SecMaster Permissions and Authorization Items
If you need fine-grained permission management for your SecMaster resources, use Identity and Access Management (IAM). If your account already meets your requirements and you do not need separate IAM users, skip this section; doing so does not affect any other SecMaster function.
By default, a newly created IAM user has no permissions. You must add the user to a user group and grant policies or roles to that group; the users in the group then obtain the corresponding permissions. This process is called authorization. After authorization, the user can operate cloud services within the granted permissions.
Permissions are divided into roles and policies by granularity. Roles are service-level: the coarse-grained mechanism IAM offered first, defining permissions by job function. Policies are finer-grained: they can be scoped to a specific operation, resource and condition, which is what the least-privilege controls an enterprise security team expects require.
Constraints
All SecMaster authorization items (actions) support only IAM projects, not enterprise projects. Scope SecMaster permissions by IAM project; an enterprise-project boundary does not restrict these actions.
Supported Authorization Items
Policies include system policies and custom policies. If the system policies do not meet your authorization requirements, an administrator can create custom policies and grant them to user groups for fine-grained access control.
- Permission: allows or denies an operation.
- Authorization item: an action supported in custom policies. Writing an authorization item in the Action field of a custom policy grants (or, with Effect Deny, denies) the permission it corresponds to.
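As an added example that is not part of the SecMaster documentation or the IAM service, the following Python script assembles a custom policy for a SOC analyst from authorization items listed in the tables below and lints it for over-broad grants. It assumes the Huawei Cloud IAM custom-policy document shape (`Version` "1.1" and a `Statement` list whose entries carry `Effect` and `Action`) and that an explicit Deny overrides an Allow; the analyst role split, the verb-based classification and the helper names (`classify`, `build_policy`, `lint`) are illustrative assumptions.

```python
"""Assemble and lint a least-privilege SecMaster custom policy.

Added example, not SecMaster or IAM code. Assumes the Huawei Cloud IAM
custom-policy shape ({"Version": "1.1", "Statement": [{"Effect", "Action"}]})
and that an explicit Deny overrides any Allow. The analyst role and the
verb-based classification below are illustrative assumptions.
"""
import json
import re

ACTION_RE = re.compile(r"^secmaster:[A-Za-z]+:(?P<op>[A-Za-z]+)$")

# The leading verb of the operation name decides how an action is classified.
# get/list only read; export/download move data out of the tenant and are
# tracked separately; everything else (create/update/delete/approve/bind/
# enable/import/...) changes state.
READ_VERBS = {"get", "list"}
EXPORT_VERBS = {"export", "download"}


def classify(action: str) -> str:
    """Return 'read', 'export', 'write' or 'wildcard' for one action string."""
    if "*" in action:
        return "wildcard"
    m = ACTION_RE.match(action)
    if not m:
        raise ValueError(f"not a SecMaster action: {action!r}")
    verb = re.match(r"[a-z]*", m.group("op")).group(0)  # 'listTypes' -> 'list'
    if verb in READ_VERBS:
        return "read"
    if verb in EXPORT_VERBS:
        return "export"
    return "write"


# Illustrative SOC-analyst grant: triage alerts and incidents, drive playbook
# instances, search logs. No configuration, collector or billing actions.
ANALYST_ALLOW = [
    "secmaster:workspace:list", "secmaster:workspace:get",
    "secmaster:alert:list", "secmaster:alert:get", "secmaster:alert:update",
    "secmaster:incident:list", "secmaster:incident:get",
    "secmaster:incident:create", "secmaster:incident:update",
    "secmaster:playbook:list", "secmaster:playbook:get",
    "secmaster:playbook:listInstances", "secmaster:playbook:operateInstance",
    "secmaster:search:listLogs", "secmaster:search:listHistograms",
]
# The only state changes the analyst is meant to hold; lint flags any other.
ANALYST_WRITES = frozenset({
    "secmaster:alert:update", "secmaster:incident:create",
    "secmaster:incident:update", "secmaster:playbook:operateInstance",
})
# Ordering/billing actions denied explicitly, so an Allow in some other
# policy attached to the same group cannot grant them.
ANALYST_DENY = [
    "secmaster:subscription:createPrePaidOrder",
    "secmaster:subscription:createPostPaidOrder",
    "secmaster:subscription:deletePostPaidOrder",
]


def build_policy(allow, deny=()):
    """Return a custom-policy document with one Allow and an optional Deny statement."""
    statements = [{"Effect": "Allow", "Action": list(allow)}]
    if deny:
        statements.append({"Effect": "Deny", "Action": list(deny)})
    return {"Version": "1.1", "Statement": statements}


def lint(policy, allowed_writes=frozenset(), allow_export=False):
    """Return findings for over-broad Allow grants; an empty list means it passes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in stmt["Action"]:
            kind = classify(action)
            if kind == "wildcard":
                findings.append(f"wildcard grant: {action}")
            elif kind == "export" and not allow_export:
                findings.append(f"data export granted: {action}")
            elif kind == "write" and action not in allowed_writes:
                findings.append(f"unexpected write action: {action}")
    return findings


if __name__ == "__main__":
    policy = build_policy(ANALYST_ALLOW, ANALYST_DENY)
    print(json.dumps(policy, indent=2))
    print("analyst findings:", lint(policy, ANALYST_WRITES))
    # A policy pasted in without thought: a wildcard plus a data export.
    broad = build_policy(["secmaster:*:*", "secmaster:indicator:export"])
    print("broad findings:", lint(broad, ANALYST_WRITES))
```

The printed document is what goes into the JSON view of the custom policy editor. Attach the policy to a user group scoped to the IAM project that holds the workspace; because of the constraint above, an enterprise project cannot narrow these actions. Run `lint` on every policy before it is attached, and treat export and download actions as data-egress grants that need a separate decision.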
| Permission | Authorization item (Action) |
|---|---|
| Get the statistics of a playbook | secmaster:playbook:getStatistics |
| Query playbook instance details | secmaster:playbook:getInstance |
| Show subscription version | secmaster:subscription:getVersion |
| Query search condition details | secmaster:searchCondition:get |
| Export indicators | secmaster:indicator:export |
| Export emergency vulnerabilities | secmaster:emergencyVulnerability:export |
| Get incident details | secmaster:incident:get |
| Query alert rule template details | secmaster:alertRuleTemplate:get |
| Get field details | secmaster:dataclass:getField |
| Show vulnerability group info | secmaster:vulnerability:getGroup |
| Get workflow details | secmaster:workflow:get |
| Get alert details | secmaster:alert:get |
| Query the indicator list | secmaster:indicator:list |
| Query pipe details | secmaster:pipe:get |
| Get classifier details | secmaster:mapping:getClassifier |
| Get playbook details | secmaster:playbook:get |
| Get pipe consumption | secmaster:pipe:getConsumption |
| Download indicator template | secmaster:indicator:downloadTemplate |
| Get the playbook monitor | secmaster:playbook:getMonitor |
| Export playbook | secmaster:playbook:export |
| Query dataclass details | secmaster:dataclass:get |
| Query alert rule details | secmaster:alertRule:get |
| Get mapper details | secmaster:mapping:getMapper |
| Get a wizard | secmaster:layout:getWizard |
| Get type details | secmaster:dataclass:getType |
| Get asset credential details | secmaster:connection:get |
| Get task details | secmaster:task:get |
| Show report | secmaster:report:get |
| Query a pipe index | secmaster:pipe:getIndex |
| Query playbook instance topology details | secmaster:playbook:getInstanceTopology |
| Show agency | secmaster:agency:get |
| Get indicator details | secmaster:indicator:get |
| Get mapping data sources | secmaster:mapping:getDatasource |
| Show resource statistics | secmaster:resource:getStatistics |
| Get the workflow instance topology | secmaster:workflow:getInstance |
| Get workspace details | secmaster:workspace:get |
| Get resource import template | secmaster:resource:getTemplate |
| Get workflow version details | secmaster:workflow:getVersion |
| Get a layout | secmaster:layout:get |
| Get playbook version details | secmaster:playbook:getVersion |
| Get dataspace details | secmaster:dataspace:get |
| Get a layout field | secmaster:layout:getField |
| Show metric result | secmaster:metric:getResult |
| Query the alert list | secmaster:alert:list |
| Query alert rules | secmaster:alertRule:list |
| Get the playbook list | secmaster:playbook:list |
| Query the search condition list | secmaster:searchCondition:list |
| Query the pipe list | secmaster:pipe:list |
| List alert rule template metrics | secmaster:alertRuleTemplate:listMetrics |
| Query the approval list | secmaster:playbook:listApproves |
| Export vulnerability groups | secmaster:vulnerability:exportGroup |
| List emergency vulnerabilities | secmaster:emergencyVulnerability:list |
| Query the mapper list | secmaster:mapping:listMappers |
| Search category | secmaster:catalogue:list |
| Query the type list | secmaster:dataclass:listTypes |
| List metric results | secmaster:metric:listResults |
| Query the playbook instance list | secmaster:playbook:listInstances |
| Query logs | secmaster:search:listLogs |
| Get layout field list | secmaster:layout:listFields |
| List vulnerability groups | secmaster:vulnerability:listGroups |
| Get the playbook version list | secmaster:playbook:listVersions |
| Get the incident type list | secmaster:incident:listTypes |
| Query mapping functions | secmaster:mapping:listFunctions |
| Query histograms | secmaster:search:listHistograms |
| Get layout type list | secmaster:layout:listBusinessTypes |
| Create batch order alerts | secmaster:alert:batchOrders |
| Query the workflow list | secmaster:workflow:list |
| Get the workflow version list | secmaster:workflow:listVersions |
| Query the playbook instance audit log list | secmaster:playbook:getInstanceAuditlog |
| Query the task list | secmaster:task:list |
| List reports | secmaster:report:list |
| Get layout list | secmaster:layout:list |
| Query the indicator type list | secmaster:indicator:listTypes |
| Get dataclass list | secmaster:dataclass:list |
| Query the dataspace list | secmaster:dataspace:list |
| List alert rule templates | secmaster:alertRuleTemplate:list |
| Query the mapping list | secmaster:mapping:list |
| Query the field list | secmaster:dataclass:listFields |
| Get alert rule metrics | secmaster:alertRule:listMetrics |
| Get wizard list | secmaster:layout:listWizards |
| Query the incident list | secmaster:incident:list |
| Query the incident category list | secmaster:incident:listCategories |
| Query the dataObject relation list | secmaster:dataobject:listRelations |
| Query the alert category list | secmaster:alert:listCategories |
| Query the vulnerability type list | secmaster:vulnerability:listTypes |
| Query the asset credential list | secmaster:connection:list |
| List resources | secmaster:resource:list |
| Query the alert type list | secmaster:alert:listTypes |
| Search metric hits | secmaster:metric:listHits |
| Query the workspace list | secmaster:workspace:list |
| Query tags of a resource | secmaster:workspace:listTags |
| List cloud logs config | secmaster:collector:listConfig |
| List cloud logs config | secmaster:cloudLog:list |
| Query cloud logs resource | secmaster:cloudLog:listResourceConfig |
| List collector parser templates | secmaster:collectorParser:listTemplates |
| List collector parsers | secmaster:collectorParser:list |
| Export collector parsers | secmaster:collectorParser:export |
| List collector connections | secmaster:collectorConnection:list |
| Get collector connection | secmaster:collectorConnection:get |
| List collector channel instances | secmaster:collectorChannel:listInstances |
| List collector channels | secmaster:collectorChannel:list |
| Get collector channel | secmaster:collectorChannel:get |
| List collector channel nodes | secmaster:collectorChannel:listNodes |
| List collector channel groups | secmaster:collectorChannelGroup:list |
| List collector nodes | secmaster:collectorNode:list |
| List component configuration templates | secmaster:component:listTemplates |
| List component configurations | secmaster:component:listConfigurations |
| Show component info | secmaster:component:get |
| List component info | secmaster:component:list |
| List component configuration history | secmaster:component:listConfigurationVersions |
| List component running node info | secmaster:component:listRunningNodes |
| List node info | secmaster:node:list |
| Get table consumption | secmaster:table:getConsumption |
| Export an analysis script | secmaster:analysisScript:export |
| Show collector parser | secmaster:collectorParser:get |
| Permission | Authorization item (Action) |
|---|---|
| Delete a workflow | secmaster:workflow:delete |
| Delete a pipe | secmaster:pipe:delete |
| Create a workspace | secmaster:workspace:create |
| Delete a mapping | secmaster:mapping:delete |
| Import resources | secmaster:resource:import |
| Create a wizard | secmaster:layout:createWizard |
| Update an incident | secmaster:incident:update |
| Import a playbook | secmaster:playbook:import |
| Create a playbook version | secmaster:playbook:createVersion |
| Approve a workflow version | secmaster:workflow:approveVersion |
| Delete a workflow version | secmaster:workflow:deleteVersion |
| Operate a playbook instance | secmaster:playbook:operateInstance |
| Bind an indicator type with a layout | secmaster:indicator:bindLayout |
| Delete a layout field | secmaster:layout:deleteField |
| Delete pipe consumption | secmaster:pipe:deleteConsumption |
| Delete report | secmaster:report:delete |
| Create agency | secmaster:agency:create |
| Update wizards | secmaster:layout:updateWizard |
| Copy a mapping | secmaster:mapping:copy |
| Update the status of a mapping | secmaster:mapping:update |
| Approve a playbook | secmaster:playbook:approve |
| Create a search condition | secmaster:searchCondition:create |
| Update a workflow version | secmaster:workflow:updateVersion |
| Create an incident type | secmaster:incident:createType |
| Update a mapper | secmaster:mapping:updateMapper |
| Create alert rule | secmaster:alertRule:create |
| Update a dataclass | secmaster:dataclass:update |
| Update a pipe | secmaster:pipe:update |
| Create a layout | secmaster:layout:create |
| Enable or disable an incident type | secmaster:incident:enableType |
| Update a layout | secmaster:layout:update |
| Operate a workflow instance | secmaster:workflow:operateInstance |
| Update a layout field | secmaster:layout:updateField |
| Delete alert rule | secmaster:alertRule:delete |
| Update an alert | secmaster:alert:update |
| Delete an incident type | secmaster:incident:deleteType |
| Create an alert | secmaster:alert:create |
| Enable or disable an alert type | secmaster:alert:enableType |
| Delete an incident | secmaster:incident:delete |
| Create a workflow version | secmaster:workflow:createVersion |
| Create a classifier | secmaster:mapping:createClassifier |
| Delete a mapper | secmaster:mapping:deleteMapper |
| Update report | secmaster:report:update |
| Execute an analysis | secmaster:search:createAnalysis |
| Update a workspace | secmaster:workspace:update |
| Update a search condition | secmaster:searchCondition:update |
| Delete a playbook | secmaster:playbook:delete |
| Create a task | secmaster:task:create |
| Create a dataclass | secmaster:dataclass:create |
| Update an alert type | secmaster:alert:updateType |
| Update a workflow | secmaster:workflow:update |
| Delete a vulnerability type | secmaster:vulnerability:deleteType |
| Create a layout field | secmaster:layout:createField |
| Update an asset credential | secmaster:connection:update |
| Delete an alert type | secmaster:alert:deleteType |
| Create a mapper | secmaster:mapping:createMapper |
| Create a playbook | secmaster:playbook:create |
| Set emergency vulnerability read status | secmaster:emergencyVulnerability:updateReadStatus |
| Verify a workflow version | secmaster:workflow:validate |
| Update a pipe index | secmaster:pipe:updateIndex |
| Create a workflow | secmaster:workflow:create |
| Create report | secmaster:report:create |
| Create an alert type | secmaster:alert:createType |
| Update alert rules | secmaster:alertRule:update |
| Create a dataspace | secmaster:dataspace:create |
| Create pre-paid order | secmaster:subscription:createPrePaidOrder |
| Create pipe consumption | secmaster:pipe:createConsumption |
| Delete a workspace | secmaster:workspace:delete |
| Update a classifier | secmaster:mapping:updateClassifier |
| Simulate alert rule | secmaster:alertRule:createSimulation |
| Create a pipe | secmaster:pipe:create |
| Delete post-paid order | secmaster:subscription:deletePostPaidOrder |
| Enable or disable a vulnerability type | secmaster:vulnerability:enableType |
| Update an incident type | secmaster:incident:updateType |
| Update indicator | secmaster:indicator:update |
| Bind a vulnerability type with a layout | secmaster:vulnerability:bindLayout |
| Delete a playbook version | secmaster:playbook:deleteVersion |
| Update a field | secmaster:dataclass:updateField |
| Delete a wizard | secmaster:layout:deleteWizard |
| Bind an alert type with a layout | secmaster:alert:bindLayout |
| Update a vulnerability type | secmaster:vulnerability:updateType |
| Delete an asset credential | secmaster:connection:delete |
| Update a category | secmaster:catalogue:update |
| Disable alert rule | secmaster:alertRule:disable |
| Create an incident | secmaster:incident:create |
| Create a field | secmaster:dataclass:createField |
| Delete a dataspace | secmaster:dataspace:delete |
| Delete field | secmaster:dataclass:deleteField |
| Create indicator | secmaster:indicator:create |
| Copy a playbook version | secmaster:playbook:copyVersion |
| Create dataObject relations | secmaster:dataobject:createRelation |
| Delete a search condition | secmaster:searchCondition:delete |
| Delete a classifier | secmaster:mapping:deleteClassifier |
| Update a playbook version | secmaster:playbook:updateVersion |
| Bind an incident type with a layout | secmaster:incident:bindLayout |
| Delete an alert | secmaster:alert:delete |
| Delete a dataclass | secmaster:dataclass:delete |
| Delete dataObject relations | secmaster:dataobject:deleteRelation |
| Import indicators | secmaster:indicator:import |
| Create an asset credential | secmaster:connection:create |
| Update a playbook | secmaster:playbook:update |
| Delete layouts | secmaster:layout:delete |
| Update a task | secmaster:task:update |
| Transfer to template | secmaster:layout:createTemplate |
| Update a dataspace | secmaster:dataspace:update |
| Create post-paid order | secmaster:subscription:createPostPaidOrder |
| Create a vulnerability type | secmaster:vulnerability:createType |
| Delete indicator | secmaster:indicator:delete |
| Enable alert rule | secmaster:alertRule:enable |
| Update the debug result of a workflow version | secmaster:workflow:simulate |
| Update tag | secmaster:workspace:updateTag |
| Batch delete tags | secmaster:workspace:deleteTags |
| Batch create tags | secmaster:workspace:createTags |
| Create cloud logs config | secmaster:collector:createConfig |
| Create cloud logs config | secmaster:cloudLog:create |
| Delete cloud logs config | secmaster:cloudLog:delete |
| Create collector parsers | secmaster:collectorParser:create |
| Delete collector parser | secmaster:collectorParser:delete |
| Create collector connection | secmaster:collectorConnection:create |
| Update collector connection | secmaster:collectorConnection:update |
| Delete collector connection | secmaster:collectorConnection:delete |
| Create collector channel | secmaster:collectorChannel:create |
| Delete collector channel | secmaster:collectorChannel:delete |
| Update collector channel | secmaster:collectorChannel:update |
| Create collector channel operation | secmaster:collectorChannel:createOperation |
| Delete collector channel group | secmaster:collectorChannelGroup:delete |
| Update collector channel group | secmaster:collectorChannelGroup:update |
| Create collector channel group | secmaster:collectorChannelGroup:create |
| Update component configuration info | secmaster:component:updateConfigurations |
| Delete node info | secmaster:node:delete |
| Update node info | secmaster:node:update |
| Create table consumption | secmaster:table:createConsumption |
| Delete table consumption | secmaster:table:deleteConsumption |
| Import an analysis script | secmaster:analysisScript:import |