Info

Best Practice: To give domain administrators broad permissions you could list every Action they are allowed to perform. It is easier and less error-prone to list the few actions they must not perform (such as DeleteDomain and CopyDomain) by replacing the Action statement with a NotAction statement. Keep in mind that an Allow statement with NotAction grants every action that is not listed, including actions added to the product after the policy was written, so review the exclusion list whenever the set of available actions changes:

```json
{
  "Version": "2016-10-17",
  "Statement": [
    {
      "Sid": "Grant all except excluded domain operations to admins2",
      "Resource": "/*",
      "Effect": "Allow",
      "Principal": { "group": [ "admins2" ] },
      "NotAction": [ "CopyDomain", "DeleteDomain" ]
    }
  ]
}
```
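The following evaluator is an added example, not Caringo Swarm's own policy engine, to show how Action and NotAction statements differ in what they cover. It assumes an AWS-style model that the page does not spell out: a Principal of the form `{"group": [...]}` or `{"user": [...]}` (or `"*"`), glob matching with `*` for Action and Resource, default deny, and an explicit Deny taking precedence over Allow. The user names, group names and the `FutureAction` name are constructed for the demonstration; the policy document is the one above.

```python
import fnmatch
import json

# The page's NotAction policy, embedded as the sample input.
POLICY_DOC = """
{
  "Version": "2016-10-17",
  "Statement": [
    {
      "Sid": "Grant all except excluded domain operations to admins2",
      "Resource": "/*",
      "Effect": "Allow",
      "Principal": { "group": [ "admins2" ] },
      "NotAction": [ "CopyDomain", "DeleteDomain" ]
    }
  ]
}
"""


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """Case-sensitive glob match ("*" wildcard) of value against any pattern."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, user, groups):
    """Principal is "*" (anyone) or {"user": [...], "group": [...]} (assumed shape)."""
    if principal == "*":
        return True
    if user in _as_list(principal.get("user", [])):
        return True
    return any(g in _as_list(principal.get("group", [])) for g in groups)


def statement_applies(stmt, action, resource, user, groups):
    """True if Principal, Resource and Action/NotAction all match the request."""
    if not _principal_matches(stmt.get("Principal", {}), user, groups):
        return False
    if not _matches(stmt.get("Resource", []), resource):
        return False
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:
        # NotAction: the statement covers every action EXCEPT the listed ones.
        return not _matches(stmt["NotAction"], action)
    return False


def evaluate(policy, action, resource, user, groups):
    """Return "Allow" or "Deny". Default is Deny; an explicit Deny overrides
    Allow (assumed precedence, as in AWS-style policy languages)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource, user, groups):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    """Evaluate a few constructed requests against the page's policy."""
    policy = json.loads(POLICY_DOC)
    admin = {"user": "alice", "groups": ["admins2"]}       # constructed
    outsider = {"user": "bob", "groups": ["readers"]}      # constructed
    return {
        "admin GetDomain": evaluate(policy, "GetDomain", "/mydomain", **admin),
        "admin DeleteDomain": evaluate(policy, "DeleteDomain", "/mydomain", **admin),
        "admin CopyDomain": evaluate(policy, "CopyDomain", "/mydomain", **admin),
        # Anything not in the NotAction list is granted, including an action
        # that did not exist when the policy was written.
        "admin FutureAction": evaluate(policy, "FutureAction", "/mydomain", **admin),
        # Not in the admins2 group: no statement applies, so the default Deny holds.
        "outsider GetDomain": evaluate(policy, "GetDomain", "/mydomain", **outsider),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:22} -> {decision}")
```

Running it shows GetDomain allowed and DeleteDomain/CopyDomain denied for a member of admins2, while the constructed FutureAction is also allowed: that last line is the NotAction trade-off, convenient for administrators but worth re-checking whenever new actions appear.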
Policy Document Fields
Policy documents are JSON-formatted objects.
...
| Manage | Action | Scope | Description |
|---|---|---|---|
| Global | * | R,T,D,B | All actions |
| Tenants | ListTenants | R | List all tenants |
| | CreateTenant | R | Create a new tenant or change an existing one |
| | GetTenant | R,T | Retrieve tenant properties |
| | DeleteTenant | R,T | Permanently remove tenant properties |
| | ListEtc | R,T | List documents associated with a tenant |
| Domains | ListDomains | R,T | List the domains owned by the _system tenant |
| | CreateDomain | R,T | Create a domain for the _system tenant |
| | GetDomain | R,T,D | GET a domain |
| | DeleteDomain | R,T,D | Delete a domain |
| Policies | ListEtc | R,T,D | List documents associated with a tenant or a storage domain |
| | PutPolicy | R,T,D | Create or update an access control policy JSON document |
| | GetPolicy | R,T,D | Read an access control policy JSON document |
| | DeletePolicy | R,T,D | Permanently remove an access control policy JSON document |
| Authentication | TokenAdmin | R,T,D | Create and list authorization tokens for other users in the same scope |
| | CreateToken | R,T,D | Create an authentication token |
| | ListTokens | R,T,D | List user authentication tokens |
| | ValidateToken | R,T,D | Read an authentication token |
| | DeleteToken | R,T,D | Delete an authentication token |
...