Impact of Associating a Single Identity Policy Action with Multiple Policy Actions
CDN's identity policy actions combine some policy actions with the same functions. Therefore, an identity policy action may correspond to multiple policy actions. That is, an action listed in Table 1 has multiple aliases. If both the identity policy action and policy action are configured, permissions may be expanded or reduced, affecting authentication.
For details, see the following table.
|
Action |
API |
Policy Authorization Result |
Identity Policy Authorization Result |
Description |
|---|---|---|---|---|
|
Policy action: allow: cdn:statistics:queryTopUrl |
/cdn/statistics/top-url |
Allow |
Allow |
Permissions are expanded. Because cdn:statistics:queryTopUrl is the alias of cdn:statistics:queryStats, users can call all APIs corresponding to cdn:statistics:queryStats. |
|
/cdn/statistics/flux-detail |
Deny |
Allow |
||
|
Policy action: deny: cdn:statistics:queryTopUrl Policy action: allow: cdn:statistics:queryDomainSummaryDetail Identity policy action: allow: cdn:statistics:queryStats |
/cdn/statistics/top-url |
Deny |
Deny |
Permissions are reduced. Calling of all APIs associated with cdn:statistics:queryStats in identity policy authorization fails to be authenticated because an alias of cdn:statistics:queryStats is set to deny. |
|
/cdn/statistics/flux-detail |
Allow |
Deny |
||
|
Policy action: deny: cdn:statistics:queryTopUrl Identity policy action: allow: cdn:statistics:queryStats |
/cdn/statistics/top-url |
Allow |
Deny |
Permissions are reduced. Calling of all APIs that use cdn:statistics:queryStats in identity policy authorization fails to be authenticated because the policy cdn:statistics:queryTopUrl is set to deny. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
