Updated on 2022-12-05 GMT+08:00

Creating a Custom Policy

Custom policies can be created as a supplement to the system policies of ServiceStage.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following section contains examples of common ServiceStage custom policies.

Example Custom Policy

This procedure creates a policy that an IAM user is prohibited to create and modify a microservice engine.
{
        "Version": "1.1",
        "Statement": [
                {
                        "Action": [
                                "cse:*:*"
                        ],
                        "Effect": "Allow"
                },
                {
                        "Action": [
                                "cse:engine:create",
                                "cse:engine:delete"
                        ],
                        "Effect": "Deny"
                }
        ]
}

A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

After authorization, users in the group can verify their permissions using the console or REST APIs.

The following uses the custom policy as an example to describe how to log in to the ServiceStage console to verify that a user is not allowed to create microservice engines.

  1. Log in to the cloud service console as an IAM user.
    • Tenant name: Name of the cloud service account used to create the IAM user
    • IAM username and password: Username and password specified during the IAM user creation using the tenant name
  2. On the ServiceStage console, choose Infrastructure > Cloud Service Engines, and create a microservice engine. If error 403 is returned, the permissions are correct and have already taken effect.