Expression Policy

The basic elements of Policy are the basic components of a permission policy. IAM uses permission policies to describe the specific content of authorization.

Understanding the basic knowledge of the basic elements of Policy can help you use permission policies more reasonably.

Basic Elements of Policy

Basic rules for using policy elements

• Effect

Valid values are Allow and Deny.

• Action

  Action supports multiple values defined by CDNetworks.

  Syntax

  < service-name>:< action-name>

  service-name

  the name of a CDNetworks service.

  action-name

  one or more operation names from the service.

  Example: “Action”: [“wos:ListBuckets”]

• Resource

  Resources usually refer to the specific objects that are authorized.

  Syntax

  wsc:< service-name>:< region>:< account>:< relative-id>.

  wsc

  the acronym for CDNetworks console.

  service-name: the

  product name

  of a CDNetworks service, such as wos.

  region

  the region information. If the resource does not support this parameter，you can use an asterisk (*) wildcard character.

  account

  your login name（in English).

  relative-id

  the identifier of the service-related resource. The meaning of this element varies by service. The value of the relative-id element can be a file path. For example, relative-id = “mybucket/dir1/object1.jpg” indicates a WOS object.

  Example: “Resource”: [“wsc:wos:::mybucket”, “wsc:wos:::mybucket/*”]

Policy example

The meaning of the following permissions policy: allow read-only operations on WOS samplebucket, and prohibit write operations on WOS samplebucket:

{
"Version": "1",
"Statement":
[{

"Effect":"Allow",
"Action": ["wos:List*", "wos:Get*"],

"Resource": ["wsc:wos:::samplebucket", "wsc:wos:::samplebucket/*"],

},
{
"Effect":"Deny",
"Action": ["wos:Delete*", "wos:Put*"],

"Resource": ["wsc:wos:::samplebucket", "wsc:wos:::samplebucket/*"],

}]
}