Baidu AI Cloud

          Policy Management Interface

          Note: Privilege policies are divided into custom policies and system policies. A custom policy is created and managed by the user and has the type CUSTOM; a system policy is a built-in policy managed uniformly by the cloud platform and has the type SYSTEM.

          Create Privilege Policy

          Interface description

          Creates an enterprise organization privilege policy.

          An enterprise organization privilege policy (Service Control Policy, SCP for short) uses the same policy syntax as an IAM privilege policy, but its authorization effect is different: the privileges defined by an SCP are the maximum privileges of the account or unit member to which the SCP is attached. The privileges of the account's sub-users and of unit member accounts cannot exceed this range.

          Request structure

          POST /v1/organization/{organizationId}/scp HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string
          
          {
              "description": "description", 
              "document": "dumped json document of acl",
              "name": "name"
          }

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          name | String | RequestBody parameter | Privilege policy name | Yes
          description | String | RequestBody parameter | Privilege policy description | No
          document | String | RequestBody parameter | Policy content: the ACL document serialized as a JSON string | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          SCP Object

          Request example

          POST /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString
          
          {
              "name": "testScp",
              "description": "test scp", 
              "document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}"
          }

          Response example

          HTTP/1.1 201 Created
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS
          
          {
              "description": "test scp", 
              "createTime": "2019-09-24T07:42:08Z", 
              "policyType": "CUSTOM", 
              "document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}", 
              "id": "6b705623cee74f9ea274d5c0dc5523b2", 
              "name": "testScp"
          }

          Delete Privilege Policy

          Interface description

          Deletes an enterprise organization privilege policy.

          Note: Before deleting a privilege policy, you need to unbind all the privileges associated with the policy.

          Request structure

          DELETE /v1/organization/{organizationId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          None

          Request example

          DELETE /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp/6b705623cee74f9ea274d5c0dc5523b2
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 204 No Content
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS

          View Privilege Policy

          Interface description

          Views an enterprise organization privilege policy.

          Request structure

          GET /v1/organization/{organizationId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          SCP Object

          Request example

          GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp/480fdbfcaec7485187176f6f66e780a3
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS
          
          {
              "description": "test scp", 
              "createTime": "2019-09-24T07:43:48Z", 
              "policyType": "CUSTOM", 
              "document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}", 
              "id": "480fdbfcaec7485187176f6f66e780a3", 
              "name": "testScp"
          }

          Update Privilege Policy

          Interface description

          Updates an enterprise organization privilege policy.

          Request structure

          PUT /v1/organization/{organizationId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string
          
          {
              "description": "description", 
              "document": "dumped json document of acl",
              "name": "name"
          }

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes
          name | String | RequestBody parameter | Privilege policy name | No
          description | String | RequestBody parameter | Privilege policy description | No
          document | String | RequestBody parameter | Policy content: the ACL document serialized as a JSON string | No

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          SCP Object

          Request example

          PUT /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp/480fdbfcaec7485187176f6f66e780a3
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS
          
          {
              "description": "update", 
              "createTime": "2019-09-24T07:43:48Z", 
              "policyType": "CUSTOM", 
              "document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}", 
              "id": "480fdbfcaec7485187176f6f66e780a3", 
              "name": "update"
          }

          List Privilege Policy

          Interface description

          Lists enterprise organization privilege policies.

          When the policyType parameter is "SYSTEM", the system's built-in policies are queried; when it is "CUSTOM" or not specified, the custom policies under the enterprise organization are queried.

          Request structure

          GET /v1/organization/{organizationId}/scp?policyType={policyType} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          policyType | String | Query parameter | Type of policy to query | No

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          Name | Type | Description
          scps | List<SCP> | List of privilege policies

          Request example

          GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp?policyType=CUSTOM
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS
          
          [
              {
                  "description": "update", 
                  "createTime": "2019-09-24T07:43:48Z", 
                  "policyType": "CUSTOM", 
                  "document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}", 
                  "id": "480fdbfcaec7485187176f6f66e780a3", 
                  "name": "update"
              }
          ] 

          Associate Account Privilege Policy

          Interface description

          Associates a privilege policy with the account.

          Request structure

          PUT /v1/organization/{organizationId}/account/{accountId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          accountId | String | URL parameter | Account ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          None

          Request example

          PUT /v1/organization/25fc10b3bc61437aa72b35f76515b375/account/bfdbd1e6316b4729ab49f2cb25710068/scp/480fdbfcaec7485187176f6f66e780a3
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS

          Unbind Account Privilege Policy

          Interface description

          Unbind the specified privilege policy associated with an account.

          Request structure

          DELETE /v1/organization/{organizationId}/account/{accountId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          accountId | String | URL parameter | Account ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          None

          Request example

          DELETE /v1/organization/25fc10b3bc61437aa72b35f76515b375/account/bfdbd1e6316b4729ab49f2cb25710068/scp/480fdbfcaec7485187176f6f66e780a3
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS

          View the Privilege Policy Associated with an Account

          Interface description

          Views the privilege policies associated with the account. Privilege policies associated with its parent unit are excluded.

          Request structure

          GET /v1/organization/{organizationId}/account/{accountId}/scp HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          accountId | String | URL parameter | Account ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          Name | Type | Description
          scps | List<SCP> | List of privilege policies

          Request example

          GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/account/bfdbd1e6316b4729ab49f2cb25710068/scp
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS
          
          [
              {
                  "description": "Allow all actions", 
                  "createTime": "2018-03-26T03:25:06Z", 
                  "policyType": "SYSTEM", 
                  "document": "{\"accessControlList\":[{\"service\":\"*\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"*\"]}]}", 
                  "id": "c122aeb9065c4ae6bfc5ca58665ea056", 
                  "name": "FullAccessScp"
              }
          ] 

          Associate Unit Privilege Policy

          Interface description

          Associates a privilege policy with the unit.

          Request structure

          PUT /v1/organization/{organizationId}/unit/{unitId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          unitId | String | URL parameter | Unit ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          None

          Request example

          PUT /v1/organization/25fc10b3bc61437aa72b35f76515b375/unit/a6ed8b858a094187b3e3cb95da73b415/scp/480fdbfcaec7485187176f6f66e780a3
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS

          Unbind Unit Privilege Policy

          Interface description

          Unbind the specified privilege policy associated with the unit.

          Request structure

          DELETE /v1/organization/{organizationId}/unit/{unitId}/scp/{scpId} HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          unitId | String | URL parameter | Unit ID | Yes
          scpId | String | URL parameter | Privilege policy ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          None

          Request example

          DELETE /v1/organization/25fc10b3bc61437aa72b35f76515b375/unit/a6ed8b858a094187b3e3cb95da73b415/scp/480fdbfcaec7485187176f6f66e780a3
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS

          View Privilege Policy Associated with the Unit

          Interface description

          Views the privilege policies associated with the unit. Privilege policies associated with its parent unit are excluded.

          Request structure

          GET /v1/organization/{organizationId}/unit/{unitId}/scp HTTP/1.1
          Host: organization.bj.baidubce.com
          Authorization: authorization string

          Request header

          There are no other special headers except the public headers.

          Request parameter

          Name | Type | Location | Description | Required
          organizationId | String | URL parameter | Enterprise organization ID | Yes
          unitId | String | URL parameter | Unit ID | Yes

          Response header fields

          There are no other special headers except the public headers.

          Response parameter

          Name | Type | Description
          scps | List<SCP> | List of privilege policies

          Request example

          GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/unit/a6ed8b858a094187b3e3cb95da73b415/scp
          host: organization.bj.baidubce.com
          Authorization: AuthorizationString

          Response example

          HTTP/1.1 200 OK
          Content-Type: application/json;charset=UTF-8
          X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
          Server: BWS
          
          [
              {
                  "description": "Allow all actions", 
                  "createTime": "2018-03-26T03:25:06Z", 
                  "policyType": "SYSTEM", 
                  "document": "{\"accessControlList\":[{\"service\":\"*\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"*\"]}]}", 
                  "id": "c122aeb9065c4ae6bfc5ca58665ea056", 
                  "name": "FullAccessScp"
              }
          ] 
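
          Added example (not part of the original documentation or of the platform's own code): because an SCP defines the maximum privileges of whatever it is attached to, an attached SCP that allows everything sets no ceiling at all. The sketch below decodes the string-serialized `document` field of SCP objects returned by the list and view interfaces and flags such policies, plus any whose document cannot be parsed. The function names, the third sample object and the rule "an Allow entry with `*` in every field is unrestricted" are assumptions made for illustration.

```python
import json

def encode_document(acl_entries):
    """Serialize ACL entries into the string that the `document` field carries."""
    return json.dumps({"accessControlList": acl_entries}, separators=(",", ":"))

def decode_document(scp):
    """Return the ACL entries of an SCP object (`document` is JSON inside a string)."""
    doc = scp.get("document")
    if not isinstance(doc, str):
        raise ValueError("document is not a serialized string")
    parsed = json.loads(doc)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(parsed, dict) or not isinstance(parsed.get("accessControlList"), list):
        raise ValueError("accessControlList missing or not a list")
    return parsed["accessControlList"]

def _wild(value):
    """True when a field is "*" or a list that contains "*"."""
    return value == "*" or (isinstance(value, list) and "*" in value)

def is_unrestricted(entry):
    """Allow entry whose service, region, resource and privilege are all wildcards."""
    return isinstance(entry, dict) and entry.get("effect") == "Allow" and all(
        _wild(entry.get(k)) for k in ("service", "region", "resource", "privilege"))

def audit(scps):
    """Return (id, name, finding) for SCPs that set no ceiling or cannot be parsed."""
    findings = []
    for scp in scps:
        try:
            entries = decode_document(scp)
        except ValueError as exc:
            findings.append((scp.get("id"), scp.get("name"), f"unparseable: {exc}"))
            continue
        if any(is_unrestricted(e) for e in entries):
            findings.append((scp.get("id"), scp.get("name"), "allows everything"))
    return findings

# The first two objects reuse values from the response examples on this page;
# the third is constructed to show a document sent as an object, not a string.
SAMPLE_SCPS = [
    {"id": "480fdbfcaec7485187176f6f66e780a3", "name": "update", "policyType": "CUSTOM",
     "document": encode_document([{"service": "bce:bcc", "region": "*", "resource": ["*"],
                                   "effect": "Allow", "privilege": ["READ"]}])},
    {"id": "c122aeb9065c4ae6bfc5ca58665ea056", "name": "FullAccessScp", "policyType": "SYSTEM",
     "document": "{\"accessControlList\":[{\"service\":\"*\",\"region\":\"*\","
                 "\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"*\"]}]}"},
    {"id": "constructed-0001", "name": "constructedBroken", "policyType": "CUSTOM",
     "document": {"accessControlList": []}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCPS):
        print(finding)
```

          The account and unit view interfaces exclude policies attached to a parent unit, so a complete review runs the same check against each parent unit's list as well.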