forked from docs/doc-exports
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Chen, Junjie <chenjunjie@huawei.com> Co-committed-by: Chen, Junjie <chenjunjie@huawei.com>
75 lines
6.7 KiB
HTML
<a name="functiongraph_01_0215"></a><a name="functiongraph_01_0215"></a>
<h1 class="topictitle1">Creating a Custom Policy</h1>
<div id="body32001227"><p id="functiongraph_01_0215__en-us_topic_0000001298547965_p252114615315">Custom policies can be created as a supplement to the system policies of FunctionGraph.</p>
<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p67482219501">You can create custom policies in either of the following ways:</p>
<ul id="functiongraph_01_0215__en-us_topic_0000001298547965_ul3745223505"><li id="functiongraph_01_0215__en-us_topic_0000001298547965_li37514226502">Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.</li><li id="functiongraph_01_0215__en-us_topic_0000001298547965_li197582275016">JSON: Edit JSON policies from scratch or based on an existing policy.</li></ul>
<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p875162217506">For details, see section "Creating a Custom Policy". This section introduces examples of common FunctionGraph custom policies.</p>
<div class="section" id="functiongraph_01_0215__en-us_topic_0000001298547965_section198210477557"><h4 class="sectiontitle">Example Custom Policies</h4><ul id="functiongraph_01_0215__en-us_topic_0000001298547965_ul1137295811265"><li id="functiongraph_01_0215__en-us_topic_0000001298547965_li10372358142611">Example 1: Authorizing a user to query function code and configuration<pre class="screen" id="functiongraph_01_0215__en-us_topic_0000001298547965_screen819581918475">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "functiongraph:function:list",
                "functiongraph:function:getConfig",
                "functiongraph:function:getCode"
            ]
        }
    ]
}</pre>
</li><li id="functiongraph_01_0215__en-us_topic_0000001298547965_li872995282811">Example 2: Denying function deletion<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p145812018122914"><a name="functiongraph_01_0215__en-us_topic_0000001298547965_li872995282811"></a><a name="en-us_topic_0000001298547965_li872995282811"></a>A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If both "Allow" and "Deny" permissions are assigned to a user, the "Deny" permissions take precedence over the "Allow" permissions.</p>
<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p19445181314297">If you need to assign permissions of the <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b1338141181913">FunctionGraph FullAccess</strong> policy to a user but prevent the user from deleting functions, create a custom policy for denying function deletion, and attach both policies to the group to which the user belongs. In this way, the user can perform all operations on FunctionGraph except deleting functions. The following is an example of a deny policy:</p>
<pre class="screen" id="functiongraph_01_0215__en-us_topic_0000001298547965_screen1545419239477">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "functiongraph:function:delete"
            ]
        }
    ]
}</pre>
</li><li id="functiongraph_01_0215__en-us_topic_0000001298547965_li14580258184512">Example 3: Configuring permissions for specific resources<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p17996440267"><a name="functiongraph_01_0215__en-us_topic_0000001298547965_li14580258184512"></a><a name="en-us_topic_0000001298547965_li14580258184512"></a>You can grant an IAM user permissions for specific resources. For example, to grant a user permissions for the <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b18147181785919">functionname</strong> function in the <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b2724213145920">Default</strong> application, set <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b1693985555911">functionname</strong> to a specified resource path, that is, <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b1184451510013">FUNCTIONGRAPH:*:*:function:Default/functionname</strong>.</p>
<div class="note" id="functiongraph_01_0215__en-us_topic_0000001298547965_note3711191279"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="functiongraph_01_0215__en-us_topic_0000001298547965_p1337761631720">Specify function resources:</p>
<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p0277191611149">Format: <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b19391103225212">FUNCTIONGRAPH:*:*:function: </strong><em id="functiongraph_01_0215__en-us_topic_0000001298547965_i1211373610526">application or function name</em></p>
<p id="functiongraph_01_0215__en-us_topic_0000001298547965_p33301821131615">For function resources, IAM automatically generates the resource path prefix <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b173865359490">FUNCTIONGRAPH:*:*:function:</strong>. You can specify a resource path by adding the application or function name next to the path prefix. Wildcards (*) are supported. For example, <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b1731173065311">FUNCTIONGRAPH:*:*:function:Default/*</strong> indicates any function in the <strong id="functiongraph_01_0215__en-us_topic_0000001298547965_b17323144075318">Default</strong> application.</p>
</div></div>
<pre class="screen" id="functiongraph_01_0215__en-us_topic_0000001298547965_screen345412810476">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "functiongraph:function:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "functiongraph:function:listAlias",
                "functiongraph:function:listVersion",
                "functiongraph:function:getConfig",
                "functiongraph:function:getCode",
                "functiongraph:function:updateCode",
                "functiongraph:function:invoke",
                "functiongraph:function:updateConfig",
                "functiongraph:function:createVersion",
                "functiongraph:function:updateAlias",
                "functiongraph:function:createAlias"
            ],
            "Resource": [
                "FUNCTIONGRAPH:*:*:function:Default/*"
            ]
        }
    ]
}</pre>
</li></ul>
</div>
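<p>The following Python sketch is an added example, not part of the original FunctionGraph documentation or IAM's own evaluation code. It models how the example policies combine when attached together: an explicit "Deny" overrides any "Allow", a Deny-only policy grants nothing by itself, and a "Resource" entry limits a statement to matching paths. Assumptions: the broad allow policy is a constructed stand-in (not the real content of FunctionGraph FullAccess), wildcards are matched with <code>fnmatch</code>, and a statement without "Resource" is treated as applying to all resources.</p>

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for a broad allow policy; NOT the real content of
# the FunctionGraph FullAccess system policy.
BROAD_ALLOW = json.loads("""{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["functiongraph:*:*"]}]}""")

# Example 2 from this page (deny function deletion).
DENY_DELETE = json.loads("""{"Version": "1.1", "Statement": [
  {"Effect": "Deny", "Action": ["functiongraph:function:delete"]}]}""")

# Second statement of Example 3, reduced to two of its actions.
DEFAULT_APP_ONLY = json.loads("""{"Version": "1.1", "Statement": [
  {"Effect": "Allow",
   "Action": ["functiongraph:function:getCode",
              "functiongraph:function:invoke"],
   "Resource": ["FUNCTIONGRAPH:*:*:function:Default/*"]}]}""")


def statement_matches(stmt, action, resource):
    """True if the statement covers this action on this resource path."""
    if not any(fnmatchcase(action, pat) for pat in stmt["Action"]):
        return False
    # Assumption: a statement without "Resource" applies to every resource.
    patterns = stmt.get("Resource", ["*"])
    return any(fnmatchcase(resource, pat) for pat in patterns)


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = {
        stmt["Effect"]
        for policy in policies
        for stmt in policy["Statement"]
        if statement_matches(stmt, action, resource)
    }
    if "Deny" in effects:      # an explicit Deny overrides any Allow
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"      # nothing matched, so nothing is granted
```

<p>Running the same checks against a draft policy before attaching it is a quick way to catch a misspelled service prefix in an action name, which matches no request and therefore silently grants nothing.</p>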
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="functiongraph_01_0140.html">Permissions Management</a></div>
</div>
</div>