId |
hss:image:listVulRepoImage |
Grants permission to query details about images in the image repository affected by a vulnerability. |
list |
- |
g:EnterpriseProjectId |
hss:image:runImageScan |
Grants permission to scan images. |
write |
- |
g:EnterpriseProjectId |
hss:image:runImageSynchronizeTask |
Grants permission to synchronize the free image list from SWR. |
write |
- |
g:EnterpriseProjectId |
hss:image:runSwrImageScan |
Grants permission to update and scan SWR images and to access SWR. |
write |
- |
g:EnterpriseProjectId |
hss:image:sharedImageSynchronization |
Grants permission to update images shared from SWR. |
write |
- |
g:EnterpriseProjectId |
hss:policy:addPolicyGroup |
Grants permission to copy server policy groups. |
write |
policy * |
g:EnterpriseProjectId |
hss:policy:associatePolicyGroup |
Grants permission to deploy a policy. |
write |
policy * |
g:EnterpriseProjectId |
host * |
g:EnterpriseProjectId |
|||
hss:policy:changePolicyDetail |
Grants permission to modify a policy. |
write |
policy * |
g:EnterpriseProjectId |
hss:policy:changePolicyGroup |
Grants permission to modify policy groups. |
write |
policy * |
g:EnterpriseProjectId |
hss:policy:deletePolicyGroup |
Grants permission to delete policy groups. |
write |
policy * |
g:EnterpriseProjectId |
hss:policy:getPolicyDetail |
Grants permission to query details about a specified policy. |
read |
policy * |
g:EnterpriseProjectId |
hss:policy:listPolicyGroupDetail |
Grants permission to query the policy information list of a policy group. |
list |
policy * |
g:EnterpriseProjectId |
hss:quota:addResourceInstanceTag |
Grants permission to add tags to a resource. |
tagging |
- |
|
hss:quota:batchCreateTags |
Grants permission to create tags in batches. |
write |
- |
|
hss:quota:batchDeleteTags |
Grants permission to delete tags in batches. |
write |
- |
|
hss:quota:cancelHostsQuota |
Grants permission to unbind quotas. |
write |
- |
- |
hss:quota:changeTmsResourceTagInfo |
Grants permission to add or delete resource tags in batches. |
write |
- |
|
hss:quota:countResourceInstances |
Grants permission to query the number of purchased resources by tag. |
list |
- |
|
hss:quota:dealOrder |
Grants permission to subscribe to HSS. |
write |
- |
- |
hss:quota:deleteResourceInstanceTag |
Grants permission to delete tags from a resource. |
tagging |
- |
|
hss:quota:filterResourceInstanceList |
Grants permission to search for purchased resources by tag. |
list |
- |
|
hss:quota:getResourceInstanceTag |
Grants permission to query tags of a resource. |
read |
- |
- |
hss:quota:getResourceQuotas |
Grants permission to query quota information. |
read |
- |
- |
hss:quota:getTmsResourceTagsInfo |
Grants permission to query resource tags. |
read |
- |
- |
hss:quota:listProjectTags |
Grants permission to query all used tags in the current project. |
list |
- |
- |
hss:quota:listQuotasDetail |
Grants permission to query quota details. |
list |
- |
- |
hss:quota:listResourceIds |
Grants permission to query quota IDs in batches. |
list |
- |
- |
hss:quota:listTmsResourceInstancesInfo |
Grants permission to query resource instances. |
list |
- |
|
hss:quota:upgradeOrder |
Grants permission to change specifications. |
write |
- |
- |
hss:vulnerability:changeVulStatus |
Grants permission to modify the status of a vulnerability. |
write |
host * |
g:EnterpriseProjectId |
hss:vulnerability:exportEmergencyVulnerabilities |
Grants permission to export emergency vulnerabilities. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:exportVulsList |
Grants permission to export information about vulnerabilities and their affected servers. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:getCmsVulDetail |
Grants permission to query basic information about the Web-CMS vulnerabilities. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getEmergencySummary |
Grants permission to query the event overview. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getEmergencyVulDetail |
Grants permission to query vulnerability details in events. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getLinuxVulDetail |
Grants permission to query basic information about Linux vulnerabilities. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulCheckStatus |
Grants permission to query the status of server vulnerability scanning. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulSummary |
Grants permission to query vulnerability statistics. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getWindosVulDetail |
Grants permission to query basic information about Windows vulnerabilities. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getWindowsVulNum |
Grants permission to query the number of Windows vulnerabilities on a server. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listEmergencyVul |
Grants permission to query vulnerabilities in events. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listHostVuls |
Grants permission to query vulnerability information about a single server. |
list |
host * |
g:EnterpriseProjectId |
hss:vulnerability:listHostVulSummary |
Grants permission to query server statistics and top 5 risky servers. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listTopVulSummary |
Grants permission to query top 5 vulnerabilities. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHosts |
Grants permission to query ECSs affected by a specific vulnerability. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulnerabilities |
