Actions Supported by Policy-based Authorization

This section describes the actions supported policy-based authorization for Organizations.

Supported Actions

Organizations provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The common concepts related to policies are as follows:

Permissions: statements in a policy that allow or deny certain operations
APIs: REST APIs that can be called by a user who has been granted specific permissions
Actions: specific operations that are allowed or denied
Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management

Organization Management

Permission	API	Action	IAM Project	Enterprise Project
Creating an organization	POST /v1/organizations	organizations:organizations:create iam:agencies:createServiceLinkedAgencyV5	Not supported	Not supported
Getting organization information	GET /v1/organizations	organizations:organizations:get	Not supported	Not supported
Deleting an organization	DELETE /v1/organizations	organizations:organizations:delete	Not supported	Not supported
Leaving the current organization	POST /v1/organizations/leave	organizations:organizations:leave	Not supported	Not supported
Listing roots of an organization	GET /v1/organizations/roots	organizations:roots:list	Not supported	Not supported

OU Management

Permission	API	Action	IAM Project	Enterprise Project
Creating an OU	POST /v1/organizations/organizational-units	organizations:ous:create organizations:resources:tag (if tag information is requested)	Not supported	Not supported
Listing OUs	GET /v1/organizations/organizational-units	organizations:ous:list	Not supported	Not supported
Getting OU information	GET /v1/organizations/organizational-units/{organizational_unit_id}	organizations:ous:get	Not supported	Not supported
Renaming an OU	PATCH /v1/organizations/organizational-units/{organizational_unit_id}	organizations:ous:update	Not supported	Not supported
Deleting an OU	DELETE /v1/organizations/organizational-units/{organizational_unit_id}	organizations:ous:delete	Not supported	Not supported

Account Management

Permission	API	Action	IAM Project	Enterprise Project
Creating an account	POST /v1/organizations/accounts	organizations:accounts:create organizations:resources:tag (if tag information is requested)	Not supported	Not supported
Closing an account	POST /v1/organizations/accounts/{account_id}/close	organizations:accounts:close	Not supported	Not supported
Modifying an account	PATCH /v1/organizations/accounts/{account_id}	organizations:accounts:update	Not supported	Not supported
Listing statuses of closed accounts	GET /v1/organizations/close-account-status	organizations:closeAccountStatuses:list	Not supported	Not supported
Listing accounts in an organization	GET /v1/organizations/accounts	organizations:accounts:list	Not supported	Not supported
Getting account information	GET /v1/organizations/accounts/{account_id}	organizations:accounts:get	Not supported	Not supported
Removing the specified account	POST /v1/organizations/accounts/{account_id}/remove	organizations:accounts:remove	Not supported	Not supported
Moving an account	POST /v1/organizations/accounts/{account_id}/move	organizations:accounts:move	Not supported	Not supported
Inviting an account to join an organization	POST /v1/organizations/invite-account	organizations:accounts:invite organizations:resources:tag (if tag information is requested)	Not supported	Not supported
Querying CreateAccount requests in the specified state	GET /v1/organizations/create-account-statuses	organizations:createAccountStatuses:list	Not supported	Not supported
Getting the account creation status	GET /v1/organizations/create-account-statuses/{create_account_status_id}	organizations:createAccountStatuses:get	Not supported	Not supported

Invitation Management

Permission	API	Action	IAM Project	Enterprise Project
Getting invitation information	GET /v1/organizations/handshakes/{handshake_id}	organizations:handshakes:get	Not supported	Not supported
Accepting an invitation	POST/v1/received-handshakes/{handshake_id}/accept	organizations:handshakes:accept iam:agencies:createServiceLinkedAgencyV5	Not supported	Not supported
Declining an invitation	POST /v1/received-handshakes/{handshake_id}/decline	organizations:handshakes:decline	Not supported	Not supported
Canceling an invitation	POST /v1/organizations/handshakes/{handshake_id}/cancel	organizations:handshakes:cancel	Not supported	Not supported
Listing received invitations	GET /v1/received-handshakes	organizations:receivedHandshakes:list	Not supported	Not supported
Listing sent invitations	GET /v1/organizations/handshakes	organizations:handshakes:list	Not supported	Not supported

Management of Trusted Services

Permission	API	Action	IAM Project	Enterprise Project
Enabling a trusted service	POST /v1/organizations/enable-trusted-service	organizations:trustedServices:enable	Not supported	Not supported
Disabling a trusted service	POST /v1/organizations/disable-trusted-service	organizations:trustedServices:disable	Not supported	Not supported
Listing trusted services	GET /v1/organizations/trusted-services	organizations:trustedServices:list	Not supported	Not supported

