Policy Management Interface
Note: Privilege policies are divided into custom policies and system policies. A custom policy is created and managed by the user and has the type CUSTOM; a system policy is built in and managed centrally by the cloud platform and has the type SYSTEM.
Create Privilege Policy
Interface description
Create an enterprise organization privilege policy.
An enterprise organization privilege policy (Service Control Policy, SCP for short) uses the same policy syntax as an IAM privilege policy, but its authorization effect is different: the privileges defined by an SCP are the maximum privileges of the account or unit member to which the SCP is attached. The privileges of the account's sub-users and of the unit's member accounts cannot exceed this range.
Request structure
POST /v1/organization/{organizationId}/scp HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
{
"description": "description",
"document": "dumped json document of acl",
"name": "name"
}
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
name | String | RequestBody parameter | Privilege policy name | Yes |
description | String | RequestBody parameter | Privilege policy description | No |
document | String | RequestBody parameter | Policy contents: the ACL-format policy document serialized as a JSON string | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
SCP Object
Request example
POST /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp
host: organization.bj.baidubce.com
Authorization: AuthorizationString
{
"name": "testScp",
"description": "test scp",
"document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}"
}
Response example
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
{
"description": "test scp",
"createTime": "2019-09-24T07:42:08Z",
"policyType": "CUSTOM",
"document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}",
"id": "6b705623cee74f9ea274d5c0dc5523b2",
"name": "testScp"
}
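As an added illustration (not part of the Baidu documentation) of the `document` field and the maximum-privilege semantics described in the interface description above: a Python helper that serialises an ACL-format policy into the JSON string the API expects, checks the SCP object returned with 201 Created, and decides whether an action falls inside an SCP's bound. Wildcard matching with `*` and Deny-over-Allow precedence are assumptions, and the sample response is constructed from the page's example values.

```python
import json

# Field names of one accessControlList entry, as in the page's examples.
ACL_FIELDS = ("service", "region", "resource", "effect", "privilege")

def build_scp_document(entries):
    """Validate ACL entries and serialise them into the JSON string that the
    `document` field carries (the request body is JSON-encoded again on send)."""
    for entry in entries:
        missing = [f for f in ACL_FIELDS if f not in entry]
        if missing:
            raise ValueError(f"ACL entry missing fields: {missing}")
        if entry["effect"] not in ("Allow", "Deny"):
            raise ValueError(f"unsupported effect: {entry['effect']}")
    return json.dumps({"accessControlList": entries}, separators=(",", ":"))

def check_created_scp(response_body, expected_document):
    """Parse the SCP object returned with 201 Created and confirm the stored
    document and policyType are what was submitted; returns the parsed object."""
    scp = json.loads(response_body)
    if scp.get("policyType") != "CUSTOM":
        raise ValueError(f"expected a CUSTOM policy, got {scp.get('policyType')}")
    if json.loads(scp["document"]) != json.loads(expected_document):
        raise ValueError("stored document differs from the one submitted")
    return scp

def _matches(pattern, value):
    # Wildcard semantics assumed: "*" matches anything, otherwise exact match.
    return pattern == "*" or pattern == value

def within_scp(document, service, region, resource, privilege):
    """True if the action lies inside the maximum privileges the SCP defines.
    Assumption: a matching Deny entry wins; no matching Allow means out of bound."""
    allowed = False
    for entry in json.loads(document)["accessControlList"]:
        hit = (_matches(entry["service"], service) and _matches(entry["region"], region)
               and any(_matches(r, resource) for r in entry["resource"])
               and any(_matches(p, privilege) for p in entry["privilege"]))
        if hit and entry["effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

# Constructed sample: the page's read-only bcc entry, plus a response built from its example values.
SAMPLE_DOCUMENT = build_scp_document([{"service": "bce:bcc", "region": "*",
                                       "resource": ["*"], "effect": "Allow",
                                       "privilege": ["READ"]}])
SAMPLE_RESPONSE = json.dumps({"description": "test scp", "policyType": "CUSTOM",
                              "document": SAMPLE_DOCUMENT, "name": "testScp",
                              "id": "6b705623cee74f9ea274d5c0dc5523b2"})
```

Because the SCP is only an upper bound, `within_scp` returning True means an action is permitted to be granted by IAM policies below it, not that any sub-user actually has it.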
Delete Privilege Policy
Interface description
Delete an enterprise organization privilege policy.
Note: Before deleting a privilege policy, unbind it from every account and unit it is associated with.
Request structure
DELETE /v1/organization/{organizationId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
None
Request example
DELETE /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp/6b705623cee74f9ea274d5c0dc5523b2
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 204 No Content
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
View Privilege Policy
Interface description
View an enterprise organization privilege policy.
Request structure
GET /v1/organization/{organizationId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
SCP Object
Request example
GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp/480fdbfcaec7485187176f6f66e780a3
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
{
"description": "test scp",
"createTime": "2019-09-24T07:43:48Z",
"policyType": "CUSTOM",
"document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}",
"id": "480fdbfcaec7485187176f6f66e780a3",
"name": "testScp"
}
Update Privilege Policy
Interface description
Update an enterprise organization privilege policy.
Request structure
PUT /v1/organization/{organizationId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
{
"description": "description",
"document": "dumped json document of acl",
"name": "name"
}
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
name | String | RequestBody parameter | Privilege policy name | No |
description | String | RequestBody parameter | Privilege policy description | No |
document | String | RequestBody parameter | Policy contents: the ACL-format policy document serialized as a JSON string | No |
Response header fields
There are no other special headers except the public headers.
Response parameter
SCP Object
Request example
PUT /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp/480fdbfcaec7485187176f6f66e780a3
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
{
"description": "update",
"createTime": "2019-09-24T07:43:48Z",
"policyType": "CUSTOM",
"document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}",
"id": "480fdbfcaec7485187176f6f66e780a3",
"name": "update"
}
List Privilege Policy
Interface description
List enterprise organization privilege policies.
When the policyType parameter is "SYSTEM", the platform's built-in system policies are returned; when it is "CUSTOM" or omitted, the custom policies under the enterprise organization are returned.
Request structure
GET /v1/organization/{organizationId}/scp?policyType={policyType} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
policyType | String | Query parameter | Type of policy to query | No |
Response header fields
There are no other special headers except the public headers.
Response parameter
Name | Type | Description |
---|---|---|
scps | List<SCP> | List of privilege policies |
Request example
GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/scp?policyType=CUSTOM
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
[
{
"description": "update",
"createTime": "2019-09-24T07:43:48Z",
"policyType": "CUSTOM",
"document": "{\"accessControlList\":[{\"service\":\"bce:bcc\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"READ\"]}]}",
"id": "480fdbfcaec7485187176f6f66e780a3",
"name": "update"
}
]
Link Account Privilege Policy
Interface description
Associate a privilege policy with an account.
Request structure
PUT /v1/organization/{organizationId}/account/{accountId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
accountId | String | URL parameter | Account ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
None
Request example
PUT /v1/organization/25fc10b3bc61437aa72b35f76515b375/account/bfdbd1e6316b4729ab49f2cb25710068/scp/480fdbfcaec7485187176f6f66e780a3
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
Unbind Account Privilege Policy
Interface description
Unbind the specified privilege policy associated with an account.
Request structure
DELETE /v1/organization/{organizationId}/account/{accountId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
accountId | String | URL parameter | Account ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
None
Request example
DELETE /v1/organization/25fc10b3bc61437aa72b35f76515b375/account/bfdbd1e6316b4729ab49f2cb25710068/scp/480fdbfcaec7485187176f6f66e780a3
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
View the Privilege Policy Associated with an Account
Interface description
View the privilege policies associated directly with the account. Policies inherited from its parent unit are not included.
Request structure
GET /v1/organization/{organizationId}/account/{accountId}/scp HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
accountId | String | URL parameter | Account ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
Name | Type | Description |
---|---|---|
scps | List<SCP> | List of privilege policies |
Request example
GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/account/bfdbd1e6316b4729ab49f2cb25710068/scp
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
[
{
"description": "Allow all actions",
"createTime": "2018-03-26T03:25:06Z",
"policyType": "SYSTEM",
"document": "{\"accessControlList\":[{\"service\":\"*\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"*\"]}]}",
"id": "c122aeb9065c4ae6bfc5ca58665ea056",
"name": "FullAccessScp"
}
]
Link Unit Privilege Policy
Interface description
Associate a privilege policy with a unit.
Request structure
PUT /v1/organization/{organizationId}/unit/{unitId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
unitId | String | URL parameter | Unit ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
None
Request example
PUT /v1/organization/25fc10b3bc61437aa72b35f76515b375/unit/a6ed8b858a094187b3e3cb95da73b415/scp/480fdbfcaec7485187176f6f66e780a3
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
Unbind Unit Privilege Policy
Interface description
Unbind the specified privilege policy associated with the unit.
Request structure
DELETE /v1/organization/{organizationId}/unit/{unitId}/scp/{scpId} HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
unitId | String | URL parameter | Unit ID | Yes |
scpId | String | URL parameter | Privilege policy ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
None
Request example
DELETE /v1/organization/25fc10b3bc61437aa72b35f76515b375/unit/a6ed8b858a094187b3e3cb95da73b415/scp/480fdbfcaec7485187176f6f66e780a3
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
View Privilege Policy Associated with the Unit
Interface description
View the privilege policies associated directly with the unit. Policies inherited from its parent unit are not included.
Request structure
GET /v1/organization/{organizationId}/unit/{unitId}/scp HTTP/1.1
Host: organization.bj.baidubce.com
Authorization: authorization string
Request header
There are no other special headers except the public headers.
Request parameter
Name | Type | Location | Description | Required or not |
---|---|---|---|---|
organizationId | String | URL parameter | Enterprise organization ID | Yes |
unitId | String | URL parameter | Unit ID | Yes |
Response header fields
There are no other special headers except the public headers.
Response parameter
Name | Type | Description |
---|---|---|
scps | List<SCP> | List of privilege policies |
Request example
GET /v1/organization/25fc10b3bc61437aa72b35f76515b375/unit/a6ed8b858a094187b3e3cb95da73b415/scp
host: organization.bj.baidubce.com
Authorization: AuthorizationString
Response example
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Bce-Request-Id: fc96771d-f2a3-4b1a-8ed2-ea7665461baf
Server: BWS
[
{
"description": "Allow all actions",
"createTime": "2018-03-26T03:25:06Z",
"policyType": "SYSTEM",
"document": "{\"accessControlList\":[{\"service\":\"*\",\"region\":\"*\",\"resource\":[\"*\"],\"effect\":\"Allow\",\"privilege\":[\"*\"]}]}",
"id": "c122aeb9065c4ae6bfc5ca58665ea056",
"name": "FullAccessScp"
}
]