Grants permission to query the vulnerability list. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulRepairFailedDetail |
Grants permission to query information about vulnerability fixing failures. |
list |
host * |
g:EnterpriseProjectId |
hss:vulnerability:listVulTypeSummary |
Grants permission to query vulnerability type distribution. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:operateEmergency |
Grants permission to operate vulnerabilities in events. |
write |
- |
g:EnterpriseProjectId |
hss:host:getScanStatus |
Grants permission to query the manual scan status. |
read |
host * |
g:EnterpriseProjectId |
hss:host:setManualDetect |
Grants permission to deliver a manual scan. |
write |
host * |
g:EnterpriseProjectId |
hss::getTrustServiceStatus |
Grants permission to obtain the status of trusted services. |
read |
- |
- |
hss::enableTrustService |
Grants permission to enable trusted services. |
permission_management |
- |
- |
hss::validateAdmin |
Grants permission to check whether the current account is an administrator account (organization administrator or agency administrator). |
tagging |
- |
- |
hss::listAccounts |
Grants permission to display the account list. |
list |
- |
- |
hss::batchAddAccounts |
Grant permission to add accounts in batches. |
write |
- |
- |
hss::deleteAccount |
Grants permission to delete accounts. |
write |
- |
- |
hss::listOrganizationTree |
Grants permission to display the account tree structure. |
list |
- |
- |
hss::listDelegatedAccounts |
Grants permission to query the tree structure of delegated accounts. |
list |
- |
- |
hss:antiransomware:listBackupVaults |
Grants permission to query the backup vault list. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:listRansomwareProtectionNodes |
Grants permission to query servers protected against ransomware. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:getBackupsStatistics |
Grants permission to query backup statistics. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:startSingleBackup |
Grants permission to enable the backup function for a single server. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:antiransomware:getBackupPolicyInfo |
Grants permission to query a backup policy. |
read |
- |
g:EnterpriseProjectId |
hss:hostGroup:getOutsideGroupStatus |
Grants permission to query whether data center server groups can be created. |
read |
- |
g:EnterpriseProjectId |
hss:hostGroup:getOutsideHostGroup |
Grants permission to query off-cloud data center server groups. |
read |
- |
g:EnterpriseProjectId |
hss:hostGroup:addOutsideHostGroup |
Grants permission to create off-cloud data center server groups. |
write |
- |
g:EnterpriseProjectId |
hss:hostGroup:changeOutsideHostGroup |
Grants permission to edit off-cloud data center server groups. |
write |
- |
g:EnterpriseProjectId |
hss:images:listImageTag |
Grant the permission to query the image tag version list. |
list |
- |
g:EnterpriseProjectId |
hss:images:listImageSensitive |
Grants permission to query sensitive image information. |
list |
- |
g:EnterpriseProjectId |
hss:images:getFilePathWhiteDetail |
Grants permission to query the sensitive information file path whitelist of images. |
read |
- |
g:EnterpriseProjectId |
hss:images:changeFilePathWhiteDetail |
Grants permission to modify the sensitive information file path whitelist of images. |
write |
- |
g:EnterpriseProjectId |
hss:images:changeSensitiveInfo |
Grants permission to perform operations on sensitive information. |
write |
- |
g:EnterpriseProjectId |
hss:event:listTopEventType |
Grants permission to query the statistics about the top 5 events. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulScanPolicy |
Grants permission to query a vulnerability scan policy. |
read |
- |
- |
hss:vulnerability:changeVulScanPolicy |
Grants permission to modify a vulnerability scan policy. |
write |
host * |
- |
hss:vulnerability:listVulWhiteList |
Grants permission to query the vulnerability whitelist. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulWhiteListDetail |
Grants permission to query vulnerability whitelist details. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:changeVulWhiteList |
Grants permission to modify the vulnerability whitelist. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:vulnerability:deleteVulWhiteList |
Grants permission to delete an item from the vulnerability whitelist. |
write |
- |
- |
hss:vulnerability:addVulWhiteList |
Grants permission to add an item to the vulnerability whitelist. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:vulnerability:listVulWhiteListVulOptions |
Grants permission to query vulnerability options when adding a whitelist item. |
list |
- |
- |
hss:vulnerability:listVulScanTask |
Grants permission to query the vulnerability scan task list. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulScanTaskHost |
Grants permission to query the list of servers corresponding to a vulnerability scan task. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:rescanVulScanTask |
Grants permission to rescan servers in a vulnerability scan task. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:vulnerability:getVulScanTaskStatistics |
Grants permission to query vulnerability scan task statistics. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:listHostVulStatistics |
Grants permission to query vulnerability management statistics. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHostApps |
