SecMaster Permissions and Authorization Items
If you need fine-grained permission management for your SecMaster resources, you can use Identity and Access Management (IAM). If your account already meets your requirements and you do not need separate IAM users, you can skip this section; doing so does not affect your use of any other SecMaster function.
By default, a newly created IAM user has no permissions. You must add the user to a user group and grant policies or roles to that group so that the users in the group obtain the corresponding permissions. This process is called authorization. After authorization, the user can operate on cloud services within the granted permissions.
Permissions are classified by granularity into roles and policies. Roles are service-level: they are the coarse-grained authorization mechanism IAM originally provided, defining permissions by a user's job function. Policies are finer-grained and can be scoped down to a specific operation, resource and condition, which meets enterprise requirements for least-privilege access control.
Constraints
All SecMaster authorization items (Actions) support IAM projects only; enterprise projects are not supported.
Supported Authorization Items
Policies include system-defined policies and custom policies. If the system-defined policies do not meet your authorization requirements, an administrator can create custom policies and grant them to user groups for fine-grained access control.
- Permission: allows or denies an operation.
- Authorization item: an Action supported in a custom policy. Writing an authorization item into the Action field of a custom policy grants the permission that the item corresponds to.
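As an added illustration that is not part of the original page, the following custom policy grants a SOC analyst read-only access to workspaces, alerts, incidents and log search, using only authorization items listed in the tables below. It assumes the IAM custom-policy JSON syntax (a Version 1.1 document with a Statement array whose entries carry Effect and Action); the policy name and the choice of actions are this example's own. No write actions such as secmaster:alert:update or secmaster:incident:delete are included, so a user in a group holding this policy can triage but not modify, and because every SecMaster action supports IAM projects only, the policy must be attached within an IAM project scope rather than an enterprise project.

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secmaster:workspace:list",
        "secmaster:workspace:get",
        "secmaster:alert:list",
        "secmaster:alert:get",
        "secmaster:alert:listTypes",
        "secmaster:incident:list",
        "secmaster:incident:get",
        "secmaster:incident:listTypes",
        "secmaster:search:listLogs",
        "secmaster:search:listHistograms",
        "secmaster:searchCondition:list",
        "secmaster:searchCondition:get"
      ]
    }
  ]
}
```

When extending such a policy, add one authorization item per operation the role actually needs and check each new item against the second table below: items whose verb is create, update, delete, import, approve, operate or bind change state, and granting them to a read-only group silently widens its privileges.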
| Permission | Authorization Item (Action) |
|---|---|
| Get the statistics of playbook | secmaster:playbook:getStatistics |
| Query playbook details | secmaster:playbook:getInstance |
| Show subscription version | secmaster:subscription:getVersion |
| Query search condition details | secmaster:searchCondition:get |
| Export indicator | secmaster:indicator:export |
| Export emergency vulnerabilities | secmaster:emergencyVulnerability:export |
| Get incident details | secmaster:incident:get |
| Query alert rule template details | secmaster:alertRuleTemplate:get |
| Get field details | secmaster:dataclass:getField |
| Show vulnerabilities group info | secmaster:vulnerability:getGroup |
| Get workflow details | secmaster:workflow:get |
| Get alert details | secmaster:alert:get |
| Query the indicator list | secmaster:indicator:list |
| Query pipe details | secmaster:pipe:get |
| Get classifier details | secmaster:mapping:getClassifier |
| Get playbook details | secmaster:playbook:get |
| Get pipe consumption | secmaster:pipe:getConsumption |
| Download indicator template | secmaster:indicator:downloadTemplate |
| Get the monitor of playbook | secmaster:playbook:getMonitor |
| Export playbook | secmaster:playbook:export |
| Query the dataclass details | secmaster:dataclass:get |
| Query alert rule details | secmaster:alertRule:get |
| Get mapper details | secmaster:mapping:getMapper |
| Get a wizard | secmaster:layout:getWizard |
| Get type details | secmaster:dataclass:getType |
| Get asset credential details | secmaster:connection:get |
| Get task details | secmaster:task:get |
| Show report | secmaster:report:get |
| Query a pipe index | secmaster:pipe:getIndex |
| Query playbook topology details | secmaster:playbook:getInstanceTopology |
| Show agency | secmaster:agency:get |
| Get indicator details | secmaster:indicator:get |
| Get mapping datasources | secmaster:mapping:getDatasource |
| Show resource statistics | secmaster:resource:getStatistics |
| Get the workflow instance topology | secmaster:workflow:getInstance |
| Get workspace details | secmaster:workspace:get |
| Get resource import template | secmaster:resource:getTemplate |
| Get workflow version details | secmaster:workflow:getVersion |
| Get a layout | secmaster:layout:get |
| Get playbook version details | secmaster:playbook:getVersion |
| Get dataspace details | secmaster:dataspace:get |
| Get a layout field | secmaster:layout:getField |
| Show metric result | secmaster:metric:getResult |
| Query the alert list | secmaster:alert:list |
| Query alert rules | secmaster:alertRule:list |
| Get the playbook list | secmaster:playbook:list |
| Query the search condition list | secmaster:searchCondition:list |
| Query the pipe list | secmaster:pipe:list |
| List alert rule template metrics | secmaster:alertRuleTemplate:listMetrics |
| Query the approval list | secmaster:playbook:listApproves |
| Export vulnerabilities groups | secmaster:vulnerability:exportGroup |
| List emergency vulnerabilities | secmaster:emergencyVulnerability:list |
| Query the mapper list | secmaster:mapping:listMappers |
| Search category | secmaster:catalogue:list |
| Query the type list | secmaster:dataclass:listTypes |
| List metric results | secmaster:metric:listResults |
| Query the playbook instance list | secmaster:playbook:listInstances |
| Query logs | secmaster:search:listLogs |
| Get layout field list | secmaster:layout:listFields |
| List vulnerabilities groups | secmaster:vulnerability:listGroups |
| Get the playbook version list | secmaster:playbook:listVersions |
| Get the incident type list | secmaster:incident:listTypes |
| Query mapping functions | secmaster:mapping:listFunctions |
| Query histograms | secmaster:search:listHistograms |
| Get layout type list | secmaster:layout:listBusinessTypes |
| Create batch orderAlerts | secmaster:alert:batchOrders |
| Query the workflow list | secmaster:workflow:list |
| Get the workflow version list | secmaster:workflow:listVersions |
| Query the playbook instance auditlog list | secmaster:playbook:getInstanceAuditlog |
| Query the task list | secmaster:task:list |
| List reports | secmaster:report:list |
| Get layout list | secmaster:layout:list |
| Query the indicator type list | secmaster:indicator:listTypes |
| Get dataclass list | secmaster:dataclass:list |
| Query the dataspace list | secmaster:dataspace:list |
| List alert rule templates | secmaster:alertRuleTemplate:list |
| Query the mapping list | secmaster:mapping:list |
| Query the field list | secmaster:dataclass:listFields |
| Get alert rule metrics | secmaster:alertRule:listMetrics |
| Get wizard list | secmaster:layout:listWizards |
| Query the incident list | secmaster:incident:list |
| Query the incident category list | secmaster:incident:listCategories |
| Query the dataObject relation list | secmaster:dataobject:listRelations |
| Query the alert category list | secmaster:alert:listCategories |
| Query the vulnerability type list | secmaster:vulnerability:listTypes |
| Query the asset credential list | secmaster:connection:list |
| List resources | secmaster:resource:list |
| Query the alert type list | secmaster:alert:listTypes |
| Search metric hits | secmaster:metric:listHits |
| Query the workspace list | secmaster:workspace:list |
| Query tags of resource | secmaster:workspace:listTags |
| List cloud logs config | secmaster:collector:listConfig |
| List cloud logs config | secmaster:cloudLog:list |
| Query cloud logs resource | secmaster:cloudLog:listResourceConfig |
| List collector parser templates | secmaster:collectorParser:listTemplates |
| List collector parsers | secmaster:collectorParser:list |
| Export collector parsers | secmaster:collectorParser:export |
| List collector connections | secmaster:collectorConnection:list |
| Get collector connection | secmaster:collectorConnection:get |
| List collector channel instances | secmaster:collectorChannel:listInstances |
| List collector channels | secmaster:collectorChannel:list |
| Get collector channel | secmaster:collectorChannel:get |
| List collector channel nodes | secmaster:collectorChannel:listNodes |
| List collector channel group | secmaster:collectorChannelGroup:list |
| List collector nodes | secmaster:collectorNode:list |
| List components configuration template | secmaster:component:listTemplates |
| List components configurations | secmaster:component:listConfigurations |
| Show component info | secmaster:component:get |
| List component info | secmaster:component:list |
| List component history configuration info | secmaster:component:listConfigurationVersions |
| List component running node info | secmaster:component:listRunningNodes |
| List node info | secmaster:node:list |
| Get table consumption | secmaster:table:getConsumption |
| Export an analysis script | secmaster:analysisScript:export |
| Show collector parser | secmaster:collectorParser:get |

| Permission | Authorization Item (Action) |
|---|---|
| Delete a workflow | secmaster:workflow:delete |
| Delete a pipe | secmaster:pipe:delete |
| Create a workspace | secmaster:workspace:create |
| Delete a mapping | secmaster:mapping:delete |
| Import resources | secmaster:resource:import |
| Create a wizard | secmaster:layout:createWizard |
| Update an incident | secmaster:incident:update |
| Import playbook | secmaster:playbook:import |
| Create a playbook version | secmaster:playbook:createVersion |
| Approve a workflow version | secmaster:workflow:approveVersion |
| Delete a workflow version | secmaster:workflow:deleteVersion |
| Operate a playbook instance | secmaster:playbook:operateInstance |
| Bind an indicator type with layout | secmaster:indicator:bindLayout |
| Delete a layout field | secmaster:layout:deleteField |
| Delete pipe consumption | secmaster:pipe:deleteConsumption |
| Delete report | secmaster:report:delete |
| Create agency | secmaster:agency:create |
| Update wizards | secmaster:layout:updateWizard |
| Copy a mapping | secmaster:mapping:copy |
| Update the status of a mapping | secmaster:mapping:update |
| Approve a playbook | secmaster:playbook:approve |
| Create a search condition | secmaster:searchCondition:create |
| Update a workflow version | secmaster:workflow:updateVersion |
| Create an incident type | secmaster:incident:createType |
| Update a mapper | secmaster:mapping:updateMapper |
| Create alert rule | secmaster:alertRule:create |
| Update a dataclass | secmaster:dataclass:update |
| Update a pipe | secmaster:pipe:update |
| Create a layout | secmaster:layout:create |
| Enable or disable an incident type | secmaster:incident:enableType |
| Update a layout | secmaster:layout:update |
| Operate a workflow instance | secmaster:workflow:operateInstance |
| Update a layout field | secmaster:layout:updateField |
| Delete alert rule | secmaster:alertRule:delete |
| Update an alert | secmaster:alert:update |
| Delete an incident type | secmaster:incident:deleteType |
| Create an alert | secmaster:alert:create |
| Enable or disable an alert type | secmaster:alert:enableType |
| Delete an incident | secmaster:incident:delete |
| Create a workflow version | secmaster:workflow:createVersion |
| Create a classifier | secmaster:mapping:createClassifier |
| Delete a mapper | secmaster:mapping:deleteMapper |
| Update report | secmaster:report:update |
| Execute an analysis | secmaster:search:createAnalysis |
| Update a workspace | secmaster:workspace:update |
| Update a search condition | secmaster:searchCondition:update |
| Delete a playbook | secmaster:playbook:delete |
| Create a task | secmaster:task:create |
| Create a dataclass | secmaster:dataclass:create |
| Update an alert type | secmaster:alert:updateType |
| Update a workflow | secmaster:workflow:update |
| Delete a vulnerability type | secmaster:vulnerability:deleteType |
| Create a layout field | secmaster:layout:createField |
| Update an asset credential | secmaster:connection:update |
| Delete an alert type | secmaster:alert:deleteType |
| Create a mapper | secmaster:mapping:createMapper |
| Create a playbook | secmaster:playbook:create |
| Set emergency vulnerability read status | secmaster:emergencyVulnerability:updateReadStatus |
| Verify a workflow version | secmaster:workflow:validate |
| Update a pipe index | secmaster:pipe:updateIndex |
| Create a workflow | secmaster:workflow:create |
| Create report | secmaster:report:create |
| Create an alert type | secmaster:alert:createType |
| Update alert rules | secmaster:alertRule:update |
| Create a dataspace | secmaster:dataspace:create |
| Create pre-paid order | secmaster:subscription:createPrePaidOrder |
| Create pipe consumption | secmaster:pipe:createConsumption |
| Delete a workspace | secmaster:workspace:delete |
| Update a classifier | secmaster:mapping:updateClassifier |
| Simulate alert rule | secmaster:alertRule:createSimulation |
| Create a pipe | secmaster:pipe:create |
| Delete post-paid order | secmaster:subscription:deletePostPaidOrder |
| Enable or disable a vulnerability type | secmaster:vulnerability:enableType |
| Update an incident type | secmaster:incident:updateType |
| Update indicator | secmaster:indicator:update |
| Bind a vulnerability type with a layout | secmaster:vulnerability:bindLayout |
| Delete a playbook version | secmaster:playbook:deleteVersion |
| Update a field | secmaster:dataclass:updateField |
| Delete a wizard | secmaster:layout:deleteWizard |
| Bind an alert type with a layout | secmaster:alert:bindLayout |
| Update a vulnerability type | secmaster:vulnerability:updateType |
| Delete an asset credential | secmaster:connection:delete |
| Update a category | secmaster:catalogue:update |
| Disable alert rule | secmaster:alertRule:disable |
| Create an incident | secmaster:incident:create |
| Create a field | secmaster:dataclass:createField |
| Delete a dataspace | secmaster:dataspace:delete |
| Delete field | secmaster:dataclass:deleteField |
| Create indicator | secmaster:indicator:create |
| Copy a playbook version | secmaster:playbook:copyVersion |
| Create dataObject relations | secmaster:dataobject:createRelation |
| Delete a search condition | secmaster:searchCondition:delete |
| Delete a classifier | secmaster:mapping:deleteClassifier |
| Update a playbook version | secmaster:playbook:updateVersion |
| Bind an incident type with a layout | secmaster:incident:bindLayout |
| Delete an alert | secmaster:alert:delete |
| Delete a dataclass | secmaster:dataclass:delete |
| Delete dataObject relations | secmaster:dataobject:deleteRelation |
| Import indicator | secmaster:indicator:import |
| Create an asset credential | secmaster:connection:create |
| Update a playbook | secmaster:playbook:update |
| Delete layouts | secmaster:layout:delete |
| Update a task | secmaster:task:update |
| Transfer to template | secmaster:layout:createTemplate |
| Update a dataspace | secmaster:dataspace:update |
| Create post-paid order | secmaster:subscription:createPostPaidOrder |
| Create a vulnerability type | secmaster:vulnerability:createType |
| Delete indicator | secmaster:indicator:delete |
| Enable alert rule | secmaster:alertRule:enable |
| Update the debug result of a workflow version | secmaster:workflow:simulate |
| Update tag | secmaster:workspace:updateTag |
| Batch delete tags | secmaster:workspace:deleteTags |
| Batch create tags | secmaster:workspace:createTags |
| Create cloud logs config | secmaster:collector:createConfig |
| Create cloud logs config | secmaster:cloudLog:create |
| Delete cloud logs config | secmaster:cloudLog:delete |
| Create collector parsers | secmaster:collectorParser:create |
| Delete collector parser | secmaster:collectorParser:delete |
| Create collector connection | secmaster:collectorConnection:create |
| Update collector connection | secmaster:collectorConnection:update |
| Delete collector connection | secmaster:collectorConnection:delete |
| Create collector channel | secmaster:collectorChannel:create |
| Delete collector channel | secmaster:collectorChannel:delete |
| Update collector channel | secmaster:collectorChannel:update |
| Create collector channel operation | secmaster:collectorChannel:createOperation |
| Delete collector channel group | secmaster:collectorChannelGroup:delete |
| Update collector channel group | secmaster:collectorChannelGroup:update |
| Create collector channel group | secmaster:collectorChannelGroup:create |
| Update component configuration info | secmaster:component:updateConfigurations |
| Delete node info | secmaster:node:delete |
| Update node info | secmaster:node:update |
| Create table consumption | secmaster:table:createConsumption |
| Delete table consumption | secmaster:table:deleteConsumption |
| Import an analysis script | secmaster:analysisScript:import |