
Getting Started with Policy Management

Last update: 2022-06-03 14:48:05

Overview

In CDNetworks Console IAM, a policy is a set of permission rules that describe which specific actions are allowed or denied (refused).

The permissions for actions are combined into a policy. You delegate a role to end users by granting the policy to the Sub Accounts they use, and you decide which functional operations of each CDNetworks product may be performed by attaching or detaching multiple policies.

A policy is a set of permissions, each consisting of a permission effect (allowed or denied) and actions.

To assign permissions between a user and an action (a functional operation of a CDNetworks product), you create a policy that lets you specify:

  • Actions
    Which CDNetworks product/service actions you allow. For example, you might allow a user to call the POST_CONFIGURATION action of the CA (Content Acceleration) product. Any actions that you don’t explicitly allow are denied.
  • Permission Effect
    Whether to allow or deny access. Because access is denied by default, you typically write policies where the effect is to allow.

The policy management menu is available in the CDNetworks Console.

Entrance

IAM → Permissions → Policies.

Introduction


Policy Type

Policies are divided into two types according to the policy owner:

  • System policies: created and managed by CDNetworks, cannot be modified by customers.
  • Custom policies: created and managed by customers according to their own business requirements.


Creation Way

Policies are also divided into two kinds according to how they are created:

  • Functional policy
    • Covers the CDNetworks Console’s functional features, such as traffic reports and the domain configuration items used in the CDN products and Cloud Security products.
  • Expression policy
    • CDNetworks Console provides expression policies to assign specific operation permissions for specific resources, based on the IAM structure, at the syntax level.
    • Only the UC and Object Storage products support expression policies; CDN and security products do not.

Policy Type

The following table helps you understand which policy types are applied to product lists.

| Main Category | Category | Product Lists | Created Policy Type |
|---|---|---|---|
| Product & Service | CDN product | Content Acceleration, Dynamic Web Acceleration, Download Acceleration, Media Acceleration, Media Acceleration - Live Broadcast | Function policy |
| Product & Service | Security Product | Flood Shield, Application Shield, Bot Shield, Web Application Firewall, FloodShield (for Media Acceleration) | Function policy |
| Product & Service | Storage | Object Storage | Expression policy |
| Product & Service | Application Service | Content MGMT, Log Download Certificate MGMT, HTTPDNS, Security Report, Security Overview | Function policy |
| IAM | UC | IAM permission, Control-group management, Contract Management, Access Key management | Expression policy |

What is UC

UC is an identity management service that includes the policies related to IAM permission, control group management, contact management, access keys, and API keys. The policies below are examples.

Naming Rule of Action and Policy

Name convention of Action

This topic describes the naming rule for actions, with examples of action names.

The naming convention for actions works as follows:

    • “Get_XXX” means the function views something (reports or configuration).
      • (e.g. Get_Origin_Modifition views the configuration of the Origin Modification function)
    • “Post_XXX” means the function changes or edits something (usually configuration).
      • (e.g. Post_Disable_Domain disables the domain,
      • Post_Create_Domain creates a new domain)
    • XXX is the report name, configuration item, or even a specific button on a page.

Name convention of System Policy

There are two naming conventions: one for product policies and one for non-product policies.

Naming-Rule: ‘Product name’ _ ‘Function type’ _ ‘Function name’ _ ‘Function role’

  • Product name: the product whose domains the policy applies to
  • Common function type
    • VAS: the function is a VAS feature, not open to Main Accounts by default
    • custom: the function is a customized feature, not open to Main Accounts by default
  • Function name: what the function is
  • Function role
    • report: displays one report of the function
    • config: provides one configuration item
    • data: shows one data item of the function
      For example, the policy name “MA-Live_VAS_DedicatedCaching_Report” means displaying the report of the VAS feature dedicated caching for the MA-Live product.
  • Non-product policies apply to common services such as log download or content management.
  • For example, CA_BasicPolicy_write grants view permission for all basic functions to the user account. Basic functions are common reports such as traffic, status code, and region information, and even some common configurations such as back-to-origin configurations.
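
The action and system-policy naming conventions above can drive a least-privilege review of what a Sub Account has been granted. The following Python is an added example, not CDNetworks code or a console API; the function names, the input lists and the action `Delete_Domain` are assumptions made for illustration.

```python
# Added example: least-privilege review based on the naming conventions above.
RESTRICTED_TYPES = {"vas", "custom"}  # page: not open to Main Accounts by default

def classify_action(action):
    """'read' for Get_XXX, 'write' for Post_XXX, 'unknown' for anything else."""
    prefix, sep, rest = action.partition("_")
    if not (sep and rest):
        return "unknown"
    # The page writes both Post_XXX and POST_CONFIGURATION, so compare case-insensitively.
    return {"get": "read", "post": "write"}.get(prefix.lower(), "unknown")

def parse_policy_name(name):
    """Split 'Product_FunctionType_FunctionName_FunctionRole'; None if fewer than four parts."""
    parts = name.split("_")
    if len(parts) < 4 or not all(parts):
        return None
    return {
        "product": parts[0],
        "function_type": parts[1],
        "function_name": "_".join(parts[2:-1]),
        "function_role": parts[-1].lower(),
        "restricted": parts[1].lower() in RESTRICTED_TYPES,
    }

def review_grants(policy_names, actions):
    """Group a Sub Account's grants into the items a reviewer should look at first."""
    findings = {"write": [], "unknown": [], "restricted": [], "unparsed": []}
    for action in actions:
        kind = classify_action(action)
        if kind != "read":          # read-only actions need no special attention
            findings[kind].append(action)
    for name in policy_names:
        parsed = parse_policy_name(name)
        if parsed is None:          # e.g. non-product policies with three parts
            findings["unparsed"].append(name)
        elif parsed["restricted"]:  # VAS or custom feature
            findings["restricted"].append(name)
    return findings

# Constructed sample grants. Names come from this page except Delete_Domain,
# which is hypothetical and only shows how an unrecognised prefix is reported.
SAMPLE_POLICIES = ["MA-Live_VAS_DedicatedCaching_Report", "CA_BasicPolicy_write"]
SAMPLE_ACTIONS = ["Get_Origin_Modifition", "Post_Disable_Domain",
                  "POST_CONFIGURATION", "Delete_Domain"]

if __name__ == "__main__":
    for group, items in review_grants(SAMPLE_POLICIES, SAMPLE_ACTIONS).items():
        print(f"{group}: {items}")
```

Policies reported as unparsed are not necessarily wrong; they simply do not follow the four-part product rule and have to be read by hand.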


Default policy

  • The Main Account has the system policies for the CDNetworks products you have contracted to use.
  • The Main Account can attach a policy with “adding permission” to grant permission to use the functional operations of products.
  • The Main Account can detach a policy with “revoke permission” to remove permission from a Sub Account.


Instructions for Functional Policy

View actions that are combined in one policy.

To view the list of actions in a policy, click the name of the policy you selected; the action list is then displayed.

  • Click the policy name.
  • Check the list of actions.
    In the example below, the action list of the Media Acceleration Live product has the permission effect “allowed”.

Combine multiple actions of different products into one policy

You can combine multiple actions of different products into a single policy in CDNetworks Console IAM.

  • With one click you can aggregate actions of multiple products into one policy. For example, you can choose actions of CA products with the permission effect "allowed".
  • After you switch to the MA product, you can also choose actions of MA products with the permission effect "allowed".
  • Click the “Save” button to save the actions of the different products as one policy.