Grants permission to query details about the software list of servers affected by vulnerabilities. |
list |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:vulnerability:listVulHostProcess |
Grants permission to query details about the process list of servers affected by vulnerabilities. |
list |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:vulnerability:listVulHandleHistory |
Grants permission to query historical vulnerability handling records. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHostHosts |
Grants permission to query the list of servers with vulnerabilities. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHostVuls |
Grants permission to query emergency fixes and unfixed vulnerabilities. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHostHandleVuls |
Grants permission to query vulnerabilities handled today and the total vulnerabilities handled. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageNonCompliantApp |
Grants permission to query the non-compliant software information of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:batchExportSWRVulList |
Grants permission to export vulnerabilities from an SWR image repository in batches. |
write |
- |
g:EnterpriseProjectId |
hss:image:batchExportLocalVulList |
Grants permission to export local image vulnerabilities in batches. |
write |
- |
g:EnterpriseProjectId |
hss:image:getExtendedWeakPassword |
Grants permission to query the user-defined weak passwords of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:changeExtendedWeakPassword |
Grants permission to modify the user-defined weak passwords of an image. |
write |
- |
g:EnterpriseProjectId |
hss:image:listImageBasicImage |
Grants permission to query basic image information. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImagePwdComplexity |
Grants permission to query the password complexity check report of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageWeakPwdUsers |
Grants permission to query the image weak password check results of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageRiskConfigs |
Grants permission to query the security configuration check results of an image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageRiskConfigCheckRules |
Grants permission to query the check items of a specified image security configuration item. |
list |
- |
g:EnterpriseProjectId |
hss:image:getImageRiskConfigDetail |
Grants permission to query the check results of a specified image security configuration item. |
read |
- |
g:EnterpriseProjectId |
hss:image:getImageCheckRuleDetail |
Grants permission to query the check reports of an image configuration check item. |
read |
- |
g:EnterpriseProjectId |
hss:image:getImageBaselineStatistic |
Grants permission to query baseline check statistics, including weak passwords, password complexity, and configuration detection. |
read |
- |
g:EnterpriseProjectId |
hss:event:addSystemUserWhiteList |
Grants permission to add users to the system user whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:event:updateSystemUserWhiteList |
Grants permission to modify the system user whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:event:listSystemUserWhiteList |
Grants permission to query the system user whitelist. |
list |
- |
g:EnterpriseProjectId |
hss:event:removeSystemUserWhiteList |
Grants permission to remove users from the system user whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:container:saveClusters |
Grants permission to synchronize cluster information. |
write |
- |
g:EnterpriseProjectId |
hss:container:listClusterInfo |
Grants permission to query the Kubernetes cluster list. |
list |
- |
g:EnterpriseProjectId |
hss:container:listPodInfo |
Grants permission to query the basic pod information list. |
list |
- |
g:EnterpriseProjectId |
hss:container:showPodDetail |
Grants permission to query pod details. |
read |
- |
g:EnterpriseProjectId |
hss:container:listContainerInfo |
Grants permission to query the basic container information list. |
list |
- |
g:EnterpriseProjectId |
hss:container:showContainerDetail |
Grants permission to query container details. |
list |
- |
g:EnterpriseProjectId |
hss:container:listServiceInfo |
Grants permission to query the Kubernetes service list. |
list |
- |
g:EnterpriseProjectId |
hss:container:showServiceDetail |
Grants permission to query Kubernetes service details. |
read |
- |
g:EnterpriseProjectId |
hss:container:listEndpointInfo |
Grants permission to query the Kubernetes endpoint list. |
list |
- |
g:EnterpriseProjectId |
hss:container:showEndpointDetail |
Grants permission to query Kubernetes endpoint details. |
read |
- |
g:EnterpriseProjectId |
hss:container:listDeployments |
Grants permission to query the Kubernetes Deployment list. |
list |
- |
g:EnterpriseProjectId |
hss:container:listStatefulSets |
Grants permission to query the Kubernetes StatefulSet list. |
list |
- |
g:EnterpriseProjectId |
hss:container:listDaemonSets |
Grants permission to query the Kubernetes daemon list. |
list |
- |
g:EnterpriseProjectId |
hss:container:listJobs |
Grants permission to query the Kubernetes common job list. |
list |
- |
g:EnterpriseProjectId |
hss:container:listCronJobs |
Grants permission to query the Kubernetes scheduled task list. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:showVulAffectedStatics |
