Optimization Advisor
IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.
In addition to IAM, the Organizations service also provides service control policies (SCPs) for access control.
SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.
To learn more about how IAM policies are different from Organizations SCPs, see What Are the Differences Between IAM Policies and Organizations SCPs?
This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.
- For details about how to use these elements to edit an IAM custom identity policy, see Creating a Custom Identity Policy.
- For details about how to use these elements to edit a custom SCP policy, see Creating an SCP.
Actions
Actions are specific operations that are allowed or denied in an identity policy.
- The Access Level column describes how the action is classified (such as list, read, or write). This classification helps you understand the level of access that an action grants when you use it in a policy.
- The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
- If this column includes a resource type, you must specify the URN in the Resource element of your statements.
- Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.
For details about the resource types defined by OA, see Resources.
- The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
- If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about the condition keys defined by OA, see Conditions.
- The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.
The following table lists the actions that you can define in identity policy statements for OA.
|
Action |
Description |
Access Level |
Resource Type (*: Required) |
Condition Key |
Alias |
|---|---|---|---|---|---|
|
oa::listAuthorizations |
Grants permission to obtain the user authorization list. |
read |
- |
- |
oa:authorizations:list |
|
oa::updateAuthorizations |
Grants permission to modify user authorizations. |
write |
- |
- |
oa:authorizations:update |
|
oa::deleteAuthorizations |
Grants permission to delete user authorizations. |
write |
- |
- |
oa:authorizations:delete |
|
oa:monthReports:list |
Grants permission to obtain the monthly report list. |
read |
- |
- |
- |
|
oa:monthReports:get |
Grants permission to get details about a monthly report. |
read |
- |
- |
- |
|
oa:monthReports:download |
Grants permission to download a monthly report. |
read |
- |
- |
- |
|
oa:checkItemRules:update |
Grants permission to modify check item rules. |
write |
- |
- |
- |
|
oa:checkItemRules:list |
Grants permission to obtain check item rules. |
read |
- |
- |
- |
|
oa:autoCheckRule:update |
Grants permission to modify auto check rules. |
write |
- |
- |
- |
|
oa:autoCheckRule:get |
Grants permission to get auto check rules. |
read |
- |
- |
- |
|
oa:riskItemsCheck:createTask |
Grants permission to create a risk check task. |
write |
- |
- |
- |
|
oa:riskItemsCheck:getTaskProgress |
Grants permission to obtain the progress of a risk check task. |
read |
- |
- |
- |
|
oa:riskItemsCheck:getTaskResult |
Grants permission to obtain the risk check results. |
read |
- |
- |
- |
|
oa:riskItemsCheck:getTaskResultDimension |
Grants permission to obtain the dimensions of risk check results. |
read |
- |
- |
- |
|
oa:riskItemsCheck:listReportSubscriptions |
Grants permission to obtain subscriptions to risk check reports. |
read |
- |
- |
- |
|
oa:riskItemsCheck:getReportSubscriptionRule |
Grants permission to obtain the subscription rules for risk check reports. |
read |
- |
- |
- |
|
oa:riskItemsCheck:updateReportSubscriptionRule |
Grants permission to modify the subscription rules for risk check reports. |
write |
- |
- |
- |
|
oa:riskItemsCheck:getRiskItemNum |
Grants permission to obtain the number of risky items. |
read |
- |
- |
- |
|
oa:riskItemsCheck:exportCheckItemResult |
Grants permission to export a risk check report. |
read |
- |
- |
- |
|
oa:riskItemsCheck:getExportProgress |
Grants permission to obtain the progress of exporting a risk check report. |
read |
- |
- |
- |
|
oa:riskItemsCheck:downloadCheckItemResult |
Grants permission to download a risk check report. |
read |
- |
- |
- |
|
oa:riskItemCheck:createTask |
Grants permission to create a single-item risk check task. |
write |
- |
- |
- |
|
