Custom Policies for SWR Enterprise Edition

Scenarios

Custom policies can be created to supplement system-defined policies. You can add actions in custom policies as needed. For details about supported actions, see Table 1.

To create a custom policy, choose either visual editor or JSON.

Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Create a policy in the JSON format from scratch or based on an existing policy.

For details, see Creating a Custom Policy.

Example Custom Policies

Example 1: Create a policy to allow users to create, update, view, or delete a namespace.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "swr:repository:getNamespace",
                "swr:repository:listNamespaces",
                "swr:repository:createNamespace",
                "swr:repository:updateNamespace",
                "swr:repository:deleteNamespace"
            ]
        }
    ]
}

Example 2:
A policy with only Deny permissions must be used in conjunction with other policies to take effect. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence.

If you want to assign the SWR FullAccess policy to a user but do not want this user to have permission to delete repositories, create a custom policy that denies repository deletion. Then, attach both the policies to the group that the user belongs to. In this way, the user can perform all operations on repositories except deleting the repositories. The following is an example of a deny policy:
```
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "swr:instance:delete"
            ]
        }
    ]
}
```

Common SWR Operations Supported by Each System-defined Policy

**Table 1** SWR Enterprise Edition operations supported by system-defined policies
Operation	Action	SWR FullAccess	SWR OperateAccess	SWR ReadOnlyAccess
Listing artifacts	swr:repository:listArtifacts	√	√	√
Querying artifact details	swr:repository:getArtifact	√	√	√
Deleting artifacts	swr:repository:deleteArtifact	√	√	×
Listing artifact accessories	swr:repository:listAccessories	√	√	√
Querying additional information about an artifact	swr:repository:getArtifactAddition	√	√	√
Querying policies of an Enterprise Edition instance	swr:instance:getPolicy	√	√	√
Updating policies of an Enterprise Edition instance	swr:instance:updatePolicy	√	×	×
Querying configurations of an Enterprise Edition instance	swr:instance:getConfigurations	√	√	√
Updating configurations of an Enterprise Edition instance	swr:instance:updateConfigurations	√	×	×
Listing the instances that use a resource	swr:instance:listResourceInstances	√	√	√
Querying the number of instances that use a resource	swr:instance:getResourceInstancesCount	√	√	√
Creating resource tags in batches	swr:instance:createResourceTags	√	×	×
Deleting resource tags in batches	swr:instance:deleteResourceTags	√	×	×
Querying project tags	swr:instance:getProjectTags	√	√	√
Querying tags of a resource	swr:instance:getResourceTags	√	√	√
Creating an Enterprise Edition instance	swr:instance:create	√	×	×
Listing Enterprise Edition instances	swr:instance:list	√	√	√
Querying details about an Enterprise Edition instance	swr:instance:get	√	√	√
Deleting Enterprise Edition instances	swr:instance:delete	√	×	×
Querying audit logs of an Enterprise Edition instance	swr:instance:getAuditLogs	√	√	√
Querying statistics on Enterprise Edition instances	swr:instance:getStatistics	√	√	√
Listing tasks	swr:instance:listJobs	√	√	√
Querying task details	swr:instance:getJobs	√	√	√
Deleting tasks	swr:instance:deleteJob	√	×	×
Creating a namespace	swr:repository:createNamespace	√	√	×
Listing namespaces	swr:repository:listNamespaces	√	√	√
Querying namespace details	swr:repository:getNamespace	√	√	√
Modifying a namespace	swr:repository:updateNamespace	√	√	×
Deleting namespaces	swr:repository:deleteNamespace	√	√	×
Listing artifact repositories	swr:repository:listRepositories	√	√	√
Querying details about an artifact repository	swr:repository:getRepository	√	√	√
Modifying an artifact repository	swr:repository:updateRepository	√	√	×
Deleting artifact repositories	swr:repository:deleteRepository	√	√	×
Listing artifact tags	swr:repository:listTags	√	√	√
Querying details about an artifact tag	swr:repository:getTag	√	√	√
Deleting artifact tags	swr:repository:deleteTag	√	√	×
Querying additional information about an artifact tag	swr:repository:getTagAddition	√	√	√
Creating a tag retention policy	swr:repository:createRetentionPolicy	√	√	×
Listing tag retention policies	swr:repository:listRetentionPolicies	√	√	√
Querying details about a tag retention policy	swr:repository:getRetentionPolicy	√	√	√