Grants permission to count the servers affected by vulnerabilities. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHandleTask |
Grants permission to query the vulnerability handling task list. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulHandleTaskDetail |
Grants permission to query vulnerability handling task details. |
list |
- |
g:EnterpriseProjectId |
hss:container:isolateK8sContainer |
Grants permission to modify the running status of the container. |
write |
- |
g:EnterpriseProjectId |
hss:container:getNetworkStatistics |
Grants permission to query the container firewall statistics status. |
list |
- |
g:EnterpriseProjectId |
hss:container:getClusters |
Grants permission to query the cluster list. |
list |
- |
g:EnterpriseProjectId |
hss:container:getClusterNetworkInfo |
Grants permission to query cluster network information. |
read |
- |
g:EnterpriseProjectId |
hss:container:getClusterPolicyList |
Grants permission to query the container network policy list. |
list |
- |
g:EnterpriseProjectId |
hss:container:deletePolicy |
Grants permission to delete container network policies. |
write |
- |
g:EnterpriseProjectId |
hss:container:createPolicy |
Grants permission to create container network policies. |
write |
- |
g:EnterpriseProjectId |
hss:container:updatePolicy |
Grants permission to update container network policies. |
write |
- |
g:EnterpriseProjectId |
hss:container:syncClusterPolicyList |
Grants permission to synchronize container network policies. |
read |
- |
g:EnterpriseProjectId |
hss:container:syncClusterList |
Grants permission to synchronize cluster namespace information. |
read |
- |
g:EnterpriseProjectId |
hss:container:getNamespaceList |
Grants permission to query the cluster namespace list. |
list |
- |
g:EnterpriseProjectId |
hss:container:getNodeList |
Grants permission to query the cluster node list. |
list |
- |
g:EnterpriseProjectId |
hss:container:syncClusterNodeList |
Grants permission to synchronize cluster nodes. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulScanTaskEstimatedTime |
Grants permission to query the estimated time of a vulnerability scan. |
read |
- |
g:EnterpriseProjectId |
hss:antiransomware:addRansomwareProtectionPolicy |
Grants permission to add ransomware protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:associateBackupPolicy |
Grants permission to apply backup policies to vaults. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:listBackupPolicy |
Grants permission to query the backup policy list. |
list |
- |
g:EnterpriseProjectId |
hss:antiransomware:associateProtectionPolicy |
Grants permission to switch ransomware protection policies. |
write |
- |
g:EnterpriseProjectId |
hss:antiransomware:batchStartProtection |
Grants permission to enable ransomware protection. |
write |
- |
g:EnterpriseProjectId |
hss:event:getEventAttCk |
Grants permission to query the list of ATT&CK attack phase statistics. |
list |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:event:downloadEventSourceFile |
Grants permission to download alarm source files. |
list |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:overview:showSecurityScore |
Grants permission to query security scores. |
list |
- |
g:EnterpriseProjectId |
hss:overview:listSecurityRisk |
Grants permission to query the security risk list. |
list |
- |
g:EnterpriseProjectId |
hss:overview:showQuotaHostStatistics |
Grants permission to query server quota statistics. |
list |
- |
g:EnterpriseProjectId |
hss:overview:showAgentStatistics |
Grants permission to query the number of agents to be upgraded, online, and offline. |
list |
- |
g:EnterpriseProjectId |
hss:overview:showHotInformation |
Grants permission to query hot news. |
list |
- |
g:EnterpriseProjectId |
hss:overview:showSecurityRisk |
Grants permission to query security risk information. |
list |
- |
g:EnterpriseProjectId |
hss:overview:showProtectStatistics |
Grants permission to query the protection period, virus library update time, vulnerability library update time, and accumulated number of records of each module. |
list |
- |
g:EnterpriseProjectId |
hss:overview:showStatistics |
Grants permission to query the numbers of servers with enabled ransomware protection, application protection, web tamper protection, and two-factor authentication; and the number of isolated files. |
list |
- |
g:EnterpriseProjectId |
hss:event:listEventHandleHistory |
Grants permission to query the list of historical events handling. |
list |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:image:listSwrImageRepository |
Grants permission to query the image list in the SWR image repository. |
list |
- |
g:EnterpriseProjectId |
hss:image:batchScanSwrImage |
Grants permission to scan images in the image repository in batches. |
write |
- |
g:EnterpriseProjectId |
hss:image:vulnerabilities |
Grants permission to query image vulnerability details. |
list |
- |
g:EnterpriseProjectId |
hss:image:listVulnerabilityCve |
Grants permission to query CVE details about a vulnerability. |
list |
- |
g:EnterpriseProjectId |
hss:image:listImageRiskConfigRules |
Grants permission to query the check items of a specified image security configuration item. |
list |
- |
g:EnterpriseProjectId |
hss:image:runImageSynchronize |
Grants permission to synchronize the image list from SWR. |
write |
- |
g:EnterpriseProjectId |
hss:event:listEventForensic |
Grants permission to query event forensics information. |
