Help Center/ SoftWare Repository for Container/ User Guide (Enterprise Edition)/ IAM-based Permissions Management/ SWR Custom Policies
Updated on 2025-09-19 GMT+08:00
View PDF
Share

SWR Custom Policies

Custom policies can be created to supplement system-defined policies of SWR.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

    For details, see Creating a Custom Policy. This section illustrates common custom policies.

Example SWR custom policies

  • Example 1: Allowing a user to upload and download images in the test-swr SWR Enterprise Edition instance in the test-namespace namespace 
    {
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "swr:repository:downloadArtifact",
        "swr:repository:uploadArtifact"
      ],
      "Resource": [
        "swr:*:*:repository:test-swr/test-namespace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "swr:instance:createTempCredential"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
  • Example 3: Denying image replication from region A to region B 
    {
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "swr:instance:createReplicationPolicy"
      ],
      "Resource": [
        "swr:*:*:instance:*"
      ],
      "Condition": {
        "StringEquals": {
          "swr:TargetRegion": [
            "${region-b}"
          ],
          "swr:SourceRegion": [
            "${region-a}"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "swr:instance:createReplicationPolicy"
      ],
      "Resource": [
        "swr:*:*:instance:*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "swr:SourceUrls": [
            "All repository addresses in region a"
          ],
          "swr:TargetUrls": [
            "All repository addresses in region b"
          ]
        }
      }
    }
  ]
}