Updated: 2025-07-03 GMT+08:00

SecMaster Permissions and Authorization Items

If you need fine-grained permission management for the SecMaster resources you own, use Identity and Access Management (IAM). If your account already meets your requirements and you do not need separate IAM users, you can skip this section; doing so does not affect the use of any other SecMaster function.

By default, a newly created IAM user has no permissions. To grant permissions, add the user to a user group and attach policies or roles to that group; every user in the group then obtains the corresponding permissions. This process is called authorization. After authorization, the user can operate cloud services only within the scope of the granted permissions.

Permissions are classified by granularity into roles and policies. Roles are service-level: a coarse-grained authorization mechanism, the one IAM originally provided, that defines permissions according to a user's job function. Policies are finer-grained and can be scoped down to a specific operation, resource, and condition, which is what an enterprise needs to meet least-privilege requirements.

Constraints

All SecMaster authorization items (actions) support only IAM projects, not enterprise projects. Enterprise projects therefore cannot be used to segment SecMaster access; scope it with IAM projects and user groups instead.

Supported Authorization Items

Policies include system-defined policies and custom policies. If the system-defined policies do not meet your authorization requirements, an administrator can create custom policies and attach them to user groups for fine-grained access control.

  • Permission: allows or denies an operation.
  • Authorization item: an action supported in a custom policy. Writing the authorization item in the Action field of a custom policy grants (or, with a Deny effect, refuses) the corresponding permission.
Table 1 Supported read-only authorization items

Permission | Authorization item (Action)
Get the statistics of playbook | secmaster:playbook:getStatistics
Query playbook details | secmaster:playbook:getInstance
Show subscription version | secmaster:subscription:getVersion
Query search condition details | secmaster:searchCondition:get
Export indicators | secmaster:indicator:export
Export emergency vulnerabilities | secmaster:emergencyVulnerability:export
Get incident details | secmaster:incident:get
Query alert rule template details | secmaster:alertRuleTemplate:get
Get field details | secmaster:dataclass:getField
Show vulnerability group info | secmaster:vulnerability:getGroup
Get workflow details | secmaster:workflow:get
Get alert details | secmaster:alert:get
Query the indicator list | secmaster:indicator:list
Query pipe details | secmaster:pipe:get
Get classifier details | secmaster:mapping:getClassifier
Get playbook details | secmaster:playbook:get
Get pipe consumption | secmaster:pipe:getConsumption
Download indicator template | secmaster:indicator:downloadTemplate
Get the monitor of playbook | secmaster:playbook:getMonitor
Export playbook | secmaster:playbook:export
Query the dataclass details | secmaster:dataclass:get
Query alert rule details | secmaster:alertRule:get
Get mapper details | secmaster:mapping:getMapper
Get a wizard | secmaster:layout:getWizard
Get type details | secmaster:dataclass:getType
Get asset credential details | secmaster:connection:get
Get task details | secmaster:task:get
Show report | secmaster:report:get
Query a pipe index | secmaster:pipe:getIndex
Query playbook topology details | secmaster:playbook:getInstanceTopology
Show agency | secmaster:agency:get
Get indicator details | secmaster:indicator:get
Get mapping datasources | secmaster:mapping:getDatasource
Show resource statistics | secmaster:resource:getStatistics
Get the workflow instance topology | secmaster:workflow:getInstance
Get workspace details | secmaster:workspace:get
Get resource import template | secmaster:resource:getTemplate
Get workflow version details | secmaster:workflow:getVersion
Get a layout | secmaster:layout:get
Get playbook version details | secmaster:playbook:getVersion
Get dataspace details | secmaster:dataspace:get
Get a layout field | secmaster:layout:getField
Show metric result | secmaster:metric:getResult
Query the alert list | secmaster:alert:list
Query alert rules | secmaster:alertRule:list
Get the playbook list | secmaster:playbook:list
Query the search condition list | secmaster:searchCondition:list
Query the pipe list | secmaster:pipe:list
List alert rule template metrics | secmaster:alertRuleTemplate:listMetrics
Query the approval list | secmaster:playbook:listApproves
Export vulnerability groups | secmaster:vulnerability:exportGroup
List emergency vulnerabilities | secmaster:emergencyVulnerability:list
Query the mapper list | secmaster:mapping:listMappers
Search category | secmaster:catalogue:list
Query the type list | secmaster:dataclass:listTypes
List metric results | secmaster:metric:listResults
Query the playbook instance list | secmaster:playbook:listInstances
Query logs | secmaster:search:listLogs
Get layout field list | secmaster:layout:listFields
List vulnerability groups | secmaster:vulnerability:listGroups
Get the playbook version list | secmaster:playbook:listVersions
Get the incident type list | secmaster:incident:listTypes
Query mapping functions | secmaster:mapping:listFunctions
Query histograms | secmaster:search:listHistograms
Get layout type list | secmaster:layout:listBusinessTypes
Create batch orderAlerts | secmaster:alert:batchOrders
Query the workflow list | secmaster:workflow:list
Get the workflow version list | secmaster:workflow:listVersions
Query the playbook instance auditlog list | secmaster:playbook:getInstanceAuditlog
Query the task list | secmaster:task:list
List reports | secmaster:report:list
Get layout list | secmaster:layout:list
Query the indicator type list | secmaster:indicator:listTypes
Get dataclass list | secmaster:dataclass:list
Query the dataspace list | secmaster:dataspace:list
List alert rule templates | secmaster:alertRuleTemplate:list
Query the mapping list | secmaster:mapping:list
Query the field list | secmaster:dataclass:listFields
Get alert rule metrics | secmaster:alertRule:listMetrics
Get wizard list | secmaster:layout:listWizards
Query the incident list | secmaster:incident:list
Query the incident category list | secmaster:incident:listCategories
Query the dataObject relation list | secmaster:dataobject:listRelations
Query the alert category list | secmaster:alert:listCategories
Query the vulnerability type list | secmaster:vulnerability:listTypes
Query the asset credential list | secmaster:connection:list
List resources | secmaster:resource:list
Query the alert type list | secmaster:alert:listTypes
Search metric hits | secmaster:metric:listHits
Query the workspace list | secmaster:workspace:list
Query tags of a resource | secmaster:workspace:listTags
List cloud logs config | secmaster:collector:listConfig
List cloud logs config | secmaster:cloudLog:list
Query cloud logs resource | secmaster:cloudLog:listResourceConfig
List collector parser templates | secmaster:collectorParser:listTemplates
List collector parsers | secmaster:collectorParser:list
Export collector parsers | secmaster:collectorParser:export
List collector connections | secmaster:collectorConnection:list
Get collector connection | secmaster:collectorConnection:get
List collector channel instances | secmaster:collectorChannel:listInstances
List collector channels | secmaster:collectorChannel:list
Get collector channel | secmaster:collectorChannel:get
List collector channel nodes | secmaster:collectorChannel:listNodes
List collector channel groups | secmaster:collectorChannelGroup:list
List collector nodes | secmaster:collectorNode:list
List component configuration templates | secmaster:component:listTemplates
List component configurations | secmaster:component:listConfigurations
Show component info | secmaster:component:get
List component info | secmaster:component:list
List component configuration history | secmaster:component:listConfigurationVersions
List component running node info | secmaster:component:listRunningNodes
List node info | secmaster:node:list
Get table consumption | secmaster:table:getConsumption
Export an analysis script | secmaster:analysisScript:export
Show collector parser | secmaster:collectorParser:get

Table 2 Supported write authorization items

Permission | Authorization item (Action)
Delete a workflow | secmaster:workflow:delete
Delete a pipe | secmaster:pipe:delete
Create a workspace | secmaster:workspace:create
Delete a mapping | secmaster:mapping:delete
Import resources | secmaster:resource:import
Create a wizard | secmaster:layout:createWizard
Update an incident | secmaster:incident:update
Import a playbook | secmaster:playbook:import
Create a playbook version | secmaster:playbook:createVersion
Approve a workflow version | secmaster:workflow:approveVersion
Delete a workflow version | secmaster:workflow:deleteVersion
Operate a playbook instance | secmaster:playbook:operateInstance
Bind an indicator type with a layout | secmaster:indicator:bindLayout
Delete a layout field | secmaster:layout:deleteField
Delete pipe consumption | secmaster:pipe:deleteConsumption
Delete a report | secmaster:report:delete
Create an agency | secmaster:agency:create
Update wizards | secmaster:layout:updateWizard
Copy a mapping | secmaster:mapping:copy
Update the status of a mapping | secmaster:mapping:update
Approve a playbook | secmaster:playbook:approve
Create a search condition | secmaster:searchCondition:create
Update a workflow version | secmaster:workflow:updateVersion
Create an incident type | secmaster:incident:createType
Update a mapper | secmaster:mapping:updateMapper
Create an alert rule | secmaster:alertRule:create
Update a dataclass | secmaster:dataclass:update
Update a pipe | secmaster:pipe:update
Create a layout | secmaster:layout:create
Enable or disable an incident type | secmaster:incident:enableType
Update a layout | secmaster:layout:update
Operate a workflow instance | secmaster:workflow:operateInstance
Update a layout field | secmaster:layout:updateField
Delete an alert rule | secmaster:alertRule:delete
Update an alert | secmaster:alert:update
Delete an incident type | secmaster:incident:deleteType
Create an alert | secmaster:alert:create
Enable or disable an alert type | secmaster:alert:enableType
Delete an incident | secmaster:incident:delete
Create a workflow version | secmaster:workflow:createVersion
Create a classifier | secmaster:mapping:createClassifier
Delete a mapper | secmaster:mapping:deleteMapper
Update a report | secmaster:report:update
Execute an analysis | secmaster:search:createAnalysis
Update a workspace | secmaster:workspace:update
Update a search condition | secmaster:searchCondition:update
Delete a playbook | secmaster:playbook:delete
Create a task | secmaster:task:create
Create a dataclass | secmaster:dataclass:create
Update an alert type | secmaster:alert:updateType
Update a workflow | secmaster:workflow:update
Delete a vulnerability type | secmaster:vulnerability:deleteType
Create a layout field | secmaster:layout:createField
Update an asset credential | secmaster:connection:update
Delete an alert type | secmaster:alert:deleteType
Create a mapper | secmaster:mapping:createMapper
Create a playbook | secmaster:playbook:create
Set emergency vulnerability read status | secmaster:emergencyVulnerability:updateReadStatus
Verify a workflow version | secmaster:workflow:validate
Update a pipe index | secmaster:pipe:updateIndex
Create a workflow | secmaster:workflow:create
Create a report | secmaster:report:create
Create an alert type | secmaster:alert:createType
Update alert rules | secmaster:alertRule:update
Create a dataspace | secmaster:dataspace:create
Create a pre-paid order | secmaster:subscription:createPrePaidOrder
Create pipe consumption | secmaster:pipe:createConsumption
Delete a workspace | secmaster:workspace:delete
Update a classifier | secmaster:mapping:updateClassifier
Simulate an alert rule | secmaster:alertRule:createSimulation
Create a pipe | secmaster:pipe:create
Delete a post-paid order | secmaster:subscription:deletePostPaidOrder
Enable or disable a vulnerability type | secmaster:vulnerability:enableType
Update an incident type | secmaster:incident:updateType
Update an indicator | secmaster:indicator:update
Bind a vulnerability type with a layout | secmaster:vulnerability:bindLayout
Delete a playbook version | secmaster:playbook:deleteVersion
Update a field | secmaster:dataclass:updateField
Delete a wizard | secmaster:layout:deleteWizard
Bind an alert type with a layout | secmaster:alert:bindLayout
Update a vulnerability type | secmaster:vulnerability:updateType
Delete an asset credential | secmaster:connection:delete
Update a category | secmaster:catalogue:update
Disable an alert rule | secmaster:alertRule:disable
Create an incident | secmaster:incident:create
Create a field | secmaster:dataclass:createField
Delete a dataspace | secmaster:dataspace:delete
Delete a field | secmaster:dataclass:deleteField
Create an indicator | secmaster:indicator:create
Copy a playbook version | secmaster:playbook:copyVersion
Create dataObject relations | secmaster:dataobject:createRelation
Delete a search condition | secmaster:searchCondition:delete
Delete a classifier | secmaster:mapping:deleteClassifier
Update a playbook version | secmaster:playbook:updateVersion
Bind an incident type with a layout | secmaster:incident:bindLayout
Delete an alert | secmaster:alert:delete
Delete a dataclass | secmaster:dataclass:delete
Delete dataObject relations | secmaster:dataobject:deleteRelation
Import indicators | secmaster:indicator:import
Create an asset credential | secmaster:connection:create
Update a playbook | secmaster:playbook:update
Delete layouts | secmaster:layout:delete
Update a task | secmaster:task:update
Transfer to template | secmaster:layout:createTemplate
Update a dataspace | secmaster:dataspace:update
Create a post-paid order | secmaster:subscription:createPostPaidOrder
Create a vulnerability type | secmaster:vulnerability:createType
Delete an indicator | secmaster:indicator:delete
Enable an alert rule | secmaster:alertRule:enable
Update the debug result of a workflow version | secmaster:workflow:simulate
Update a tag | secmaster:workspace:updateTag
Batch delete tags | secmaster:workspace:deleteTags
Batch create tags | secmaster:workspace:createTags
Create cloud logs config | secmaster:collector:createConfig
Create cloud logs config | secmaster:cloudLog:create
Delete cloud logs config | secmaster:cloudLog:delete
Create collector parsers | secmaster:collectorParser:create
Delete a collector parser | secmaster:collectorParser:delete
Create a collector connection | secmaster:collectorConnection:create
Update a collector connection | secmaster:collectorConnection:update
Delete a collector connection | secmaster:collectorConnection:delete
Create a collector channel | secmaster:collectorChannel:create
Delete a collector channel | secmaster:collectorChannel:delete
Update a collector channel | secmaster:collectorChannel:update
Create a collector channel operation | secmaster:collectorChannel:createOperation
Delete a collector channel group | secmaster:collectorChannelGroup:delete
Update a collector channel group | secmaster:collectorChannelGroup:update
Create a collector channel group | secmaster:collectorChannelGroup:create
Update component configuration info | secmaster:component:updateConfigurations
Delete node info | secmaster:node:delete
Update node info | secmaster:node:update
Create table consumption | secmaster:table:createConsumption
Delete table consumption | secmaster:table:deleteConsumption
Import an analysis script | secmaster:analysisScript:import
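The following is an added example, not code from this page or from Huawei Cloud. It builds a least-privilege custom policy for a SOC triage analyst out of authorization items taken from Table 1 and Table 2, and audits it offline before it is attached to a user group. The JSON layout ("Version": "1.1", "Statement" entries with "Effect" and "Action") is the IAM custom-policy format. The evaluation model used to audit the policy (an explicit Deny wins over any Allow, anything not allowed is denied, and '*' wildcards are accepted in Action) is a simplified assumption written for this example; the function names, the analyst role, and the sample action sets are likewise the example's own choices.

```python
"""Least-privilege SecMaster custom policy for a triage analyst, with an offline audit.

Added example (not Huawei Cloud code). Authorization items come from Table 1
(read-only) and Table 2 (write). The evaluation model is a simplified assumption:
explicit Deny beats Allow, default deny otherwise, '*' wildcards allowed in Action.
"""
import fnmatch

# Table 1 items: enough to triage alerts and incidents and to search logs.
ANALYST_READ_ACTIONS = [
    "secmaster:workspace:list", "secmaster:workspace:get",
    "secmaster:alert:list", "secmaster:alert:get",
    "secmaster:incident:list", "secmaster:incident:get",
    "secmaster:indicator:list", "secmaster:indicator:get",
    "secmaster:search:listLogs", "secmaster:search:listHistograms",
]

# Table 2 items a triage analyst genuinely needs: change alert/incident state, open incidents.
ANALYST_WRITE_ACTIONS = [
    "secmaster:alert:update", "secmaster:incident:update", "secmaster:incident:create",
]

# Table 2 items that must never be reachable from this role. Listed as explicit Deny
# so that a broader Allow in some other policy attached to the same group cannot grant them.
ANALYST_DENY_ACTIONS = [
    "secmaster:workspace:delete", "secmaster:alert:delete", "secmaster:incident:delete",
    "secmaster:subscription:createPrePaidOrder",
    "secmaster:subscription:createPostPaidOrder",
    "secmaster:subscription:deletePostPaidOrder",
]

# Constructed sample of Table 2 write items used as the audit checklist.
SAMPLE_WRITE_ACTIONS = [
    "secmaster:alert:update", "secmaster:alert:delete",
    "secmaster:incident:create", "secmaster:incident:update", "secmaster:incident:delete",
    "secmaster:workspace:delete", "secmaster:playbook:delete",
    "secmaster:subscription:createPrePaidOrder",
]


def build_analyst_policy() -> dict:
    """Custom policy in the IAM JSON layout: one Allow statement, one Deny statement."""
    return {
        "Version": "1.1",
        "Statement": [
            {"Effect": "Allow", "Action": ANALYST_READ_ACTIONS + ANALYST_WRITE_ACTIONS},
            {"Effect": "Deny", "Action": ANALYST_DENY_ACTIONS},
        ],
    }


def build_overbroad_policy() -> dict:
    """The shortcut to avoid: a single service-wide wildcard (wildcard form is an assumption)."""
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": ["secmaster:*:*"]}]}


def evaluate(policies: list, action: str) -> bool:
    """Simplified model of IAM evaluation over every policy attached to a group:
    any matching Deny refuses the action; otherwise it needs at least one matching Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def is_allowed(policy: dict, action: str) -> bool:
    return evaluate([policy], action)


def granted_write_actions(policies: list, write_actions: list) -> list:
    """Audit helper: which Table 2 (write) items does this set of policies actually grant?
    A 'read-only' policy that returns a non-empty list here has quietly gained write scope."""
    return sorted(a for a in write_actions if evaluate(policies, a))


if __name__ == "__main__":
    import json
    analyst = build_analyst_policy()
    print(json.dumps(analyst, indent=4))
    print("analyst write scope:", granted_write_actions([analyst], SAMPLE_WRITE_ACTIONS))
    print("wildcard write scope:", granted_write_actions([build_overbroad_policy()], SAMPLE_WRITE_ACTIONS))
    # Attaching the wildcard policy alongside the analyst policy: the explicit Deny list
    # still blocks the destructive items, but everything not on that list leaks through.
    both = [analyst, build_overbroad_policy()]
    print("combined write scope:", granted_write_actions(both, SAMPLE_WRITE_ACTIONS))
```

Run it once before pasting the printed JSON into the custom-policy editor; the "combined write scope" line is the reason the Deny statement exists: it shows which write items survive when a wildcard policy is later attached to the same group, and that only the items named in the Deny list stay blocked.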