Modifying a tag retention policy	swr:repository:updateRetentionPolicy	√	√	×
Deleting tag retention policies	swr:repository:deleteRetentionPolicy	√	√	×
Executing tag retention policies	swr:repository:executeRetentionPolicy	√	√	×
Listing tag retention records	swr:repository:listRetentionPolicyExecutions	√	√	√
Listing tag retention tasks	swr:repository:listRetentionPolicyExecTasks	√	√	√
Listing tag retention subtasks	swr:repository:listRetentionPolicyExecSubTasks	√	√	√
Creating a trigger	swr:repository:createWebhook	√	√	×
Listing triggers	swr:repository:listWebhooks	√	√	√
Querying trigger details	swr:repository:getWebhook	√	√	√
Modifying a trigger	swr:repository:updateWebhook	√	√	×
Deleting triggers	swr:repository:deleteWebhook	√	√	×
Listing triggering records	swr:repository:listWebhookJobs	√	√	√
Creating a destination registry	swr:instance:createRegistry	√	×	×
Listing destination registries	swr:instance:listRegistries	√	√	√
Querying details about a destination registry	swr:instance:getRegistry	√	√	√
Modifying a destination registry	swr:instance:updateRegistry	√	×	×
Deleting destination registries	swr:instance:deleteRegistry	√	×	×
Creating a replication policy	swr:instance:createReplicationPolicy	√	×	×
Listing replication policies	swr:instance:listReplicationPolicies	√	√	√
Querying details about a replication policy	swr:instance:getReplicationPolicy	√	√	√
Modifying a replication policy	swr:instance:updateReplicationPolicy	√	×	×
Deleting replication policies	swr:instance:deleteReplicationPolicy	√	×	×
Executing replication policies	swr:instance:executeReplicationPolicy	√	√	×
Stopping replication tasks	swr:instance:stopReplicationPolicyExecution	√	×	×
Listing replication records	swr:instance:listReplicationPolicyExecutions	√	√	√
Listing replication tasks	swr:instance:listReplicationPolicyExecTasks	√	√	√
Listing replication subtasks	swr:instance:listReplicationPolicyExecSubTasks	√	√	√
Creating a sign policy	swr:repository:createSignPolicy	√	√	×
Listing sign policies	swr:repository:listSignPolicies	√	√	√
Querying details about a sign policy	swr:repository:getSignPolicy	√	√	√
Modifying a sign policy	swr:repository:updateSignPolicy	√	√	×
Deleting sign policies	swr:repository:deleteSignPolicy	√	√	×
Executing sign policies	swr:repository:executeSignPolicy	√	√	×
Listing signing records	swr:repository:listSignPolicyExecutions	√	√	√
Listing signing tasks	swr:repository:listSignPolicyExecTasks	√	√	√
Listing signing subtasks	swr:repository:listSignPolicyExecSubTasks	√	√	√
Creating a scan policy	swr:repository:createScanPolicy	√	√	×
Listing scan policies	swr:repository:listScanPolicies	√	√	√
Querying details about a scan policy	swr:repository:getScanPolicy	√	√	√
Modifying a scan policy	swr:repository:updateScanPolicy	√	√	×
Deleting scan policies	swr:repository:deleteScanPolicy	√	√	×
Executing scan policies	swr:repository:executeScanPolicy	√	√	×
Listing scanning records	swr:repository:listScanPolicyExecutions	√	√	√
Listing scanning tasks	swr:repository:listScanPolicyExecTasks	√	√	√
Creating a block policy	swr:repository:createBlockPolicy	√	√	×
Listing block policies	swr:repository:listBlockPolicies	√	√	√
Querying details about a block policy	swr:repository:getBlockPolicy	√	√	√
Modifying a block policy	swr:repository:updateBlockPolicy	√	√	×
Listing blocking records	swr:repository:listBlockPolicyRecords	√	√	√
Updating the whitelist for public network access	swr:instance:updateEndpointPolicy	√	×	×
Updating the whitelist status for public network access	swr:instance:updateEndpointPolicyStatus	√	×	×
Querying the whitelist for public network access	swr:instance:getEndpointPolicy	√	√	√
Allowing a connection from the intranet	swr:instance:createInternalEndpoint	√	×	×
Querying details about an allowed connection from the intranet	swr:instance:getInternalEndpoint	√	√	√
Denying a connection from the intranet	swr:instance:deleteInternalEndpoint	√	×	×
Listing allowed connections from the intranet	swr:instance:listInternalEndpoints	√	√	√
Uploading artifacts	swr:repository:uploadArtifact	√	√	×
Downloading artifacts	swr:repository:downloadArtifact	√	√	√
Creating a temporary access credential	swr:instance:createTempCredential	√	√	√
Creating a long-term access credential	swr:instance:createLTCredential	√	×	×
Enabling or disabling long-term access credentials	swr:instance:updateLTCredential	√	×	×
Listing long-term access credentials	swr:instance:listLTCredentials	√	√	√
Deleting long-term access credentials	swr:instance:deleteLTCredential	√	×	×