Creates a custom policy
POST/iam/policies
Creates a custom IAM policy used to control permissions. A policy is composed of one or more statements that grant permissions to a set of members. Each statement contains a role as well as a list of tenants.
The role defines a set of actions that the statement is scoped to.
The tenant list defines the set of resources that the statement is scoped to.
Pass "tenants": ["*"]
to scope a statement to every tenant.
A policy's top-level tenants list defines which tenants the policy belongs to (for filtering policies by their tenants), whereas the statement-level tenants list defines which tenants the statement applies to.
The example creates a new policy not associated with any tenant (because the top-level tenants
property is empty) that grants the viewer
role
on a few tenants for all local teams and a custom role myRole
on a specific tenant.
Authorization Action:
iam:policies:create
Request
- application/json
Body
required
Does not contain type as the enduser can only create 'custom' policies.
- Array [
- ]
Unique ID. Cannot be changed.
Name for the policy.
Members affected by this policy.
statements object[]required
Statements for the policy.
Possible values: [ALLOW
, DENY
]
Default value: ALLOW
Actions defined inline. May be empty. Best practices recommend that you use custom roles rather than inline actions where practical.
The role defines a set of actions that the statement is scoped to.
Resources defined inline.
The tenant list defines the set of resources that the statement is scoped to. May be empty.
List of tenants this policy belongs to.
Responses
- 200
- default
A successful response.
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
policy object
Name for the policy.
Unique ID. Cannot be changed.
Possible values: [COMPIUTA_MANAGED
, CUSTOM
]
Default value: COMPIUTA_MANAGED
Members affected by this policy. May be empty.
statements object[]
Statements for the policy. Will contain one or more.
Possible values: [ALLOW
, DENY
]
Default value: ALLOW
Actions defined inline. May be empty. Best practices recommend that you use custom roles rather than inline actions where practical.
The role defines a set of actions that the statement is scoped to.
Resources defined inline.
The tenant list defines the set of resources that the statement is scoped to. May be empty.
List of tenants this policy belongs to. May be empty.
{
"name": "My Viewer Policy",
"id": "custom-viewer-policy",
"members": [
"team:local:*"
],
"statements": [
{
"role": "viewer",
"tenants": [
"tenant1",
"tenant2"
],
"effect": "ALLOW"
},
{
"role": "myRole",
"tenants": [
"exampleTenant"
],
"effect": "ALLOW"
}
],
"tenants": []
}
An unexpected error response.
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}