oa:riskItemCheck:getTaskProgress |
Grants permission to obtain the progress of a single-item risk check task. |
read |
- |
- |
- |
|
oa:riskItemCheck:getTaskResult |
Grants permission to obtain the check results of a single risky item. |
read |
- |
- |
- |
|
oa:riskItemCheck:listTaskResultRegions |
Grants permission to obtain the list of sites for a single-item risk check report. |
read |
- |
- |
- |
|
oa:riskItemsCheck:listCheckItems |
Grants permission to obtain the list of check item rules. |
read |
- |
- |
- |
|
oa::saveWellArchitectedRecord |
Grants permission to save the well-architected questionnaire. |
write |
- |
- |
oa:wellArchitected:saveRecord |
|
oa::deleteWellArchitectedRecord |
Grants permission to delete the well-architected questionnaire. |
write |
- |
- |
oa:wellArchitected:deleteRecord |
|
oa::listWellArchitectedRecord |
Grants permission to view the well-architected questionnaire list. |
read |
- |
- |
oa:wellArchitected:listRecord |
|
oa::getWellArchitectedRecordDetail |
Grants permission to obtain well-architected questionnaire details. |
read |
- |
- |
oa:wellArchitected:getRecordDetail |
|
oa::generateWellArchitectedReport |
Grants permission to generate a well-architected report. |
write |
- |
- |
oa:wellArchitected:generateReport |
|
oa::getWellArchitectedReportDetail |
Grants permission to view well-architected report details. |
read |
- |
- |
oa:wellArchitected:getReportDetail |
|
oa::listOrgAccounts |
Grants permission to obtain the list of organization member accounts. |
read |
- |
- |
oa:riskItemsCheck:listOrgAccounts |
|
oa:capacityAnalysis:getConfig |
Grants permission to obtain capacity optimization analysis settings. |
read |
- |
- |
- |
|
oa:capacityAnalysis:updateConfig |
Grants permission to modify capacity optimization analysis settings. |
write |
- |
- |
- |
|
oa:capacityAnalysis:listResourceTypes |
Grants permission to obtain the resource types for applying the capacity optimization analysis settings. |
read |
- |
- |
- |
|
oa:capacityAnalysis:listResources |
Grants permission to obtain the resources for applying the capacity optimization analysis settings. |
read |
- |
- |
- |
|
oa:capacityAnalysis:listResourceGroups |
Grants permission to obtain the resource groups for applying the capacity optimization analysis settings. |
read |
- |
- |
- |
|
oa:capacityAnalysis:createJob |
Grants permission to create a capacity optimization analysis task. |
write |
- |
- |
- |
|
oa:capacityAnalysis:getJobProgress |
Grants permission to obtain the progress of a capacity optimization analysis task. |
read |
- |
- |
- |
|
oa:capacityAnalysis:stopJob |
Grants permission to stop a capacity optimization analysis task. |
write |
- |
- |
- |
|
oa:capacityAnalysis:getResultSummary |
Grants permission to obtain the summary of capacity optimization analysis results. |
read |
- |
- |
- |
|
oa:capacityAnalysis:listResultDetails |
Grants permission to obtain the details of capacity optimization analysis results. |
read |
- |
- |
- |
|
oa:capacityAnalysis:deleteResultDetails |
Grants permission to delete the details of capacity optimization analysis results. |
write |
- |
- |
- |
|
oa:capacityAnalysis:listReports |
Grants permission to obtain the list of capacity optimization analysis reports. |
read |
- |
- |
- |
|
oa:capacityAnalysis:deleteReport |
Grants permission to delete a capacity optimization analysis report. |
write |
- |
- |
- |
|
oa:capacityAnalysis:getReportExportProgress |
Grants permission to obtain the progress for exporting a capacity optimization analysis report. |
read |
- |
- |
- |
|
oa:capacityAnalysis:downloadReport |
Grants permission to download a capacity optimization analysis report. |
read |
- |
- |
- |
|
oa:capacityAnalysis:exportReport |
Grants permission to export a capacity optimization analysis report. |
read |
- |
- |
- |
|
oa:capacityAnalysis:exportExpertReport |
Grants permission to export an expert analysis report on capacity optimization. |
read |
- |
- |
- |
|
oa:applications:list |
Grants permission to obtain the list of architecture diagrams. |
read |
- |
- |
- |
|
oa:applications:get |
Grants permission to obtain architecture diagram details. |
read |
- |
- |
- |
|
oa:applications:update |