list |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:event:listSimilarHandledEvents |
Grants permission to query similar handled alarms. |
list |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:event:listSameEvent |
Grants permission to query the same alarms. |
list |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:container:getPolicies |
Grants permission to query the policy list. |
list |
- |
g:EnterpriseProjectId |
hss:container:getPolicyDetail |
Grants permission to query policy details. |
list |
- |
g:EnterpriseProjectId |
hss:container:getOverview |
Grants permission to query cluster protection overview. |
list |
- |
g:EnterpriseProjectId |
hss:container:getProtectEvents |
Grants permission to query cluster protection events. |
list |
- |
g:EnterpriseProjectId |
hss:container:getProtectClusters |
Grants permission to query cluster protection information. |
list |
- |
g:EnterpriseProjectId |
hss:container:changeProtectStatus |
Grants permission to change the cluster protection status. |
write |
- |
g:EnterpriseProjectId |
hss:container:addWhiteImage |
Grants permission to add images to the whitelist. |
write |
- |
g:EnterpriseProjectId |
hss:container:listDefaultPolicy |
Grants permission to query the default policy template. |
list |
- |
g:EnterpriseProjectId |
hss:container:listProtectionItem |
Grants permission to query the protection scope. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulBackupStatistics |
Grants permission to query backup statistics of the server corresponding to the vulnerability handling. |
read |
- |
g:EnterpriseProjectId |
hss:vulnerability:ListVulHostVaults |
Grants permission to query the list of server vaults corresponding to vulnerability handling. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:ListVulHostBackups |
Grants permission to query the list of backups that can be rolled back. |
list |
host * |
g:EnterpriseProjectId |
hss:vulnerability:RestoreVulHostBackup |
Grants permission to roll back with backups. |
write |
- |
g:EnterpriseProjectId |
hss:event:exportEvent |
Grants permission to export event alarms. |
write |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:event:queryExportTask |
Grants permission to query the task of exporting event alarms. |
read |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:event:downloadEvent |
Grants permission to download event alarms. |
read |
event * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:createAppWhitelistPolicy |
Grants permission to create an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:listAppWhitelistPolicy |
Grants permission to query the list of application process whitelist policies. |
list |
- |
g:EnterpriseProjectId |
hss:ars:changeAppWhitelistPolicy |
Grants permission to modify an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:deleteAppWhitelistPolicy |
Grants permission to delete an application process whitelist policy. |
write |
- |
g:EnterpriseProjectId |
hss:ars:showAppWhitelistPolicy |
Grants permission to query the application process whitelist policy information. |
list |
- |
g:EnterpriseProjectId |
hss:ars:switchAppWhitelistPolicyHost |
Grants permission to modify the protection status of an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:addAppWhitelistPolicyHost |
Grant permissions to add servers to an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:listAppWhitelistPolicyHost |
Grants permission to query the server list for an application process whitelist policy. |
list |
- |
g:EnterpriseProjectId |
hss:ars:deleteAppWhitelistPolicyHost |
Grants permission to remove servers from an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:listAppWhitelistHostStatus |
Grants permission to query the list of available servers for an application process whitelist policy. |
list |
- |
g:EnterpriseProjectId |
hss:ars:listAppWhitelistPolicyProcess |
Grants permission to query the list of processes that an application process whitelist policy applies to. |
list |
- |
g:EnterpriseProjectId |
hss:ars:changeAppWhitelistPolicyProcessStatus |
Grants permission to modify the process trust status of an application process whitelist policy. |
write |
- |
g:EnterpriseProjectId |
hss:ars:addAppWhitelistPolicyProcess |
Grants permission to add processes to an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:listAppWhitelistPolicyProcessExtend |
Grants permission to query the extended process list for an application process whitelist policy. |
list |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:exportAppWhitelistPolicyProcess |
Grants permission to export the list of processes that an application process whitelist policy applies to. |
list |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:switchAppWhitelistPolicyLearnStatus |
Grants permission to modify the learning status of an application process whitelist policy. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:ars:showAppWhitelistAgentStatics |
Grants permission to query the number of servers that are protected by the premium edition and do not support application process control. |
list |
- |
g:EnterpriseProjectId |
hss:ars:listAppWhitelistEvent |
Grants permission to query the list of suspicious process events detected by application process control. |
list |
- |
g:EnterpriseProjectId |
hss:container:deleteSelfBuildK8sClusterDaemonsetInfo |
Grants permission to delete a daemonset of the self-built cluster. |
write |
- |
g:EnterpriseProjectId |
