doc-exports/docs/rfs/umn/en-us_topic_0000002158636644.html
陈伟 00621181 a562174edd Upload RFS UMN
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: 陈伟 00621181 <chenwei395@huawei.com>
Co-committed-by: 陈伟 00621181 <chenwei395@huawei.com>
2025-02-13 17:52:19 +00:00


<a name="EN-US_TOPIC_0000002158636644"></a>
<h1 class="topictitle1">Custom Policies</h1>
<div id="body0000002158636644"><p id="EN-US_TOPIC_0000002158636644__p8060118">The following lists examples of custom policies for RFS.</p>
<p id="EN-US_TOPIC_0000002158636644__p0641039191020"><strong id="EN-US_TOPIC_0000002158636644__b564239191016">Example Custom Policies</strong></p>
<ul id="EN-US_TOPIC_0000002158636644__ul1740766111117"><li id="EN-US_TOPIC_0000002158636644__li1940711616110">Example 1: Granting permission to view stacks<pre class="screen" id="EN-US_TOPIC_0000002158636644__screen86821028572">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rf:stack:listStacks"
            ]
        }
    ]
}</pre>
</li><li id="EN-US_TOPIC_0000002158636644__li17420919115">Example 2: Denying stack deletion<p id="EN-US_TOPIC_0000002158636644__p133776352423"><a name="EN-US_TOPIC_0000002158636644__li17420919115"></a><a name="li17420919115"></a>“Deny” permissions should be used together with “Allow” permissions. If both “Deny” and “Allow” permissions are assigned, the “Deny” permissions take precedence over the “Allow” permissions.</p>
<p id="EN-US_TOPIC_0000002158636644__p1137718352423">Assume that you want to grant the <strong id="EN-US_TOPIC_0000002158636644__b178474713242">RF FullAccess</strong> permissions to users but do not want them to delete stacks. You can create a custom policy that denies stack deletion and attach it to the users together with the <strong id="EN-US_TOPIC_0000002158636644__b5163121162513">RF FullAccess</strong> policy. Because an explicit deny in any policy overrides any allow, the users can perform all operations on stacks except deleting them. The following shows an example policy for denying stack deletion.</p>
<pre class="screen" id="EN-US_TOPIC_0000002158636644__screen639915112710">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "rf:stack:deleteStack"
            ]
        }
    ]
}</pre>
</li><li id="EN-US_TOPIC_0000002158636644__li5305650820">Example 3: Creating a custom policy containing multiple actions<p id="EN-US_TOPIC_0000002158636644__p83057466813"><a name="EN-US_TOPIC_0000002158636644__li5305650820"></a><a name="li5305650820"></a>A custom policy can contain actions of one or more services. To grant permissions for multiple services in one policy, ensure that the services are all of the same level (global or project).</p>
<p id="EN-US_TOPIC_0000002158636644__p1730512462818">The following shows an example policy that contains multiple actions.</p>
<pre class="screen" id="EN-US_TOPIC_0000002158636644__screen12436113216815">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rf:stack:updateStack",
                "rf:stack:createStack",
                "rf:stack:deployStack",
                "rf:stack:deleteStack",
                "rf:stack:listStacks"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:dek:create",
                "kms:cmk:list"
            ]
        }
    ]
}</pre>
</li></ul>
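<p>The following added example (not part of the original RFS documentation) models the evaluation rule described in Example 2, so that the effective permissions of an attached policy set can be checked before rollout. It assumes a simplified model that looks only at <code>Effect</code> and <code>Action</code>, treats an unmatched action as refused by default, and uses the wildcard <code>rf:*:*</code> as a stand-in for RF FullAccess, whose real content is not shown on this page.</p>

```python
import json
from fnmatch import fnmatchcase

# Stand-in for the RF FullAccess system policy (assumption: the real policy
# body is not shown on this page, so a service-wide wildcard is used).
RF_FULL_ACCESS_STANDIN = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow", "Action": ["rf:*:*"]}]}
""")

# Example 2 from this page: deny stack deletion.
DENY_DELETE = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Deny", "Action": ["rf:stack:deleteStack"]}]}
""")

# The RFS actions that appear in Example 3 on this page.
RF_ACTIONS = ["rf:stack:updateStack", "rf:stack:createStack",
              "rf:stack:deployStack", "rf:stack:deleteStack",
              "rf:stack:listStacks"]


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    An explicit Deny in any attached policy wins regardless of order;
    otherwise one matching Allow is enough; with no matching statement
    the action is refused by default (assumption of this model).
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if any(fnmatchcase(action, p) for p in stmt.get("Action", [])):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                if stmt["Effect"] == "Allow":
                    allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_permissions(policies, actions):
    """Map each action to its decision under the attached policy set."""
    return {a: evaluate(policies, a) for a in actions}


if __name__ == "__main__":
    attached = [RF_FULL_ACCESS_STANDIN, DENY_DELETE]
    for act, decision in effective_permissions(attached, RF_ACTIONS).items():
        print(f"{act:24} {decision}")
```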
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000002154571445.html">Permission Management</a></div>
</div>
</div>