Actions Supported by Policy-based Authorization
This section describes the actions supported by policy-based authorization for HSS.
Supported Actions
HSS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. The following are related concepts:
- Permissions: Statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: Specific operations that are allowed or denied in a custom policy.
- Related actions: Actions on which a specific action depends to take effect. When assigning permissions for the action to a user, you also need to assign permissions for the dependent actions.
- IAM or enterprise projects: Type of projects for which an action will take effect. For example, if you set the authorization scope of a custom policy to both IAM projects and enterprise projects, the policy takes effect for user groups in either IAM or enterprise projects. If an action supports only IAM projects, the custom policy that contains this action will take effect only for user groups in IAM. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. "√" indicates that the action supports the project and "×" indicates that the action does not support the project. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.
HSS supports the following actions that can be defined in custom policies:
The Actions table describes the HSS actions, such as querying the HSS list, enabling or disabling HSS for a server, and manual detection.
Actions
| Permission | API | Action | Related action | IAM project | Enterprise project |
|---|---|---|---|---|---|
| Creating a server group | POST /v5/{project_id}/host-management/groups | hss:hostGroup:set | None. | √ | √ |
| Unblocking an IP address | PUT /v5/{project_id}/event/blocked-ip | hss:accountCrack:unblock | None. | √ | √ |
| Querying the backup policy bound to HSS protection vault | GET /v5/{project_id}/backup/policy | hss:antiransomware:list | None. | √ | √ |
| Querying the container node list | GET /v5/{project_id}/container/nodes | hss:containers:list | None. | √ | √ |
| Querying the server group list | GET /v5/{project_id}/host-management/groups | hss:hostGroup:get | None. | √ | √ |
| Querying the policy group list. | GET /v5/{project_id}/policy/groups | hss:policy:get | None. | √ | √ |
| Querying the protection policy list | GET /v5/{project_id}/ransomware/protection/policy | hss:antiransomware:list | None. | √ | √ |
| Querying static WTP status of a server | GET /v5/{project_id}/webtamper/static/protect-history | hss:wtpReports:list | None. | √ | √ |
| Querying dynamic WTP status of a server | GET /v5/{project_id}/webtamper/rasp/protect-history | hss:wtpReports:list | None. | √ | √ |
| Querying the protection list | GET /v5/{project_id}/webtamper/hosts | hss:wtpHosts:list | vpc:ports:list | √ | √ |
| Enabling or disabling WTP | POST /v5/{project_id}/webtamper/static/status | hss:wtpProtect:switch | None. | √ | √ |
| Enabling or disabling dynamic WTP | POST /v5/{project_id}/webtamper/rasp/status | hss:wtpProtect:switch | None. | √ | √ |
| Enabling ransomware prevention | POST /v5/{project_id}/ransomware/protection/open | hss:antiransomware:set | None. | √ | √ |
| Disabling ransomware prevention | POST /v5/{project_id}/ransomware/protection/close | hss:antiransomware:set | None. | √ | √ |
| Modifying the backup policy associated with the vault. | PUT /v5/{project_id}/backup/policy | hss:antiransomware:set | None. | √ | √ |
| Modifying a policy | PUT /v5/{project_id}/ransomware/protection/policy | hss:antiransomware:set | None. | √ | √ |
| Collecting asset statistics, including accounts, ports, and processes | GET /v5/{project_id}/asset/statistics | hss:assets:list | None. | √ | √ |
| Obtaining the historical change records of software information | GET /v5/{project_id}/asset/app/change-history | hss:softwares:list | None. | √ | √ |
| Querying the server list of the software | GET /v5/{project_id}/asset/apps | hss:softwares:list | None. | √ | √ |
| Querying the software list | GET /v5/{project_id}/asset/app/statistics | hss:softwares:list | None. | √ | √ |
| Obtaining the historical change records of auto-started items | GET /v5/{project_id}/asset/auto-launch/change-history | hss:assets:list | None. | √ | √ |
| Querying the service list of auto-started items | GET /v5/{project_id}/asset/auto-launchs | hss:launch:list | None. | √ | √ |
| Querying auto startup item information | GET /v5/{project_id}/asset/auto-launch/statistics | hss:launch:list | None. | √ | √ |
| Querying the server list of a specified middleware | GET /v5/{project_id}/asset/midwares/detail | hss:assets:list | None. | √ | √ |
| Querying the open port list of a single server | GET /v5/{project_id}/asset/ports | hss:ports:list | None. | √ | √ |
| Querying open port statistics | GET /v5/{project_id}/asset/port/statistics | hss:ports:list | None. | √ | √ |
| Querying the process list | GET /v5/{project_id}/asset/process/statistics | hss:processes:list | None. | √ | √ |
| Obtaining the account change history | GET /v5/{project_id}/asset/user/change-history | hss:accounts:list | None. | √ | √ |
| Querying the server list of an account | GET /v5/{project_id}/asset/users | hss:accounts:list | None. | √ | √ |
| Querying the account list | GET /v5/{project_id}/asset/user/statistics | hss:accounts:list | None. | √ | √ |
| Ignoring, unignoring, repairing, or verifying the failed configuration check items | POST /v5/{project_id}/baseline/check-rule/action | hss:configDetects:operate | None. | √ | √ |
| Querying the report of configuration check items. | GET /v5/{project_id}/baseline/check-rule/detail | hss:configDetects:list | None. | √ | √ |
