Tutorials for RBAC

This section describes how to use Identity and Access Management (IAM)to implement fine-grained permissions control for your COC resources. With IAM, you can:

Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing COC resources.
Grant users only the permissions required to perform a given task based on their job responsibilities.
Entrust an account or cloud service to perform efficient O&M on your COC resources.

If your account does not require individual IAM users, skip this topic.

This section describes the workflow for granting permissions to users.

Prerequisites

Learn about the permissions supported by COC, see Permissions Management. To grant permissions for other services, learn about all system-defined permissions.

Example Workflow

Create a user group and assign permissions to it.
Create a user group on the IAM console, and grant the read-only system permission COC ReadOnlyAccess and the administrator system permission COC FullAccess to the user group.
Create a user and add it to a user group.
Create a user on the IAM console and add the user to the group created in 1.
Log in and verify permissions.
- Log in to COC, access the Overview page, and click Create Task in the upper right corner to create a to-do task. If a to-do task fails to be created (assume that you have only the COC ReadOnlyAccess permission), the COC ReadOnlyAccess permission has taken effect.
- Log in to COC, access the Overview page, and click Create Task in the upper right corner to create a to-do task. If a to-do task is created (assume that you have only the COC FullAccess permission), the COC FullAccess permission has taken effect.
Custom policies can be created to supplement the system-defined policies of COC. For the actions supported for custom policies, see Policies and Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following lists examples of common COC custom policies.

Example Custom Policies

Example 1: Allow users to create O&M tasks.

{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "coc:task:create"
      ]
    }
  ]
}

Example 2: Grant permissions to deny topic deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Assume that you want to grant the permissions of the COC FullAccess policy to a user but want to prevent them from deleting documents. You can create a custom policy for denying document deletion, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on COC resources except deleting documents. The following is an example of a deny policy:
```
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "coc:document:delete"
      ]
    }
  ]
}
```
Example 3: Create a custom policy containing multiple actions.
A custom policy can contain the actions of multiple services that are of the project-level type. The following is a custom policy containing multiple actions:
```
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "coc:document:create",
        "scm:cert:complete"
      ]
    }
  ]
}
```