Updated on 2024-05-11 GMT+08:00

CodeArts

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by the CodeArts console, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by the CodeArts console, see Conditions.

The following table lists the actions that you can define in SCP statements for the CodeArts console.

Table 1 Actions supported by the CodeArts console

Action

Description

Access Level

Resource Type (*: required)

Condition Key

codearts:projectman:viewUsage

Grants permission to check CodeArts Req resource usage on the console.

read

-

-

codearts:codehub:viewUsage

Grants permission to check CodeArts Repo resource usage on the console.

read

-

-

codearts:cloudbuild:viewUsage

Grants permission to check CodeArts Build resource usage on the console.

read

-

-

codearts:codecheck:viewUsage

Grants permission to check CodeArts Check resource usage on the console.

read

-

-

codearts:cloudtest:viewUsage

Grants permission to check CodeArts TestPlan (Test Management) resource usage on the console.

read

-

-

codearts:apitest:viewUsage

Grants permission to check CodeArts TestPlan (APITest) resource usage on the console.

read

-

-

codearts:cloudrelease:viewUsage

Grants permission to check CodeArts Artifact resource usage on the console.

read

-

-

codearts:cloudide:viewUsage

Grants permission to check CodeArts IDE resource usage on the console.

read

-

-

codearts:classroom:viewUsage

Grants permission to check Classroom resource usage on the console.

read

-

-

codearts:monthlyPackage:changeSpecification

Grants permission to change package specifications on the console.

write

-

-

codearts:monthlyPackage:subscribe

Grants permission to purchase packages on the console.

write

-

-

codearts:projectman:subscribeService

Grants permission to subscribe to CodeArts Req in pay-per-use mode on the console.

write

-

-

codearts:codehub:subscribeService

Grants permission to subscribe to CodeArts Repo in pay-per-use mode on the console.

write

-

-

codearts:cloudbuild:subscribeService

Grants permission to subscribe to CodeArts Build in pay-per-use mode on the console.

write

-

-

codearts:codecheck:subscribeService

Grants permission to subscribe to CodeArts Check in pay-per-use mode on the console.

write

-

-

codearts:cloudtest:subscribeService

Grants permission to subscribe to CodeArts TestPlan (Test Management) in pay-per-use mode on the console.

write

-

-

codearts:apitest:subscribeService

Grants permission to subscribe to CodeArts TestPlan (APITest) in pay-per-use mode on the console.

write

-

-

codearts:cloudrelease:subscribeService

Grants permission to subscribe to CodeArts Artifact in pay-per-use mode on the console.

write

-

-

codearts:package:subscribeService

Grants permission to subscribe to a pay-per-use package on the console.

write

-

-

codearts:cloudide:subscribeService

Grants permission to subscribe to CodeArts IDE in pay-per-use mode on the console.

write

-

-

codearts:classroom:subscribeService

Grants permission to subscribe to Classroom in pay-per-use mode on the console.

write

-

-

codearts:projectman:unsubscribeService

Grants permission to unsubscribe from CodeArts Req in pay-per-use mode on the console.

write

-

-

codearts:codehub:unsubscribeService

Grants permission to unsubscribe from CodeArts Repo in pay-per-use mode on the console.

write

-

-

codearts:cloudbuild:unsubscribeService

Grants permission to unsubscribe from CodeArts Build in pay-per-use mode on the console.

write

-

-

codearts:codecheck:unsubscribeService

Grants permission to unsubscribe from CodeArts Check in pay-per-use mode on the console.

write

-

-

codearts:cloudtest:unsubscribeService

Grants permission to unsubscribe from CodeArts TestPlan (Test Management) in pay-per-use mode on the console.

write

-

-

codearts:apitest:unsubscribeService

Grants permission to unsubscribe from CodeArts TestPlan (APITest) in pay-per-use mode on the console.

write

-

-

codearts:cloudrelease:unsubscribeService

Grants permission to unsubscribe from CodeArts Artifact in pay-per-use mode on the console.

write

-

-

codearts:package:unsubscribeService

Grants permission to unsubscribe from a pay-per-use package on the console.

write

-

-

codearts:cloudide:unsubscribeService

Grants permission to unsubscribe from CodeArts IDE in pay-per-use mode on the console.

write

-

-

codearts:classroom:unsubscribeService

Grants permission to unsubscribe from Classroom in pay-per-use mode on the console.

write

-

-

codearts:authorization:list

Grants permission to view the authorization list on the console.

list

-

-

codearts:payPerUsePackage:listResourceDetail

Grants permission to view details of a pay-per-use package on the console.

list

-

-

codearts:monthlyPackage:listResourceDetail

Grants permission to view package resources on the console.

list

-

-

codearts:projectman:listResourceDetail

Grants permission to view CodeArts Req resources on the console.

list

-

-

codearts:codehub:listResourceDetail

Grants permission to view CodeArts Repo resources on the console.

list

-

-

codearts:cloudbuild:listResourceDetail

Grants permission to view CodeArts Build resources on the console.

list

-

-

codearts:codecheck:listResourceDetail

Grants permission to view CodeArts Check resources on the console.

list

-

-

codearts:cloudtest:listResourceDetail

Grants permission to view CodeArts TestPlan (Test Management) resources on the console.

list

-

-

codearts:cloudrelease:listResourceDetail

Grants permission to view CodeArts Artifact resources on the console.

list

-

-

codearts:cloudide:listResourceDetail

Grants permission to view CodeArts IDE resources on the console.

list

-

-

codearts:classroom:listResourceDetail

Grants permission to view Classroom resources on the console.

list

-

-

codearts:agileDevopsTrainingServices:listResourceDetail

Grants permission to view resources of the Agile and DevOps Training Service on the console.

list

-

-

codearts:projectman:listSubscriptionHistory

Grants permission to view CodeArts Req subscription history on the console.

list

-

-

codearts:codehub:listSubscriptionHistory

Grants permission to view CodeArts Repo subscription history on the console.

list

-

-

codearts:cloudbuild:listSubscriptionHistory

Grants permission to view CodeArts Build subscription history on the console.

list

-

-

codearts:codecheck:listSubscriptionHistory

Grants permission to view CodeArts Check subscription history on the console.

list

-

-

codearts:cloudtest:listSubscriptionHistory

Grants permission to view CodeArts TestPlan (Test Management) subscription history on the console.

list

-

-

codearts:apitest:listSubscriptionHistory

Grants permission to view CodeArts TestPlan (APITest) subscription history on the console.

list

-

-

codearts:cloudrelease:listSubscriptionHistory

Grants permission to view CodeArts Artifact subscription history on the console.

list

-

-

codearts:package:listSubscriptionHistory

Grants permission to view pay-per-use package subscription history on the console.

list

-

-

codearts:cloudide:listSubscriptionHistory

Grants permission to view CodeArts IDE subscription history on the console.

list

-

-

codearts:classroom:listSubscriptionHistory

Grants permission to view Classroom subscription history on the console.

list

-

-

codearts:authorization:create

Grants permission to authorize enterprise accounts on the console.

permissions

-

-

codearts:authorization:cancel

Grants permission to cancel the authorization granted to enterprise accounts on the console.

permissions

-

-

codearts:authorization:update

Grants permission to accept or reject authorization from an enterprise account on the console.

permissions

-

-

Resources

The CodeArts console does not support resource-level authorization. To allow access to the CodeArts console, use a wildcard (*) in the Resource element of the SCP, indicating that the SCP will be applied to all resources.

Conditions

The CodeArts console does not support service-specific condition keys in SCPs.

It can only use global condition keys applicable to all services. For details, see Global Condition Keys.