| Querying the check result of a specified security configuration item | GET /v5/{project_id}/baseline/risk-config/{check_name}/detail | hss:configDetects:list | None. | √ | √ |
| Querying password complexity policy scan reports | GET /v5/{project_id}/baseline/password-complexity | hss:complexityPolicy:list | None. | √ | √ |
| Querying the checklist of a specified security configuration item | GET /v5/{project_id}/baseline/risk-config/{check_name}/check-rules | hss:configDetects:list | None. | √ | √ |
| Querying the list of affected servers of a specified security configuration item | GET /v5/{project_id}/baseline/risk-config/{check_name}/hosts | hss:riskConfigHost:list | None. | √ | √ |
| Querying the result list of a tenant's server security configuration detection | GET /v5/{project_id}/baseline/risk-configs | hss:configDetects:list | None. | √ | √ |
| Querying the list of weak password detection results | GET /v5/{project_id}/baseline/weak-password-users | hss:weakPwds:list | None. | √ | √ |
| Handling alarm events | POST /v5/{project_id}/event/operate | hss:event:set | None. | √ | √ |
| Restoring isolated files | PUT /v5/{project_id}/event/isolated-file | hss:event:set | None. | √ | √ |
| Querying the alarm whitelist | GET /v5/{project_id}/event/white-list/alarm | hss:event:get | None. | √ | √ |
| Querying the list of blocked IP addresses | GET /v5/{project_id}/event/blocked-ip | hss:accountCrack:list | None. | √ | √ |
| Querying the list of isolated files | GET /v5/{project_id}/event/isolated-file | hss:event:get | None. | √ | √ |
| Querying intrusion events | GET /v5/{project_id}/event/events | hss:event:get | None. | √ | √ |
| Editing a server group | PUT /v5/{project_id}/host-management/groups | hss:hostGroup:set | None. | √ | √ |
| Deleting a server group | DELETE /v5/{project_id}/host-management/groups | hss:hostGroup:set | None. | √ | √ |
| Querying ECSs | GET /v5/{project_id}/host-management/hosts | hss:hosts:list | vpc:ports:list;eip:publicIps:list | √ | √ |
| Changing protection status | POST /v5/{project_id}/host-management/protection | hss:hosts:switchVersion | None. | √ | √ |
| Applying a policy | POST /v5/{project_id}/policy/deploy | hss:policy:set | None. | √ | √ |
| Creating labels in batches | POST /v5/{project_id}/{resource_type}/{resource_id}/tags/create | hss:quotas:set | None. | √ | √ |
| Deleting a resource label | DELETE /v5/{project_id}/{resource_type}/{resource_id}/tags/{key} | hss:quotas:set | None. | √ | √ |
| Querying quotas | GET /v5/{project_id}/billing/quotas | hss:quotas:get | None. | √ | √ |
| Querying quota details | GET /v5/{project_id}/billing/quotas-detail | hss:quotas:get | None. | √ | √ |
| Changing the status of a vulnerability | PUT /v5/{project_id}/vulnerability/status | hss:vuls:set | None. | √ | √ |
| Querying the servers affected by a vulnerability | GET /v5/{project_id}/vulnerability/hosts | hss:vuls:list | None. | √ | √ |
| Querying the vulnerability list | GET /v5/{project_id}/vulnerability/vulnerabilities | hss:vuls:list | None. | √ | √ |
| Querying the list of servers protected against ransomware | GET /v5/{project_id}/ransomware/server | hss:antiransomware:list | None. | √ | √ |
| Querying vulnerability management statistics | GET /v5/{project_id}/vulnerability/statistics | hss:vuls:list | None. | √ | √ |
| Querying the list of image security configuration detection results | GET /v5/{project_id}/image/baseline/risk-configs | hss:image:list | None. | √ | √ |
| Querying the image configuration check report | GET /v5/{project_id}/image/baseline/check-rule/detail | hss:image:list | None. | √ | √ |
| Querying vulnerability information about a server | GET /v5/{project_id}/vulnerability/host/{host_id} | hss:vuls:list | None. | √ | √ |
| Querying the image list in the SWR image repository | GET /v5/{project_id}/image/swr-repository | hss:images:list | None. | √ | √ |
| Scanning images in the image repository in batches | POST /v5/{project_id}/image/batch-scan | hss:images:set | None. | √ | √ |
| Querying image vulnerability information | GET /v5/{project_id}/image/{image_id}/vulnerabilities | hss:images:list | None. | √ | √ |
| Querying CVE information of a vulnerability | GET /v5/{project_id}/image/vulnerability/{vul_id}/cve | hss:images:list | None. | √ | √ |
| Querying the check item list of a specified security configuration item of an image | GET /v5/{project_id}/image/baseline/risk-configs/{check_name}/rules | hss:images:list | None. | √ | √ |
| Synchronizing the image list from SWR | POST /v5/{project_id}/image/synchronize | hss:images:set | None. | √ | √ |
| Querying a vulnerability scan policy | GET /v5/{project_id}/vulnerability/scan-policy | hss:vuls:list | None. | √ | √ |
| Modifying a vulnerability scan policy | PUT /v5/{project_id}/vulnerability/scan-policy | hss:vuls:set | None. | √ | √ |
| Asset fingerprints - process - server list | GET /v5/{project_id}/asset/processes/detail | hss:processes:list | None. | √ | √ |
| Asset fingerprints - port - server list | GET /v5/{project_id}/asset/ports/detail | hss:ports:list | None. | √ | √ |
| Creating a scan job | POST /v5/{project_id}/vulnerability/scan-task | hss:hosts:manualDetect | None. | √ | √ |
| Querying the vulnerability scan tasks | GET /v5/{project_id}/vulnerability/scan-tasks | hss:vuls:list | None. | √ | √ |
| Querying the list of servers corresponding to a vulnerability scan task | GET /v5/{project_id}/vulnerability/scan-task/{task_id}/hosts | hss:vuls:list | None. | √ | √ |