hss:container:saveSelfBuildK8sClusterDaemonsetInfo |
Grants permission to save a daemonset of the self-built cluster. |
write |
- |
g:EnterpriseProjectId |
hss:container:showSelfBuildK8sClusterDaemonsetInfo |
Grants permission to query a daemonset of the self-built cluster. |
read |
- |
g:EnterpriseProjectId |
hss:container:listSelfBuildK8sClusterInfo |
Grants permission to query the self-built Kubernetes cluster list. |
list |
- |
g:EnterpriseProjectId |
hss:container:createDaemonset |
Grants permission to create a daemonset of CCE cluster. |
write |
- |
g:EnterpriseProjectId |
hss:vulnerability:listVulRepairCmds |
Grants permission to query vulnerability fixing commands. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:listUrgentVulnerabilities |
Grants permission to query the emergency vulnerability list. |
list |
- |
g:EnterpriseProjectId |
hss:antivirus:createAntivirusTask |
Grants permission to create virus scan tasks. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:antivirus:listAntivirusTask |
Grants permission to query the virus scan task list. |
list |
- |
g:EnterpriseProjectId |
hss:antivirus:switchAntivirusTask |
Grants permission to cancel virus scan tasks. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:antivirus:listAntivirusHost |
Grants permission to query the list of servers available for virus scan. |
list |
- |
g:EnterpriseProjectId |
hss:antivirus:createAntivirusPolicy |
Grants permission to create custom virus scan policies. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:antivirus:listAntivirusPolicy |
Grants permission to query the list of custom virus scan policies. |
list |
- |
g:EnterpriseProjectId |
hss:antivirus:listAntivirusResult |
Grants permission to query the list of virus scan results. |
list |
- |
g:EnterpriseProjectId |
hss:antivirus:operateAntivirusResult |
Grants permission to handle virus scan results. |
write |
- |
g:EnterpriseProjectId |
hss:antivirus:exportAntivirusResult |
Grants permission to export virus scan results. |
write |
- |
g:EnterpriseProjectId |
hss:antivirus:showAntivirusStatistic |
Grants permission to query virus scan statistics. |
list |
- |
g:EnterpriseProjectId |
hss:image:showImageFullScanProgress |
Grants permission to query the progress of a full image scan. |
list |
- |
g:EnterpriseProjectId |
hss:host:changeHostIgnoreStatus |
Grants permission to ignore or unignore servers. |
write |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:host:listIgnoreHosts |
Grants permission to query ignored servers. |
list |
host * |
- |
- |
g:EnterpriseProjectId |
|||
hss:image:batchExportBaselineTask |
Grants permission to export image baseline check results. |
write |
- |
g:EnterpriseProjectId |
hss:image:showImageSecurityReportStatistic |
Grants permission to query the number of image scan results to be exported. |
write |
- |
g:EnterpriseProjectId |
hss:vulnerability:exportVuls |
Grants permission to create vulnerability export tasks. |
write |
- |
g:EnterpriseProjectId |
hss:exportTask:queryExportTask |
Grants permission to query export tasks. |
list |
- |
g:EnterpriseProjectId |
hss:file:downloadExportedFile |
Grants permission to download files. |
list |
- |
g:EnterpriseProjectId |
hss:image:listGlobalVulnerabilities |
Grants permission to query vulnerability details about a tenant image. |
list |
- |
g:EnterpriseProjectId |
hss:image:listVulnerabilityImages |
Grants permission to query details about images in the image repository affected by a vulnerability. |
list |
- |
g:EnterpriseProjectId |
hss:setting:getPluginInstallScript |
Grants permission to query server plug-in information. |
list |
- |
g:EnterpriseProjectId |
hss:setting:getPluginList |
Grants permission to query the plug-in installation guide. |
list |
- |
g:EnterpriseProjectId |
hss:setting:getAutoOpenQuotaStatus |
Grants permission to query the status of automatic quota binding. |
read |
- |
g:EnterpriseProjectId |
hss:setting:changeAutoOpenQuotaStatus |
Grants permission to modify the status of automatic quota binding. |
write |
- |
g:EnterpriseProjectId |
hss:image:batchExportSWRVulTask |
Grants permission to export SWR image vulnerability scan results. |
write |
- |
g:EnterpriseProjectId |
hss:image:batchExportLocalVulTask |
Grants permission to export local image vulnerability scan results. |
write |
- |
g:EnterpriseProjectId |
hss:vulnerability:exportVulReport |
Grants permission to export vulnerability reports in HTML format. |
list |
- |
g:EnterpriseProjectId |
hss:vulnerability:getVulReportData |
Grants permission to obtain vulnerability reports in PDF format. |
list |
- |
g:EnterpriseProjectId |
hss:setting:getAgentAutoUpgradeStatus |
Grants permission to query the status of automatic agent upgrade. |
read |
- |
g:EnterpriseProjectId |
hss:setting:changeAgentAutoUpgradeStatus |
Grants permission to modify the status of automatic agent upgrade. |
write |
- |
g:EnterpriseProjectId |
hss:quota:showProductdataOfferingInfos |
Grants permission to query product information. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageAppInfo |
Grants permission to query the local software image list. |
list |
- |
g:EnterpriseProjectId |
hss:image:listLocalImageAppVulnerabilities |
Grants permission to query the vulnerability list of a piece of software in a local image. |
list |
- |
g:EnterpriseProjectId |
Each API of HSS usually supports one or more actions. Table 2 lists the supported actions and dependencies.
