Help Center/ System Permissions/ User Guide/ Identity Policy–based Authorization/ Customer Services/ Customer Operation Capabilities
Updated on 2025-11-06 GMT+08:00
View PDF
Share

Customer Operation Capabilities

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted IAM permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM policies are different from Organizations SCPs, see What Are the Differences Between IAM Policies and Organizations SCPs?

This section describes the authorization elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (list, read, or write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by BSS, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about condition keys defined by BSS, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements.

The billing:contract:viewDiscount permission code only affects the discount information returned in the response, but it does not affect the API call. When there is no permission, the API can still be accessed normally, but it will not return the discount information.

Table 1 Actions supported by BSS

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

billing:contract:viewDiscount

Grants the permission to view discounts

read

-

-

-

billing:balance:view

Grants the permission to view income and expense details, historical payment records, consumption quotas, adjustment records, and arrears.

list

-

-

-

billing:coupon:view

Grants the permission to view coupons, stored value cards, and cash coupons.

read

-

-

-

billing:order:view

Grants the permission to view order information and pay-per-use packages.

list

-

-

-

billing:order:pay

Grants the permission to pay orders.

write

-

-

-

billing:subscription:renew

Grants the permission to renew subscriptions, enable auto-renewal, set expiration policies, and change pay-per-use subscriptions to yearly/monthly.

write

-

-

-

billing:subscription:unsubscribe

Grants the permission to view unsubscribed resources, unsubscribe from resources, cancel delivery, and return or replace hardware.

write

-

-

-

billing:resourcePackages:view

Grants the permission to view resource packages and remaining amount and query or export usage details.

list

-

-

-

billing:billDetail:view

Grants the permission to view order details.

read

-

-

-

billing:bill:view

Grants the permission to view bills, expenditures of the current month, paid resources in the last seven days, and expenditure trends.

list

-

-

-

costCenter:costAnalysis:listCosts

Grants the permission to view cost analysis.

read

-

-

-

billing:invoice:update

Grants the permission to manage invoices, request invoices, and manage invoice titles and addresses.

write

-

-

-

Each API usually supports one or more actions. Table APIs and actions lists the supported actions and dependencies.

Table 2 APIs and actions

If fine-grained authentication fails, the value of encoded_authorization_message in the response can be viewed only after being decrypted by calling the API provided by STS. APIE address of the decryption API: Decoding the Authentication Failure Cause.

Note: The caller must have the sts::decodeAuthorizationMessage permission to call the decryption API on APIE. Otherwise, the error message "STS5.1001" is displayed.

Scenario

Sub-Scenario

API

API URL

Action

Action

Dependency

Managing products

Querying product price

Querying pay-per-use product price

POST /v2/bills/ratings/on-demand-resources

billing:contract:viewDiscount

Viewing discount and price information

-

Querying yearly/monthly product price

POST /v2/bills/ratings/period-resources/subscribe-rate

billing:contract:viewDiscount

View discount and price information.

-

Querying the renewal amount of yearly/monthly resources

POST /v2/bills/ratings/period-resources/renew-rate

billing:contract:viewDiscount

Viewing discount and price information

-

Managing products

Querying product price

Querying yearly/monthly resource refunds before unsubscription

POST /v2/bills/ratings/period-resources/unsubscribe-rate

billing:contract:viewDiscount

Viewing discount and price information

-

Managing accounts

Managing accounts

Querying account balance

GET /v2/accounts/customer-accounts/balances

billing:balance:view

View account information.

-

Querying consumption quota

GET /v2/accounts/customer-accounts/expenditure-quota

billing:balance:view

Grants the permission to view income and expense details, historical payment records, consumption quotas, adjustment records, and arrears.

-

Managing transactions

Managing coupons

Listing coupons

GET /v2/promotions/benefits/coupons

billing:coupon:view

View discount, cash, and flexi-purchase coupons.

-

Managing yearly/monthly orders

Listing orders

GET /v2/orders/customer-orders

billing:order:view

View order information.

-

Querying order details

GET /v2/orders/customer-orders/details/{order_id}

billing:order:view

View order information.

-

Paying yearly/monthly orders

POST /v2/orders/customer-orders/pay

billing:order:pay

Pay orders.

-

Querying available discounts

GET /v2/orders/customer-orders/order-discounts

billing:contract:viewDiscount

Viewing discount and price information

-

Paying yearly/monthly orders

POST /v3/orders/customer-orders/pay

billing:order:pay

Pay orders.

-

Querying refund order amount

GET /v2/orders/customer-orders/refund-orders

billing:order:view

View order information.

-

Managing yearly/monthly resources

Listing yearly/monthly resources

POST /v2/orders/suscriptions/resources/query
  • billing:subscription:view
  • billing:order:view (to be brought offline)

View order information.

-

Renewing subscriptions to yearly/monthly resources

POST /v2/orders/subscriptions/resources/renew

billing:subscription:renew

Place orders, cancel orders, and modify recipient information.

-

Unsubscribing from yearly/monthly resources

POST /v2/orders/subscriptions/resources/unsubscribe

billing:subscription:unsubscribe

Place orders, cancel orders, and modify recipient information.

For details, see FAQs About Cloud Service Unsubscription Authentication.

