Creates a custom policy

POST 
/iam/policies

Creates a custom IAM policy used to control permissions. A policy is composed of one or more statements that grant permissions to a set of members. Each statement contains a role as well as a list of tenants.

The role defines a set of actions that the statement is scoped to. The tenant list defines the set of resources that the statement is scoped to. Pass "tenants": ["*"] to scope a statement to every tenant.

A policy's top-level tenants list defines which tenants the policy belongs to (for filtering policies by their tenants), whereas the statement-level tenants list defines which tenants the statement applies to.

The example creates a new policy not associated with any tenant (because the top-level tenants property is empty) that grants the viewer role on a few tenants for all local teams and a custom role myRole on a specific tenant.

Authorization Action:

iam:policies:create

Request

application/json

Body

required

Does not contain type as the enduser can only create 'custom' policies.

id stringrequired

Unique ID. Cannot be changed.

name stringrequired

Name for the policy.

members string[]

Members affected by this policy.

statements object[]required
Statements for the policy.
Array [
effect compiuta.api.iam.v2.Statement.Effect
Possible values: [ALLOW, DENY]
Default value: ALLOW
actions string[]
Actions defined inline. May be empty. Best practices recommend that you use custom roles rather than inline actions where practical.
role string
The role defines a set of actions that the statement is scoped to.
resources string[]
Resources defined inline.
tenants string[]
The tenant list defines the set of resources that the statement is scoped to. May be empty.
]
tenants string[]

List of tenants this policy belongs to.

Responses

200

A successful response.

application/json

Schema

Schema

policy object

name string

Name for the policy.

id string

Unique ID. Cannot be changed.

type compiuta.api.iam.v2.Type

Possible values: [COMPIUTA_MANAGED, CUSTOM]

Default value: COMPIUTA_MANAGED

members string[]

Members affected by this policy. May be empty.

statements object[]

Statements for the policy. Will contain one or more.

Array [

effect compiuta.api.iam.v2.Statement.Effect

Possible values: [ALLOW, DENY]

Default value: ALLOW

actions string[]

Actions defined inline. May be empty. Best practices recommend that you use custom roles rather than inline actions where practical.

role string

The role defines a set of actions that the statement is scoped to.

resources string[]

Resources defined inline.

tenants string[]

The tenant list defines the set of resources that the statement is scoped to. May be empty.

]

tenants string[]

List of tenants this policy belongs to. May be empty.

Example (from schema)

{
  "name": "My Viewer Policy",
  "id": "custom-viewer-policy",
  "members": [
    "team:local:*"
  ],
  "statements": [
    {
      "role": "viewer",
      "tenants": [
        "tenant1",
        "tenant2"
      ],
      "effect": "ALLOW"
    },
    {
      "role": "myRole",
      "tenants": [
        "exampleTenant"
      ],
      "effect": "ALLOW"
    }
  ],
  "tenants": []
}

default

An unexpected error response.

application/json

Schema

Schema

code int32
message string
details object[]
Array [
@type string
]

Example (from schema)

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Loading...