API |
Action |
Dependencies |
|---|---|---|
POST /v5/{project_id}/host-management/groups |
hss:host:addHostsGroup |
eps:enterpriseProjects:list |
PUT /v5/{project_id}/event/blocked-ip |
hss:event:changeBlockedIp |
eps:enterpriseProjects:list |
GET /v5/{project_id}/backup/policy |
hss:antiransomware:getRansomwareHSSBackupPolicyInfo |
eps:enterpriseProjects:list |
GET /v5/{project_id}/container/nodes |
hss:container:listContainerNodes |
eps:enterpriseProjects:list |
GET /v5/{project_id}/host-management/groups |
hss:host:listHostGroups |
eps:enterpriseProjects:list |
GET /v5/{project_id}/policy/groups |
hss:policy:listPolicyGroup |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/ports/detail |
hss:asset:listPortHost |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/processes/detail |
hss:asset:listProcessesHost |
eps:enterpriseProjects:list |
GET /v5/{project_id}/ransomware/protection/policy |
hss:antiransomware:listRansomwareProtectionPolicy |
eps:enterpriseProjects:list |
GET /v5/{project_id}/ransomware/server |
hss:antiransomware:listRansomwareProtectionServer |
eps:enterpriseProjects:list |
GET /v5/{project_id}/webtamper/static/protect-history |
hss:wtp:listWtpHostProtectHistoryInfo |
eps:enterpriseProjects:list |
GET /v5/{project_id}/webtamper/rasp/protect-history |
hss:wtp:listWtpHostRaspProtectHistoryInfo |
eps:enterpriseProjects:list |
GET /v5/{project_id}/webtamper/hosts |
hss:wtp:listWtpProtectHost |
|
POST /v5/{project_id}/webtamper/static/status |
hss:wtp:setWtpProtectionStatusInfo |
eps:enterpriseProjects:list |
POST /v5/{project_id}/webtamper/rasp/status |
hss:wtp:setWtpProtectSwitch |
eps:enterpriseProjects:list |
POST /v5/{project_id}/ransomware/protection/open |
hss:antiransomware:startRansomwareProtection |
eps:enterpriseProjects:list |
POST /v5/{project_id}/ransomware/protection/close |
hss:antiransomware:stopRansomwareProtection |
eps:enterpriseProjects:list |
PUT /v5/{project_id}/backup/policy |
hss:antiransomware:updateRansomwareBackupPolicyInfo |
eps:enterpriseProjects:list |
PUT /v5/{project_id}/ransomware/protection/policy |
hss:antiransomware:updateRansomwareProtectionPolicy |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/statistics |
hss:asset:getAssetStatistic |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/app/change-history |
hss:asset:listAppChangeHistories |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/apps |
hss:asset:listApps |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/app/statistics |
hss:asset:listAppStatistics |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/auto-launch/change-history |
hss:asset:listAutoLaunchChangeHistories |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/auto-launchs |
hss:asset:listAutoLaunchs |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/auto-launch/statistics |
hss:asset:listAutoLaunchStatistics |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/midwares/detail |
hss:asset:listJarPackageHostInfo |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/midwares |
hss:asset:listJarPackageStatistics |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/ports |
hss:asset:listPorts |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/port/statistics |
hss:asset:listPortStatistics |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/process/statistics |
hss:asset:listProcessStatistics |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/user/change-history |
hss:asset:listUserChangeHistories |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/users |
hss:asset:listUsers |
eps:enterpriseProjects:list |
GET /v5/{project_id}/asset/user/statistics |
hss:asset:listUserStatistics |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/check-rule/detail |
hss:baseline:getCheckRuleDetail |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/risk-config/{check_name}/detail |
hss:baseline:getRiskConfigDetail |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/password-complexity |
hss:baseline:listPasswordComplexity |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/risk-config/{check_name}/check-rules |
