Help Center/ System Permissions/ User Guide/ Identity Policy–based Authorization/ Storage/ Scalable File Service Turbo (SFS Turbo)
Updated on 2025-11-06 GMT+08:00
View PDF
Share

Scalable File Service Turbo (SFS Turbo)

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by SFS Turbo, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by SFS Turbo, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for identity policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for SFS Turbo.

Table 1 Actions supported by SFS Turbo

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

sfsturbo:shares:createShare

Grants permission to create SFS Turbo file systems.

write

shares *
  • g:EnterpriseProjectId
  • g:TagKeys
  • g:RequestTag/<tag-key>
  • sfsturbo:CryptKeyId
  • cbr:VaultId

-

sfsturbo:shares:deleteShare

Grants permission to delete SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:getAllShares

Grants permission to list SFS Turbo file systems.

list

-
  • g:EnterpriseProjectId
  • g:RequestTag/<tag-key>
  • g:TagKeys

-

sfsturbo:shares:getShare

Grants permission to query SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:extendShare

Grants permission to expand capacities of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateHpcShare

Grants permission to update SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateShareSecurityGroup

Grants permission to change the security groups of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:addTag

Grants permission to add a tag to an SFS Turbo file system.

tagging

shares *
  • g:ResourceTag/<tag-key>
  • g:TagKeys

-

sfsturbo:shares:getTag

Grants permission to query tags of an SFS Turbo file system.

read

shares *

g:EnterpriseProjectId

-

sfsturbo:shares:deleteTag

Grants permission to delete tags from an SFS Turbo file system.

tagging

shares *
  • g:ResourceTag/<tag-key>
  • g:TagKeys

-

sfsturbo:shares:batchResTag

Grants permission to batch add tags to an SFS Turbo file system.

tagging

shares *
  • g:ResourceTag/<tag-key>
  • g:TagKeys

-

sfsturbo:shares:getAllTag

Grants permission to list all tags of an SFS Turbo file system.

list

-

g:EnterpriseProjectId

-

sfsturbo:shares:renameShare

Grants permission to change SFS Turbo file system names.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showClientIpInfo

Grants permission to query the client IP addresses of an SFS Turbo file system.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:createDataRepositoryTask

Grants permission to create SFS Turbo backup vaults.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteDataRepositoryTask

Grants permission to delete SFS Turbo backup vaults.

write

shares *
  • g:ResourceTag/<tag-key> g:EnterpriseProjectId

-

sfsturbo:shares:getDataRepositoryTask

Grants permission to query SFS Turbo backup vaults.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:getAllDataRepositoryTasks

Grants permission to list SFS Turbo backup vaults.

list

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:getAZInfo

Grants permission to query the AZ information of the current region.

read

-

-

-

sfsturbo:shares:getQuota

Grants permission to query SFS Turbo quotas.

read

-

-

-

sfsturbo:shares:getFlavors

Grants permission to query SFS Turbo file system types.

read

-

-

-

sfsturbo:shares:checkShareName

Grants permission to check SFS Turbo file system names.

read

-

-

-

sfsturbo:shares:createFsDir

Grants permission to create directories in SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showFsDir

Grants permission to query directories of SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteFsDir

Grants permission to delete directories from SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:createFsDirQuota

Grants permission to configure quota limits for directories in SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showFsDirQuota

Grants permission to query quota limits of directories in SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteFsDirQuota

Grants permission to remove quota limits from directories in SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateFsDirQuota

Grants permission to update quota limits of directories in SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:batchCreateFsDirQuotas

Grants permission to batch configure quota limits for directories in SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:listFsDirQuotas

Grants permission to list quota limits of directories in SFS Turbo file systems.

list

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showFsDirUsage

Grants permission to query usages of directories in SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:createFsAsyncTask

Grants permission to create asynchronous tasks of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showFsAsyncTask

Grants permission to query details of asynchronous tasks of SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:listFsAsyncTasks

Grants permission to list asynchronous tasks of SFS Turbo file systems.

list

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteFsAsyncTask

Grants permission to delete asynchronous tasks of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:createBackendTarget

Grants permission to add storage backends of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showBackendTargetInfo

