Updated on 2024-05-25 GMT+08:00

Creating a Custom CAE Policy

Custom policies supplement the system-defined policies of CAE.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. This section provides examples of common custom CAE policies.

Example Custom Policy

This procedure creates a policy that an IAM user is prohibited to delete components.

{
        "Version": "1.1",
        "Statement": [
                {
                        "Action": [
                                "cae:*:*"
                        ],
                        "Effect": "Allow"
                },
                {
                        "Action": [
                                "cae:application:delete"
                        ],
                        "Effect": "Deny"
                }
        ]
}

A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

After authorization, users in the group can verify their permissions using the console or REST APIs.

The following uses the custom policy as an example to describe how to log in to the CAE console to verify that a user is not allowed to delete components.

  1. Log in to Huawei Cloud as an IAM user.
    • Tenant name: Name of the account used to create the IAM user
    • IAM username and password: Username and password specified during the IAM user creation using the tenant name
  2. On the Components page, create a component for test, and click More > Delete in the Operation column of the component. If a message is displayed indicating that you do not have the operation permissions, the permissions configuration is correct and has taken effect.