vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/eip/umn/permission_0004.html
Qin Ying, Fan 1e074c969a EIP UMN 20240126 version 
Reviewed-by: Sarda, Priya <prsarda@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: Qin Ying, Fan <fanqinying@huawei.com>
Co-committed-by: Qin Ying, Fan <fanqinying@huawei.com>
2024-05-21 11:04:33 +00:00

64 lines
4.4 KiB
HTML
Raw Permalink Blame History

<a name="permission_0004"></a><a name="permission_0004"></a>
<h1 class="topictitle1">EIP Custom Policies</h1>
<div id="body8662426"><p id="permission_0004__p85752135715">Custom policies can be created as a supplement to the system policies of EIP. For the actions supported for custom policies, see <em id="permission_0004__i20961044132818"><a href="https://docs.otc.t-systems.com/virtual-private-cloud/api-ref/permissions_policies_and_supported_actions/index.html" target="_blank" rel="noopener noreferrer">Permissions Policies and Supported Actions</a>.</em></p>
<p id="permission_0004__p1391019913815">You can create custom policies in either of the following ways:</p>
<ul id="permission_0004__ul7608134252211"><li id="permission_0004__li131893469221">Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.</li><li id="permission_0004__li186081242142216">JSON: Edit JSON policies from scratch or based on an existing policy.<p id="permission_0004__p14439125933520"><a name="permission_0004__li186081242142216"></a><a name="li186081242142216"></a>For details, see <a href="https://docs.otc.t-systems.com/identity-access-management/umn/user_guide/permissions/creating_a_custom_policy.html" target="_blank" rel="noopener noreferrer">Creating a Custom Policy</a>. The following section contains examples of common EIP custom policies.</p>
</li></ul>
<div class="section" id="permission_0004__en-us_topic_0171307069_section51981826152017"><h4 class="sectiontitle">Example Custom Policies</h4><ul id="permission_0004__en-us_topic_0171307069_ul783572752011"><li id="permission_0004__en-us_topic_0171307069_li14835327172017">Example 1: Grant permissions to assign and view EIPs<pre class="screen" id="permission_0004__en-us_topic_0171307069_screen1464193292417">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"
vpc:publicIps:create,
vpc:publicIps:list
"
]
}
]
}</pre>
</li><li id="permission_0004__en-us_topic_0171307069_li1083502772018">Example 2: Grant permission to deny EIP deletion.<p id="permission_0004__en-us_topic_0171307069_p11835122732018"><a name="permission_0004__en-us_topic_0171307069_li1083502772018"></a><a name="en-us_topic_0171307069_li1083502772018"></a>A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.</p>
<p id="permission_0004__en-us_topic_0171307069_p16835182716203">Assume that you want to grant the permissions of the <strong id="permission_0004__b15443161551812">VPC FullAccess</strong> policy to a user but want to prevent them from releasing EIPs. You can create a custom policy for denying EIP release, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on EIPs except releasing them. Example policy denying EIP release:</p>
<pre class="screen" id="permission_0004__en-us_topic_0171307069_screen0212155773014">{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"vpc:publicIps:delete"
]
}
]
}</pre>
</li></ul>
</div>
<ul id="permission_0004__ul783572752011"><li id="permission_0004__li53625446377">Example 3: Create a custom policy containing multiple actions.<p id="permission_0004__p2610194519379"><a name="permission_0004__li53625446377"></a><a name="li53625446377"></a>A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). Example policy containing multiple actions:</p>
<pre class="screen" id="permission_0004__screen172023611149">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"vpc:publicIps:update",
"vpc:publicIps:create"
]
},
{
"Effect": "Deny",
"Action": [
"vpc:publicIps:delete"
]
}
]
}</pre>
</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="permission_0001.html">Permissions Management</a></div>
</div>
</div>
View Git Blame Copy Permalink