Grants permission to query details about storage backends of SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:listBackendTargets

Grants permission to list storage backends of SFS Turbo file systems.

list

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteBackendTarget

Grants permission to remove storage backends of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateObsTargetPolicy

Grants permission to modify the auto synchronization policy between SFS Turbo file systems and OBS storage backends.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateObsTargetAttributes

Grants permission to modify attributes of storage backends of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:listPermRules

Grants permission to list permission rules of SFS Turbo file systems.

list

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showPermRule

Grants permission to query details of permissions rules of SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:createPermRule

Grants permission to create permissions rules of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updatePermRule

Grants permission to modify permissions rules of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deletePermRule

Grants permission to delete permissions rules of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showLdap

Grants permission to query the LDAP configuration of SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:createLdap

Grants permission to create the LDAP configuration of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateLdap

Grants permission to modify the LDAP configuration of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteLdap

Grants permission to delete the LDAP configuration of SFS Turbo file systems.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:addActiveDirectoryDomain

Grants permission to add SFS Turbo file systems to AD domains.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:deleteActiveDirectoryDomain

Grants permission to remove SFS Turbo file systems from AD domains.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:showActiveDirectoryDomain

Grants permission to query AD domains of SFS Turbo file systems.

read

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:updateActiveDirectoryDomain

Grants permission to modify the AD domain configuration of an SFS Turbo file system.

write

shares *
  • g:ResourceTag/<tag-key>
  • g:EnterpriseProjectId

-

sfsturbo:shares:getJob

Grants permission to query details of tasks in SFS Turbo file systems.

read

-

-

-

Each API of SFS Turbo usually supports one or more actions. Table 2 lists the actions and dependencies supported by SFS Turbo APIs.

Table 2 Actions and dependencies supported by SFS Turbo APIs

API

Action

Dependencies

POST /v1/{project_id}/sfs-turbo/shares

sfsturbo:shares:createShare
  • billing:order:pay
  • billing:contract:viewDiscount
  • vpc:vpcs:get
  • vpc:subnets:get
  • vpc:securityGroups:get
  • vpc:securityGroups:create
  • vpc:ports:get
  • vpc:ports:create
  • vpc:ports:update
  • vpc:securityGroupRules:get
  • vpc:securityGroupRules:create
  • vpc:quotas:list
  • cbr:backups:get
  • cbr:vaults:addResources
  • evs:types:get
  • kms:cmk:listGrants
  • kms:cmk:createGrant
  • kms:cmk:get
  • sfsturbo:shares:getAZInfo
  • sfsturbo:shares:getQuota
  • sfsturbo:shares:getFlavors
  • sfsturbo:shares:checkShareName
  • eps:enterpriseProjects:list

GET /v1/{project_id}/sfs-turbo/shares/detail

sfsturbo:shares:getAllShares

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}

sfsturbo:shares:getShare

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}

sfsturbo:shares:deleteShare
  • vpc:ports:get
  • vpc:ports:delete
  • vpc:securityGroupRules:delete
  • vpc:securityGroups:delete

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/action

sfsturbo:shares:extendShare
  • billing:order:pay
  • vpc:vpcs:get
  • vpc:subnets:get
  • vpc:ports:get
  • vpc:ports:create
  • vpc:ports:update

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/action

sfsturbo:shares:updateShareSecurityGroup
  • vpc:ports:update
  • vpc:securityGroups:get
  • vpc:securityGroupRules:create
  • vpc:securityGroupRules:delete

POST /v1/{project_id}/sfs-turbo/{share_id}/tags

sfsturbo:shares:addTag

-

GET /v1/{project_id}/sfs-turbo/{share_id}/tags

sfsturbo:shares:getTag

-

DELETE /v1/{project_id}/sfs-turbo/{share_id}/tags/{key}

sfsturbo:shares:deleteTag

-

POST /v1/{project_id}/sfs-turbo/{share_id}/tags/action

sfsturbo:shares:batchResTag

-

POST /v1/{project_id}/sfs-turbo/resource_instances/action

sfsturbo:shares:getAllTag

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/action

sfsturbo:shares:renameShare

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/{feature}/tasks

sfsturbo:shares:createFsAsyncTask

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/{feature}/tasks

sfsturbo:shares:listFsAsyncTasks

-

GET /v1/{project_id}/sfs- turbo/shares/{share_id}/fs/{feature}/tasks/{task_id}

sfsturbo:shares:showFsAsyncTask

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/{feature}/tasks/{task_id}

sfsturbo:shares:deleteFsAsyncTask

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/targets

sfsturbo:shares:createBackendTarget
  • obs:bucket:putBucketPolicy
  • vpc:ports:get
  • vpc:ports:create
  • vpc:subnets:get

