Custom Access Policy

<p class="shortdesc"></p> <p class="p">A custom access policy is written in JSON and describes, in an abstract form, which permissions are granted. The RAM authorization policy language can express fine-grained authorization semantics and grant access to a specific API Action on a specific Resource ID.</p> <p class="p">A permission control policy consists of a Version and one Statement or a set of Statements. Each Statement contains one or more Resource entries, one or more Action entries, and an Effect. The Statement defines whether the Effect applies when the designated Action is performed on the designated Resource.</p>
<section class="section" id="custom__section_fhd_2bd_flb"><h2 class="doc-tairway">Resource</h2> <p class="p">A Resource is the abstraction of an object entity provided by a cloud service. Its full format is as follows:</p> <pre class="pre codeblock"><code>pcs:{$ServiceType}:{$RegionId}:{$AccountId}:{$ResourceType}/{$ResourceIdentifier}</code></pre> <table class="table" id="custom__table_gvv_gbd_flb"><caption></caption><colgroup><col style="width:153pt"><col style="width:311pt"></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="custom__table_gvv_gbd_flb__entry__1">Item</th> <th class="entry" id="custom__table_gvv_gbd_flb__entry__2">Description</th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 "> <p class="p">pcs</p> </td> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 "> <p class="p">pcs is the English abbreviation of the PinganCloud identifier (Pingan Cloud Service).</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 "> <p class="p">{$ServiceType}</p> </td> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 "> <p class="p">The English abbreviation of a specific service type, such as ram, ecs, igw, elb, vpc, vpn, and obs.</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 "> <p class="p">{$RegionId}</p> </td> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 "> <p class="p">Region UUID, such as Region-SouthChina. If no distinction between regions is needed, * can be used.</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 "> <p class="p">{$AccountId}</p> </td> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 "> <p class="p">Account UUID (such as Tenant-h18HTXgEJ4), which can generally be replaced by *.</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 "> <p class="p">{$ResourceType}</p> </td> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 "> <p class="p">Resource type. One service type can include multiple resource types, such as Instance.</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 "> <p class="p">{$ResourceIdentifier}</p> </td> <td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 "> <p class="p">Identifies a specific resource instance, which can be its name, ID, or similar. Combined with the resource type, it identifies one instance of that resource type; for example, instance/Instance-WiF4qB identifies the cloud host instance whose UUID is Instance-WiF4qB.</p> </td> </tr> </tbody></table> </section>
<section class="section" id="custom__section_qjf_hbd_flb"><h2 class="doc-tairway">Action</h2> <p class="p">Action describes the operation performed by the user. It can be a specific value (such as ListInstances) or use the wildcard * to represent a series of operations (for example, List* means all operations of the designated service whose names begin with List, including ListInstances, ListSecurityGroups, and so on).</p> <table class="table" id="custom__table_j5t_bhd_flb"><caption></caption><colgroup><col><col><col></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="custom__table_j5t_bhd_flb__entry__1">Action</th> <th class="entry" id="custom__table_j5t_bhd_flb__entry__2">Resource</th> <th class="entry" id="custom__table_j5t_bhd_flb__entry__3">Description</th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__1 " rowspan="2"> <p class="p">AddUserToGroup</p> </td> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 "> <p class="p">pcs:ram:*:${AccountId}:group/${GroupName}</p> </td> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__3 " rowspan="2"> <p class="p">Add a sub-account to a group</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 "> <p class="p">pcs:ram:*:${AccountId}:user/${LoginName}</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__1 "> <p class="p">AdminResetPassword</p> </td> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 "> <p class="p">pcs:ram:*:${AccountId}:user/*</p> </td> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__3 "> <p class="p">Reset the password of a sub-account</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__1 " rowspan="2"> <p class="p">AttachPolicyToGroup</p> </td> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 "> <p class="p">pcs:ram:*:${AccountId}:group/${GroupName}</p> </td> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__3 " rowspan="2"> <p class="p">Attach an authorization policy to a group</p> </td> </tr> <tr class="row"> <td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 "> <p class="p">pcs:ram:*:${AccountId}:policy/${PolicyName}</p> </td> </tr> </tbody></table> </section>
<section class="section" id="custom__section_chz_stk_flb"><h2 class="doc-tairway">Effect</h2> <p class="p">The value of Effect can be Allow or Deny. Allow means the operation is permitted; Deny means the operation is refused. If authorization statements conflict during authentication, Deny takes priority.</p> <p class="p">The following is an example of a custom access policy. It allows starting and stopping the cloud host instances Instance-TrcJCCYtYW and Instance-fR8YYjTu90.</p> <pre class="pre codeblock"><code>{
    "Statement": [
        {
            "Resource": [
                "pcs:ecs:*:*:instance/Instance-TrcJCCYtYW",
                "pcs:ecs:*:*:instance/Instance-fR8YYjTu90"
            ],
            "Action": [
                "ecs:StartInstance",
                "ecs:StopInstance"
            ],
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}</code></pre> </section>
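<p class="p">The following is an added illustration, not code from the Pingan Cloud RAM service: a small evaluator that applies the rules described above (segment-wise * wildcards in the Resource format, prefix wildcards such as List* in Action, and Deny winning over Allow) to a constructed policy modelled on the example, with a second Deny statement added to show the conflict rule.</p>

```python
import fnmatch
import json

# Constructed sample policy modelled on the page's example, plus a Deny
# statement on one instance so the Deny-takes-priority rule is exercised.
POLICY_JSON = """{
  "Statement": [
    {
      "Resource": ["pcs:ecs:*:*:instance/Instance-TrcJCCYtYW",
                   "pcs:ecs:*:*:instance/Instance-fR8YYjTu90"],
      "Action": ["ecs:StartInstance", "ecs:StopInstance"],
      "Effect": "Allow"
    },
    {
      "Resource": ["pcs:ecs:*:*:instance/Instance-fR8YYjTu90"],
      "Action": ["ecs:Stop*"],
      "Effect": "Deny"
    }
  ],
  "Version": "1"
}"""


def _as_list(value):
    # Resource and Action may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # Compare colon-separated segments one by one, so a "*" stands in for a
    # whole RegionId or AccountId segment and "List*" matches an action prefix.
    for pattern in _as_list(patterns):
        p_parts, v_parts = pattern.split(":"), value.split(":")
        if len(p_parts) == len(v_parts) and all(
            fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts)
        ):
            return True
    return False


def evaluate(policy_json, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' for one action on one resource."""
    policy = json.loads(policy_json)
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # one or a set
    decision = "NoMatch"  # nothing covers the request: implicitly denied
    for stmt in stmts:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision
```

A request is granted only when evaluate returns "Allow"; "NoMatch" should be treated the same as "Deny" by a caller.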