Updated on 2024-06-21 GMT+08:00

Host Security Service (HSS)

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permission boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • Access Level indicates how the action is classified. The value can be list, read, or write. This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the resource URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table.

    For details about the resource types defined by HSS, see Resource.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key only takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by HSS, see Conditions.

The following table lists the actions that you can define in SCP statements for HSS.

Table 1 Actions supported by HSS

Action

Description

Access Level

Resource Type (* required)

Condition Key

hss:host:addHostsGroup

Grants permission to create a server group.

write

host *

g:EnterpriseProjectId

hss:ars:addPWLPolicyHost

Grants permission to add servers to a whitelist policy.

write

host *

g:EnterpriseProjectId

hss:rasp:addRaspPolicy

Grants permission to add protection policies.

write

-

g:EnterpriseProjectId

hss:safetyReport:addSecurityReport

Grants permission to create or copy new reports.

write

-

g:EnterpriseProjectId

hss:wtp:addTimingOffConfigInfo

Grants permission to add the configuration of scheduled protection disabling.

write

host *

g:EnterpriseProjectId

hss:wtp:addWtpHostProtectDirInfo

Grants permission to add protected directories.

write

host *

g:EnterpriseProjectId

hss:wtp:addWtpPrivilegedProcessInfo

Grants permission to add privileged processes.

write

host *

g:EnterpriseProjectId

hss:setting:changeAutoKillVirusStatus

Grants permission to enable or disable automatic program isolation and killing.

write

-

g:EnterpriseProjectId

hss:event:changeBlockedIp

Grants permissions for unblocking.

write

host *

g:EnterpriseProjectId

hss:setting:changeMalwareCollectStatus

Grants permission to enable or disable the sample collection for malware cloud scans.

write

-

g:EnterpriseProjectId

hss:ars:changePWLPolicy

Grants permission to modify whitelist policies.

write

-

g:EnterpriseProjectId

hss:ars:changePWLPolicyProcessStatus

Grants permission to mark the whitelist policy identification processes.

write

-

g:EnterpriseProjectId

hss:safetyReport:changeSecurityReport

Grants permission to modify reports.

write

-

g:EnterpriseProjectId

hss:ars:createPWLPolicy

Grants permission to create whitelist policies.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:deletePWLPolicy

Grants permission to delete whitelist policies.

write

-

g:EnterpriseProjectId

hss:ars:deletePWLPolicyHost

Grants permission to delete servers from a whitelist policy.

write

host *

g:EnterpriseProjectId

hss:antiransomware:deleteRansomwareDuplicationInfo

Grants permission to delete backup copies.

write

-

g:EnterpriseProjectId

hss:antiransomware:deleteRansomwareProtectionPolicy

Grants permission to delete protection policies.

write

-

g:EnterpriseProjectId

hss:rasp:deleteRaspPolicy

Grants permission to delete protection policies.

write

-

g:EnterpriseProjectId

hss:safetyReport:deleteSecurityReport

Grants permission to delete reports.

write

-

g:EnterpriseProjectId

hss:wtp:deleteTimingOffConfigInfo

Grants permission to delete the configuration of scheduled protection disabling.

write

host *

g:EnterpriseProjectId

hss:wtp:deleteWtpBackupHostInfo

Grants permission to delete the remote backup server.

write

host *

g:EnterpriseProjectId

hss:wtp:deleteWtpHostProtectDirInfo

Grants permission to delete protected directories.

write

host *

g:EnterpriseProjectId

hss:wtp:deleteWtpPrivilegedProcessInfo

Grants permission to delete privileged processes.

write

host *

g:EnterpriseProjectId

hss:setting:getAgentInstallScript

Grants permission to query the agent installation script.

read

-

g:EnterpriseProjectId

hss:setting:getAlarmConfig

Grants permission to query alarm configurations.

read

-

g:EnterpriseProjectId

hss:rasp:getAppRaspSwitchStatus

Grants permission to query application protection status (enabled or disabled).

read

host *

g:EnterpriseProjectId

hss:setting:getAutoKillVirusStatus

Grants permission to query the automatic isolation and killing status of programs.

read

-

g:EnterpriseProjectId

hss:container:getContainerNodeStatistics

Grants permission to query container node protection overview statistics.

read

-

g:EnterpriseProjectId

hss:keyfile:getFileStatistic

Grants permission to obtain server file statistics.

read

-

g:EnterpriseProjectId

hss:setting:getMalwareCollectStatus

Grants permission to query the status of the sample collection configuration switch for malware cloud scans.

read

-

g:EnterpriseProjectId

hss:setting:getMalwareReminders

Grants permission to obtain prompt information configurations.

read

-

g:EnterpriseProjectId

hss:securitycheck:getManualSecurityCheckStatus

Grants permission to query the status and progress of manual health checks.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewAssetGroupsStatistics

Grants permission to obtain business group distribution statistics and identify regular, important, and core assets.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewAssetOsStatistics

Grants permission to obtain OS distribution statistics.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewAssetStatistics

Grants permission to obtain asset statistics, including servers, containers, and images.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewAttckMitre

Grants permission to investigate responses (ATT&CK attack path matrix).

read

-

g:EnterpriseProjectId

hss:overview:getOverviewDefenseStatistics

Grants permission to obtain proactive defense statistics.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewProtectionStatusStatistics

Grants permission to query the protection status of the current cloud loads.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewQuotaStatistics

Grants permission to obtain server security statistics.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewRiskLists

Grants permission to query the risk list.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewRiskManageStatistics

Grants permission to obtain risk management information, including risk trends and type statistics.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewRiskScore

Grants permission to query risk scores.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewRiskStatistics

Grants permission to query risk statistics, security risks, security alarms, and proactive defense.

read

-

g:EnterpriseProjectId

hss:overview:getOverviewTrialsStatistics

Grants permission to try server risk statistics.

read

-

g:EnterpriseProjectId

hss:antiransomware:getRansomwareBackupInfoByBackupId

Grants permission to query specified backup information.

read

-

g:EnterpriseProjectId

hss:antiransomware:getRansomwareHSSBackupPolicyInfo

Grants permission to query backup policy information.

read

-

g:EnterpriseProjectId

hss:antiransomware:getRansomwareBackupStatistics

Grants permission to query backup statistics.

read

-

g:EnterpriseProjectId

hss:antiransomware:getRansomwareProtectionStatistics

Grants permission to query protection statistics.

read

-

g:EnterpriseProjectId

hss:antiransomware:getRansomwareVaultInfo

Grants permission to query backup vault information.

read

-

g:EnterpriseProjectId

hss:rasp:getRaspPolicyDetail

Grants permission to query protection policy details.

read

-

g:EnterpriseProjectId

hss:rasp:getRaspProtectStatistics

Grants permission to obtain protection data statistics.

read

-

g:EnterpriseProjectId

hss:wtp:getRaspSwitchStatus

Grants permission to query whether the dynamic WTP is enabled.

read

host *

g:EnterpriseProjectId

hss:securitycheck:getSecurityCheckConfig

Grants permission to query security check schedules.

read

-

g:EnterpriseProjectId

hss:securitycheck:getSecurityCheckHostReport

Grants permission to query the security check report of a specified server.

read

host *

g:EnterpriseProjectId

hss:securitycheck:getSecurityCheckOverview

Grants permission to query the security check overview.

read

-

g:EnterpriseProjectId

hss:securitycheck:getSecurityCheckStatistic

Grants permission to query security check statistics.

read

-

g:EnterpriseProjectId

hss:safetyReport:getSecurityReport

Grants permission to query the content of the security report.

read

-

g:EnterpriseProjectId

hss:safetyReport:getSecurityReportSubscription

Grants permission to query the content of a report subscription.

read

-

g:EnterpriseProjectId

hss:wtp:getTimingOffStatusInfo

Grants permission to query whether a protection configuration is in the scheduled disabling list.

read

host *

g:EnterpriseProjectId

hss:wtp:getWtpDashboardProtectStatistics

Grants permission to query protection statistics.

read

-

g:EnterpriseProjectId

hss:wtp:getWtpDirectory

Grants permission to query the Tomcat bin directory for dynamic WTP.

read

host *

g:EnterpriseProjectId

hss:wtp:getWtpDirectoryMonitorOnlyStatus

Grants permission to query the status of the monitoring-only switch.

read

host *

g:EnterpriseProjectId

hss:wtp:getWtpPrivilegedProcessesChildStatus

Grants permission to display the trust status of privileged subprocesses.

read

host *

g:EnterpriseProjectId

hss:wtp:getWtpRemoteBackupHostInfo

Grants permission to query information about the remote backup server.

read

host *

g:EnterpriseProjectId

hss:setting:listAgentVersion

Grants permission to query agent versions.

list

-

g:EnterpriseProjectId

hss:container:listContainerNodes

Grants permission to query the container node list.

list

-

g:EnterpriseProjectId

hss:keyfile:listFileEvents

Grants permission to obtain the list of changed files.

list

-

g:EnterpriseProjectId

hss:keyfile:listFileHostEventDetails

Grants permission to obtain details about change files on a server.

list

host *

g:EnterpriseProjectId

hss:keyfile:listFileHosts

Grants permission to obtain the ECS change list.

list

-

g:EnterpriseProjectId

hss:host:listHostGroups

Grants permission to query the server group list.

list

-

g:EnterpriseProjectId

hss:setting:listLoginCommonIp

Grants permission to query common login IP addresses.

list

-

g:EnterpriseProjectId

hss:setting:listLoginCommonLocation

Grants permission to query common login locations.

list

-

g:EnterpriseProjectId

hss:setting:listLoginWhiteIp

Grants permission to query the login IP address whitelist.

list

-

g:EnterpriseProjectId

hss:policy:listPolicyGroup

Grants permission to query the policy group list.

