Overview
In CDNetworks Console IAM, a policy is a set of permission rules that describes which specific actions are allowed or denied (refused).
The permissions for actions are combined into a policy. You delegate a role to end users by granting the policy to the Sub Accounts they use, and you control whether each action needed to operate a CDNetworks product is allowed by attaching or detaching multiple policies.
A policy is a set of permissions, each consisting of a permission effect (allowed or denied) and actions.
To assign permissions between a user and an action (a functional operation of a CDNetworks product), you create a policy that lets you specify:
- Actions
  Which CDNetworks product/service actions you allow. For example, you might allow a user to call the POST_CONFIGURATION action of the CA (Content Acceleration) product. Any actions that you don’t explicitly allow are denied.
- Permission Effect
  Whether to allow or deny access. Because access is denied by default, you typically write policies where the effect is to allow.
The policy management menu is available in the CDNetworks Console.
Entrance
IAM → Permissions → Policies.
Introduction
Policy Type
Policies fall into two types according to who owns them:
- System policies: created and managed by CDNetworks, cannot be modified by customers.
- Custom policies: created and managed by customers according to their own business requirements.
Creation Method
Policies also fall into two types according to how they are created:
- Functional policy
  - Covers the CDNetworks Console’s functional features, such as traffic reports and domain configuration items, that are used in the CDN products and Cloud Security products.
- Expression policy
  - CDNetworks Console provides the Expression policy to assign specific operation permissions for specific resources, based on the IAM structure, at the syntax level.
  - Expression policies are supported only for the UC and Object Storage products; CDN and security products do not support them.
Policy Type
The following table helps you understand which policy types are applied to product lists.
| Main Category | Category | Product Lists | Created Policy Type |
| --- | --- | --- | --- |
| Product & Service | CDN product | Content Acceleration, Dynamic Web Acceleration, Download Acceleration, Media Acceleration, Media Acceleration - Live Broadcast | Function policy |
| | Security Product | Flood Shield, Application Shield, Bot Shield, Web Application Firewall, FloodShield (for Media Acceleration) | Function policy |
| | Storage | Object Storage | Expression policy |
| | Application Service | Content MGMT, Log Download, Certificate MGMT, HTTPDNS, Security Report, Security Overview | Function policy |
| IAM | UC | IAM permission, Control-group management, Contract Management, Access Key management | Expression policy |
What is UC
UC is an identity management service. It includes the policies related to IAM permission, control group management, contact management, access keys, and API keys. The policies below are examples.
Naming Rule of Action and Policy
Name convention of Action
This topic describes the naming rule for actions, with examples of action names:
- “Get_XXX” means the function of viewing something (reports or configuration).
  - e.g. Get_Origin_Modifition: the function is to view the configuration of the Origin Modification function.
- “Post_XXX” means the function of changing/editing something (usually configuration).
  - e.g. Post_Disable_Domain: the function is to disable the Domain.
  - e.g. Post_Create_Domain: the function is to create a new Domain.
- XXX is the report name, the configuration item, or even a specific button on one page.
Name convention of System Policy
There are two naming conventions: one for product policies and one for non-product policies.
Naming-Rule: ‘Product name’ _ ‘Function type’ _ ‘Function name’ _ ‘Function role’
- Product name: which product's domains the policy works for
- Common function type
  - VAS: the function is a VAS feature, not open to Main Accounts by default.
  - custom: the function is a customized feature, not open to Main Accounts by default.
- Function name: what the function is
- Function role
  - report: displays one report of the function
  - config: provides one configuration item
  - data: shows one data item of the function
For example, the policy name “MA-Live_VAS_DedicatedCaching_Report” means the policy displays the report of the VAS feature dedicated caching for the MA-Live product.
- A non-product policy applies to common services such as log download or content management.
- For example, CA_BasicPolicy_write grants view permission for all basic functions to the user account. Basic functions are common reports such as traffic, status code, and region information, and some common configurations such as Back-to-origin configurations.
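The two naming rules above can be applied mechanically when reviewing what a Sub Account is permitted to do. The following Python is an added example, not CDNetworks code: it splits a system policy name into its fields and lists the allowed actions that are not plain `Get_` views. The custom policy names `subaccount-readonly` and `subaccount-ops`, and the handling of a three-field name as having no function type, are assumptions.

```python
from typing import NamedTuple, Optional

FUNCTION_TYPES = {"vas", "custom"}  # function types listed on this page

class PolicyName(NamedTuple):
    product: str
    function_type: Optional[str]
    function_name: str
    role: str

def parse_policy_name(name: str) -> PolicyName:
    """Split 'Product_FunctionType_FunctionName_FunctionRole'.

    Assumption: if the second field is not VAS/custom, the name has
    no function type (as in CA_BasicPolicy_write).
    """
    parts = name.split("_")
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"not a system policy name: {name!r}")
    product, middle, role = parts[0], parts[1:-1], parts[-1].lower()
    ftype = None
    if len(middle) > 1 and middle[0].lower() in FUNCTION_TYPES:
        ftype = middle.pop(0)
    return PolicyName(product, ftype, "_".join(middle), role)

def classify_action(action: str) -> str:
    """Get_* views something, Post_* changes something."""
    prefix = action.split("_", 1)[0].lower()
    return {"get": "view", "post": "change"}.get(prefix, "unknown")

def audit(policies: dict) -> dict:
    """Per policy, list allowed actions that are not plain views (unknown prefixes included)."""
    findings = {}
    for name, actions in policies.items():
        risky = [a for a in actions if classify_action(a) != "view"]
        if risky:
            findings[name] = risky
    return findings

# Constructed sample: custom policy name -> actions with effect "allowed".
SAMPLE = {
    "subaccount-readonly": ["Get_Origin_Modifition"],
    "subaccount-ops": ["Get_Origin_Modifition", "Post_Disable_Domain",
                       "Post_Create_Domain", "POST_CONFIGURATION"],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
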
Default policy
- The Main Account has the system policies for the CDNetworks products that you have contracted to use.
- The Main Account can attach a policy with “adding permission” to grant a Sub Account permission to use the functional operations of products.
- The Main Account can detach a policy with “revoke permission” to remove permission from a Sub Account.
Instructions for Functional Policy
View actions that are combined in one policy.
To view the list of actions in a policy, click the name of the policy; the action list is then displayed.
- Click the policy name.
- Check the list of actions.
In the example below, the action list of the Media Acceleration Live product has the permission effect “allowed”.
Combine multiple actions of different products into one policy
You can combine multiple actions of different products into a single policy in CDNetworks Console IAM.
One click aggregates actions of multiple products into one policy.
- For example, choose actions of the CA product with the permission effect "allowed".
- Then switch to the MA product and choose actions of the MA product with the permission effect "allowed".
- Click the “Save” button to save the actions of the different products as one policy.