Cloud Eye (CES)
The Organizations service provides Service Control Policies (SCPs) to set access control policies.
SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.
This topic describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.
For details about how to use these elements to create a custom SCP, see Creating an SCP.
Actions
Actions are specific operations that are allowed or denied in an SCP.
- The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
- The Resource Type column indicates whether the action supports resource-level permissions.
  - You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
  - If this column includes a resource type, you must specify the URN in the Resource element of your statements.
  - Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

  For details about the resource types defined by Cloud Eye, see Resources.
- The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
  - If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
  - If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that the action supports.
  - If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

  For details about the condition keys defined by Cloud Eye, see Conditions.
The following table lists the actions that you can define in SCP statements for Cloud Eye.
| Action | Description | Access Level | Resource Type (*: required) | Condition Key |
|---|---|---|---|---|
| ces:widgets:put | Grants permission to batch update graphs. | write | dashboard | - |
| ces:widgets:create | Grants permission to create a graph. | write | dashboard | - |
| ces:widgets:put | Grants permission to update a graph. | write | dashboard | - |
| ces:widgets:delete | Grants permission to delete a graph. | write | dashboard | - |
| ces:dashboards:create | Grants permission to create a dashboard. | write | dashboard | g:EnterpriseProjectId |
| ces:dashboards:list | Grants permission to query dashboards. | list | dashboard | g:EnterpriseProjectId |
| ces:dashboards:put | Grants permission to update a dashboard. | write | dashboard | g:EnterpriseProjectId |
| ces:widgets:list | Grants permission to query graphs added to a dashboard. | list | dashboard | - |
| ces:widgets:create | Grants permission to add a graph to a dashboard. | write | dashboard | - |
| ces:dashboards:delete | Grants permission to batch delete dashboards. | write | dashboard | g:EnterpriseProjectId |
| ces:widgets:get | Grants permission to query a graph. | read | dashboard | - |
| ces:dashboards:delete | Grants permission to delete a dashboard. | write | dashboard | g:EnterpriseProjectId |
| ces:metrics:list | Grants permission to query metrics. | list | - | - |
| ces:metricData:get | Grants permission to query a metric. | read | - | - |
| ces:metricData:create | Grants permission to report metrics. | write | - | - |
| ces:namespacesDimensions:listAgentDimensions | Grants permission to query Agent-related metrics of a server. | list | - | - |
| ces:namespacesDimensions:list | Grants permission to query dimensions of a cloud service. | list | - | - |
| ces:metaData:get | Grants permission to batch query metadata of dimensions. | read | - | - |
| ces:metricData:list | Grants permission to batch query metric data. | list | - | - |
| ces:namespacesDimensions:list | Grants permission to query metric data of top N resources from a specific dimension. | list | - | - |
| ces:alarms:list | Grants permission to query alarm rules. | list | alarm | g:EnterpriseProjectId |
| ces:alarms:create | Grants permission to create an alarm rule. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:put | Grants permission to update an alarm rule. | write | alarm | |
| ces:alarms:get | Grants permission to query an alarm rule. | read | alarm | g:EnterpriseProjectId |
| ces:alarms:putAction | Grants permission to enable or disable an alarm rule. | write | alarm | |
| ces:alarms:delete | Grants permission to batch delete alarm rules. | write | alarm | |
| ces:alarms:listOneClickAlarms | Grants permission to query services and resources that support one-click monitoring. | list | alarm | g:EnterpriseProjectId |
| ces:alarms:putOneClickAlarms | Grants permission to modify alarm notifications for an alarm rule in one-click monitoring. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:list | Grants permission to query alarm rules. | list | alarm | g:EnterpriseProjectId |
| ces:alarms:create | Grants permission to create an alarm rule. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:putAlarmNotifications | Grants permission to modify alarm notification information in an alarm rule. | write | alarm | |
| ces:alarms:getPolicies | Grants permission to query policies in an alarm rule. | read | alarm | |
| ces:alarms:updatePolicies | Grants permission to update policies of an alarm rule. | write | alarm | |
| ces:alarms:getResources | Grants permission to query monitored resources in an alarm rule. | read | alarm | |
| ces:alarms:addResources | Grants permission to batch add resources to an alarm rule. | write | alarm | |
| ces:alarms:deleteResources | Grants permission to batch delete resources from an alarm rule. | write | alarm | |
| ces:alarms:putNotificationMaskRules | Grants permission to modify an alarm notification masking rule. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:listNotificationMaskResources | Grants permission to query resources for which alarm notifications have been masked. | list | alarm | g:EnterpriseProjectId |
| ces:alarms:deleteNotificationMaskRules | Grants permission to batch delete alarm notification masking rules. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:listNotificationMaskRules | Grants permission to batch query alarm notification masking rules. | list | alarm | g:EnterpriseProjectId |
| ces:alarms:createOneClickAlarms | Grants permission to enable one-click monitoring. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:putOneClickAlarmPolicies | Grants permission to batch enable or disable alarm policies in alarm rules for one service that has one-click monitoring enabled. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:putOneClickAlarmNotifications | Grants permission to batch modify alarm notifications for one service in one-click monitoring. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:deleteOneClickAlarms | Grants permission to batch disable one-click monitoring. | write | alarm | g:EnterpriseProjectId |
| ces:alarms:list | Grants permission to query alarms. | list | alarm | g:EnterpriseProjectId |
| ces:alarmHistory:list | Grants permission to query alarm records. | list | alarm | g:EnterpriseProjectId |
| ces:customAlarmTemplates:create | Grants permission to create a custom alarm template. | write | alarm | g:EnterpriseProjectId |
| ces:customAlarmTemplates:delete | Grants permission to delete a custom alarm template. | write | alarm | g:EnterpriseProjectId |
| ces:customAlarmTemplates:list | Grants permission to query custom alarm templates. | list | alarm | g:EnterpriseProjectId |
| ces:customAlarmTemplates:listAssociatedAlarms | Grants permission to query alarm rules associated with a custom alarm template. | read | alarm | g:EnterpriseProjectId |
| ces:customAlarmTemplates:put | Grants permission to update a custom alarm template. | write | alarm | g:EnterpriseProjectId |
| ces:quotas:get | Grants permission to query a quota. | read | - | - |
| ces:quotas:get | Grants permission to query quotas. | read | - | - |
| ces:events:get | Grants permission to query details of an event. | read | - | - |
| ces:events:list | Grants permission to query events. | list | - | - |
| ces:agent:listTaskInvocations | Grants permission to batch query Agent tasks of a server. | list | - | - |
| ces:agent:createAgentInvocations | Grants permission to batch create Agent tasks. | write | - | - |
| ces:events:post | Grants permission to report events. | write | - | - |
| ces:resourceGroups:addResources | Grants permission to batch add resources to a resource group. | write | - | g:EnterpriseProjectId |
| ces:resourceGroups:create | Grants permission to create a resource group. | write | - | g:EnterpriseProjectId |
| ces:resourceGroups:delete | Grants permission to delete a resource group. | write | - | g:EnterpriseProjectId |
| ces:resourceGroups:deleteResources | Grants permission to batch delete resources from a resource group. | write | - | g:EnterpriseProjectId |
| ces:resourceGroups:get | Grants permission to query a resource group. | read | - | g:EnterpriseProjectId |
| ces:resourceGroups:getServiceResources | Grants permission to query resources of a specified dimension and a specified service type in a resource group. | read | - | g:EnterpriseProjectId |
| ces:resourceGroups:put | Grants permission to update a resource group. | write | - | g:EnterpriseProjectId |
| ces:tags:list | Grants permission to batch query Cloud Eye tags. | list | - | - |
| ces:eventData:get | Grants permission to query the server configuration. | list | - | - |
| ces:resourceGroups:list | Grants permission to query all resource groups. | list | - | g:EnterpriseProjectId |
| ces:resourceGroups:get | Grants permission to query a resource group. | read | - | g:EnterpriseProjectId |
| ces:customAlarmTemplates:list | Grants permission to query custom alarm templates. | list | alarm | g:EnterpriseProjectId |
| ces:customAlarmTemplates:get | Grants permission to query a custom alarm template. | read | alarm | g:EnterpriseProjectId |
| ces:alarms:create | Grants permission to create an alarm rule. | write | alarm | g:EnterpriseProjectId |
| ces:dashboards:put | Grants permission to update a cloud service dashboard. | write | dashboard | - |
| ces:namespacesDimensions:list | Grants permission to query metric data of top N resources from a specific dimension. | list | - | - |
| ces:namespacesDimensions:list | Grants permission to query dimensions of a cloud service. | list | - | - |
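The rules stated in the Actions section (an action whose Resource Type column is empty needs Resource set to "*", a resource-level action needs a URN or "*", and a condition key only takes effect for actions that list it) can be checked mechanically before an SCP is attached. The following Python is an added example, not Cloud Eye or Organizations code; it assumes the statement shape shown (Action, Resource, and Condition as operator-to-key maps, with wildcards allowed in Action) and embeds a constructed excerpt of Table 1.

```python
import fnmatch

# Constructed excerpt of Table 1: action -> (resource type or None, supported condition keys).
ACTION_TABLE = {
    "ces:alarms:create": ("alarm", {"g:EnterpriseProjectId"}),
    "ces:alarms:delete": ("alarm", set()),
    "ces:alarms:putNotificationMaskRules": ("alarm", {"g:EnterpriseProjectId"}),
    "ces:dashboards:delete": ("dashboard", {"g:EnterpriseProjectId"}),
    "ces:metrics:list": (None, set()),
    "ces:resourceGroups:delete": (None, {"g:EnterpriseProjectId"}),
}

def matching_actions(patterns):
    """Resolve the Action element against the table (wildcards assumed allowed)."""
    found = set()
    for pattern in patterns:
        found.update(a for a in ACTION_TABLE if fnmatch.fnmatchcase(a, pattern))
    return sorted(found)

def check_statement(stmt):
    """Return the rule violations in one SCP statement (empty list if it is valid)."""
    errors = []
    actions = matching_actions(stmt.get("Action", []))
    if not actions:
        errors.append("Action matches no Cloud Eye action in the table")
    resources = stmt.get("Resource", [])
    # Condition is assumed to have the shape {operator: {condition_key: value}}.
    used_keys = {k for ops in stmt.get("Condition", {}).values() for k in ops}
    for action in actions:
        rtype, keys = ACTION_TABLE[action]
        if rtype is None and resources != ["*"]:
            errors.append(f'{action}: no resource-level permissions, Resource must be ["*"]')
        elif not resources:
            errors.append(f'{action}: Resource must name a URN of type {rtype} or "*"')
        for key in sorted(used_keys - keys):
            errors.append(f"{action}: condition key {key} is not supported")
    return errors

# Constructed guardrail: member accounts may not delete alarm rules or change
# notification masking rules, whatever enterprise project they work in.
GUARDRAIL = {
    "Effect": "Deny",
    "Action": ["ces:alarms:delete", "ces:alarms:putNotificationMaskRules"],
    "Resource": ["*"],
}

# Constructed statement breaking two rules: a resource URN on an action without
# resource-level support, and a condition key that action does not list.
BAD = {
    "Effect": "Deny",
    "Action": ["ces:metrics:list"],
    "Resource": ["<placeholder-urn>"],
    "Condition": {"StringEquals": {"g:EnterpriseProjectId": ["0"]}},
}
```

Running check_statement over every statement of a draft SCP reports the violations per action, so a deny guardrail that silently matches nothing (a mistyped action, or a condition key the action ignores) is caught before it is attached to an OU.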
Each API of Cloud Eye usually supports one or more actions. Table 2 lists the supported actions and dependencies.
| API | Action | Dependencies |
|---|---|---|
| POST /v2/{project_id}/dashboards | ces:dashboards:create | - |
| GET /v2/{project_id}/dashboards | ces:dashboards:list | - |
| PUT /v2/{project_id}/dashboards/{dashboard_id} | ces:dashboards:put | - |
| GET /v2/{project_id}/dashboards/{dashboard_id}/widgets | ces:widgets:list | - |
| POST /v2/{project_id}/dashboards/{dashboard_id}/widgets | ces:widgets:create | - |
| POST /v2/{project_id}/dashboards/batch-delete | ces:dashboards:delete | - |
| GET /v2/{project_id}/widgets/{widget_id} | ces:widgets:get | - |
| DELETE /v2/{project_id}/widgets/{widget_id} | ces:widgets:delete | - |
| POST /v2/{project_id}/widgets/batch-update | ces:widgets:put | - |
| GET /V1.0/{project_id}/metrics | ces:metrics:list | - |
| GET /V1.0/{project_id}/metric-data | ces:metricData:get | ces:metricData:list |
| POST /V1.0/{project_id}/metric-data | ces:metricData:create | - |
| POST /V1.0/{project_id}/batch-query-metric-data | ces:metricData:list | - |
| GET /v2/{project_id}/instances/{instance_id}/agent-dimensions | ces:namespacesDimensions:listAgentDimensions | ces:namespacesDimensions:list |
| GET /V1.0/{project_id}/alarms | ces:alarms:list | - |
| POST /V1.0/{project_id}/alarms | ces:alarms:create | - |
| PUT /V1.0/{project_id}/alarms/{alarm_id} | ces:alarms:put | ces:alarmsonoff:put |
| DELETE /V1.0/{project_id}/alarms/{alarm_id} | ces:alarms:delete | - |
| GET /V1.0/{project_id}/alarms/{alarm_id} | ces:alarms:get | ces:alarms:list |
| PUT /V1.0/{project_id}/alarms/{alarm_id}/action | ces:alarms:putAction | ces:alarms:put |
| GET /v2/{project_id}/alarms | ces:alarms:list | - |
| POST /v2/{project_id}/alarms | ces:alarms:create | - |
| PUT /v2/{project_id}/alarms/{alarm_id}/notifications | ces:alarms:putAlarmNotifications | ces:alarms:put |
| GET /v2/{project_id}/alarms/{alarm_id}/policies | ces:alarms:getPolicies | ces:alarms:get |
| PUT /v2/{project_id}/alarms/{alarm_id}/policies | ces:alarms:updatePolicies | ces:alarms:put |
| GET /v2/{project_id}/alarms/{alarm_id}/resources | ces:alarms:getResources | - |
| POST /v2/{project_id}/alarms/{alarm_id}/resources/batch-create | ces:alarms:addResources | ces:alarms:put |
| POST /v2/{project_id}/alarms/{alarm_id}/resources/batch-delete | ces:alarms:delete | ces:alarms:put |
| POST /v2/{project_id}/alarms/action | ces:alarms:putAction | ces:alarms:put |
| PUT /v2/{project_id}/notification-masks | ces:alarms:putNotificationMaskRules | ces:notificationMasks:update |
| PUT /v2/{project_id}/notification-masks/{notification_mask_id} | ces:alarms:putNotificationMaskRules | ces:notificationMasks:update |
| GET /v2/{project_id}/notification-masks/{notification_mask_id}/resources | ces:alarms:listNotificationMaskResources | ces:notificationMasks:list |
| POST /v2/{project_id}/notification-masks/batch-delete | ces:alarms:deleteNotificationMaskRules | ces:notificationMasks:delete |
| POST /v2/{project_id}/notification-masks/batch-query | ces:alarms:listNotificationMaskRules | ces:notificationMasks:list |
| POST /v2/{project_id}/notification-masks/batch-update | ces:alarms:putNotificationMaskRules | ces:notificationMasks:update |
| GET /v2/{project_id}/one-click-alarms | ces:alarms:listOneClickAlarms | ces:oneClickAlarms:list |
| POST /v2/{project_id}/one-click-alarms | ces:alarms:createOneClickAlarms | ces:oneClickAlarms:post |
| PUT /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/alarm-rules/action | ces:alarms:putOneClickAlarms | ces:oneClickAlarms:put |
| GET /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/alarms | ces:alarms:listOneClickAlarms | ces:oneClickAlarms:list |
| PUT /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/alarms/{alarm_id}/policies/action | ces:alarms:putOneClickAlarmPolicies | ces:oneClickAlarms:put |
| PUT /v2/{project_id}/one-click-alarms/{one_click_alarm_id}/notifications | ces:alarms:putOneClickAlarmNotifications | ces:oneClickAlarms:updateNotifications |
| POST /v2/{project_id}/one-click-alarms/batch-delete | ces:alarms:deleteOneClickAlarms | ces:oneClickAlarms:delete |
| POST /v2/{project_id}/alarms/batch-delete | ces:alarms:deleteResources | ces:alarms:put |
| GET /V1.0/{project_id}/alarm-histories | ces:alarmHistory:list | - |
| GET /v2/{project_id}/alarm-histories | ces:alarmHistory:list | - |
| POST /V1.0/{project_id}/alarm-template | ces:customAlarmTemplates:create | - |
| POST /v2/{project_id}/alarm-templates | ces:customAlarmTemplates:create | - |
| DELETE /V1.0/{project_id}/alarm-template/{template_id} | ces:customAlarmTemplates:delete | - |
| POST /v2/{project_id}/alarm-templates/batch-delete | ces:customAlarmTemplates:delete | - |
| GET /v2/{project_id}/alarm-templates/{template_id} | ces:customAlarmTemplates:get | ces:customAlarmTemplates:list |
| GET /V1.0/{project_id}/alarm-template | ces:customAlarmTemplates:list | - |
| GET /v2/{project_id}/alarm-templates | ces:customAlarmTemplates:list | - |
| GET /v2/{project_id}/alarm-templates/{template_id}/association-alarms | ces:customAlarmTemplates:listAssociatedAlarms | ces:customAlarmTemplates:list |
| PUT /V1.0/{project_id}/alarm-template/{template_id} | ces:customAlarmTemplates:put | - |
| PUT /v2/{project_id}/alarm-templates/{template_id} | ces:customAlarmTemplates:put | - |
| GET /V1.0/{project_id}/quotas | ces:quotas:get | - |
| GET /V1.0/{project_id}/event/{event_name} | ces:events:get | - |
| GET /V1.0/{project_id}/events | ces:events:list | - |
| GET /v3/{project_id}/agent-invocations | ces:agent:listTaskInvocations | ces:taskInvocation:get |
| POST /v3/{project_id}/agent-invocations/batch-create | ces:agent:createAgentInvocations | ces:taskInvocation:post |
| POST /V1.0/{project_id}/events | ces:events:post | - |
| POST /v2/{project_id}/resource-groups/{group_id}/resources/batch-create | ces:resourceGroups:addResources | ces:resourceGroups:put |
| POST /V1.0/{project_id}/resource-groups | ces:resourceGroups:create | - |
| POST /v2/{project_id}/resource-groups | ces:resourceGroups:create | - |
| DELETE /V1.0/{project_id}/resource-groups/{group_id} | ces:resourceGroups:delete | - |
| POST /v2/{project_id}/resource-groups/batch-delete | ces:resourceGroups:delete | - |
| POST /v2/{project_id}/resource-groups/{group_id}/resources/batch-delete | ces:resourceGroups:deleteResources | ces:resourceGroups:put |
| GET /V1.0/{project_id}/resource-groups/{group_id} | ces:resourceGroups:get | - |
| GET /v2/{project_id}/resource-groups/{group_id} | ces:resourceGroups:get | - |
| GET /v2/{project_id}/resource-groups/{group_id}/services/{service}/resources | ces:resourceGroups:getServiceResources | ces:resourceGroups:get |
| GET /V1.0/{project_id}/resource-groups | ces:resourceGroups:list | ces:resourceGroups:get |
| GET /v2/{project_id}/resource-groups | ces:resourceGroups:list | ces:resourceGroups:get |
| PUT /V1.0/{project_id}/resource-groups/{group_id} | ces:resourceGroups:put | - |
| PUT /v2/{project_id}/resource-groups/{group_id} | ces:resourceGroups:put | - |
| GET /v2/{project_id}/{resource_type}/tags | ces:tags:list | - |
| GET /V1.0/{project_id}/event-data | ces:eventData:get | ces:sapEventData:list |
| POST /v3/{project_id}/agent-status/batch-query | ces:agent:listStatuses | - |
Resources
A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to narrow which resources it applies to.
The following table lists the resource types that you can specify in SCP statements for Cloud Eye.
Conditions
Cloud Eye does not support service-specific condition keys in an SCP.
It can only use global condition keys applicable to all services. For details, see Global Condition Keys.