list

-

g:EnterpriseProjectId

hss:asset:listPortHost

Grants permission to query asset fingerprints - port - server list.

list

-

g:EnterpriseProjectId

hss:asset:listProcessesHost

Grants permission to query asset fingerprints - process - server list.

list

-

g:EnterpriseProjectId

hss:ars:listPWLEvent

Grants permission to query process whitelist events.

list

-

g:EnterpriseProjectId

hss:ars:listPwlPolicy

Grants permission to query the process whitelist policy list.

list

-

g:EnterpriseProjectId

hss:ars:listPwlPolicyHost

Grants permission to query the servers associated with a process whitelist policy.

list

-

g:EnterpriseProjectId

hss:ars:listPwlPolicyProcess

Grants permission to query the process whitelist policy identification processes.

list

-

g:EnterpriseProjectId

hss:antiransomware:listRansomwareBackedupByHostId

Grants permission to query the vulnerability list.

list

host *

g:EnterpriseProjectId

hss:antiransomware:listRansomwareOperationLogsByVaultName

Grants permission to query the backup and restoration task list.

list

-

g:EnterpriseProjectId

hss:antiransomware:listRansomwareProtectionOptionalServer

Grants permission to query the servers under ransomware protection.

list

-

g:EnterpriseProjectId

hss:antiransomware:listRansomwareProtectionPolicy

Grants permission to query protection policies.

list

-

g:EnterpriseProjectId

hss:antiransomware:listRansomwareProtectionServer

Grants permission to query servers protected against ransomware.

list

-

g:EnterpriseProjectId

hss:rasp:listRaspCheckFeatureRule

Grants permission to query detection rules.

list

-

g:EnterpriseProjectId

hss:rasp:listRaspEvents

Grants permission to query application protection events.

list

-

g:EnterpriseProjectId

hss:rasp:listRaspPolicies

Grants permission to query protection policies.

list

-

g:EnterpriseProjectId

hss:rasp:listRaspProtectionServers

Grants permission to query protected servers.

list

-

g:EnterpriseProjectId

hss:securitycheck:listSecurityCheckHostReportHistory

Grants permission to query historical security check reports of a specified server.

list

host *

g:EnterpriseProjectId

hss:securitycheck:listSecurityCheckHostResult

Grants permission to query the security check results of servers.

list

-

g:EnterpriseProjectId

hss:safetyReport:listSecurityReport

Grants permission to query the list on the report overview page.

list

-

g:EnterpriseProjectId

hss:safetyReport:listSecurityReportHistoryPeriod

Grants permission to query the statistical period list of historical reports.

list

-

g:EnterpriseProjectId

hss:safetyReport:listSecurityReportSendingRecord

Grants permission to query report sending records.

list

-

g:EnterpriseProjectId

hss:wtp:listTimingOffConfigInfo

Grants permission to query the scheduled disabling list.

list

host *

g:EnterpriseProjectId

hss:setting:listTwoFactorLoginHost

Grants permission to query the list of servers with 2FA enabled.

list

-

g:EnterpriseProjectId

hss:wtp:listWtpBackupHostsInfo

Grants permission to query the remote backup server.

list

-

g:EnterpriseProjectId

hss:wtp:listWtpHostProtectDirInfo

Grants permission to query protected directories.

list

host *

g:EnterpriseProjectId

hss:wtp:listWtpHostProtectHistoryInfo

Grants permission to query the static WTP status of the server.

list

-

g:EnterpriseProjectId

hss:wtp:listWtpHostRaspProtectHistoryInfo

Grants permission to query the dynamic WTP status of the server.

list

-

g:EnterpriseProjectId

hss:wtp:listWtpPrivilegedProcessesInfo

Grants permission to query privileged process configurations.

list

host *

g:EnterpriseProjectId

hss:wtp:listWtpProtectHost

Grants permission to query the protection list.

list

-

g:EnterpriseProjectId

hss:setting:modifyLoginCommonIp

Grants permission to add, edit, or delete common login IP addresses.

write

host *

g:EnterpriseProjectId

hss:setting:modifyLoginCommonLocation

Grants permission to add, edit, or delete common login locations.

write

host *

g:EnterpriseProjectId

hss:setting:modifyLoginWhiteIp

Grants permission to add, edit, or delete the login IP address whitelist.

write

host *

g:EnterpriseProjectId

hss:ars:operatePWLEvent

Grants permission to handle events.

write

-

g:EnterpriseProjectId

hss:ars:relearnPWLPolicy

Grants permission to relearn whitelist policies.

write

host *

g:EnterpriseProjectId

hss:overview:resetOverviewRiskScore

Grants permission to reset risk scores and perform health checks again.

write

-

g:EnterpriseProjectId

hss:antiransomware:restoreRansomwareDuplicationInfo

Grants permission to back up and restore data.

write

-

g:EnterpriseProjectId

hss:safetyReport:sendSecurityReport

Grants permission to send security reports.

write

-

g:EnterpriseProjectId

hss:setting:setAlarmConfig

Grants permission to configure prompt information.

write

-

g:EnterpriseProjectId

hss:setting:setMalwareReminders

Grants permission to configure prompt information.

write

-

g:EnterpriseProjectId

hss:wtp:setRemoteWtpBackupInfo

Grants permission to enable or disable remote backup.

write

host *

g:EnterpriseProjectId

hss:wtp:setTimingOffSwitchInfo

Grants permission to set the status of the scheduled protection disabling.

write

host *

g:EnterpriseProjectId

hss:setting:setTwoFactorLoginConfig

Grants permission to configure 2FA login.

write

host *

g:EnterpriseProjectId

hss:wtp:setWtpDirectoryMonitorOnlyStatus

Grants permission to configure the monitoring-only switch.

write

host *

g:EnterpriseProjectId

hss:wtp:setWtpPrivilegedProcessesChildStatus

Grants permission to set the trust status of privileged subprocesses.

write

host *

g:EnterpriseProjectId

hss:wtp:setWtpProtectionStatusInfo

Grants permission to enable or disable WTP.

write

host *

g:EnterpriseProjectId

hss:wtp:setWtpProtectSwitch

Grants permission to enable or disable dynamic WTP.

write

host *

g:EnterpriseProjectId

hss:wtp:setWtpScheduledProtectionDateOffConfigInfo

Grants permission to configure the frequency and period for automatically disabling protection.

write

host *

g:EnterpriseProjectId

hss:securitycheck:startManualSecurityCheck

Grants permission to start a manual health check.

write

-

g:EnterpriseProjectId

hss:antiransomware:startRansomwareBackupSingle

Grants permission to enable the backup function for a single server.

write

host *

g:EnterpriseProjectId

hss:antiransomware:startRansomwareProtection

Grants permission to enable ransomware protection.

write

host *

g:EnterpriseProjectId

hss:antiransomware:startRansomwareProtectionSingle

Grants permission to enable ransomware protection for a single server.

write

host *

g:EnterpriseProjectId

hss:securitycheck:stopManualSecurityCheck

Grants permission to cancel a manual health check.

write

-

g:EnterpriseProjectId

hss:antiransomware:stopRansomwareProtection

Grants permission to disable ransomware protection.

write

host *

g:EnterpriseProjectId

hss:container:switchContainerProtectStatus

Grants permission to switch the protection status.

write

host *

g:EnterpriseProjectId

hss:ars:switchPWLPolicyHost

Grants permission to enable or disable a server whitelist policy.

write

host *

g:EnterpriseProjectId

hss:rasp:switchRasp

Grants permission to enable or disable application protection.

write

host *

g:EnterpriseProjectId

hss:safetyReport:switchSecurityReportStatus

Grants permission to enable or disable security reports.

write

-

g:EnterpriseProjectId

hss:wtp:switchWtpHostProtectDirInfo

Grants permission to enable or disable directory protection.

write

host *

g:EnterpriseProjectId

hss:host:uninstallAgents

Grants permission to uninstall the agent.

write

host *

g:EnterpriseProjectId

hss:setting:updateAlarmConfig

Grants permission to configure alarm configurations.

write

-

g:EnterpriseProjectId

hss:antiransomware:updateRansomwareBackupPolicyInfo

Grants permission to modify backup policies.

write

-

g:EnterpriseProjectId

hss:antiransomware:updateRansomwareProtectionPolicy

Grants permission to modify protection policies.

write

-

g:EnterpriseProjectId

hss:rasp:updateRaspPolicy

Grants permission to modify protection policies.

write

-

g:EnterpriseProjectId

hss:securitycheck:updateSecurityCheckConfig

Grants permission to modify security check schedules.

write

-

g:EnterpriseProjectId

hss:wtp:updateTimingOffConfigInfo

Grants permission to modify the configuration of scheduled protection disabling.

write

host *

g:EnterpriseProjectId

hss:wtp:updateWtpBackupHostInfo

Grants permission to add or modify a remote backup server.

write

host *

g:EnterpriseProjectId

hss:wtp:updateWtpDirectoryInfo

Grants permission to modify the Tomcat bin directory of dynamic WTP.

write

host *

g:EnterpriseProjectId

hss:wtp:updateWtpHostProtectDirInfo

Grants permission to modify protected directories.

write

host *

g:EnterpriseProjectId

hss:wtp:updateWtpPrivilegedProcessInfo

Grants permission to modify privileged processes.

write

host *

g:EnterpriseProjectId

hss:asset:addValuesLevel

Grants permission to configure asset management - server management - asset importance.

write

host *

g:EnterpriseProjectId

hss:asset:batchModifyPortStatus

Grants permission to change port status.

write

host *

g:EnterpriseProjectId

hss:asset:deleteToolConditionHistory

Grants permission to clear the search records of tools (operation tool).

write

-

g:EnterpriseProjectId

hss:asset:executeTool

Grants permission to perform search with tools (operation tools).

