Creating a Custom Policy¶
Function¶
This API is provided for the administrator to create a custom policy.
The API can be called using both the global endpoint and region-specific endpoints.
URI¶
POST /v3.0/OS-ROLE/roles
Request Parameters¶
Parameter | Mandatory | Type | Description |
---|---|---|---|
Content-Type | Yes | String | Fill application/json;charset=utf8 in this field. |
X-Auth-Token | Yes | String | Token with Security Administrator permissions. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
display_name | Yes | String | Display name of the custom policy. |
type | Yes | String | Display mode. Note
|
description | Yes | String | Description of the custom policy. |
description_cn | No | String | Description of the custom policy. |
Yes | Object | Content of custom policy. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
Version | Yes | String | Policy version. When creating a custom policy, set this parameter to 1.1. Note
|
Yes | Array of objects | Statement of the policy. A policy can contain a maximum of eight statements. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
Action | Yes | Array of strings | An action item is a specific operation permission on a resource. Note
Options:
|
Effect | Yes | String | Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
No | Object | Resources to be managed. After an account establishes multiple trust relationships between itself and your account, you can authorize IAM users in different user groups to manage resources of the delegating party. Each IAM user can only switch to the delegated agencies. For example: "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}
|
Parameter | Mandatory | Type | Description |
---|---|---|---|
uri | Yes | Array of strings | URI of a delegated resource, which can contain a maximum of 128 characters. Format: /iam/agencies/delegation ID. For example: "uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]
|
Response Parameters¶
Parameter | Type | Description |
---|---|---|
catalog | String | Service catalog. |
display_name | String | Display name of the custom policy. |
description | String | Description of the custom policy. |
Object | Resource link of the custom policy. | |
Object | Content of custom policy. | |
description_cn | String | Description of the custom policy. |
domain_id | String | Domain ID. |
type | String | Display mode. Note
|
id | String | Policy ID. |
name | String | Name of the custom policy. |
updated_time | String | Time when the custom policy was last updated. |
created_time | String | Time when the custom policy was created. |
references | String | Number of references. |
Parameter | Type | Description |
---|---|---|
self | String | Resource link. |
Parameter | Type | Description |
---|---|---|
Version | String | Policy version. Note
|
Array of objects | Statement of the policy. A policy can contain a maximum of eight statements. |
Parameter | Type | Description |
---|---|---|
Action | Array of strings | An action item is a specific operation permission on a resource. Note
|
Effect | String | Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
Object | Resources to be managed. After an account establishes multiple trust relationships between itself and your account, you can authorize IAM users in different user groups to manage resources of the delegating party. Each IAM user can only switch to the delegated agencies. For example: "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}
|
Parameter | Type | Description |
---|---|---|
uri | Array of strings | URI of a delegated resource, which can contain a maximum of 128 characters. Format: /iam/agencies/delegation ID. For example: "uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]
|
Example Request¶
POST https://iam.eu-de.otc.t-systems.com/v3.0/OS-ROLE/roles
{
"role": {
"display_name": "IAMAgencyPolicy",
"type": "AX",
"description": "IAMDescription",
"description_cn": "Policy description",
"policy": {
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:agencies:assume"
],
"Resource": {
"uri": [
"/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"
]
}
}
]
}
}
}
Example Response¶
Status code: 201
The request is successful.
{
"role": {
"catalog": "CUSTOMED",
"display_name": "IAMAgencyPolicy",
"description": "IAMDescription",
"links": {
"self": "https://iam.eu-de.otc.t-systems.com/v3/roles/f67224e84dc849ab954ce29fb4f47f8e"
},
"policy": {
"Version": "1.1",
"Statement": [
{
"Action": [
"iam:agencies:assume"
],
"Resource": {
"uri": [
"/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"
]
},
"Effect": "Allow"
}
]
},
"description_cn": "Policy description",
"domain_id": "d78cbac186b744899480f25bd02...",
"type": "AX",
"id": "f67224e84dc849ab954ce29fb4f47f8e",
"name": "custom_d78cbac186b744899480f25bd022f468_0"
}
}
Status Codes¶
Status Code | Description |
---|---|
201 | The request is successful. |
400 | The server failed to process the request. |
401 | Authentication failed. |
403 | Access denied. |
500 | Internal server error. |
Error Codes¶
None