Permission Policy Examples
Full Access to All Resources
{
"statement": [
{
"resources": [
"<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
View-only to All Resources
{
"statement": [
{
"resources": [
"<.*>"
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
}
]
}
View-only to Specific Gateway Groups
{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}" // Use gateway group id to identify
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}/publishedservice/<.*>" // View-only to all published services on these gateway groups
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
}
]
}
Full Access to Specific Gateway Groups
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}" // Use gateway group id to identify
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}/publishedservice/<.*>" // Full access to all published services on this gateway group
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
Full Access to Specific Gateway Groups except Consumer Credentials
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}" // Use gateway group id to identify
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id 1}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id 2}/publishedservice/<.*>" // Full access to all published services on this gateway group
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/consumer/<.*>" // Use consumer name to identify
],
"actions": [
"gateway:GetConsumerCredential",
"gateway:UpdateConsumerCredential",
"gateway:DeleteConsumerCredential"
]
"effect": "deny"
}
]
}
Service Manager
- Modify specific services directly on all gateway groups;
- Modify the template of specific services in service hub, then publish to all gateway groups;
- Sync specific services from one gateway group to another.
note
Please learn the difference between ServiceTemplateID and ServiceID
{
"statement": [
{
"resources": [
"arn:api7:gateway:servicetemplate/{service template id}"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/publishedservice/{service template id}" // use service template id instead of service id
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"gateway:GetGatewayGroup", // For managing published services on Dashboard
"gateway:GetGlobalPluginRule", // See the global rules before applying plugins to your published service to prevent conflicts.
"gateway:GetPluginMetadata" // See plugin metadata before applying plugins to your published service to prevent conflicts.
],
"effect": "allow"
}
]
}
Or you can use labels, if you have multiple services to manage and their share the same label:
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:servicetemplate/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"service_label": {
"type": "MatchLabel",
"options": {
"key": "team",
"operator": "exact_match",
"value": "enterprise"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/publishedservice/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"service_label": {
"type": "MatchLabel",
"options": {
"key": "team",
"operator": "exact_match",
"value": "enterprise"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"gateway:GetGatewayGroup" // For managing published services on Dashboard
],
"effect": "allow"
}
]
}
Manage Custom Plugins
{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaysetting/*"
],
"actions": [
"gateway:<.*>CustomPlugin<.*>"
],
"effect": "allow"
}
]
}
Role Manager
- Invite/Delete users;
- Help users resetting their password;
- Design custom roles;
- Assign roles to users.
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:iam:user/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:iam:role/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:iam:permissionpolicy/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
Create and Manage Production Gateway Groups
{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"gateway_group_label": {
"type": "MatchLabel",
"options": {
"key": "type",
"operator": "exact_match",
"value": "production"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/*"
],
"actions": [
"gateway:CreateGatewayGroup"
],
"effect": "allow"
}
]
}
Full Access to All Resources Except License
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:iam:organization/*"
],
"actions": [
"iam:UpdateLicense"
],
"effect": "deny" // "deny" takes precedence, ultimately prohibiting access to updateLicense action.
}
]
}