-

Enabling automatic renewal for yearly/monthly resources

POST /v2/orders/subscriptions/resources/autorenew/**

billing:subscription:renew

Place orders, cancel orders, and modify recipient information.

-

Disabling automatic renewal for yearly/monthly resources

DELETE /v2/orders/subscriptions/resources/autorenew/{resource_id}

billing:subscription:renew

Place orders, cancel orders, and modify recipient information.

-

Enabling/Canceling the change from yearly/monthly to pay-per-use upon expiration

POST /v2/orders/subscriptions/resources/to-on-demand

billing:subscription:renew

Place orders, cancel orders, and modify recipient information.

-

Setting a deduction date for auto-renewal of yearly/monthly resources and a same expiration date for renewed resources

POST /v2/orders/subscriptions/resources/renew/config

billing:subscription:renew

Place orders, cancel orders, and modify recipient information.

-

Managing resource packages

Listing resource packages

POST /v3/payments/free-resources/query

billing:resourcePackages:view

View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.

-

Querying resource package usage details

GET /v2/bills/customer-bills/free-resources-usage-records
  • billing:resourcePackages:view
  • billing:billDetail:view (to be brought offline)

View expenditure details, resource expenditures, bill analysis, and historical payments.

-

Querying resource package usage

POST /v2/payments/free-resources/usages/details/query

billing:resourcePackages:view

View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.

-

Managing bills

Managing bills

Viewing bill details

POST /v2/bills/customer-bills/res-records/query

billing:billDetail:view

View expenditure details, resource expenditures, bill analysis, and historical payments.

-

Querying bill summary

GET /v2/bills/customer-bills/monthly-sum

billing:bill:view

View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.

-

Querying expenditure records

GET /v2/bills/customer-bills/res-fee-records
  • billing:billDetail:view
  • billing:bill:view (to be brought offline)

View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.

-

Managing bills

Managing bills

Querying expenditure records for iQIYI

GET /v2/bills/customer-bills/res-fee-details

billing:bill:view

View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.

-

Querying bill details of a device resource

GET /v2/bills/customer-bills/res-merge-records

billing:billDetail:view

View expenditure details, resource expenditures, bill analysis, and historical payments.

-

Querying expenditure summary of customer resources by day

POST /v1.0/{domain_id}/customer/account-mgr/bill/resource-daily

billing:bill:view

View bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends.

-

Managing costs

Managing costs

Querying cost data

POST /v4/costs/cost-analysed-bills/query

costCenter:costAnalysis:listCosts

View cost analysis.

-

Managing an enterprise

Managing enterprise member accounts

Querying enterprise member accounts

GET /v2/enterprises/multi-accounts/sub-customers

businessUnitCenter:businessUnit:view

View organizations and accounts in the Enterprise Center.

-

Managing costs

Managing costs

Querying cost analysis results

POST /v3/costs/cost-analysed-bills/query

costCenter:costAnalysis:listCosts

View cost analysis.

-

Querying cost analysis results

POST /v2/costs/cost-analysed-bills/query

costCenter:costAnalysis:listCosts

View cost analysis.

-

Managing an enterprise

Managing enterprise accounts

Changing the fund quota of enterprise projects

PUT /v1.0/{domain_id}/customer/enterprise-project/fund-quotas

Billing::updateEPFundQuota

Change the enterprise project fund quota.

-

Querying enterprise project fund quotas

POST /v1.0/{domain_id}/customer/enterprise-project/fund-quotas/batch-query

Billing::viewEPFundQuota

Query the enterprise project fund quota.

-

Disabling the enterprise project fund quota

DELETE /v1.0/{domain_id}/customer/enterprise-project/fund-quotas

Billing::activeEPFundQuota

Change the enterprise project fund quota.

-

Enabling the enterprise project fund quota

POST /v1.0/{domain_id}/customer/enterprise-project/fund-quotas

Billing::activeEPFundQuota

Change the enterprise project fund quota.

-

Managing invoices

Managing invoices

Listing invoices

GET /v1.0/{domain_id}/payments/intl-invoices

billing:invoice:manage

Request invoices and view invoice information.

-

Resources

BSS does not support resource-specific permission control in identity policies. If you want to allow access to BSS, use the wildcard (*) for the Resource element to apply policies to all resources.

Conditions

A Condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, BSS:) only apply to operations of the BSS service. For details, see Table 2.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For supported condition operators, see .

The following table lists the condition keys that you can define in identity policies for BSS. You can include these condition keys to specify conditions for when your identity policy is in effect.

Table 2 Service-specific condition keys supported by BSS

Service-specific Condition Key

Type

Single-valued/Multivalued

Description

billing:cloudServiceType

string

Multi-value

Filter access based on the cloud service type specified in the request parameter. FAQs

Condition Key Examples

  • billing:cloudServiceType

    Example: Only orders of cloud service resources whose service type is hws.service.type.ebs can be unsubscribed from.

    {
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"billing:subscription:unsubscribe"
		],
		"Condition": {
			"ForAnyValue:StringEquals": {
				"billing:cloudServiceType": [
                                 "hws.service.type.ebs"
                             ]
			}
		}
	}]
}
Parent topic: Customer Services