Management of Delegated Administrators

Permission	API	Action	IAM Project	Enterprise Project
Registering a delegated administrator	POST /v1/organizations/delegated-administrators/register	organizations:delegatedAdministrators:register	Not supported	Not supported
Deregistering a delegated administrator	POST /v1/organizations/delegated-administrators/deregister	organizations:delegatedAdministrators:deregister	Not supported	Not supported
Listing services managed by a delegated administrator account	GET /v1/organizations/accounts/{account_id}/delegated-services	organizations:delegatedServices:list	Not supported	Not supported
Listing delegated administrator accounts	GET /v1/organizations/delegated-administrators	organizations:delegatedAdministrators:list	Not supported	Not supported

Policy Management

Permission	API	Action	IAM Project	Enterprise Project
Creating a policy	POST /v1/organizations/policies	organizations:policies:create organizations:resources:tag (if tag information is requested)	Not supported	Not supported
Listing policies	GET /v1/organizations/policies	organizations:policies:list	Not supported	Not supported
Getting policy information	GET /v1/organizations/policies/{policy_id}	organizations:policies:get	Not supported	Not supported
Updating a policy	PATCH /v1/organizations/policies/{policy_id}	organizations:policies:update	Not supported	Not supported
Deleting a policy	DELETE /v1/organizations/policies/{policy_id}	organizations:policies:delete	Not supported	Not supported
Enabling a policy type for a root	POST /v1/organizations/policies/enable	organizations:policies:enable	Not supported	Not supported
Disabling a policy type in a root	POST /v1/organizations/policies/disable	organizations:policies:disable	Not supported	Not supported
Attaching a policy to a principal	POST /v1/organizations/policies/{policy_id}/attach	organizations:policies:attach	Not supported	Not supported
Detaching a policy from a principal	POST /v1/organizations/policies/{policy_id}/detach	organizations:policies:detach	Not supported	Not supported
Listing entities for the specified policy	GET /v1/organizations/policies/{policy_id}/attached-entities	organizations:attachedEntities:list	Not supported	Not supported

Tag Management

Permission	API	Action	IAM Project	Enterprise Project
Listing tags for the specified resource	GET /v1/organizations/resources/{resource_id}/tags	organizations:tags:list	Not supported	Not supported
Adding tags to the specified resource	POST /v1/organizations/resources/{resource_id}/tag	organizations:resources:tag	Not supported	Not supported
Removing tags from the specified resource	POST /v1/organizations/resources/{resource_id}/untag	organizations:resources:untag	Not supported	Not supported
Listing tags for the specified resource	GET /v1/organizations/{resource_type}/{resource_id}/tags	organizations:tags:list	Not supported	Not supported
Adding tags to the specified resource	POST /v1/organizations/{resource_type}/{resource_id}/tags/create	organizations:resources:tag	Not supported	Not supported
Removing tags from the specified resource	POST /v1/organizations/{resource_type}/{resource_id}/tags/delete	organizations:resources:untag	Not supported	Not supported
Listing instances by resource type and tag	POST /v1/organizations/{resource_type}/resource-instances/filter	organizations:resources:listByTag	Not supported	Not supported
Querying the number of instances by resource type and tag	POST /v1/organizations/{resource_type}/resource-instances/count	organizations:resources:countByTag	Not supported	Not supported
Querying resource tags	GET /v1/organizations/{resource_type}/tags	organizations:resources:list	Not supported	Not supported

Others

Permission	API	Action	IAM Project	Enterprise Project
Querying the effective policy	GET /v1/organizations/entities/effective-policies	organizations:effectivePolicies:get	Not supported	Not supported
Listing entities in an organization	GET /v1/organizations/entities	organizations:entities:list	Not supported	Not supported
Listing cloud services integrable with Organizations	GET /v1/organizations/services	organizations:services:list	Not supported	Not supported
Listing resource types that support tag policy enforcement	GET /v1/organizations/tag-policy-services	organizations:tagPolicyServices:list	Not supported	Not supported
Listing organization quotas	GET /v1/organizations/quotas	organizations:quotas:list	Not supported	Not supported

Parent topic: Permissions and Supported Actions

Previous topic: Introduction

Next topic: Actions Supported by Identity Policy-based Authorization

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot