Basic Elements of Policy

Last updated: 2026-03-25 15:11:37

Basic Elements of a Policy

A permission policy is built from a small set of basic elements. In IAM, permission policies define the specifics of authorization, so understanding these elements helps you use permission policies more efficiently.

Element Name | Description
Effect       | Authorization effect includes two types: Allow and Deny.
Action       | Action refers to operations performed on specific resources.
Resource     | Resource refers to the specific objects being authorized.

Basic Usage Rules for Policy

Effect

The valid values for Effect are Allow or Deny, for example: "Effect": "Allow".

Action

Action supports multiple values and the valid options are the action names defined by the service.

Format: <service-name>:<action-name>

  • Service Name: The name of the product, for example: wos.
  • Action Name: The corresponding operation name.

Example:

"Action": ["wos:ListBuckets"]

Resource

Resource typically refers to an asset or object of operation.

Format: wsc:<service-name>:<region>:<account>:<relative-id>

  • wsc: Represents the console.
  • service-name: Product name, for example: wos.
  • region: Region information. If this field is not supported, you may leave it empty or use a wildcard ‘*’ as a substitute.
  • account: Account, which refers to your account name (in English).
  • relative-id: The resource descriptor associated with the service, with its semantics defined by the specific service. This field supports a hierarchical structure (similar to a file path). For example, in WOS, a WOS object is represented as: relative-id = “mybucket/dir1/object1.jpg”.

Example:

"Resource": ["wsc:wos:*:*:mybucket", "wsc:wos:*:*:mybucket/*"]

Permission Policy Example

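The following permission policy allows read-only operations (wos:List*, wos:Get*) on samplebucket in WOS and denies write operations (wos:Delete*, wos:Put*) on the same bucket. Each statement lists both the bucket itself and samplebucket/* so that it covers the bucket and the objects inside it.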

[
    {
        "Effect": "Allow",
        "Action": ["wos:List*", "wos:Get*"],
        "Resource": ["wsc:wos:*:*:samplebucket", "wsc:wos:*:*:samplebucket/*"]
    },
    {
        "Effect": "Deny",
        "Action": ["wos:Delete*", "wos:Put*"],
        "Resource": ["wsc:wos:*:*:samplebucket", "wsc:wos:*:*:samplebucket/*"]
    }
]
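The format rules above can be checked mechanically before a policy is attached. The following Python code is an added example, not code from the original page or from the service: it lints statements against the Effect, Action and Resource formats and lists which statements cover a given request. It assumes '*' matches any run of characters and that an empty region or account field behaves like '*'; the request values and the action names wos:GetObject, wos:PutObject and wos:CreateBucket are constructed for illustration.

```python
import re

def wildcard_match(pattern, value):
    """Assumed semantics: '*' matches any run of characters, nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def parse_resource(resource):
    """Split wsc:<service-name>:<region>:<account>:<relative-id> into its fields."""
    parts = resource.split(":", 4)  # relative-id comes last, so it may contain ':'
    if len(parts) != 5 or parts[0] != "wsc" or not parts[1] or not parts[4]:
        raise ValueError(f"not a valid wsc resource: {resource!r}")
    return parts[1:]  # [service, region, account, relative_id]

def lint_statement(stmt):
    """Return a list of format problems found in one policy statement."""
    problems = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append(f"Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
    for action in stmt.get("Action", []):
        service, sep, name = action.partition(":")
        if not (service and sep and name):
            problems.append(f"Action is not <service-name>:<action-name>: {action!r}")
    for resource in stmt.get("Resource", []):
        try:
            parse_resource(resource)
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def resource_match(pattern, resource):
    """Compare field by field; an empty pattern field is treated as '*' (assumption)."""
    return all(wildcard_match(p or "*", r)
               for p, r in zip(parse_resource(pattern), parse_resource(resource)))

def matching_effects(policy, action, resource):
    """Effects of every statement whose Action and Resource patterns cover the request."""
    return [s["Effect"] for s in policy
            if any(wildcard_match(a, action) for a in s["Action"])
            and any(resource_match(r, resource) for r in s["Resource"])]

POLICY = [  # the permission policy example from this page
    {"Effect": "Allow", "Action": ["wos:List*", "wos:Get*"],
     "Resource": ["wsc:wos:*:*:samplebucket", "wsc:wos:*:*:samplebucket/*"]},
    {"Effect": "Deny", "Action": ["wos:Delete*", "wos:Put*"],
     "Resource": ["wsc:wos:*:*:samplebucket", "wsc:wos:*:*:samplebucket/*"]},
]
# Constructed request resource; region and account values are hypothetical.
OBJ = "wsc:wos:region-1:example-account:samplebucket/dir1/object1.jpg"
```

The function only reports which statements match; how the service resolves a request covered by both an Allow and a Deny, or by no statement at all, is not stated on this page and should be confirmed in the service documentation.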