Grants permission to modify basic information about an architecture diagram. |
write |
- |
- |
- |
|
oa:applications:delete |
Grants permission to delete an architecture diagram. |
write |
- |
- |
- |
|
oa:applications:updateView |
Grants permission to modify the settings of architecture diagram elements. |
write |
- |
- |
- |
|
oa:applications:listServiceConfigs |
Grants permission to obtain the service configuration list of an architecture diagram. |
read |
- |
- |
- |
|
oa:applications:getResourceConfig |
Grants permission to obtain resource parsing settings of an architecture diagram. |
read |
- |
- |
- |
|
oa:applications:updateRiskSwitchStatus |
Grants permission to enable or disable risk statistics of an architecture diagram. |
write |
- |
- |
- |
|
oa:applications:listRisks |
Grants permission to obtain the number of risks in an architecture diagram. |
read |
- |
- |
- |
|
oa:applications:listHistorys |
Grants permission to obtain the list of historical records of an architecture diagram. |
read |
- |
- |
- |
|
oa:applications:getHistory |
Grants permission to obtain the details of historical records of an architecture diagram. |
read |
- |
- |
- |
|
oa:applications:restoreHistory |
Grants permission to restore a historical architecture diagram. |
write |
- |
- |
- |
|
oa:applications:deleteHistory |
Grants permission to delete the historical records of an architecture diagram. |
write |
- |
- |
- |
|
oa:applications:listRecycleApplications |
Grants permission to list architecture diagrams in the recycle bin. |
read |
- |
- |
- |
|
oa::listSystemCesMetrics |
Grants permission to obtain Cloud Eye metrics. |
read |
- |
- |
oa:system:listCesMetrics |
|
oa::listSystemCesMetricData |
Grants permission to obtain Cloud Eye metric details. |
read |
- |
- |
oa:system:listCesMetricData |
|
oa::getSystemConfigItem |
Grants permission to obtain configuration items in the configuration center. |
read |
- |
- |
oa:system:getConfigItem |
|
oa:capacityAnalysis:listHistoryReports |
Grants permission to obtain the list of historical capacity optimization analysis records. |
read |
- |
- |
- |
|
oa:capacityAnalysis:listMetrics |
Grants permission to obtain metrics of risky resources for capacity optimization. |
read |
- |
- |
- |
|
oa:capacityAnalysis:listMonitor |
Grants permission to obtain the monitoring data of risky resources for capacity optimization. |
read |
- |
- |
- |
|
oa::getAutoloadData |
Grants permission to obtain the auto-loaded data. |
read |
- |
- |
oa:system:getAutoloadData |
|
oa:capacityAnalysis:listResultMonitorData |
Grants permission to obtain the monitoring data from KEA risk analysis results. |
read |
- |
- |
- |
|
oa:applications:getSummary |
Grants permission to obtain the architecture diagram summary. |
read |
- |
- |
- |
|
oa:applications:listCapacityAnalysisSupportedServices |
Grants permission to obtain supported services from the capacity optimization dashboard. |
read |
- |
- |
- |
|
oa:applications:listCapacityAnalysisResults |
Grants permission to obtain the analysis results from the capacity optimization dashboard. |
read |
- |
- |
- |
|
oa:applications:startAutomaticDrawAnalysis |
Grants permission to create an automatic drawing analysis task. |
write |
- |
- |
- |
|
oa:applications:getAutomaticDrawAnalysisProgress |
Grants permission to obtain the progress of an automatic drawing analysis task. |
read |
- |
- |
- |
|
oa:applications:getAutomaticDrawAnalysisResult |
Grants permission to obtain the result of an automatic drawing analysis task. |
read |
- |
- |
- |
|
oa:applications:getVpcFlowLogsDockingStatus |
Grants permission to obtain the interconnection status of VPC flow logs. |
read |
- |
- |
- |
|
oa::listResourceGroups |
Grants permission to obtain the resource group list. |
read |
- |
- |
oa:resourceGroups:list |
|
oa::getResourceGroups |
Grants permission to obtain resource group details. |
read |
- |
- |
oa:resourceGroups:get |
|
oa::updateResourceGroups |
Grants permission to modify a resource group. |
write |
- |
- |
oa:resourceGroups:update |
|
oa::deleteResourceGroups |
Grants permission to delete a resource group. |
write |
- |
- |
oa:resourceGroups:delete |
|
oa::listResourceGroupsRegions |
Grants permission to list the regions that the resource groups belong to. |