write

-

g:EnterpriseProjectId

hss:asset:getAccountTop

Grants permission to obtain asset management - overview - top accounts.

read

-

g:EnterpriseProjectId

hss:asset:getAgentStatisticsStatus

Grants permission to obtain asset management - overview - asset status - server agent status.

read

-

g:EnterpriseProjectId

hss:asset:getAssetStatistic

Grants permission to obtain asset statistics, including accounts, ports, and processes.

read

-

g:EnterpriseProjectId

hss:asset:getAssetType

Grants permission to obtain asset management - overview - asset status - asset distribution.

read

-

g:EnterpriseProjectId

hss:asset:getAutoLaunchTop

Grants permission to obtain asset management - overview - top auto-started items.

read

-

g:EnterpriseProjectId

hss:asset:getCommonPort

Grants permission to display details about a port.

read

-

g:EnterpriseProjectId

hss:asset:getContainerProtectionStatus

Grants permission to obtain asset management - overview - asset status - container protection status.

read

-

g:EnterpriseProjectId

hss:asset:getCoreConfFileTop

Grants permission to obtain asset management - overview - top key configurations.

read

-

g:EnterpriseProjectId

hss:asset:getEnvironmentTop

Grants permission to obtain asset management - overview - top environment variables.

read

-

g:EnterpriseProjectId

hss:asset:getHostAssetManualCollectStatus

Grants permission to obtain the status of the API for immediately collecting the asset fingerprints of a server.

read

host *

g:EnterpriseProjectId

hss:asset:getHostProtectionStatus

Grants permission to obtain asset management - overview - asset status - agent status.

read

-

g:EnterpriseProjectId

hss:asset:getJarPackageTop

Grants permission to obtain asset management - overview - top JAR packages.

read

-

g:EnterpriseProjectId

hss:asset:getKernelModuleTop

Grants permission to obtain asset management - overview - top kernel modules.

read

-

g:EnterpriseProjectId

hss:asset:getOsStatisticsInfo

Grants permission to obtain asset management - overview - asset status - OS statistics.

read

-

g:EnterpriseProjectId

hss:asset:getPorcessTop

Grants permission to obtain asset management - overview - top processes.

read

-

g:EnterpriseProjectId

hss:asset:getPortTop

Grants permission to obtain asset management - overview - top ports.

read

-

g:EnterpriseProjectId

hss:asset:getQuotaStatisticsInfo

Grants permission to obtain asset management - overview - asset status - protection quota statistics.

read

-

g:EnterpriseProjectId

hss:asset:getSoftwareTop

Grants permission to obtain asset management - overview - top software.

read

-

g:EnterpriseProjectId

hss:asset:getWebAppAndServiceTop

Grants permission to obtain asset management - overview - top web apps and services.

read

-

g:EnterpriseProjectId

hss:asset:getWebAppTop

Grants permission to obtain asset management - overview - top web applications.

read

-

g:EnterpriseProjectId

hss:asset:getWebFrameworkTop

Grants permission to obtain asset management - overview - top web frameworks.

read

-

g:EnterpriseProjectId

hss:asset:getWebServiceTop

Grants permission to obtain asset management - overview - top web services.

read

-

g:EnterpriseProjectId

hss:asset:getWebSiteTop

Grants permission to obtain asset management - overview - top websites.

read

-

g:EnterpriseProjectId

hss:asset:listAppChangeHistories

Grants permission to obtain asset fingerprints – software information – operation history.

list

-

g:EnterpriseProjectId

hss:asset:listApps

Grants permission to obtain asset fingerprints of a single server – software.

list

-

g:EnterpriseProjectId

hss:asset:listAppStatistics

Grants permission to obtain asset fingerprints – software information.

list

-

g:EnterpriseProjectId

hss:asset:listAutoLaunchChangeHistories

Grants permission to obtain asset fingerprints - auto-started items - change history.

list

-

g:EnterpriseProjectId

hss:asset:listAutoLaunchs

Grants permission to obtain asset fingerprints of a server - auto-started items.

list

-

g:EnterpriseProjectId

hss:asset:listAutoLaunchStatistics

Grants permission to obtain asset fingerprints - auto-start items.

list

-

g:EnterpriseProjectId

hss:asset:listCoreConfFileHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of key configuration files.

list

-

g:EnterpriseProjectId

hss:asset:listCoreConfFileInfo

Grants permission to obtain asset management - server management - fingerprint type - key configurations.

list

host *

g:EnterpriseProjectId

hss:asset:listCoreConfFileStatistics

Grants permission to obtain asset management - asset fingerprints - key configuration file navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listEnvironmentHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of key environment variables (on the right of asset fingerprints).

list

-

g:EnterpriseProjectId

hss:asset:listEnvironmentInfo

Grants permission to obtain asset management - server management - fingerprint type - environment variables.

list

host *

g:EnterpriseProjectId

hss:asset:listEnvironmentStatistics

Grants permission to obtain asset management - asset fingerprints - environment variable file navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listJarPackageHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of JAR packages.

list

-

g:EnterpriseProjectId

hss:asset:listJarPackageInfo

Grants permission to obtain asset management - server management - fingerprint type - JAR packages.

list

host *

g:EnterpriseProjectId

hss:asset:listJarPackageStatistics

Grants permission to obtain asset management - asset fingerprints - JAR package navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listKernelModuleHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of kernel modules.

list

-

g:EnterpriseProjectId

hss:asset:listKernelModuleInfo

Grants permission to obtain asset management - server management - fingerprint type - kernel modules.

list

host *

g:EnterpriseProjectId

hss:asset:listKernelModuleStatistics

Grants permission to obtain asset management - asset fingerprints - kernel module navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listPorts

Grants permission to obtain single-server asset fingerprint (open port information).

list

host *

g:EnterpriseProjectId

hss:asset:listPortStatistics

Grants permission to obtain asset fingerprints (open port information).

list

-

g:EnterpriseProjectId

hss:asset:listProcesses

Grants permission to obtain the process list.

list

host *

g:EnterpriseProjectId

hss:asset:listProcessStatistics

Grants permission to obtain asset fingerprints (process information).

list

-

g:EnterpriseProjectId

hss:asset:listResult

Grants permission to obtain execution results (operation tools).

list

-

g:EnterpriseProjectId

hss:asset:listTool

Grants permission to obtain the tool list (operation tools).

list

-

g:EnterpriseProjectId

hss:asset:listToolConditionHistory

Grants permission to obtain the search records of tools (operation tools).

list

-

g:EnterpriseProjectId

hss:asset:listUserChangeHistories

Grants permission to obtain the account change history.

list

-

g:EnterpriseProjectId

hss:asset:listUserGroup

Grants permission to obtain the user group list.

list

-

g:EnterpriseProjectId

hss:asset:listUsers

Grants permission to obtain the account list of assets.

list

-

g:EnterpriseProjectId

hss:asset:listUserStatistics

Grants permission to obtain asset fingerprints - software information.

list

-

g:EnterpriseProjectId

hss:asset:listWebAppAndServices

Grants permission to obtain asset management - asset fingerprints - web app and service assets on the right.

list

-

g:EnterpriseProjectId

hss:asset:listWebAppAndServiceStatistics

Grants permission to obtain asset management - asset fingerprints - web app and service navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listWebAppHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of web applications.

list

-

g:EnterpriseProjectId

hss:asset:listWebAppInfo

Grants permission to obtain asset management - server management - fingerprint type - web applications.

list

host *

g:EnterpriseProjectId

hss:asset:listWebAppStatistics

Grants permission to obtain asset management - asset fingerprints - web application navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listWebFrameworkHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of web frameworks.

list

-

g:EnterpriseProjectId

hss:asset:listWebFrameworkInfo

Grants permission to obtain asset management - server management - fingerprint type - web frameworks.

list

host *

g:EnterpriseProjectId

hss:asset:listWebFrameworkStatistics

Grants permission to obtain asset management - asset fingerprints - web framework navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listWebServiceHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of web servers.

list

-

g:EnterpriseProjectId

hss:asset:listWebServiceInfo

Grants permission to obtain asset management - server management - fingerprint type - web services.

list

host *

g:EnterpriseProjectId

hss:asset:listWebServiceStatistics

Grants permission to obtain asset management - asset fingerprints - web services navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:listWebSiteHostInfo

Grants permission to obtain asset management - asset fingerprints - the server list of websites.

list

-

g:EnterpriseProjectId

hss:asset:listWebSiteInfo

Grants permission to obtain asset management - server management - fingerprint type - websites.

list

host *

g:EnterpriseProjectId

hss:asset:listWebSiteStatistics

Grants permission to obtain asset management - asset fingerprints - website navigation tree on the left.

list

-

g:EnterpriseProjectId

hss:asset:runHostAssetManualCollect

Grants permission to immediately collect the asset fingerprints of a server.

write

host *

g:EnterpriseProjectId

hss:baseline:addSecurityCheckPolicyGroup

Grants permission to create a configuration detection policy.

write

-

g:EnterpriseProjectId

hss:baseline:changeCheckRuleState

Grants permission to ignore, unignore, repair, and verify failed configuration check items.

write

baseline *

g:EnterpriseProjectId

hss:baseline:deleteSecurityCheckPolicyGroup

Grants permission to delete a specified configuration detection policy.

write

-

g:EnterpriseProjectId

hss:baseline:exportSecurityCheckReport

Grants permission to export the configuration detection report.

list

-

g:EnterpriseProjectId

hss:baseline:getBaselineOverview

Grants permission to query baseline check statistics.

read

-

g:EnterpriseProjectId

hss:baseline:getBaselineScanStatus

Grants permission to query the progress of a baseline check task.

read

-

g:EnterpriseProjectId

hss:baseline:getBaselineStatistic

Grants permission to query baseline check statistics, including weak passwords, password complexity, and configuration detection.

