ROMA Connect Custom Policies

Create custom permissions policies for ROMA Connect if the preset ones cannot satisfy your needs. For the actions that can be added to custom policies, see Permissions Policies and Supported Actions.

You can create custom policies in either of the following ways:

Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Edit JSON policies from scratch or based on an existing policy.

For details about how to create a custom policy, see Creating a Custom Policy. This section provides examples of common custom policies of ROMA Connect.

Example Custom Policies

Example 1: Allow users to create, start/stop, and view integration tasks.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "roma:tasks:create",
                "roma:tasks:operate",
                "roma:tasks:list",
                "roma:tasks:get"
            ]
        }
    ]
}

Example 2: Grant users all permissions for service integration, including connector permissions.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "roma:tasks:*",
                "roma:connectors:*"
            ]
        }
    ]
}

Example 3: Deny the deletion of ROMA Connect instances.
A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

The following method can be used if you need to assign permissions of the ROMA FullAccess policy to a user but you want to prevent the user from deleting instances. Create a custom policy for denying instance deletion, and attach both policies to the group to which the user belongs. Then, the user can perform all operations on ROMA Connect except deleting instances. The following is an example of a deny policy:
```
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "roma:instances:delete"
            ]
        }
    ]
}
```

Example 4: Allow users to view and perform operations only on data integration tasks created by themselves.

To do so, you can add conditions to the custom policy so that the authorized items take effect only for the resources created by yourself. The following is an example of a condition policy:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "roma:tasks:create",
                "roma:tasks:operate",
            ]
        }
        {
            "Effect": "Allow",
            "Action": [
                "roma:tasks:get",
                "roma:tasks:list"
            ],
            "Condition": {
                "StringEquals": {
                    "roma:ResourceCreator": [
                        "${g:UserId}"
                    ]
                }
            }
        }
    ]
}

Example Custom Policy for ROMA Business Flows

Example 1: Authorize a user to create, query, and update business flow graphs but not to manage or delete them.

{
    "Version": "1.1",
    "Statement": [
        {    
            "Action": [
                "romabfs:graph:get",
                "roma:graph:list",
                "roma:graph:update"
            ],
            "Effect": "Allow"
        }
    ]
}

Parent topic: Permissions

Previous topic: Assigning ROMA Connect Permissions