IoTDA Custom Policies
Custom policies can be created to supplement the system-defined policies of IoTDA. For the actions that can be added to custom policies, see List of Supported Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Policy. The following are examples of common IoTDA custom policies.
Example Custom Policies
Example 1: Granting permission to operate an instance
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotda:*:*"
            ],
            "Resource": [
                "IoTDA:*:*:app:*",
                "IoTDA:*:*:instance:instanceId1"
            ]
        }
    ]
}
Example 2: Granting permission to deny IoTDA instance deletion
Assume that you want to grant the permissions of the IoTDA FullAccess policy to a user but want to prevent them from deleting IoTDA instances. You can create a custom policy for denying IoTDA instance deletion, and attach this policy together with the IoTDA FullAccess policy to the user. Because an explicit deny in any policy overrides any allow, the user can perform all operations on IoTDA resources except deleting instances. Example policy denying IoTDA instance deletion:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "iotda:instance:delete"
            ]
        }
    ]
}
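The deny-overrides-allow behaviour described in Example 2 can be checked before a policy set is attached. The following is an added example, not code from this documentation or from the IAM service: a simplified evaluator that matches only the Action field (Resource and request conditions are ignored), with FULL_ACCESS as a constructed stand-in whose content is assumed, and "ImplicitDeny" as this model's label for an action that no statement matches.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for the IoTDA FullAccess system policy (content assumed).
FULL_ACCESS = json.loads("""
{"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["iotda:*:*"]}]}
""")

# The deny policy from Example 2.
DENY_DELETE = json.loads("""
{"Version": "1.1", "Statement": [
    {"Effect": "Deny", "Action": ["iotda:instance:delete"]}]}
""")


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action string.

    Every statement of every attached policy is examined. A matching Deny
    ends the evaluation at once, so attachment order cannot change the result.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            patterns = stmt.get("Action", [])
            if not any(fnmatchcase(action, p) for p in patterns):
                continue  # statement does not cover this action
            if stmt.get("Effect") == "Deny":
                return "Deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def audit(policies, actions):
    """Map each action to its decision under the attached policies."""
    return {a: evaluate(policies, a) for a in actions}


if __name__ == "__main__":
    attached = [FULL_ACCESS, DENY_DELETE]
    sample = ["iotda:instance:delete", "iotda:instance:query",
              "ecs:cloudServers:query"]
    for action, decision in audit(attached, sample).items():
        print(f"{action:28} {decision}")
```
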
Example 3: Creating a custom policy containing multiple actions
A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). Example policy containing multiple actions:
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "iotda:instance:query",
                "iotda:app:query",
                "ecs:cloudServers:query",
                "ims:images:list",
                "ims:serverImages:create"
            ],
            "Effect": "Allow"
        }
    ]
}