read

-

g:EnterpriseProjectId

hss:baseline:getCheckRuleDetail

Grants permission to query the check report of a configuration check item.

read

baseline *

g:EnterpriseProjectId

hss:baseline:getCheckRuleFixFailDetail

Grants permission to query the cause of the check item repair failure.

read

baseline *

g:EnterpriseProjectId

hss:baseline:getDefaultSecurityCheckPolicy

Grants permission to query the default baseline of a configuration detection policy.

read

-

g:EnterpriseProjectId

hss:baseline:getDefaultSecurityCheckPolicyDetails

Grants permission to query detailed baseline check items.

read

-

g:EnterpriseProjectId

hss:baseline:getRiskConfigDetail

Grants permission to query the check result of a specified security configuration item.

read

-

g:EnterpriseProjectId

hss:baseline:listCheckRuleHost

Grants permission to query servers covered by a configuration check item.

list

baseline *

g:EnterpriseProjectId

hss:baseline:listPasswordComplexity

Grants permission to query the password complexity policy check report.

list

-

g:EnterpriseProjectId

hss:baseline:listRiskConfigCheckRules

Grants permission to query the check item list of a specified security configuration item.

list

-

g:EnterpriseProjectId

hss:baseline:listRiskConfigHosts

Grants permission to query servers affected by a specified security configuration item.

list

-

g:EnterpriseProjectId

hss:baseline:listRiskConfigs

Grants permission to query the server security configuration check result list of a tenant.

list

-

g:EnterpriseProjectId

hss:baseline:listSecurityCheckPolicyGroup

Grants permission to query the list of configuration detection policy groups.

list

-

g:EnterpriseProjectId

hss:baseline:listWeakPasswordUsers

Grants permission to query the weak password detection results.

list

-

g:EnterpriseProjectId

hss:baseline:runBaselineDetect

Grants manual detection permissions. Performs configuration detection and weak password detection on the servers specified in the policy.

write

-

g:EnterpriseProjectId

hss:baseline:updateSecurityCheckPolicyGroup

Grants permission to modify a specified configuration detection policy.

write

-

g:EnterpriseProjectId

hss:event:addLoginWhiteList

Grants permission to add a login whitelist.

write

-

g:EnterpriseProjectId

hss:event:batchChangeEvent

Grants permission to handle alarm events in batches.

write

-

g:EnterpriseProjectId

hss:event:changeEvent

Grants permission to handle alarm events.

write

event *

g:EnterpriseProjectId

hss:event:changeIsolatedFile

Grants permission to restore isolated files.

write

host *

g:EnterpriseProjectId

hss:event:exportAlarmWhiteList

Grants permission to export the alarm whitelist.

list

-

g:EnterpriseProjectId

hss:event:exportEmergency

Grants permissions to export emergency malware interfaces.

list

-

g:EnterpriseProjectId

hss:event:getEmergencyStatistics

Grants permission to obtain emergency event statistics.

read

-

g:EnterpriseProjectId

hss:event:getEventAttackTag

Grants permission to query the list of attack ID distribution statistics.

read

-

g:EnterpriseProjectId

hss:event:getEventSeverity

Grants permission to query the list of threat level statistics.

read

-

g:EnterpriseProjectId

hss:event:getEventStatistics

Grants permission to query alarm event statistics.

read

-

g:EnterpriseProjectId

hss:event:getMalwareInfo

Grants permission to obtain the list of unexpected malicious program events.

read

event *

g:EnterpriseProjectId

hss:event:handleMalwareEvent

Grants permission to handle malware.

write

event *

g:EnterpriseProjectId

hss:event:importAlarmWhiteList

Grants permission to import an alarm whitelist.

write

-

g:EnterpriseProjectId

hss:event:isolateOperateEmergency

Grants permission to enable or disable the isolation box.

write

-

g:EnterpriseProjectId

hss:event:listAlarmWhiteList

Grants permission to query the alarm whitelist.

list

-

g:EnterpriseProjectId

hss:event:listBlockedIp

Grants permission to query the list of blocked IP addresses.

list

-

g:EnterpriseProjectId

hss:event:listEventOperates

Grants permission to query the handling types supported by events.

list

-

g:EnterpriseProjectId

hss:event:listEventTopRisk

Grants permission to query the list of top 10 event type statistics.

list

-

g:EnterpriseProjectId

hss:event:listEventType

Grants permission to query the list of event type statistics.

list

-

g:EnterpriseProjectId

hss:event:listFileIsolateList

Grants permission to obtain the list of files isolated due to unexpected malware events.

list

-

g:EnterpriseProjectId

hss:event:listIsolatedFile

Grants permission to query the isolated file list.

list

-

g:EnterpriseProjectId

hss:event:listLoginWhiteList

Grants permission to query the login whitelist.

list

-

g:EnterpriseProjectId

hss:event:listMalware

Grants permission to obtain the list of unexpected malicious program events.

list

-

g:EnterpriseProjectId

hss:event:listSecurityEvents

Grants permission to query the intrusion event list.

list

-

g:EnterpriseProjectId

hss:event:recoverIsolateFile

Grants permission to restore the file isolation box.

write

-

g:EnterpriseProjectId

hss:event:removeAlarmWhiteList

Grants permission to delete an alarm whitelist.

write

-

g:EnterpriseProjectId

hss:event:removeLoginWhiteList

Grants permission to delete a login whitelist.

write

-

g:EnterpriseProjectId

hss:host:associateHostAssetValue

Grants permission to associate asset importance.

write

host *

g:EnterpriseProjectId

hss:host:associateHostsGroup

Grants permission to allocate servers to a server group.

write

host *

g:EnterpriseProjectId

hss:host:batchInstallAgent

Grants permission to install agents in batches.

write

host *

g:EnterpriseProjectId

hss:host:changeHostsGroup

Grants permission to edit a server group.

write

-

g:EnterpriseProjectId

hss:host:deleteHostsGroup

Grants permission to delete a server group.

write

-

g:EnterpriseProjectId

hss:host:getHostsStatistics

Grants permission to collect server statistics.

read

-

g:EnterpriseProjectId

hss:host:listFirewallStatus

Grants permission to query the firewall status of a server.

read

host *

g:EnterpriseProjectId

hss:host:listHostGroupAssetValue

Grants permission to query the list of server groups by asset importance.

list

-

g:EnterpriseProjectId

hss:host:listHostsRisk

Grants permission to obtain ECS risk status.

read

host *

g:EnterpriseProjectId

hss:host:listHostStatus

Grants permission to query the list of protected servers.

list

-

g:EnterpriseProjectId

hss:host:listHostsUpgrade

Grants permission to obtain the agent upgrade status of a server.

read

host *

-

-

g:EnterpriseProjectId

hss:host:manualCheckVul

Grants permission to manually detect vulnerabilities.

write

-

g:EnterpriseProjectId

hss:host:switchFirewallStatus

Grants permission to modify the firewall authorization status.

write

host *

g:EnterpriseProjectId

hss:host:switchHostsProtectStatus

Grants permission to switch the protection status.

write

host *

g:EnterpriseProjectId

hss:host:upgradeAgent

Grants permission to upgrade the agent from 1.0 to 2.0.

write

host *

-

-

g:EnterpriseProjectId

hss:host:upgradeAgents

Grants permission to upgrade the agent.

write

host *

g:EnterpriseProjectId

hss:image:batchScanLocalImage

Grants permission to perform local image scanning.

write

-

g:EnterpriseProjectId

hss:image:batchScanPrivateImage

Grants permission to scan images in private image repositories in batches.

write

-

g:EnterpriseProjectId

hss:image:getImageFilesStat

Grants permission to query image file statistics.

read

-

g:EnterpriseProjectId

hss:image:getImageLocalVulOverview

Grants permission to query local vulnerabilities.

read

-

g:EnterpriseProjectId

hss:image:getImageVulOverview

Grants permission to query repository vulnerabilities.

read

-

g:EnterpriseProjectId

hss:image:listCfgCheckAffectedImage

Grants permission to query the list of images affected by a tenant image that failed baseline checks.

list

-

g:EnterpriseProjectId

hss:image:listGlobalCfgCheck

Grants permission to query container image baseline inspection results.

list

-

g:EnterpriseProjectId

hss:image:listGlobalMalware

Grants permission to query the list of malicious tenant files.

list

-

g:EnterpriseProjectId

hss:image:listGlobalVul

Grants permission to query vulnerability details about a tenant image.

list

-

g:EnterpriseProjectId

hss:image:listImageApps

Grants permission to query the image software list.

list

-

g:EnterpriseProjectId

hss:image:listImageAppVul

Grants permission to query the software vulnerability list.

list

-

g:EnterpriseProjectId

hss:image:listImageCfgCheck

Grants permission to query configuration baseline check results of an image.

list

-

g:EnterpriseProjectId

hss:image:listImageFiles

Grants permission to query the list of image files that have no owners.

list

-

g:EnterpriseProjectId

hss:image:listImageLocal

Grants permission to query the local image list.

list

-

g:EnterpriseProjectId

hss:image:listImageMalware

Grants permission to query the list of malicious image files.

list

-

g:EnterpriseProjectId

hss:image:listImageNamespace

Grants permission to query the namespace of an image.

list

-

g:EnterpriseProjectId

hss:image:listImageRepository

Grants permission to query the list of images in a private image repository.

list

-

g:EnterpriseProjectId

hss:image:listImageVul

Grants permission to query image vulnerability details.

list

-

g:EnterpriseProjectId

hss:image:listInstanceImageVul

Grants permission to query vulnerability details about enterprise images.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageApp

Grants permission to query the local software image list.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageAppVuls

Grants permission to query the vulnerability list of a piece of software in a local image.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageContainers

Grants permission to query the container information about a local image.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageHosts

Grants permission to query the server information about a local image.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageMalware

Grants permission to query malicious file information about local images.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageVuls

Grants permission to query vulnerability information about a local image.

list

-

g:EnterpriseProjectId

hss:image:listLocalVulRepoImage

Grants permission to query details about images and containers affected by local image vulnerabilities.

list

-

g:EnterpriseProjectId

hss:image:listPrivateImageRepository

Grants permission to query the list of images in a private image repository.

list

-

g:EnterpriseProjectId

hss:image:listSharedImageRepository

Grants permission to query the list of images in the shared image repository.

list

-

g:EnterpriseProjectId

hss:image:listVulCve

Grants permission to query CVE details about a vulnerability.

list

-

g:EnterpriseProjectId

hss:image:listVulRepoImage

Grants permission to query details about images in the image repository affected by a vulnerability.

list

-

g:EnterpriseProjectId

hss:image:runImageScan

Grants permission to scan images.

write

-

g:EnterpriseProjectId

hss:image:runImageSynchronizeTask

Grants permission to synchronize the free image list from SWR.

write

-

g:EnterpriseProjectId

hss:image:runSwrImageScan

Grants permission to update and scan SWR images and to access SWR.

write

-

g:EnterpriseProjectId

hss:image:sharedImageSynchronization

Grants permission to update images shared from SWR.

write

-

g:EnterpriseProjectId

hss:policy:addPolicyGroup

Grants permission to copy server policy groups.

write

policy *

g:EnterpriseProjectId

hss:policy:associatePolicyGroup

Grants permission to deploy a policy.

write

policy *

g:EnterpriseProjectId

host *

g:EnterpriseProjectId

hss:policy:changePolicyDetail

Grants permission to modify a policy.

write

policy *

g:EnterpriseProjectId

hss:policy:changePolicyGroup

Grants permission to modify policy groups.

write

policy *

g:EnterpriseProjectId

hss:policy:deletePolicyGroup

Grants permission to delete policy groups.

write

policy *

g:EnterpriseProjectId

hss:policy:getPolicyDetail

Grants permission to query details about a specified policy.

read

policy *

g:EnterpriseProjectId

hss:policy:listPolicyGroupDetail

Grants permission to query the policy information list of a policy group.

list

policy *

g:EnterpriseProjectId

hss:quota:addResourceInstanceTag

Grants permission to add tags to a resource.

tagging

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:batchCreateTags

Grants permission to create tags in batches.

write

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:batchDeleteTags

Grants permission to delete tags in batches.

write

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:cancelHostsQuota

Grants permission to unbind quotas.

write

-

-

hss:quota:changeTmsResourceTagInfo

Grants permission to add or delete resource tags in batches.

write

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:countResourceInstances

Grants permission to query the number of purchased resources by tag.

list

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:dealOrder

Grants permission to subscribe to HSS.

write

-

-

hss:quota:deleteResourceInstanceTag

Grants permission to delete tags from a resource.

tagging

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:filterResourceInstanceList

Grants permission to search for purchased resources by tag.

list

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:getResourceInstanceTag

Grants permission to query tags of a resource.

read

-

-

hss:quota:getResourceQuotas

Grants permission to query quota information.

read

-

-

hss:quota:getTmsResourceTagsInfo

Grants permission to query resource tags.

read

-

-

hss:quota:listProjectTags

Grants permission to query all used tags in the current project.

list

-

-

hss:quota:listQuotasDetail

Grants permission to query quota details.

list

-

-

hss:quota:listResourceIds

Grants permission to query quota IDs in batches.

list

-

-

hss:quota:listTmsResourceInstancesInfo

Grants permission to query resource instances.

list

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

hss:quota:upgradeOrder

Grants permission to change specifications.

write

-

-

hss:vulnerability:changeVulStatus

Grants permission to modify the status of a vulnerability.

write

host *

g:EnterpriseProjectId

hss:vulnerability:exportEmergencyVulnerabilities

Grants permission to export emergency vulnerabilities.

list

-

g:EnterpriseProjectId

hss:vulnerability:exportVulsList

Grants permission to export information about vulnerabilities and their affected servers.

list

-

g:EnterpriseProjectId

hss:vulnerability:getCmsVulDetail

Grants permission to query basic information about the Web-CMS vulnerabilities.

read

-

g:EnterpriseProjectId

hss:vulnerability:getEmergencySummary

Grants permission to query the event overview.

read

-

g:EnterpriseProjectId

hss:vulnerability:getEmergencyVulDetail

Grants permission to query vulnerability details in events.

read

-

g:EnterpriseProjectId

hss:vulnerability:getLinuxVulDetail

Grants permission to query basic information about Linux vulnerabilities.

read

-

g:EnterpriseProjectId

hss:vulnerability:getVulCheckStatus

Grants permission to query the status of server vulnerability scanning.

read

-

g:EnterpriseProjectId

hss:vulnerability:getVulSummary

Grants permission to query vulnerability statistics.

read

-

g:EnterpriseProjectId

hss:vulnerability:getWindosVulDetail

Grants permission to query basic information about Windows vulnerabilities.

read

-

g:EnterpriseProjectId

hss:vulnerability:getWindowsVulNum

Grants permission to query the number of Windows vulnerabilities on a server.

list

-

g:EnterpriseProjectId

hss:vulnerability:listEmergencyVul

Grants permission to query vulnerabilities in events.

list

-

g:EnterpriseProjectId

hss:vulnerability:listHostVuls

Grants permission to query vulnerability information about a single server.

list

host *

g:EnterpriseProjectId

hss:vulnerability:listHostVulSummary

Grants permission to query server statistics and top 5 risky servers.

list

-

g:EnterpriseProjectId

hss:vulnerability:listTopVulSummary

Grants permission to query top 5 vulnerabilities.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHosts

Grants permission to query ECSs affected by a specific vulnerability.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulnerabilities

Grants permission to query the vulnerability list.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulRepairFailedDetail

Grants permission to query information about vulnerability fixing failures.

list

host *

g:EnterpriseProjectId

hss:vulnerability:listVulTypeSummary

Grants permission to query vulnerability type distribution.

list

-

g:EnterpriseProjectId

hss:vulnerability:operateEmergency

Grants permission to operate vulnerabilities in events.

write

-

g:EnterpriseProjectId

hss:host:getScanStatus

Grants permission to query the manual scan status.

read

host *

g:EnterpriseProjectId

hss:host:setManualDetect

Grants permission to deliver a manual scan.

write

host *

g:EnterpriseProjectId

hss::getTrustServiceStatus

Grants permission to obtain the status of trusted services.

read

-

-

hss::enableTrustService

Grants permission to enable trusted services.

permission_management

-

-

hss::validateAdmin

Grants permission to check whether the current account is an administrator account (organization administrator or agency administrator).

tagging

-

-

hss::listAccounts

Grants permission to display the account list.

list

-

-

hss::batchAddAccounts

Grant permission to add accounts in batches.

write

-

-

hss::deleteAccount

Grants permission to delete accounts.

write

-

-

hss::listOrganizationTree

Grants permission to display the account tree structure.

list

-

-

hss::listDelegatedAccounts

Grants permission to query the tree structure of delegated accounts.

list

-

-

hss:antiransomware:listBackupVaults

Grants permission to query the backup vault list.

list

-

g:EnterpriseProjectId

hss:antiransomware:listRansomwareProtectionNodes

Grants permission to query servers protected against ransomware.

list

-

g:EnterpriseProjectId

hss:antiransomware:getBackupsStatistics

Grants permission to query backup statistics.

list

-

g:EnterpriseProjectId

hss:antiransomware:startSingleBackup

Grants permission to enable the backup function for a single server.

write

host *

-

-

g:EnterpriseProjectId

hss:antiransomware:getBackupPolicyInfo

Grants permission to query a backup policy.

read

-

g:EnterpriseProjectId

hss:hostGroup:getOutsideGroupStatus

Grants permission to query whether data center server groups can be created.

read

-

g:EnterpriseProjectId

hss:hostGroup:getOutsideHostGroup

Grants permission to query off-cloud data center server groups.

read

-

g:EnterpriseProjectId

hss:hostGroup:addOutsideHostGroup

Grants permission to create off-cloud data center server groups.

write

-

g:EnterpriseProjectId

hss:hostGroup:changeOutsideHostGroup

Grants permission to edit off-cloud data center server groups.

write

-

g:EnterpriseProjectId

hss:images:listImageTag

Grant the permission to query the image tag version list.

list

-

g:EnterpriseProjectId

hss:images:listImageSensitive

Grants permission to query sensitive image information.

list

-

g:EnterpriseProjectId

hss:images:getFilePathWhiteDetail

Grants permission to query the sensitive information file path whitelist of images.

read

-

g:EnterpriseProjectId

hss:images:changeFilePathWhiteDetail

Grants permission to modify the sensitive information file path whitelist of images.

write

-

g:EnterpriseProjectId

hss:images:changeSensitiveInfo

Grants permission to perform operations on sensitive information.

write

-

g:EnterpriseProjectId

hss:event:listTopEventType

Grants permission to query the statistics about the top 5 events.

list

-

g:EnterpriseProjectId

hss:vulnerability:getVulScanPolicy

Grants permission to query a vulnerability scan policy.

read

-

-

hss:vulnerability:changeVulScanPolicy

Grants permission to modify a vulnerability scan policy.

write

host *

-

hss:vulnerability:listVulWhiteList

Grants permission to query the vulnerability whitelist.

list

-

g:EnterpriseProjectId

hss:vulnerability:getVulWhiteListDetail

Grants permission to query vulnerability whitelist details.

read

-

g:EnterpriseProjectId

hss:vulnerability:changeVulWhiteList

Grants permission to modify the vulnerability whitelist.