read |
- |
- |
oa:resourceGroups:listRegions |
|
oa::listResourceGroupsResources |
Grants permission to list the resources in a resource group. |
read |
- |
- |
oa:resourceGroups:listResources |
|
oa::listEnterpriseProjectResources |
Grants permission to list the resources of an enterprise project. |
read |
- |
- |
oa:resourceGroups:listEnterpriseProjectResources |
|
oa::listServiceMetrics |
Grants permission to list metrics of a cloud service. |
read |
- |
- |
oa:system:listServiceMetrics |
|
oa::listAlarmMetrics |
Grants permission to list alarm metrics. |
read |
- |
- |
oa:system:listAlarmMetrics |
|
oa:applications:listServiceResources |
Grants permission to list cloud service resources of an architecture design. |
read |
- |
- |
- |
|
oa:applications:saveResourceGroup |
Grants permission to save resource groups of an architecture design. |
write |
- |
- |
- |
|
oa::listResourceTypes |
Grants permission to list resource types. |
read |
- |
- |
oa:system:listResourceTypes |
|
oa::listAllResourceGroups |
Grants permission to list all resource groups. |
read |
- |
- |
oa:resourceGroups:listAll |
|
oa:applications:downloadResourceTemplate |
Grants permission to download the resource import template for an architecture design. |
read |
- |
- |
oa:applications:downloadResourceTemplate |
|
oa:applications:importResources |
Grants permission to import resources for an architecture design. |
read |
- |
- |
- |
|
oa:applications:getResourcesImportResult |
Grants permission to obtain the resource import results of an architecture design. |
read |
- |
- |
- |
|
oa:applications:saveResourceGroupsBatch |
Grants permission to save resource groups in an architecture design in batches. |
write |
- |
- |
- |
|
oa:applications:getBatchSaveResourceGroupsResult |
Grants permission to obtain the results for batch saving resource groups in an architecture design. |
read |
- |
- |
- |
|
oa::downloadResourceTemplate |
Grants permission to download the resource import template for a resource group. |
read |
- |
- |
oa:resourceGroups:downloadResourceTemplate |
|
oa::importResourceGroups |
Grants permission to import resources to a resource group. |
read |
- |
- |
oa:resourceGroups:importResources |
|
oa::getResourcesGroupsImportResult |
Grants permission to obtain the resource import results of a resource group. |
read |
- |
- |
oa:resourceGroups:getResourcesImportResult |
|
oa:applications:startServiceRecommendAnalysis |
Grants permission to start service recommendation analysis. |
write |
- |
- |
- |
|
oa:applications:getServiceRecommendAnalysisResult |
Grants permission to obtain the service recommendation analysis results. |
read |
- |
- |
- |
|
oa:applications:listAttachedResources |
Grants permission to list resources associated with an architecture diagram. |
read |
- |
- |
- |
|
oa:applications:listNodeAttachedResources |
Grants permission to list resources corresponding to a diagram element. |
read |
- |
- |
- |
|
oa:applications:downloadAttachedResources |
Grants the permission to export resources from an architecture diagram. |
write |
- |
- |
- |
|
oa::getAutoloadConfigs |
Grants permission to obtain system auto-loaded configurations |
read |
- |
- |
oa:system:getAutoloadConfigs |
|
oa::listRiskItemsCheckReportsV4 |
Grants permission to obtain risk check reports. |
read |
- |
- |
oa:riskItemsCheck:listReportsV4 |
|
oa::getResources |
Grants permission to obtain auto-access resource data. |
read |
- |
- |
oa:system:getAutoloadResources |
|
oa:capacityAnalysis:getListMetrics |
Grants permission to obtain metrics of risky resources for capacity optimization. |
read |
- |
- |
- |
|
oa:capacityAnalysis:getListMonitor |
Grants permission to obtain the monitoring data of risky resources for capacity optimization. |
read |
- |
- |
- |
Resources
OA does not support resource-level authorization. To allow access to OA, use a wildcard (*) in the Resource element of the identity policy, indicating that the policy will be applied to all resources.
Conditions
OA does not support service-specific condition keys in identity policies. It can only use global condition keys applicable to all services. For details, see Global Condition Keys.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
