Help Center/ SoftWare Repository for Container/ User Guide (Enterprise Edition)/ Control Policies Supported by SWR/ NCPs
Updated on 2025-09-19 GMT+08:00
View PDF
Share

NCPs

Example 1: Accounts in an organization can only download private images in that organization through VPC Endpoint, but they can download any public images.

The following policy means that images in the OU or account bound to the policy cannot be downloaded by accounts outside the o-j1ftg6v1z9zldcg2o29ho0gvazswvia2 organization through VPC Endpoint. They can only be downloaded by accounts in the organization.

The organization here refers to the organization in the Organizations service, not the organization in SWR. To obtain the ID of the organization, follow the steps in the figure.

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "swr:repository:downloadArtifact"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Bool": {
          "g:PrincipalIsService": [
            "false"
          ]
        },
        "StringNotEquals": {
          "g:ResourceOrgId": [
            "o-j1ftg6v1z9zldcg2o29ho0gvazswvia2"
          ]
        }
      }
    }
  ]
}

Example 2: Accounts in an organization can only download private images in that organization through VPC Endpoint, and they can download any public images.

The following policy means that private images in the OU or account bound to the policy cannot be downloaded by accounts outside the o-j1ftg6v1z9zldcg2o29ho0gvazswvia2 organization through VPC Endpoint. They can only be downloaded by accounts in the organization. Public images can be downloaded by any account.

The organization here refers to the organization in the Organizations service, not the organization in SWR. To obtain the ID of the organization, follow the steps in the figure.

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "swr:repository:downloadArtifact"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Bool": {
          "g:PrincipalIsService": [
            "false"
          ],
          "swr:RepositoryIsPublic": [
            "false"
          ]
        },
        "StringNotEquals": {
          "g:ResourceOrgId": [
            "o-j1ftg6v1z9zldcg2o29ho0gvazswvia2"
          ]
        }
      }
    }
  ]
}

The configuration method is the same as that described in SCPs.