write

host *

-

-

g:EnterpriseProjectId

hss:vulnerability:deleteVulWhiteList

Grants permission to delete an item from the vulnerability whitelist.

write

-

-

hss:vulnerability:addVulWhiteList

Grants permission to add an item to the vulnerability whitelist.

write

host *

-

-

g:EnterpriseProjectId

hss:vulnerability:listVulWhiteListVulOptions

Grants permission to query vulnerability options when adding a whitelist item.

list

-

-

hss:vulnerability:listVulScanTask

Grants permission to query the vulnerability scan task list.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulScanTaskHost

Grants permission to query the list of servers corresponding to a vulnerability scan task.

list

-

g:EnterpriseProjectId

hss:vulnerability:rescanVulScanTask

Grants permission to rescan servers in a vulnerability scan task.

write

host *

-

-

g:EnterpriseProjectId

hss:vulnerability:getVulScanTaskStatistics

Grants permission to query vulnerability scan task statistics.

read

-

g:EnterpriseProjectId

hss:vulnerability:listHostVulStatistics

Grants permission to query vulnerability management statistics.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHostApps

Grants permission to query details about the software list of servers affected by vulnerabilities.

list

host *

-

-

g:EnterpriseProjectId

hss:vulnerability:listVulHostProcess

Grants permission to query details about the process list of servers affected by vulnerabilities.

list

host *

-

-

g:EnterpriseProjectId

hss:vulnerability:listVulHandleHistory

Grants permission to query historical vulnerability handling records.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHostHosts

Grants permission to query the list of servers with vulnerabilities.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHostVuls

Grants permission to query emergency fixes and unfixed vulnerabilities.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHostHandleVuls

Grants permission to query vulnerabilities handled today and the total vulnerabilities handled.

list

-

g:EnterpriseProjectId

hss:image:listImageNonCompliantApp

Grants permission to query the non-compliant software information of an image.

list

-

g:EnterpriseProjectId

hss:image:batchExportSWRVulList

Grants permission to export vulnerabilities from an SWR image repository in batches.

write

-

g:EnterpriseProjectId

hss:image:batchExportLocalVulList

Grants permission to export local image vulnerabilities in batches.

write

-

g:EnterpriseProjectId

hss:image:getExtendedWeakPassword

Grants permission to query the user-defined weak passwords of an image.

list

-

g:EnterpriseProjectId

hss:image:changeExtendedWeakPassword

Grants permission to modify the user-defined weak passwords of an image.

write

-

g:EnterpriseProjectId

hss:image:listImageBasicImage

Grants permission to query basic image information.

list

-

g:EnterpriseProjectId

hss:image:listImagePwdComplexity

Grants permission to query the password complexity check report of an image.

list

-

g:EnterpriseProjectId

hss:image:listImageWeakPwdUsers

Grants permission to query the image weak password check results of an image.

list

-

g:EnterpriseProjectId

hss:image:listImageRiskConfigs

Grants permission to query the security configuration check results of an image.

list

-

g:EnterpriseProjectId

hss:image:listImageRiskConfigCheckRules

Grants permission to query the check items of a specified image security configuration item.

list

-

g:EnterpriseProjectId

hss:image:getImageRiskConfigDetail

Grants permission to query the check results of a specified image security configuration item.

read

-

g:EnterpriseProjectId

hss:image:getImageCheckRuleDetail

Grants permission to query the check reports of an image configuration check item.

read

-

g:EnterpriseProjectId

hss:image:getImageBaselineStatistic

Grants permission to query baseline check statistics, including weak passwords, password complexity, and configuration detection.

read

-

g:EnterpriseProjectId

hss:event:addSystemUserWhiteList

Grants permission to add users to the system user whitelist.

write

-

g:EnterpriseProjectId

hss:event:updateSystemUserWhiteList

Grants permission to modify the system user whitelist.

write

-

g:EnterpriseProjectId

hss:event:listSystemUserWhiteList

Grants permission to query the system user whitelist.

list

-

g:EnterpriseProjectId

hss:event:removeSystemUserWhiteList

Grants permission to remove users from the system user whitelist.

write

-

g:EnterpriseProjectId

hss:container:saveClusters

Grants permission to synchronize cluster information.

write

-

g:EnterpriseProjectId

hss:container:listClusterInfo

Grants permission to query the Kubernetes cluster list.

list

-

g:EnterpriseProjectId

hss:container:listPodInfo

Grants permission to query the basic pod information list.

list

-

g:EnterpriseProjectId

hss:container:showPodDetail

Grants permission to query pod details.

read

-

g:EnterpriseProjectId

hss:container:listContainerInfo

Grants permission to query the basic container information list.

list

-

g:EnterpriseProjectId

hss:container:showContainerDetail

Grants permission to query container details.

list

-

g:EnterpriseProjectId

hss:container:listServiceInfo

Grants permission to query the Kubernetes service list.

list

-

g:EnterpriseProjectId

hss:container:showServiceDetail

Grants permission to query Kubernetes service details.

read

-

g:EnterpriseProjectId

hss:container:listEndpointInfo

Grants permission to query the Kubernetes endpoint list.

list

-

g:EnterpriseProjectId

hss:container:showEndpointDetail

Grants permission to query Kubernetes endpoint details.

read

-

g:EnterpriseProjectId

hss:container:listDeployments

Grants permission to query the Kubernetes Deployment list.

list

-

g:EnterpriseProjectId

hss:container:listStatefulSets

Grants permission to query the Kubernetes StatefulSet list.

list

-

g:EnterpriseProjectId

hss:container:listDaemonSets

Grants permission to query the Kubernetes daemon list.

list

-

g:EnterpriseProjectId

hss:container:listJobs

Grants permission to query the Kubernetes common job list.

list

-

g:EnterpriseProjectId

hss:container:listCronJobs

Grants permission to query the Kubernetes scheduled task list.

list

-

g:EnterpriseProjectId

hss:vulnerability:showVulAffectedStatics

Grants permission to count the servers affected by vulnerabilities.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHandleTask

Grants permission to query the vulnerability handling task list.

list

-

g:EnterpriseProjectId

hss:vulnerability:listVulHandleTaskDetail

Grants permission to query vulnerability handling task details.

list

-

g:EnterpriseProjectId

hss:container:isolateK8sContainer

Grants permission to modify the running status of the container.

write

-

g:EnterpriseProjectId

hss:container:getNetworkStatistics

Grants permission to query the container firewall statistics status.

list

-

g:EnterpriseProjectId

hss:container:getClusters

Grants permission to query the cluster list.

list

-

g:EnterpriseProjectId

hss:container:getClusterNetworkInfo

Grants permission to query cluster network information.

read

-

g:EnterpriseProjectId

hss:container:getClusterPolicyList

Grants permission to query the container network policy list.

list

-

g:EnterpriseProjectId

hss:container:deletePolicy

Grants permission to delete container network policies.

write

-

g:EnterpriseProjectId

hss:container:createPolicy

Grants permission to create container network policies.

write

-

g:EnterpriseProjectId

hss:container:updatePolicy

Grants permission to update container network policies.

write

-

g:EnterpriseProjectId

hss:container:syncClusterPolicyList

Grants permission to synchronize container network policies.

read

-

g:EnterpriseProjectId

hss:container:syncClusterList

Grants permission to synchronize cluster namespace information.

read

-

g:EnterpriseProjectId

hss:container:getNamespaceList

Grants permission to query the cluster namespace list.

list

-

g:EnterpriseProjectId

hss:container:getNodeList

Grants permission to query the cluster node list.

list

-

g:EnterpriseProjectId

hss:container:syncClusterNodeList

Grants permission to synchronize cluster nodes.

read

-

g:EnterpriseProjectId

hss:vulnerability:getVulScanTaskEstimatedTime

Grants permission to query the estimated time of a vulnerability scan.

read

-

g:EnterpriseProjectId

hss:antiransomware:addRansomwareProtectionPolicy

Grants permission to add ransomware protection policies.

write

-

g:EnterpriseProjectId

hss:antiransomware:associateBackupPolicy

Grants permission to apply backup policies to vaults.

write

-

g:EnterpriseProjectId

hss:antiransomware:listBackupPolicy

Grants permission to query the backup policy list.

list

-

g:EnterpriseProjectId

hss:antiransomware:associateProtectionPolicy

Grants permission to switch ransomware protection policies.

write

-

g:EnterpriseProjectId

hss:antiransomware:batchStartProtection

Grants permission to enable ransomware protection.

write

-

g:EnterpriseProjectId

hss:event:getEventAttCk

Grants permission to query the list of ATT&CK attack phase statistics.

list

event *

-

-

g:EnterpriseProjectId

hss:event:downloadEventSourceFile

Grants permission to download alarm source files.

list

event *

-

-

g:EnterpriseProjectId

hss:overview:showSecurityScore

Grants permission to query security scores.

list

-

g:EnterpriseProjectId

hss:overview:listSecurityRisk

Grants permission to query the security risk list.

list

-

g:EnterpriseProjectId

hss:overview:showQuotaHostStatistics

Grants permission to query server quota statistics.

list

-

g:EnterpriseProjectId

hss:overview:showAgentStatistics

Grants permission to query the number of agents to be upgraded, online, and offline.

list

-

g:EnterpriseProjectId

hss:overview:showHotInformation

Grants permission to query hot news.

list

-

g:EnterpriseProjectId

hss:overview:showSecurityRisk

Grants permission to query security risk information.

list

-

g:EnterpriseProjectId

hss:overview:showProtectStatistics

Grants permission to query the protection period, virus library update time, vulnerability library update time, and accumulated number of records of each module.

list

-

g:EnterpriseProjectId

hss:overview:showStatistics

Grants permission to query the numbers of servers with enabled ransomware protection, application protection, web tamper protection, and two-factor authentication; and the number of isolated files.

