vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/tms/umn/tms_04_0008.html
Wei, Hongmin b9f5622cca TMS UMN 0207 Version 
Reviewed-by: Rumpler, Mihály <mihaly.rumpler@t-systems.com>
Co-authored-by: Wei, Hongmin <weihongmin1@huawei.com>
Co-committed-by: Wei, Hongmin <weihongmin1@huawei.com>
2024-04-26 10:27:19 +00:00

59 lines
3.5 KiB
HTML
Raw Blame History

<a name="tms_04_0008"></a><a name="tms_04_0008"></a>
<h1 class="topictitle1">Custom Policies</h1>
<div id="body0000001748583625"><p id="tms_04_0008__p82911030103912">The following lists examples of custom policies for TMS.</p>
<div class="section" id="tms_04_0008__section455661411212"><h4 class="sectiontitle">Example Custom Policies</h4><ul id="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_ul2504185715494"><li id="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_li5504357164912">Example 1: Grant permission to view predefined tags<pre class="screen" id="tms_04_0008__tms_04_0006_screen1434821115119">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"tms:predefineTags:list"
]
}
]
}</pre>
</li><li id="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_li3652938178">Example 2: Grant permission to deny predefined tag deletion<p id="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_p1892813119464"><a name="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_li3652938178"></a><a name="tms_04_0006_en-us_topic_0000001489537442_li3652938178"></a>A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.</p>
<p id="tms_04_0008__tms_04_0006_p62042046114620">Assume that you want to grant the permissions of the <strong id="tms_04_0008__tms_04_0006_b13162115484513">TMS FullAccess</strong> to a user but want to prevent them from deleting predefined tags. You can create a custom policy for denying predefined tag deletion, and attach this policy together with the <strong id="tms_04_0008__tms_04_0006_b2215154618467">TMS FullAccess</strong> policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on these tags excepting deleting them. Example policy denying predefined tag deletion:</p>
<pre class="screen" id="tms_04_0008__tms_04_0006_screen6462365312">{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"tms:predefineTags:delete"
]
}
]
}</pre>
</li><li id="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_li8475316125413">Example 3: Create a custom policy containing multiple actions.<p id="tms_04_0008__tms_04_0006_p2491830111410"><a name="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_li8475316125413"></a><a name="tms_04_0006_en-us_topic_0000001489537442_li8475316125413"></a>A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).</p>
<p id="tms_04_0008__tms_04_0006_en-us_topic_0000001489537442_p164313514480">Example policy containing multiple actions:</p>
<pre class="screen" id="tms_04_0008__tms_04_0006_screen6963631321">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"tms:predefineTags:create",
"tms:predefineTags:delete"
]
},
{
"Effect": "Allow",
"Action": [
"obs:bucket:ListAllMyBuckets",
"obs:bucket:ListBucket"
]
}
]
}</pre>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="tms_04_0000.html">Permissions Management</a></div>
</div>
</div>
View Git Blame Copy Permalink