Policy Syntax
CAM policy:
{"version":"2.0","statement":[{"effect":"effect","action":["action"],"resource":["resource"],"condition": {"key":{"value"}}}]}
version is required. Currently, only the value "2.0" is allowed.
statement describes the details of one or more permissions. It contains a permission or permission set of multiple other elements such as effect, action, resource, and condition. One policy has only one statement.
action is required. It describes the allowed or denied action (operation). An operation can be an API (prefixed with "name") or a feature set (a set of specific APIs prefixed with "permid").
resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product. For more information on how to specify resources, see the product documentation corresponding to the resource statement you are writing.
condition is optional. It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value can be a client IP.
effect is required. It describes the result of a statement. The result can be an "allow" or an explicit "deny".
ASR Operations
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with
name/asr: should be used for ASR, such as name/asr:CreateModel or name/asr:CreateAsrVocab.To specify multiple operations in a single statement, separate them with commas as shown below:
"action":["name/asr:action1","name/asr:action2"]
You can also specify multiple operations by using a wildcard. For example, you can specify all operations beginning with "Describe" in the name as shown below:
"action":["name/cvm:Describe*"]
To specify all operations in ASR, use the * wildcard as shown below:
"action":["name/asr:*"]
ASR Resource Path
Each CAM policy statement is resource-specific with a resource path as shown below:
qcs:project_id:service_type:region:account:resource
project_id describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
service_type describes the product abbreviation such as asr.
region describes the region information, which is not required for ASR.
account describes the root account of the resource owner, such as uin/164256472.
resource describes the detailed resource information of each product, such as model/model_id1 or
model/*.For example, you can use a specific self adaptive learning model (15b96676edb211ea9301b49691037310) by specifying it in the statement as shown below:
"resource":[ "qcs::asr::uin/164256472:model/15b96676edb211ea9301b49691037310"]
You can also use the * wildcard to specify all self adaptive learning models that belong to a specific account as shown below:
"resource":[ "qcs::asr::uin/164256472:model/*"]
If you want to specify all resources or a specific API operation supports only API-level permission control, you can use the * wildcard in the resource element as shown below:
"resource": ["*"]
To specify multiple resources in one policy, separate them with commas. In the following example, two resources are specified:
"resource":["resource1","resource2"]
Yes
No
Was this page helpful?