list

-

g:EnterpriseProjectId

hss:event:listEventHandleHistory

Grants permission to query the list of historical events handling.

list

event *

-

-

g:EnterpriseProjectId

hss:image:listSwrImageRepository

Grants permission to query the image list in the SWR image repository.

list

-

g:EnterpriseProjectId

hss:image:batchScanSwrImage

Grants permission to scan images in the image repository in batches.

write

-

g:EnterpriseProjectId

hss:image:vulnerabilities

Grants permission to query image vulnerability details.

list

-

g:EnterpriseProjectId

hss:image:listVulnerabilityCve

Grants permission to query CVE details about a vulnerability.

list

-

g:EnterpriseProjectId

hss:image:listImageRiskConfigRules

Grants permission to query the check items of a specified image security configuration item.

list

-

g:EnterpriseProjectId

hss:image:runImageSynchronize

Grants permission to synchronize the image list from SWR.

write

-

g:EnterpriseProjectId

hss:event:listEventForensic

Grants permission to query event forensics information.

list

event *

-

-

g:EnterpriseProjectId

hss:event:listSimilarHandledEvents

Grants permission to query similar handled alarms.

list

event *

-

-

g:EnterpriseProjectId

hss:event:listSameEvent

Grants permission to query the same alarms.

list

event *

-

-

g:EnterpriseProjectId

hss:container:getPolicies

Grants permission to query the policy list.

list

-

g:EnterpriseProjectId

hss:container:getPolicyDetail

Grants permission to query policy details.

list

-

g:EnterpriseProjectId

hss:container:getOverview

Grants permission to query cluster protection overview.

list

-

g:EnterpriseProjectId

hss:container:getProtectEvents

Grants permission to query cluster protection events.

list

-

g:EnterpriseProjectId

hss:container:getProtectClusters

Grants permission to query cluster protection information.

list

-

g:EnterpriseProjectId

hss:container:changeProtectStatus

Grants permission to change the cluster protection status.

write

-

g:EnterpriseProjectId

hss:container:addWhiteImage

Grants permission to add images to the whitelist.

write

-

g:EnterpriseProjectId

hss:container:listDefaultPolicy

Grants permission to query the default policy template.

list

-

g:EnterpriseProjectId

hss:container:listProtectionItem

Grants permission to query the protection scope.

list

-

g:EnterpriseProjectId

hss:vulnerability:getVulBackupStatistics

Grants permission to query backup statistics of the server corresponding to the vulnerability handling.

read

-

g:EnterpriseProjectId

hss:vulnerability:ListVulHostVaults

Grants permission to query the list of server vaults corresponding to vulnerability handling.

list

-

g:EnterpriseProjectId

hss:vulnerability:ListVulHostBackups

Grants permission to query the list of backups that can be rolled back.

list

host *

g:EnterpriseProjectId

hss:vulnerability:RestoreVulHostBackup

Grants permission to roll back with backups.

write

-

g:EnterpriseProjectId

hss:event:exportEvent

Grants permission to export event alarms.

write

event *

-

-

g:EnterpriseProjectId

hss:event:queryExportTask

Grants permission to query the task of exporting event alarms.

read

event *

-

-

g:EnterpriseProjectId

hss:event:downloadEvent

Grants permission to download event alarms.

read

event *

-

-

g:EnterpriseProjectId

hss:ars:createAppWhitelistPolicy

Grants permission to create an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:listAppWhitelistPolicy

Grants permission to query the list of application process whitelist policies.

list

-

g:EnterpriseProjectId

hss:ars:changeAppWhitelistPolicy

Grants permission to modify an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:deleteAppWhitelistPolicy

Grants permission to delete an application process whitelist policy.

write

-

g:EnterpriseProjectId

hss:ars:showAppWhitelistPolicy

Grants permission to query the application process whitelist policy information.

list

-

g:EnterpriseProjectId

hss:ars:switchAppWhitelistPolicyHost

Grants permission to modify the protection status of an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:addAppWhitelistPolicyHost

Grant permissions to add servers to an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:listAppWhitelistPolicyHost

Grants permission to query the server list for an application process whitelist policy.

list

-

g:EnterpriseProjectId

hss:ars:deleteAppWhitelistPolicyHost

Grants permission to remove servers from an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:listAppWhitelistHostStatus

Grants permission to query the list of available servers for an application process whitelist policy.

list

-

g:EnterpriseProjectId

hss:ars:listAppWhitelistPolicyProcess

Grants permission to query the list of processes that an application process whitelist policy applies to.

list

-

g:EnterpriseProjectId

hss:ars:changeAppWhitelistPolicyProcessStatus

Grants permission to modify the process trust status of an application process whitelist policy.

write

-

g:EnterpriseProjectId

hss:ars:addAppWhitelistPolicyProcess

Grants permission to add processes to an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:listAppWhitelistPolicyProcessExtend

Grants permission to query the extended process list for an application process whitelist policy.

list

host *

-

-

g:EnterpriseProjectId

hss:ars:exportAppWhitelistPolicyProcess

Grants permission to export the list of processes that an application process whitelist policy applies to.

list

host *

-

-

g:EnterpriseProjectId

hss:ars:switchAppWhitelistPolicyLearnStatus

Grants permission to modify the learning status of an application process whitelist policy.

write

host *

-

-

g:EnterpriseProjectId

hss:ars:showAppWhitelistAgentStatics

Grants permission to query the number of servers that are protected by the premium edition and do not support application process control.

list

-

g:EnterpriseProjectId

hss:ars:listAppWhitelistEvent

Grants permission to query the list of suspicious process events detected by application process control.

list

-

g:EnterpriseProjectId

hss:container:deleteSelfBuildK8sClusterDaemonsetInfo

Grants permission to delete a daemonset of the self-built cluster.

write

-

g:EnterpriseProjectId

hss:container:saveSelfBuildK8sClusterDaemonsetInfo

Grants permission to save a daemonset of the self-built cluster.

write

-

g:EnterpriseProjectId

hss:container:showSelfBuildK8sClusterDaemonsetInfo

Grants permission to query a daemonset of the self-built cluster.

read

-

g:EnterpriseProjectId

hss:container:listSelfBuildK8sClusterInfo

Grants permission to query the self-built Kubernetes cluster list.

list

-

g:EnterpriseProjectId

hss:container:createDaemonset

Grants permission to create a daemonset of CCE cluster.

write

-

g:EnterpriseProjectId

hss:vulnerability:listVulRepairCmds

Grants permission to query vulnerability fixing commands.

list

-

g:EnterpriseProjectId

hss:vulnerability:listUrgentVulnerabilities

Grants permission to query the emergency vulnerability list.

list

-

g:EnterpriseProjectId

hss:antivirus:createAntivirusTask

Grants permission to create virus scan tasks.

write

host *

-

-

g:EnterpriseProjectId

hss:antivirus:listAntivirusTask

Grants permission to query the virus scan task list.

list

-

g:EnterpriseProjectId

hss:antivirus:switchAntivirusTask

Grants permission to cancel virus scan tasks.

write

host *

-

-

g:EnterpriseProjectId

hss:antivirus:listAntivirusHost

Grants permission to query the list of servers available for virus scan.

list

-

g:EnterpriseProjectId

hss:antivirus:createAntivirusPolicy

Grants permission to create custom virus scan policies.

write

host *

-

-

g:EnterpriseProjectId

hss:antivirus:listAntivirusPolicy

Grants permission to query the list of custom virus scan policies.

list

-

g:EnterpriseProjectId

hss:antivirus:listAntivirusResult

Grants permission to query the list of virus scan results.

list

-

g:EnterpriseProjectId

hss:antivirus:operateAntivirusResult

Grants permission to handle virus scan results.

write

-

g:EnterpriseProjectId

hss:antivirus:exportAntivirusResult

Grants permission to export virus scan results.

write

-

g:EnterpriseProjectId

hss:antivirus:showAntivirusStatistic

Grants permission to query virus scan statistics.

list

-

g:EnterpriseProjectId

hss:image:showImageFullScanProgress

Grants permission to query the progress of a full image scan.

list

-

g:EnterpriseProjectId

hss:host:changeHostIgnoreStatus

Grants permission to ignore or unignore servers.

write

host *

-

-

g:EnterpriseProjectId

hss:host:listIgnoreHosts

Grants permission to query ignored servers.

list

host *

-

-

g:EnterpriseProjectId

hss:image:batchExportBaselineTask

Grants permission to export image baseline check results.

write

-

g:EnterpriseProjectId

hss:image:showImageSecurityReportStatistic

Grants permission to query the number of image scan results to be exported.

write

-

g:EnterpriseProjectId

hss:vulnerability:exportVuls

Grants permission to create vulnerability export tasks.

write

-

g:EnterpriseProjectId

hss:exportTask:queryExportTask

Grants permission to query export tasks.

list

-

g:EnterpriseProjectId

hss:file:downloadExportedFile

Grants permission to download files.

list

-

g:EnterpriseProjectId

hss:image:listGlobalVulnerabilities

Grants permission to query vulnerability details about a tenant image.

list

-

g:EnterpriseProjectId

hss:image:listVulnerabilityImages

Grants permission to query details about images in the image repository affected by a vulnerability.

list

-

g:EnterpriseProjectId

hss:setting:getPluginInstallScript

Grants permission to query server plug-in information.

list

-

g:EnterpriseProjectId

hss:setting:getPluginList

Grants permission to query the plug-in installation guide.

list

-

g:EnterpriseProjectId

hss:setting:getAutoOpenQuotaStatus

Grants permission to query the status of automatic quota binding.

read

-

g:EnterpriseProjectId

hss:setting:changeAutoOpenQuotaStatus

Grants permission to modify the status of automatic quota binding.

