Skip to main content

Creates a custom policy

POST 
https://apis.<domain>/iam/policies

Creates a custom IAM policy used to control permissions. A policy is composed of one or more statements that grant permissions to a set of members. Each statement contains a role as well as a list of tenants.

The role defines a set of actions that the statement is scoped to. The tenant list defines the set of resources that the statement is scoped to. Pass "tenants": ["*"] to scope a statement to every tenant.

A policy's top-level tenants list defines which tenants the policy belongs to (for filtering policies by their tenants), whereas the statement-level tenants list defines which tenants the statement applies to.

The example creates a new policy not associated with any tenant (because the top-level tenants property is empty) that grants the viewer role on a few tenants for all local teams and a custom role myRole on a specific tenant.

Authorization Action:

iam:policies:create

Request

Body

required

Does not contain type as the enduser can only create 'custom' policies.

    id stringrequired

    Unique ID. Cannot be changed.

    name stringrequired

    Name for the policy.

    members string[]

    Members affected by this policy.

    statements object[]required

    Statements for the policy.

  • Array [
    • effect compiuta.api.iam.v2.Statement.Effect

    Possible values: [ALLOW, DENY]

    Default value: ALLOW

    actions string[]

    Actions defined inline. May be empty. Best practices recommend that you use custom roles rather than inline actions where practical.

    role string

    The role defines a set of actions that the statement is scoped to.

    resources string[]

    Resources defined inline.

    tenants string[]

    The tenant list defines the set of resources that the statement is scoped to. May be empty.

  • ]
    • tenants string[]

    List of tenants this policy belongs to.

Responses

A successful response.

Schema
    policy object
    name string

    Name for the policy.

    id string

    Unique ID. Cannot be changed.

    type compiuta.api.iam.v2.Type

    Possible values: [COMPIUTA_MANAGED, CUSTOM]

    Default value: COMPIUTA_MANAGED

    members string[]

    Members affected by this policy. May be empty.

    statements object[]

    Statements for the policy. Will contain one or more.

  • Array [
    • effect compiuta.api.iam.v2.Statement.Effect

    Possible values: [ALLOW, DENY]

    Default value: ALLOW

    actions string[]

    Actions defined inline. May be empty. Best practices recommend that you use custom roles rather than inline actions where practical.

    role string

    The role defines a set of actions that the statement is scoped to.

    resources string[]

    Resources defined inline.

    tenants string[]

    The tenant list defines the set of resources that the statement is scoped to. May be empty.

  • ]
    • tenants string[]

    List of tenants this policy belongs to. May be empty.

curl -L -X POST 'https://apis.<domain>/iam/policies' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
  "name": "My Viewer Policy",
  "id": "custom-viewer-policy",
  "members": [
    "team:local:*"
  ],
  "statements": [
    {
      "role": "viewer",
      "tenants": [
        "tenant1",
        "tenant2"
      ],
      "effect": "ALLOW"
    },
    {
      "role": "myRole",
      "tenants": [
        "exampleTenant"
      ],
      "effect": "ALLOW"
    }
  ],
  "tenants": []
}'
Request Collapse all
Base URL
https://apis.<domain>
Body required
{

  "name": "My Viewer Policy",

  "id": "custom-viewer-policy",

  "members": [

    "team:local:*"

  ],

  "statements": [

    {

      "role": "viewer",

      "tenants": [

        "tenant1",

        "tenant2"

      ],

      "effect": "ALLOW"

    },

    {

      "role": "myRole",

      "tenants": [

        "exampleTenant"

      ],

      "effect": "ALLOW"

    }

  ],

  "tenants": []

}