IAM Identity Center

Updated on 2025-02-25 GMT+08:00

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resources. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resources defined by IAM Identity Center, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource column has values for an action, the condition key takes effect only for the listed resources.
    • If the Resource column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by IAM Identity Center, see Conditions.

The following table lists the actions that you can define in SCP statements for IAM Identity Center.

Table 1 Actions supported by IAM Identity Center

| Action | Description | Access Level | Resource (*: required) | Condition Key |
|---|---|---|---|---|
| IdentityCenter:permissionSet:create | Grants permission to create a permission set. | write | instance * | - |
| IdentityCenter:permissionSet:attachManagedPolicy | Grants permission to attach system-defined identity policies to a permission set. | permission_management | instance *, permissionSet * | - |
| IdentityCenter:permissionSet:detachManagedPolicy | Grants permission to detach system-defined identity policies from a specified permission set. | permission_management | instance *, permissionSet * | - |
| IdentityCenter:permissionSet:update | Grants permission to update the permission set of a specified instance. | permission_management | instance *, permissionSet * | - |
| IdentityCenter:permissionSet:delete | Grants permission to delete the permission set of a specified instance. | write | instance *, permissionSet * | - |
| IdentityCenter:permissionSet:list | Grants permission to list the permission sets of a specified instance. | list | instance * | - |
| IdentityCenter:permissionSet:listAccountsForProvisioned | Grants permission to list all the accounts provisioned by a specified permission set. | list | permissionSet *, instance * | - |
| IdentityCenter:permissionSet:listProvisioningStatus | Grants permission to list the status of the permission set attachment request for a specified instance. | list | instance * | - |
| IdentityCenter:permissionSet:listManagedPolicies | Grants permission to list the system-defined identity policies attached to a specified permission set. | list | instance *, permissionSet * | - |
| IdentityCenter:permissionSet:listProvisionedToAccount | Grants permission to list all permission sets associated with a specified account. | list | account *, instance * | - |
| IdentityCenter:permissionSet:describeProvisioningStatus | Grants permission to obtain the details of the permission set attachment status. | read | instance * | - |
| IdentityCenter:permissionSet:describe | Grants permission to obtain the permission set details of a specified instance. | read | instance *, permissionSet * | - |
| IdentityCenter:permissionSet:provision | Grants permission to attach a specified permission set to a specified principal. | write | account *, instance *, permissionSet * | - |
| IdentityCenter:instance:getIdentityCenterStatus | Grants permission to query the IAM Identity Center service status. | read | - | - |
| IdentityCenter:instance:registerRegion | Grants permission to register a region. | write | - | - |
| IdentityCenter:instance:describeRegisteredRegions | Grants permission to query regions enabled in IAM Identity Center. | read | - | - |
| IdentityCenter:instance:startIdentityCenter | Grants permission to enable IAM Identity Center. | write | - | - |
| IdentityCenter:instance:deleteIdentityCenter | Grants permission to disable IAM Identity Center. | write | - | - |
| IdentityCenter:instance:list | Grants permission to query the IAM Identity Center instance list. | list | - | - |
| IdentityCenter:accountAssignment:create | Grants permission to assign access to principals for a specified account using a specified permission set. | write | instance *, account *, permissionSet * | - |
| IdentityCenter:accountAssignment:delete | Grants permission to delete a principal's access from a specified account using a specified permission set. | write | instance *, account *, permissionSet * | - |
| IdentityCenter:accountAssignment:list | Grants permission to list the assignee of the specified account with the specified permission set. | list | instance *, account *, permissionSet * | - |
| IdentityCenter:accountAssignment:describeDeletionStatus | Grants permission to obtain the details about the status of the assignment deletion request. | read | instance * | - |
| IdentityCenter:accountAssignment:describeCreationStatus | Grants permission to obtain the details about the status of the assignment creation request. | read | instance * | - |
| IdentityCenter:accountAssignment:listCreationStatus | Grants permission to list the status of the account assignment creation request for a specified IAM Identity Center instance. | list | instance * | - |
| IdentityCenter:accountAssignment:listDeletionStatus | Grants permission to list the status of the account assignment deletion request for a specified IAM Identity Center instance. | list | instance * | - |
| IdentityCenter:accountAssignment:listProfileAssociation | Grants permission to query all users or groups associated with an account or permission set. | read | - | - |
| IdentityCenter:accountAssignment:disassociationProfile | Grants permission to disassociate all authorizations from a user or group. | write | - | - |
| IdentityCenter:instance:listIdentityStoreAssociations | Grants permission to query details about the identity source configured in IAM Identity Center. | read | - | - |
| IdentityCenter:ssoConfiguration:update | Grants permission to update the configuration for the current IAM Identity Center instance. | write | - | - |
| IdentityCenter:ssoConfiguration:describe | Grants permission to obtain the configuration for the current IAM Identity Center instance. | read | - | - |
| IdentityCenter:mfaDevices:describeManagementSettings | Grants permission to obtain MFA settings. | read | - | - |
| IdentityCenter:mfaDevices:updateManagementSettings | Grants permission to update MFA settings. | write | - | - |
| IdentityCenter:instance:createAlias | Grants permission to create an alias for a specified identity source. | write | - | - |
| IdentityCenter:user:create | Grants permission to create a user. | write | - | - |
| IdentityCenter:user:list | Grants permission to query the user list. | read | - | - |
| IdentityCenter:user:describe | Grants permission to query user details. | read | - | - |
| IdentityCenter:user:describeUsers | Grants permission to obtain user details in batch. | read | - | - |
| IdentityCenter:user:update | Grants permission to update a user. | write | - | - |
| IdentityCenter:user:delete | Grants permission to delete a user. | write | - | - |
| IdentityCenter:user:getUserId | Grants permission to obtain the user ID. | read | - | - |
| IdentityCenter:user:enableUser | Grants permission to enable a user. | write | - | - |
| IdentityCenter:user:disableUser | Grants permission to disable a user. | write | - | - |
| IdentityCenter:group:create | Grants permission to create a group. | write | - | - |
| IdentityCenter:group:list | Grants permission to query the group list. | read | - | - |
| IdentityCenter:group:describe | Grants permission to query group details. | read | - | - |
| IdentityCenter:group:describeGroups | Grants permission to obtain group details in batch. | read | - | - |
| IdentityCenter:group:update | Grants permission to update a group. | write | - | - |
| IdentityCenter:group:delete | Grants permission to delete a group. | write | - | - |
| IdentityCenter:group:getGroupId | Grants permission to obtain the group ID. | read | - | - |
| IdentityCenter:groupMembership:create | Grants permission to add a member to a group. | write | - | - |
| IdentityCenter:groupMemberships:list | Grants permission to query all members in a group. | read | - | - |
| IdentityCenter:groupMembership:listForMember | Grants permission to query all groups that a user is added to. | read | - | - |
| IdentityCenter:groupMembership:describe | Grants permission to query the group membership. | read | - | - |
| IdentityCenter:groupMembership:delete | Grants permission to disassociate users and groups. | write | - | - |
| IdentityCenter:groupMembership:getGroupMembershipId | Grants permission to query the membership ID. | read | - | - |
| IdentityCenter:groupMembership:isMembershipInGroup | Grants permission to query whether a user is in a group. | read | - | - |
| IdentityCenter:externalIdp:create | Grants permission to create an external identity provider. | write | - | - |
| IdentityCenter:externalIdp:list | Grants permission to obtain the identity source configuration of the external identity provider. | read | - | - |
| IdentityCenter:externalIdp:enable | Grants permission to enable an external identity provider. | write | - | - |
| IdentityCenter:externalIdp:disable | Grants permission to disable an external identity provider. | write | - | - |
| IdentityCenter:externalIdp:getSpConfiguration | Grants permission to obtain the configuration of the IAM Identity Center service provider. | read | - | - |
| IdentityCenter:externalIdp:update | Grants permission to update the configuration of the external identity provider. | write | - | - |
| IdentityCenter:externalIdp:delete | Grants permission to delete the configuration of the external identity provider. | write | - | - |
| IdentityCenter:externalIdp:importCertificate | Grants permission to import a certificate. | write | - | - |
| IdentityCenter:externalIdp:deleteCertificate | Grants permission to delete a certificate. | write | - | - |
| IdentityCenter:externalIdp:listCertificates | Grants permission to obtain the certificate list. | read | - | - |
| IdentityCenter:externalIdp:createProvisioningTenant | Grants permission to create a tenant. | write | - | - |
| IdentityCenter:externalIdp:listProvisioningTenant | Grants permission to query the tenant list. | read | - | - |
| IdentityCenter:externalIdp:deleteProvisioningTenant | Grants permission to delete a tenant. | write | - | - |
| IdentityCenter:externalIdp:createBearerToken | Grants permission to create a bearer token. | write | - | - |
| IdentityCenter:externalIdp:listBearerTokens | Grants permission to query the bearer token list. | read | - | - |
| IdentityCenter:externalIdp:deleteBearerToken | Grants permission to delete a bearer token. | write | - | - |
| IdentityCenter:user:updatePassword | Grants permission to update a password by sending a password reset link via email or generating a one-time password for a user. | write | - | - |
| IdentityCenter:user:deleteUserMfaDevice | Grants permission to delete an MFA device for a specified user. | write | - | - |
| IdentityCenter:user:updateMfaDevice | Grants permission to update MFA device information. | write | - | - |
| IdentityCenter:user:listMfaDevice | Grants permission to query the MFA device list. | read | - | - |
| IdentityCenter:user:registerVirtualMfaDevice | Grants permission to begin the creation process of a virtual MFA device. | write | - | - |
| IdentityCenter:user:verifyEmail | Grants permission to verify an email address of a user. | write | - | - |

Each API of IAM Identity Center usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by IAM Identity Center APIs

| API | Action | Dependencies |
|---|---|---|
| POST /v1/instances/{instance_id}/permission-sets | IdentityCenter:permissionSet:create | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/attach-managed-policy | IdentityCenter:permissionSet:attachManagedPolicy | iam:policies:get, organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/detach-managed-policy | IdentityCenter:permissionSet:detachManagedPolicy | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/permission-sets/{permission_set_id} | IdentityCenter:permissionSet:update | organizations:delegatedAdministrators:list |
| DELETE /v1/instances/{instance_id}/permission-sets/{permission_set_id} | IdentityCenter:permissionSet:delete | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets | IdentityCenter:permissionSet:list | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/accounts | IdentityCenter:permissionSet:listAccountsForProvisioned | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/provisioning-statuses | IdentityCenter:permissionSet:listProvisioningStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/managed-policies | IdentityCenter:permissionSet:listManagedPolicies | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/provisioned-to-accounts | IdentityCenter:permissionSet:listProvisionedToAccount | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/provisioning-status/{request_id} | IdentityCenter:permissionSet:describeProvisioningStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id} | IdentityCenter:permissionSet:describe | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/provision | IdentityCenter:permissionSet:provision | organizations:delegatedAdministrators:list |
| GET /v1/instances | IdentityCenter:instance:list | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/account-assignments/create | IdentityCenter:accountAssignment:create | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/account-assignments/delete | IdentityCenter:accountAssignment:delete | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments | IdentityCenter:accountAssignment:list | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/deletion-status/{request_id} | IdentityCenter:accountAssignment:describeDeletionStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/creation-status/{request_id} | IdentityCenter:accountAssignment:describeCreationStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/creation-statuses | IdentityCenter:accountAssignment:listCreationStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/deletion-statuses | IdentityCenter:accountAssignment:listDeletionStatus | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users | IdentityCenter:user:create | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/users | IdentityCenter:user:list | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/users/{user_id} | IdentityCenter:user:describe | organizations:delegatedAdministrators:list |
| PUT /v1/identity-stores/{identity_store_id}/users/{user_id} | IdentityCenter:user:update | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/users/{user_id} | IdentityCenter:user:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/retrieve-user-id | IdentityCenter:user:getUserId | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/groups | IdentityCenter:group:create | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/groups | IdentityCenter:group:list | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/groups/{group_id} | IdentityCenter:group:describe | organizations:delegatedAdministrators:list |
| PUT /v1/identity-stores/{identity_store_id}/groups/{group_id} | IdentityCenter:group:update | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/groups/{group_id} | IdentityCenter:group:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/groups/retrieve-group-id | IdentityCenter:group:getGroupId | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/group-memberships | IdentityCenter:groupMembership:create | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/group-memberships | IdentityCenter:groupMemberships:list | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/group-memberships-for-member | IdentityCenter:groupMembership:listForMember | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/group-memberships/{membership_id} | IdentityCenter:groupMembership:describe | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/group-memberships/{membership_id} | IdentityCenter:groupMembership:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/group-memberships/retrieve-group-membership-id | IdentityCenter:groupMembership:getGroupMembershipId | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/is-member-in-groups | IdentityCenter:groupMembership:isMembershipInGroup | organizations:delegatedAdministrators:list |

Resources

A resource is what a policy applies to. If you specify a resource for any action in Table 3, the resource URN must be specified in the policy statements using that action, and the policy applies only to these resources. If no resources are specified, the Resource element is marked with an asterisk (*) and the policy applies to all resources. You can also set condition keys in a policy to define resources.

The following table lists the resources that you can define in SCP statements for IAM Identity Center.

Table 3 Resources supported by IAM Identity Center

| Resource | URN |
|---|---|
| instance | IdentityCenter::<management-account-id>:instance:<instance-id> |
| account | IdentityCenter::<management-account-id>:account:<account-id> |
| permissionSet | IdentityCenter::<management-account-id>:permissionSet:<instance-id>/<permission-set-id> |

Conditions

IAM Identity Center does not support service-specific condition keys in SCPs.

It can only use global condition keys applicable to all services. For details, see Global Condition Keys.
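The following toy evaluator is an added example, not Huawei Cloud code: it models the boundary rule described at the top of this page (an SCP never grants; a request passes only if the SCP allows it, no SCP statement denies it, and an identity policy grants it), uses the action names from Table 1 and the URN shapes from Table 3, and includes a check for the Resource column rule that actions marked "-" must be used with Resource "*". The statement shape (Effect / Action / Resource), the evaluation order, and all ids are assumptions made here for illustration.

```python
"""Toy SCP boundary check for the IAM Identity Center actions on this page.

Added example, not Huawei Cloud code. Assumptions: statements use the
Effect / Action / Resource element names from this page; a request passes
only if the SCP allows it and no SCP statement denies it, AND an identity
policy grants it (the SCP itself grants nothing). All ids are constructed."""
import fnmatch

MGMT = "0123456789abcdef"      # constructed management account id
INSTANCE = "inst-001"          # constructed IAM Identity Center instance id

# Subset of Table 1 actions whose Resource column is "-" (no resource-level
# permissions): statements using them must specify Resource "*".
NO_RESOURCE_ACTIONS = {
    "IdentityCenter:user:create", "IdentityCenter:user:delete",
    "IdentityCenter:group:create", "IdentityCenter:instance:list",
    "IdentityCenter:ssoConfiguration:update",
}


def urn(kind, *parts):
    """Builds the URN shapes from Table 3, e.g. permissionSet:<instance>/<ps>."""
    return f"IdentityCenter::{MGMT}:{kind}:{'/'.join(parts)}"


def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement). Deny always wins."""
    decision = None
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt.get("Resource", "*"), resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_permitted(scp, identity_policy, action, resource):
    """SCP is the boundary: it must allow (and not deny); the identity policy must grant."""
    if evaluate(scp, action, resource) != "Allow":
        return False
    return evaluate(identity_policy, action, resource) == "Allow"


def lint_statement(stmt):
    """Flag resource-less actions paired with a specific URN (Resource column rule)."""
    actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
    resources = stmt.get("Resource", "*")
    resources = [resources] if isinstance(resources, str) else resources
    return [f'{a}: does not support resource-level permissions; use Resource "*"'
            for a in actions if a in NO_RESOURCE_ACTIONS and resources != ["*"]]


# Constructed SCP: allow everything, but deny destructive permission-set
# changes inside the protected instance.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["IdentityCenter:permissionSet:delete",
                "IdentityCenter:permissionSet:detachManagedPolicy"],
     "Resource": urn("permissionSet", INSTANCE, "*")},
]}

# Constructed identity policy attached to the member-account principal.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "IdentityCenter:permissionSet:*", "Resource": "*"},
]}

PS = urn("permissionSet", INSTANCE, "ps-42")
print(is_permitted(SCP, IDENTITY_POLICY, "IdentityCenter:permissionSet:delete", PS))    # False: SCP denies
print(is_permitted(SCP, IDENTITY_POLICY, "IdentityCenter:permissionSet:describe", PS))  # True
print(is_permitted(SCP, IDENTITY_POLICY, "IdentityCenter:user:create", "*"))            # False: SCP allows but grants nothing
```

The third call is the point of the opening paragraph: the SCP allows everything, yet the principal still cannot create users because no identity policy grants that action.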