write

-

g:EnterpriseProjectId

hss:image:batchExportSWRVulTask

Grants permission to export SWR image vulnerability scan results.

write

-

g:EnterpriseProjectId

hss:image:batchExportLocalVulTask

Grants permission to export local image vulnerability scan results.

write

-

g:EnterpriseProjectId

hss:vulnerability:exportVulReport

Grants permission to export vulnerability reports in HTML format.

list

-

g:EnterpriseProjectId

hss:vulnerability:getVulReportData

Grants permission to obtain vulnerability reports in PDF format.

list

-

g:EnterpriseProjectId

hss:setting:getAgentAutoUpgradeStatus

Grants permission to query the status of automatic agent upgrade.

read

-

g:EnterpriseProjectId

hss:setting:changeAgentAutoUpgradeStatus

Grants permission to modify the status of automatic agent upgrade.

write

-

g:EnterpriseProjectId

hss:quota:showProductdataOfferingInfos

Grants permission to query product information.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageAppInfo

Grants permission to query the local software image list.

list

-

g:EnterpriseProjectId

hss:image:listLocalImageAppVulnerabilities

Grants permission to query the vulnerability list of a piece of software in a local image.

list

-

g:EnterpriseProjectId

Each API of HSS usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by HSS APIs

API

Action

Dependencies

POST /v5/{project_id}/host-management/groups

hss:host:addHostsGroup

eps:enterpriseProjects:list

PUT /v5/{project_id}/event/blocked-ip

hss:event:changeBlockedIp

eps:enterpriseProjects:list

GET /v5/{project_id}/backup/policy

hss:antiransomware:getRansomwareHSSBackupPolicyInfo

eps:enterpriseProjects:list

GET /v5/{project_id}/container/nodes

hss:container:listContainerNodes

eps:enterpriseProjects:list

GET /v5/{project_id}/host-management/groups

hss:host:listHostGroups

eps:enterpriseProjects:list

GET /v5/{project_id}/policy/groups

hss:policy:listPolicyGroup

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/ports/detail

hss:asset:listPortHost

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/processes/detail

hss:asset:listProcessesHost

eps:enterpriseProjects:list

GET /v5/{project_id}/ransomware/protection/policy

hss:antiransomware:listRansomwareProtectionPolicy

eps:enterpriseProjects:list

GET /v5/{project_id}/ransomware/server

hss:antiransomware:listRansomwareProtectionServer

eps:enterpriseProjects:list

GET /v5/{project_id}/webtamper/static/protect-history

hss:wtp:listWtpHostProtectHistoryInfo

eps:enterpriseProjects:list

GET /v5/{project_id}/webtamper/rasp/protect-history

hss:wtp:listWtpHostRaspProtectHistoryInfo

eps:enterpriseProjects:list

GET /v5/{project_id}/webtamper/hosts

hss:wtp:listWtpProtectHost

  • eps:enterpriseProjects:list
  • vpc:ports:list

POST /v5/{project_id}/webtamper/static/status

hss:wtp:setWtpProtectionStatusInfo

eps:enterpriseProjects:list

POST /v5/{project_id}/webtamper/rasp/status

hss:wtp:setWtpProtectSwitch

eps:enterpriseProjects:list

POST /v5/{project_id}/ransomware/protection/open

hss:antiransomware:startRansomwareProtection

eps:enterpriseProjects:list

POST /v5/{project_id}/ransomware/protection/close

hss:antiransomware:stopRansomwareProtection

eps:enterpriseProjects:list

PUT /v5/{project_id}/backup/policy

hss:antiransomware:updateRansomwareBackupPolicyInfo

eps:enterpriseProjects:list

PUT /v5/{project_id}/ransomware/protection/policy

hss:antiransomware:updateRansomwareProtectionPolicy

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/statistics

hss:asset:getAssetStatistic

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/app/change-history

hss:asset:listAppChangeHistories

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/apps

hss:asset:listApps

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/app/statistics

hss:asset:listAppStatistics

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/auto-launch/change-history

hss:asset:listAutoLaunchChangeHistories

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/auto-launchs

hss:asset:listAutoLaunchs

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/auto-launch/statistics

hss:asset:listAutoLaunchStatistics

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/midwares/detail

hss:asset:listJarPackageHostInfo

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/midwares

hss:asset:listJarPackageStatistics

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/ports

hss:asset:listPorts

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/port/statistics

hss:asset:listPortStatistics

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/process/statistics

hss:asset:listProcessStatistics

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/user/change-history

hss:asset:listUserChangeHistories

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/users

hss:asset:listUsers

eps:enterpriseProjects:list

GET /v5/{project_id}/asset/user/statistics

hss:asset:listUserStatistics

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/check-rule/detail

hss:baseline:getCheckRuleDetail

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/risk-config/{check_name}/detail

hss:baseline:getRiskConfigDetail

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/password-complexity

hss:baseline:listPasswordComplexity

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/risk-config/{check_name}/check-rules

hss:baseline:listRiskConfigCheckRules

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/risk-config/{check_name}/hosts

hss:baseline:listRiskConfigHosts

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/risk-configs

hss:baseline:listRiskConfigs

eps:enterpriseProjects:list

GET /v5/{project_id}/baseline/weak-password-users

hss:baseline:listWeakPasswordUsers

eps:enterpriseProjects:list

POST /v5/{project_id}/event/operate

hss:event:changeEvent

eps:enterpriseProjects:list

PUT /v5/{project_id}/event/isolated-file

hss:event:changeIsolatedFile

eps:enterpriseProjects:list

GET /v5/{project_id}/event/white-list/alarm

hss:event:listAlarmWhiteList

eps:enterpriseProjects:list

GET /v5/{project_id}/event/blocked-ip

hss:event:listBlockedIp

eps:enterpriseProjects:list

GET /v5/{project_id}/event/isolated-file

hss:event:listIsolatedFile

eps:enterpriseProjects:list

GET /v5/{project_id}/event/events

hss:event:listSecurityEvents

eps:enterpriseProjects:list

PUT /v5/{project_id}/host-management/groups

hss:host:changeHostsGroup

eps:enterpriseProjects:list

DELETE /v5/{project_id}/host-management/groups

hss:host:deleteHostsGroup

eps:enterpriseProjects:list

GET /v5/{project_id}/host-management/hosts

hss:host:listHostStatus

  • eps:enterpriseProjects:list
  • vpc:ports:list
  • eip:publicIps:list

POST /v5/{project_id}/host-management/protection

hss:host:switchHostsProtectStatus

eps:enterpriseProjects:list

POST /v5/{project_id}/policy/deploy

hss:policy:associatePolicyGroup

eps:enterpriseProjects:list

POST /v5/{project_id}/{resource_type}/{resource_id}/tags/create

hss:quota:batchCreateTags

eps:enterpriseProjects:list

DELETE /v5/{project_id}/{resource_type}/{resource_id}/tags/{key}

hss:quota:deleteResourceInstanceTag

eps:enterpriseProjects:list

GET /v5/{project_id}/billing/quotas

hss:quota:getResourceQuotas

eps:enterpriseProjects:list

GET /v5/{project_id}/billing/quotas-detail

hss:quota:listQuotasDetail

eps:enterpriseProjects:list

PUT /v5/{project_id}/vulnerability/status

hss:vulnerability:changeVulStatus

eps:enterpriseProjects:list

GET /v5/{project_id}/vulnerability/host/{host_id}

hss:vulnerability:listHostVuls

eps:enterpriseProjects:list

GET /v5/{project_id}/vulnerability/hosts

hss:vulnerability:listVulHosts

eps:enterpriseProjects:list

GET /v5/{project_id}/vulnerability/vulnerabilities

hss:vulnerability:listVulnerabilities

eps:enterpriseProjects:list

GET /v5/{project_id}/vulnerability/scan-policy

hss:vulnerability:getVulScanPolicy

-

PUT /v5/{project_id}/vulnerability/scan-policy

hss:vulnerability:changeVulScanPolicy

-

GET /v5/{project_id}/vulnerability/scan-tasks

hss:vulnerability:listVulScanTask

-

GET /v5/{project_id}/vulnerability/scan-task/{task_id}/hosts

hss:vulnerability:listVulScanTaskHost

-

GET /v5/{project_id}/vulnerability/statistics

hss:vulnerability:listHostVulStatistics

-

GET /v5/{project_id}/image/baseline/risk-configs

hss:image:listImageRiskConfigs

-

GET /v5/{project_id}/image/baseline/check-rule/detail

hss:image:getImageCheckRuleDetail

-

GET /v5/{project_id}/image/swr-repository

hss:image:listSwrImageRepository

-

POST /v5/{project_id}/image/batch-scan

hss:image:batchScanSwrImage

-

GET /v5/{project_id}/image/{image_id}/vulnerabilities

hss:image:vulnerabilities

-

GET /v5/{project_id}/image/vulnerability/{vul_id}/cve

hss:image:listVulnerabilityCve

-

GET /v5/{project_id}/image/baseline/risk-configs/{check_name}/rules

hss:image:listImageRiskConfigRules

-

POST /v5/{project_id}/image/synchronize

hss:image:runImageSynchronize

-

GET /v5/{project_id}/product/productdata/offering-infos

hss:quota:showProductdataOfferingInfos

-

Resource

A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to define resource types.

The following table lists the resource types that you can define in SCP statements for HSS.

Table 3 Resource types supported by HSS

Resource Type

URN

host

hss:<region>:<account-id>:host:<host-id>

event

hss:<region>:<account-id>:event:<event-id>

baseline

hss:<region>:<account-id>:baseline:<type>/<check_rule_id>

policy

hss:<region>:<account-id>:policy:<resource-type>/<type-id>

Conditions

HSS does not support service-specific condition keys in SCP statements.

HSS can use global condition keys applicable to all services. For details, see Global Condition Keys.