hss:baseline:listRiskConfigCheckRules |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/risk-config/{check_name}/hosts |
hss:baseline:listRiskConfigHosts |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/risk-configs |
hss:baseline:listRiskConfigs |
eps:enterpriseProjects:list |
GET /v5/{project_id}/baseline/weak-password-users |
hss:baseline:listWeakPasswordUsers |
eps:enterpriseProjects:list |
POST /v5/{project_id}/event/operate |
hss:event:changeEvent |
eps:enterpriseProjects:list |
PUT /v5/{project_id}/event/isolated-file |
hss:event:changeIsolatedFile |
eps:enterpriseProjects:list |
GET /v5/{project_id}/event/white-list/alarm |
hss:event:listAlarmWhiteList |
eps:enterpriseProjects:list |
GET /v5/{project_id}/event/blocked-ip |
hss:event:listBlockedIp |
eps:enterpriseProjects:list |
GET /v5/{project_id}/event/isolated-file |
hss:event:listIsolatedFile |
eps:enterpriseProjects:list |
GET /v5/{project_id}/event/events |
hss:event:listSecurityEvents |
eps:enterpriseProjects:list |
PUT /v5/{project_id}/host-management/groups |
hss:host:changeHostsGroup |
eps:enterpriseProjects:list |
DELETE /v5/{project_id}/host-management/groups |
hss:host:deleteHostsGroup |
eps:enterpriseProjects:list |
GET /v5/{project_id}/host-management/hosts |
hss:host:listHostStatus |
|
POST /v5/{project_id}/host-management/protection |
hss:host:switchHostsProtectStatus |
eps:enterpriseProjects:list |
POST /v5/{project_id}/policy/deploy |
hss:policy:associatePolicyGroup |
eps:enterpriseProjects:list |
POST /v5/{project_id}/{resource_type}/{resource_id}/tags/create |
hss:quota:batchCreateTags |
eps:enterpriseProjects:list |
DELETE /v5/{project_id}/{resource_type}/{resource_id}/tags/{key} |
hss:quota:deleteResourceInstanceTag |
eps:enterpriseProjects:list |
GET /v5/{project_id}/billing/quotas |
hss:quota:getResourceQuotas |
eps:enterpriseProjects:list |
GET /v5/{project_id}/billing/quotas-detail |
hss:quota:listQuotasDetail |
eps:enterpriseProjects:list |
PUT /v5/{project_id}/vulnerability/status |
hss:vulnerability:changeVulStatus |
eps:enterpriseProjects:list |
GET /v5/{project_id}/vulnerability/host/{host_id} |
hss:vulnerability:listHostVuls |
eps:enterpriseProjects:list |
GET /v5/{project_id}/vulnerability/hosts |
hss:vulnerability:listVulHosts |
eps:enterpriseProjects:list |
GET /v5/{project_id}/vulnerability/vulnerabilities |
hss:vulnerability:listVulnerabilities |
eps:enterpriseProjects:list |
GET /v5/{project_id}/vulnerability/scan-policy |
hss:vulnerability:getVulScanPolicy |
- |
PUT /v5/{project_id}/vulnerability/scan-policy |
hss:vulnerability:changeVulScanPolicy |
- |
GET /v5/{project_id}/vulnerability/scan-tasks |
hss:vulnerability:listVulScanTask |
- |
GET /v5/{project_id}/vulnerability/scan-task/{task_id}/hosts |
hss:vulnerability:listVulScanTaskHost |
- |
GET /v5/{project_id}/vulnerability/statistics |
hss:vulnerability:listHostVulStatistics |
- |
GET /v5/{project_id}/image/baseline/risk-configs |
hss:image:listImageRiskConfigs |
- |
GET /v5/{project_id}/image/baseline/check-rule/detail |
hss:image:getImageCheckRuleDetail |
- |
GET /v5/{project_id}/image/swr-repository |
hss:image:listSwrImageRepository |
- |
POST /v5/{project_id}/image/batch-scan |
hss:image:batchScanSwrImage |
- |
GET /v5/{project_id}/image/{image_id}/vulnerabilities |
hss:image:vulnerabilities |
- |
GET /v5/{project_id}/image/vulnerability/{vul_id}/cve |
hss:image:listVulnerabilityCve |
- |
GET /v5/{project_id}/image/baseline/risk-configs/{check_name}/rules |
hss:image:listImageRiskConfigRules |
- |
POST /v5/{project_id}/image/synchronize |
hss:image:runImageSynchronize |
- |
GET /v5/{project_id}/product/productdata/offering-infos |
hss:quota:showProductdataOfferingInfos |
- |
Resource
A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to define resource types.
The following table lists the resource types that you can define in SCP statements for HSS.
Conditions
HSS does not support service-specific condition keys in SCP statements.
HSS can use global condition keys applicable to all services. For details, see Global Condition Keys.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