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/targets

sfsturbo:shares:listBackendTargets

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/targets/{target_id}

sfsturbo:shares:showBackendTargetInfo

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/targets/{target_id}

sfsturbo:shares:deleteBackendTarget

-

POST /v1/{project_id}/sfs-turbo/{share_id}/hpc-cache/task

sfsturbo:shares:createDataRepositoryTask

obs:bucket:headBucket

GET /v1/{project_id}/sfs-turbo/{share_id}/hpc-cache/task/{task_id}

sfsturbo:shares:getDataRepositoryTask

-

GET /v1/{project_id}/sfs-turbo/{share_id}/hpc-cache/tasks

sfsturbo:shares:getAllDataRepositoryTasks

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}

sfsturbo:shares:updateHpcShare

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir-quota

sfsturbo:shares:createFsDirQuota

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir-quota

sfsturbo:shares:updateFsDirQuota

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir-quota

sfsturbo:shares:showFsDirQuota

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir-quota

sfsturbo:shares:deleteFsDirQuota

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir

sfsturbo:shares:createFsDir

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir

sfsturbo:shares:showFsDir

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir

sfsturbo:shares:deleteFsDir

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/dir-usage

sfsturbo:shares:showFsDirUsage

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/perm-rules

sfsturbo:shares:createPermRule

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/perm-rules

sfsturbo:shares:listPermRules

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/perm-rules/{rule_id}

sfsturbo:shares:showPermRule

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/perm-rules/{rule_id}

sfsturbo:shares:updatePermRule

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/perm-rules/{rule_id}

sfsturbo:shares:deletePermRule

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/ldap

sfsturbo:shares:createLdap

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/ldap

sfsturbo:shares:showLdap

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/ldap

sfsturbo:shares:updateLdap

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/ldap

sfsturbo:shares:deleteLdap

-

GET /v1/{project_id}/sfs-turbo/jobs/{job_id}

sfsturbo:shares:getJob

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/action

sfsturbo:shares:showClientIpInfo

-

DELETE /v1/{project_id}/sfs-turbo/{share_id}/hpc-cache/task/{task_id}

sfsturbo:shares:deleteDataRepositoryTask

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}/targets/{target_id}/policy

sfsturbo:shares:updateObsTargetPolicy

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}/targets/{target_id}/attributes

sfsturbo:shares:updateObsTargetAttributes

-

POST /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/active-directory-domain

sfsturbo:shares:addActiveDirectoryDomain

-

DELETE /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/active-directory-domain

sfsturbo:shares:deleteActiveDirectoryDomain

-

GET /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/active-directory-domain

sfsturbo:shares:showActiveDirectoryDomain

-

PUT /v1/{project_id}/sfs-turbo/shares/{share_id}/fs/active-directory-domain

sfsturbo:shares:updateActiveDirectoryDomain

-

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for SFS Turbo.

Table 3 Resource types supported by SFS Turbo

Resource Type

URN

shares

shares *

Conditions

A Condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name as the prefix, for example, sfsturbo) apply only to operations of SFS Turbo. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For supported condition operators, see Condition operators.

Service-specific condition keys supported by SFS Turbo

The following table lists the condition keys that you can define in identity policies for SFS Turbo. You can include these condition keys to specify conditions for when your identity policy is in effect.

Table 4 Service-specific condition keys supported by SFS Turbo

Service-specific Condition Key

Type

Single-valued/Multivalued

Description

sfsturbo:CryptKeyId

String

Single-valued

Filters access based on the key ID specified in the request parameter.
Parent topic: Storage