How-to Guides

Users can create and manage user groups, users, policies, and My Info. through Identity and Access Management (IAM).

Getting Started with IAM

  1. Click on the All Services > Management > IAM menu. This will take you to the Service Home page of IAM.
  2. On the Service Home page, My Info., Account information, Quick Link, and IAM status are provided as widgets.
Category | Detailed Description
My Info. | The username, email, and user group information of the user logged in to the Samsung Cloud Platform Console. Clicking the More button will take you to the My Info. page
Account Information | Provides the user’s Account ID, Account alias, and IAM user login URL if the user is an IAM user
  • Account ID: The user’s Account ID
  • Account Alias: A name assigned to the Account. An alias can be used to manage the Account more easily
    • Edit: If the Account alias is edited, the current alias can no longer be used for the IAM user login URL. See Editing Account Alias for more information
    • Delete: If the Account alias is deleted, IAM users can no longer log in using the Account alias. See Deleting Account Alias for more information
  • IAM User Login URL allows login without entering Account information
  • For more information about Accounts, see Account
Quick Link | Description of My Info. and a button to click to go to the corresponding page.
  • For more information about My Info., see My Info.
IAM Status | The number of user groups, users, and policies
Table. IAM Service Home Widget Items

Editing Account Alias

You can edit the Account alias in the Service Home > Account widget of IAM.

  1. Click on the All Services > Management > IAM menu. This will take you to the Service Home page of IAM.
  2. On the Service Home page, click the Edit button for the Account alias in the Account widget. This will take you to the Edit Account Alias popup window.
  3. In the Edit Account Alias popup window, confirm the instructions and edit the Account alias, then click the OK button.
    Note
    When you edit the Account alias, the current alias can no longer be used in the Console login URL.
    After editing, if the alias is not used in another Account, you can use the previous alias again.

Deleting Account Alias

You can delete the Account alias in the Service Home > Account widget of IAM.

  1. Click on the All Services > Management > IAM menu. This will take you to the Service Home page of IAM.
  2. On the Service Home page, click the Delete button for the Account alias in the Account widget. This will take you to the Delete Account Alias popup window.
  3. In the Delete Account Alias popup window, confirm the instructions and click the OK button.
    Warning

    Deleting the Account alias will prevent IAM users from logging in using the Account alias.

    • The IAM login URL will also be unavailable.

1 - User Group

Users can enter required information for user groups and select detailed options through the Samsung Cloud Platform Console to create the corresponding service.

Creating a User Group

To create a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the Create User Group button on the User Group List page. You will be navigated to the Create User Group page.
    • Enter the required information in the Enter Basic Information, Add User, Connect Policy, Enter Additional Information areas.
      Category | Required | Description
      User Group Name | Required | Enter user group name
      • Enter a value between 3-24 characters using Korean, English, numbers, and special characters (+=,.@-_)
      Description | Optional | Description of the user group name
      • Can enter up to 1,000 characters as a detailed description of the user group name
      Users | Optional | Users to add to the user group
      • A list of users registered in the Account is displayed, and when a checkbox is selected, the username of the selected user is displayed at the top of the screen
      • Click the X button for each user at the top of the screen or uncheck the checkbox in the user list to cancel the selection of the selected user
      • If there is no user to add, click Create User at the bottom of the user list to first register a new user
        • After user creation is complete, refresh the user list and select the user when the user is displayed
      Policies | Optional | Policies to connect to the user group
      • A list of policies registered in the Account is displayed, and when a checkbox is selected, the policy name of the selected policy is displayed at the top of the screen
      • Click the X button for each policy at the top of the screen or uncheck the checkbox in the policy list to cancel the selection of the selected policy
      • If there is no policy to connect, click Create Policy at the bottom of the policy list to first register a new policy
        • After policy creation is complete, refresh the policy list and select the policy when the policy is displayed
      Tags | Optional | Tags to add to the user group
      • Up to 50 tags can be added per resource
      Table. User Group Creation Information Entry Items
  4. Click the Create button.
  5. When a popup window announcing creation opens, click the OK button. You will be navigated to the User Group List page.

Viewing User Group Details

In user groups, you can view the user group list and detailed information and modify them. The User Group Details page consists of Basic Information, Users, Policies, Tags tabs.

To view detailed information of the user group service, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name for which you want to view detailed information on the User Group List page. You will be navigated to the User Group Details page.
    • The User Group Details page displays basic information and consists of Basic Information, Users, Policies, Tags tabs.

Basic Information

On the User Group List page, you can view the basic information of the selected user group and, if necessary, modify the user group name and description.

Category | Description
Service | Service name
Resource Type | Resource type
SRN | Unique resource ID in Samsung Cloud Platform
Resource Name | Resource name
  • In user groups, refers to user group name
Resource ID | Unique resource ID
Creator | User who created the service
Creation Date/Time | Date/Time when the service was created
Modifier | User who modified the service information
Modification Date/Time | Date/Time when the service information was modified
User Group Name | Name of the user group
Description | Description of the user group name
Table. User Group Basic Information Tab Items

Users

On the User Group List page, you can view the users included in the selected user group and, if necessary, add or delete users.

  • For details on Users, refer to Users.
Category | Description
Exclude | Exclude users from the user group
  • Activated when a user is selected from the user list
Add User | Add other users to the user group
  • Clicking the button navigates to the Add User page
Username | Name of the user
User Group | Number of user groups to which the user belongs
  • Clicking the item allows viewing the names of the user groups to which the user belongs
Creation Date/Time | Date/Time when the user was created
Table. User Group Details - Users Tab Items

Policies

On the User Group List page, you can view the policy connection information of the selected user group and, if necessary, modify the policy connection information for the user group.

  • For details on Policies, refer to Policies.
    Category | Description
    Disconnect | Disconnect the connection of the selected policy
    • Activated when a policy is selected from the policy list
    Connect Policy | Connect a new policy to the user group
    • Clicking the button navigates to the Connect Policy page
    Policy Name | Name of the policy
    Policy Type | Type of the connected policy
    • Basic: Basic policy provided by Samsung Cloud Platform
    • Custom: Policy directly created by the user
    Description | Description of the policy
    Creation Date/Time | Date/Time when the policy was created
    Modification Date/Time | Date/Time when the policy was modified
    Table. User Group Details - Policies Tab Items

Tags

On the User Group List page, you can view the tag information of the selected user group and add, modify, or delete tags.

Category | Description
Tag List | Tag list
  • Can view Key, Value information of tags
  • Up to 50 tags can be added per resource
  • When entering tags, search and select from previously created Key and Value lists
Table. User Group Tags Tab Items

Managing User Groups

You can change the name of a user group or add users, connect policies, and modify tags. If user group management is needed, you can perform tasks on the User Group List or User Group Details page.

Modifying Basic Information

You can modify the name and description of a user group. To modify the name and description of a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name for which you want to modify basic information on the User Group List page. You will be navigated to the User Group Details page.
  4. After viewing the basic information to modify on the User Group Details page, click the Edit button.
    • User Group Name: Can change the user group name. Clicking the Edit button opens the Edit User Group Name popup window.
    • Description: Can modify the description of the user group. Clicking the Edit button opens the Edit Description popup window.
  5. Enter the changes you want in the popup window, then click the OK button.

Managing Users

You can add or exclude users from a user group.

Adding Users

To add users to a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name to which you want to add users on the User Group List page. You will be navigated to the User Group Details page.
  4. Click the Users tab on the User Group Details page. You will be navigated to the Users tab.
  5. Click the Add User button on the Users tab. You will be navigated to the Add User page.
  6. Select the user you want to add from the Users list on the Add User page, then click the Complete button. A popup window announcing user addition opens.
Category | Description
Added Users | Display users included in the user group
Users | Select a user to add to the user group from the list of users registered in the Account
  • When a checkbox is selected, the selected user group name is displayed at the top of the list
  • Click the X button of the username added at the top of the list or uncheck the checkbox in the user list to cancel that user
  • If the desired user does not exist, click the Create User item at the bottom of the user list to first register a new user
    • After user creation is complete, refresh the user list and select the created user
Table. Add User Detail Items
  7. Click the OK button in the popup window announcing user addition. You can view the added user in the list on the Users tab.

Excluding Users

To exclude users from a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name from which you want to exclude users on the User Group List page. You will be navigated to the User Group Details page.
  4. Click the Users tab on the User Group Details page. You will be navigated to the Users tab.
  5. Select the user to exclude from the displayed user list on the Users tab, then click the Exclude User button.
  6. The selected User is excluded and the user list is refreshed.

Managing Policies

You can connect policies to a user group or disconnect connected policies.

Connecting Policies

To connect policies to a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name to which you want to connect policies on the User Group List page. You will be navigated to the User Group Details page.
  4. Click the Policies tab on the User Group Details page. You will be navigated to the Policies tab.
  5. Click the Connect Policy button on the Policies tab. You will be navigated to the Connect Policy page.
  6. Select the policy to connect to the user group, then click the Complete button. A popup window announcing policy connection opens.
Category | Description
Connected Policies | Display policies directly connected to the user group
Policies | Select a policy to connect to the user group from the list of policies registered in the Account
  • When a checkbox is selected, the selected policy name is displayed at the top of the list
  • Click the X button of the policy name added at the top of the list or uncheck the checkbox in the policy list to cancel that policy
  • If there is no policy to connect, click the Create Policy item at the bottom of the policy list to first register a new policy
    • After policy creation is complete, refresh the policy list and select the created policy
Table. Connect Policy Detail Items
  7. Click the OK button in the popup window announcing policy connection. You can view the connected policy in the list on the Policies tab.

Disconnecting Policies

To disconnect connected policies from a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name for which you want to disconnect policy connections on the User Group List page. You will be navigated to the User Group Details page.
  4. Click the Policies tab on the User Group Details page. You will be navigated to the Policies tab.
  5. Select the policy to disconnect from the displayed policy list on the Policies tab, then click the Disconnect button.
  6. The selected Policy is disconnected and the policy list is refreshed.

Managing Tags

You can modify the tags of a user group. To modify tags in a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name for which you want to modify tag information on the User Group List page. You will be navigated to the User Group Details page.
  4. Click the Tags tab on the User Group Details page. You will be navigated to the Tags tab.
  5. Click the Edit Tags button on the Tags tab.
  6. After adding or modifying tags, click the Save button. A popup window announcing tag modification opens.
    • You can modify the Key, Value of previously registered tags.
    • You can add a new tag by clicking the Add Tag button.
    • Clicking the X button in front of the added tag deletes that tag.
  7. Click the OK button. You can view the modified tag information in the list.

Deleting a User Group

To delete a user group, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Click the user group name to delete on the User Group List page. You will be navigated to the User Group Details page.
  4. Click the Delete User Group button on the User Group Details page.
  5. The user group is deleted and you will be navigated to the User Group List page.

To delete multiple user groups simultaneously, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the User Group menu on the Service Home page. You will be navigated to the User Group List page.
  3. Check the user groups to delete from the user group list.
  4. After confirming the selected user groups, click the Delete button.
  5. The selected user groups are deleted and the User Group List page is refreshed.

2 - User

Users can create services by entering required information for policies and selecting detailed options through Samsung Cloud Platform Console.

Creating a User

To create a user, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).

  2. On the Service Home page, click the User menu. You will be taken to the User List page.

  3. On the User List page, click the Create User button. You will be taken to the Create User page.

  4. Enter the required information in the Enter Basic Information, Permission Settings, Enter Additional Information areas on the Create User page, then click the Create button. A popup window announcing user creation opens.

    Category | Required | Description
    Username | Required | Name of the user
    • Enter a value within 64 characters using English, numbers, and special characters (+=,.@-_)
    Description | Optional | Description of the username
    • Enter up to 1,000 characters as a detailed description of the username
    Password | Required | Password for the user. There are 2 creation methods:
    • Auto Generate: Password is automatically generated and can be checked at the time of user creation
    • Direct Input: Create password directly
    Password Change Setting | Optional | Password change setting on first user login
    • If not set, the user cannot change the password on first login and can reset it again through Reset Password
    Add to User Group | Optional | Select a user group to include the user from the list of user groups registered in the Account
    • When the checkbox is selected, the selected user group name is displayed at the top of the list
    • Click the X button of the user group name added at the top of the list, or uncheck the checkbox in the user group list to cancel that user group
    • If there is no user group to link, you can first register a new user group by clicking the Create User Group item at the bottom of the user group list
      • When user group creation is complete, refresh the user group list and then select the created user group
    Direct Policy Link | Optional | Select a policy to directly link to the user from the list of policies registered in the Account
    • When the checkbox is selected, the selected policy name is displayed at the top of the list
    • Click the X button of the policy name added at the top of the list, or uncheck the checkbox in the policy list to cancel that policy
    • If there is no policy to link, you can first register a new policy by clicking the Create Policy item at the bottom of the policy list
      • When policy creation is complete, refresh the policy list and then select the created policy
    Tags | Optional | Tags to add to the user group
    • Can add up to 50 tags per resource
    Table. Create User Information Entry Items

  5. Click the Create button in the popup window announcing user creation. The IAM User Login Information popup window opens.

  6. After checking the IAM user login information, click the Confirm button. You will be taken to the User List page.

    Category | Description
    Account ID | Account ID value
    Username | Created user name
    Password | Password of the created user
    • Click the View icon to check the password
    IAM User Login URL | Login URL information of the IAM user
    Excel Download | Download IAM user login information as an Excel file
    Email Send | Send an Excel file containing IAM user login information via email
    • After clicking the button, enter the address to receive the email
    Table. IAM User Login Information Items

Password Creation Rules
  • If you enter the wrong password 5 or more times, you are automatically logged out.
  • Must include at least 1 each of uppercase English, lowercase English, numbers, and special characters (! @ # $ % & * ^).
  • Length is 9~20 characters.
  • Cannot use ID or username as password.
  • Cannot use the same character 3 or more times.
  • Cannot use easily guessable passwords.
  • Cannot use recently used passwords.
  • Cannot use 4 or more consecutive characters/numbers.
  • Password change cycle is 90 days.
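
The rules above that can be evaluated offline, written as a pre-check for provisioning scripts. This is an added example, not Samsung Cloud Platform code. It assumes "the same character 3 or more times" means three in a row and "4 or more consecutive characters/numbers" means runs such as abcd or 4321. The guessable-password, password-history, and 90-day rules are enforced by the service and are not checked here. All function names and sample passwords are constructed.

```python
import re

SPECIALS = "!@#$%&*^"      # special characters listed in the rules above
MIN_LEN, MAX_LEN = 9, 20   # "Length is 9~20 characters"


def has_repeat_run(pw, run=3):
    """Assumed reading of 'same character 3 or more times': 3+ in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw, re.DOTALL) is not None


def has_sequence(pw, run=4):
    """Assumed reading of '4 or more consecutive characters/numbers':
    ASCII letters or digits stepping by one, up or down (abcd, 4321)."""
    s = pw.lower()
    for step in (1, -1):
        length = 1
        for prev, cur in zip(s, s[1:]):
            same_class = (prev.isdigit() and cur.isdigit()) or (
                prev.isalpha() and cur.isalpha())
            if (same_class and prev.isascii() and cur.isascii()
                    and ord(cur) - ord(prev) == step):
                length += 1
                if length >= run:
                    return True
            else:
                length = 1
    return False


def check_password(password, username, account_id=""):
    """Return the list of violated rules; an empty list means every
    locally checkable rule passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 9-20 characters")
    required = {
        "uppercase letter": lambda c: c.isascii() and c.isupper(),
        "lowercase letter": lambda c: c.isascii() and c.islower(),
        "number": lambda c: c.isascii() and c.isdigit(),
        "special character": lambda c: c in SPECIALS,
    }
    for name, test in required.items():
        if not any(test(c) for c in password):
            problems.append("missing " + name)
    # Literal reading of the rule: the password may not be the ID or username.
    if any(i and password.lower() == i.lower() for i in (username, account_id)):
        problems.append("must not be the ID or username")
    if has_repeat_run(password):
        problems.append("same character 3 or more times in a row")
    if has_sequence(password):
        problems.append("4 or more consecutive characters/numbers")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked for a constructed user "alice".
    for candidate in ("Tr7&kPm2#Qx", "Short1!a", "Paassword111!", "Xy1234!qWe"):
        print(candidate, check_password(candidate, "alice") or "OK")
```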

Viewing User Details

In Users, you can view and modify the user list and detailed information. The User Details page is composed of Basic Information, User Group, Tags tabs.

To view detailed information of the user service, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to view detailed information. You will be taken to the User Details page.
    • The User Details page displays basic information and is composed of Basic Information, User, Policy, Tags tabs.

Basic Information

You can view the basic information of the user selected on the User List page, and if necessary, modify the user’s description and options.

Category | Description
Service | Service name
Resource Type | Resource type
SRN | Unique resource ID in Samsung Cloud Platform
Resource Name | Resource name
  • In Users, means username
Resource ID | Unique resource ID
Creator | User who created the service
Creation Date | Date and time when the service was created
Modifier | User who modified the service information
Modification Date | Date and time when the service information was modified
Username | Name of the user
Last Login | Date and time when the user last logged in
Description | Description of the username
Password | Date and time when the password was last changed
Password Reuse Restriction | Restrict reuse of recently used passwords
  • Click the Modify icon to change the number of password history to restrict
Email | Email authentication status
Mobile Phone Number | Mobile phone number authentication status
Table. User Details - Basic Information Tab Items

User Group

You can view the user groups registered for the user selected on the User List page, and if necessary, add or exclude user groups.

  • For more information about User Groups, see User Group.
Category | Description
Exclude | Exclude the user from the user group
  • Activated when selecting a user group in the user group list
Add User Group | Add the user to another user group
  • Click the button to go to the Add User Group page
User Group Name | Name of the user group
Linked Policy | Number of policies linked to the user group
  • Click the item to check the linked policy name and go to the corresponding Policy Details page
Description | Description of the user group
Modification Date | Date and time when the user group was modified
Table. User Details - User Group Tab Items

Policy

You can view the policy information of the user selected on the User List page, and add, change, or delete it.

Category | Description
Unlink | Unlink the selected policy
  • Activated when selecting a policy in the policy list
More | Can unlink direct connection or exclude from user group
  • Unlink Direct Connection: If the connection method is Direct, unlink the direct connection of that policy
  • Exclude from User Group: Exclude the user from the user group
Link Policy | Link a new policy to the user
  • Click the button to go to the Link Policy page
Policy Name | Name of the policy
  • Click the policy name to view the policy details page
Type | Type of the policy
Description | Description of the policy
Connection Method | Policy connection method
  • Direct: User directly linked to policy
  • Group: Linked to policy through group
  • Direct, Group: Both direct connection and group connection applied
  • Click the group name to go to that group details page
Modification Date | Date and time when the policy was last modified
Table. User Details - Policy Tab Items

Tags

You can view the tag information of the user selected on the User List page, and add, change, or delete it.

Category | Description
Tag List | Tag list
  • Can check Key, Value information of tags
  • Can add up to 50 tags per resource
  • When entering tags, search and select from the list of previously created Keys and Values
Table. User Details - Tags Tab Items

Managing Users

You can change the user’s basic information, add user groups, and modify tags. If user management is required, you can perform tasks on the User List or User Details page.

Modifying Basic Information

You can modify the user’s basic information.

Warning
The username cannot be modified.

Modifying Description

To modify the user’s description, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to modify the description. You will be taken to the User Details page.
  4. On the User Details page, check the description and click the description Modify button. The Modify Description popup window opens.
  5. After changing the description in the Modify Description popup window, click the Confirm button.

Modifying Password

To modify the user’s password, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to modify the password. You will be taken to the User Details page.
  4. On the User Details page, click the password Modify button. The Reset Password popup window opens.
  5. After modifying the password, click the Confirm button. The IAM User Login Information popup window opens.
    • Password has the following 2 settings.
      • Auto Generate: A random password is generated.
      • Direct Input: Created with the password directly entered by the user. Must include at least 1 each of uppercase English, lowercase English, numbers, and special characters (! @ # $ % & * ^). Refer to the password creation rules.
    • Password Change Setting: It is recommended to change the password on first login after resetting the password.
Password Creation Rules
  • Must include at least 1 each of uppercase English, lowercase English, numbers, and special characters (! @ # $ % & * ^).
  • Length is 9~20 characters.
  • Cannot use ID or username as password.
  • Cannot use the same character 3 or more times.
  • Cannot use easily guessable passwords.
  • Cannot use recently used passwords.
  • Cannot use 4 or more consecutive characters/numbers.
  • Password change cycle is 90 days.
  6. After checking the user creation information, click the Confirm button. Password change is completed.
    Category | Description
    Account ID | Account ID value
    Username | Created user name
    Password | Password of the created user
    • Click the View icon to check the password
    IAM User Login URL | Login URL information of the IAM user
    Excel Download | Download IAM user login information as an Excel file
    Email Send | Send an Excel file containing IAM user login information via email
    • After clicking the button, enter the address to receive the email
    Table. IAM User Login Information Items

Restricting Password Reuse

Specify how many entries of password history are checked to prevent reuse of recently used passwords. To restrict user password reuse, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to modify password reuse restriction. You will be taken to the User Details page.
  4. On the User Details page, click the password reuse restriction Modify button. The Modify Password Reuse Restriction popup window opens.
    • Password Reuse Restriction: Select the number of recently used passwords to check, as a number within 1~24.
  5. Click the Confirm button. You can check that the Password Reuse Restriction number has changed.

Managing User Groups

You can add a user to a user group or exclude the user from a user group.

Adding User Group

To add a user to a user group, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to add a user group. You will be taken to the User Details page.
  4. On the User Details page, click the User Group tab. You will be taken to the User Group tab.
  5. On the User Group tab, click the Add User Group button. You will be taken to the Add User Group page.
  6. On the Add User Group page, select the user group to add from the User Group list, then click the Complete button. A popup window announcing user group addition opens.
Category | Description
Added User Group | Display the user group to which the user belongs
Add to User Group | Select a user group to add the user from the list of user groups registered in the Account
  • When the checkbox is selected, the selected user group name is displayed at the top of the list
  • Click the X button of the user group name added at the top of the list, or uncheck the checkbox in the user group list to cancel that user group
  • If there is no desired user group, you can first register a new user group by clicking the Create User Group item at the bottom of the user group list
    • When user group creation is complete, refresh the user group list and then select the created user group
Table. Add User Group Detail Items
  7. Click the Confirm button in the popup window announcing user group addition. You can check the added user group in the list on the User Group tab.

Excluding User Group

To exclude a user from a user group, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to exclude a user group. You will be taken to the User Details page.
  4. On the User Details page, click the User Group tab. You will be taken to the User Group tab.
  5. On the User Group tab, select the user group to exclude from the retrieved user group list, then click the Exclude User Group button.
  6. The selected User Group is excluded and the user group list is retrieved again.

Managing Policies

You can link policies to users or unlink linked policies.

Linking Policy

You can link a policy by including a user in a user group or directly linking to a policy.

To link a policy to a user, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).

  2. On the Service Home page, click the User menu. You will be taken to the User List page.

  3. On the User List page, click the username for which you want to link a policy. You will be taken to the User Details page.

  4. On the User Details page, click the Policy tab. You will be taken to the Policy tab.

  5. On the Policy tab, click the Link Policy button. You will be taken to the Link Policy page.

  6. After selecting the user group and policy to link to the user, click the Complete button. A popup window announcing policy linking opens.

    Category | Description
    Added User Group | Display the user group to which the user belongs
    Add to User Group | Select a user group using the policy to link from the list of user groups registered in the Account
    • When the checkbox is selected, the selected user group name is displayed at the top of the list
    • Click the X button of the user group name added at the top of the list, or uncheck the checkbox in the user group list to cancel that user group
    • If there is no desired user group, you can first register a new user group by clicking the Create User Group item at the bottom of the user group list
      • When user group creation is complete, refresh the user group list and then select the created user group
    Directly Linked Policy | Display policies directly linked to the user
    Direct Policy Link | Select a policy to directly link to the user from the list of policies registered in the Account
    • When the checkbox is selected, the selected policy name is displayed at the top of the list
    • Click the X button of the policy name added at the top of the list, or uncheck the checkbox in the policy list to cancel that policy
    • If there is no policy to link, you can first register a new policy by clicking the Create Policy item at the bottom of the policy list
      • When policy creation is complete, refresh the policy list and then select the created policy
    Table. Link Policy Detail Items

  7. Click the Confirm button in the popup window announcing policy linking. You can check the linked policy in the list on the Policy tab.

Unlinking Policy

You can unlink a policy linked to the user.

To unlink a policy linked to the user, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to unlink the policy. You will be taken to the User Details page.
  4. On the User Details page, click the Policy tab. You will be taken to the Policy tab.
  5. After selecting the policy to unlink from the Policy list, click the Unlink button. A popup window announcing unlinking opens.
    • After clicking the More button, you can unlink the directly linked policy or exclude only the user groups containing the user.
  6. After checking the policy information to be unlinked, click the Confirm button. The policy is unlinked.
Guide
Policies linked through user groups can be unlinked by excluding the user from the group. If you exclude the user from the user group, all policies linked only through that group are unlinked.

Managing Tags

You can modify the user’s tags. To modify tags in Users, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username for which you want to modify tag information. You will be taken to the User Details page.
  4. On the User Details page, click the Tags tab. You will be taken to the Tags tab.
  5. On the Tags tab, click the Modify Tags button.
  6. After adding or modifying tags, click the Save button. A popup window announcing tag modification opens.
    • You can modify the Key, Value of previously registered tags.
    • Click the Add Tag button to add a new tag.
    • Click the X button in front of the added tag to delete that tag.
  7. Click the Confirm button. You can check the modified tag information in the list.

Deleting a User

To delete a user, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. On the User List page, click the username to delete. You will be taken to the User Details page.
  4. On the User Details page, click the Delete User button.
  5. The user is deleted and you are taken to the User List page.

To delete multiple users at the same time, follow the steps below.

  1. Click the All Services > Management > IAM menu. You will be taken to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the User menu. You will be taken to the User List page.
  3. Check the users to delete in the user list.
  4. After checking the selected users, click the Delete button.
  5. The selected users are deleted and the User List page is retrieved again.

3 - Policy

Users can enter required information for policies and select detailed options through the Samsung Cloud Platform Console to create the corresponding service.

Creating a Policy

To create a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).

  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.

  3. Click the Create Policy button on the Policy List page. You will be navigated to the Create Policy page.

  4. Enter the required information in the Enter Basic Information, Enter Additional Information areas, then click the Next button. You will be navigated to the Permission Settings area.

    Category | Required | Description
    Policy Name | Required | Enter policy name
    • Enter a value between 3-128 characters using Korean, English, numbers, and special characters (+=,.@-_)
    Description | Optional | Description of the policy name
    • Enter up to 1,000 characters as a detailed description of the policy name
    Tags | Optional | Tags to add to the policy
    • Up to 50 tags can be added per resource
    Table. Policy Creation Information Entry Items - Basic Information and Additional Information

  5. Select the service for which to set permissions. Permission setting items are displayed under the selected service name.

    • You can select the desired service or set it for all services.
  6. Enter the required information in the Permission Settings area.

    Category | Required | Description
    Control Type | Required | Select policy control type
    • Allow Policy: Policy that allows defined permissions
    • Deny Policy: Policy that denies defined permissions
    Deny policy takes precedence for the same target
    Action | Required | Select actions provided by each service
    • Actions where individual resource selection is possible are displayed in purple
    • Actions targeting all resources are displayed in black
    • Add Action Directly: Can specify multiple actions at once using wildcard *
    Applied Resource | Required | Resource to which the action is applied
    • All Resources: Apply to all resources for the selected action
    • Individual Resource: Apply only to specified resources for the selected action
      • Individual Resource can be chosen only for actions displayed in purple, which are the actions where individual resource selection is possible
      • Click the Add Resource button to specify target resources by resource type
    Authentication Type | Required | Authentication method of the target to which the policy is applied
    • All Authentication: Apply regardless of authentication method
    • Authentication Key Authentication: Apply to authentication key authentication users
    • Temporary Key Authentication, Console Login: Apply to temporary key authentication or Console login users
    Applied IP | Required | IP that allows policy application
    • User-defined IP: User directly registers and manages IP
      • Applied IP: IP to which the policy is applied by user registration, can be registered in IP address or range format
      • Excluded IP: IP to exclude from Applied IP, can be registered in IP address or range format
    • All IP: Do not restrict IP access
      • Allow access for all IPs, but if an exception is needed, register Excluded IP to restrict access for registered IPs
    Additional Conditions | Optional | Add conditions for Attribute-Based Access Control (ABAC)
    • Condition Key: Select from Global condition Key and service condition Key lists
    • Qualifier: Default, any value in request, all values in request
    • Operator: Bool, Null
    • Value: True, False
    Table. Policy Creation Information Entry Items - Permission Settings
    Caution

    Permission settings provide Basic Mode and JSON Mode.

    • After writing in Basic Mode, when entering JSON Mode or moving screens, services with the same conditions are merged into one and services where settings are not completed are deleted.
    • If content written in JSON Mode does not match JSON format, you cannot switch to Basic Mode.

  7. In the Permission Settings area, first select the Service for which to set permissions.

    • You can create a policy by loading an existing registered policy through Load Policy. For details on Load Policy, refer to Loading Policy.
  8. Click the Next button. You will be navigated to the Confirm Entered Information page.

  9. After confirming the entered information, click the Create button.

  10. When a popup window announcing policy creation opens, click the OK button. You will be navigated to the Policy List page.

Loading Policy

You can load an existing policy to reference it for policy creation. To load an existing policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the Create Policy button on the Policy List page. You will be navigated to the Create Policy page.
  4. Enter the required information in the Enter Basic Information, Enter Additional Information areas.
  5. Click the Next button. You will be navigated to the Permission Settings area.
  6. Click the Load Policy button. The Load Policy popup window will open.
  7. A list of policies registered in the Account is displayed. Select the policy you want to load and click OK.
  8. The loaded policy is entered in the Permission Settings area and can be edited.
Note
When you execute Load Policy, all previously entered content is deleted and replaced with the settings of the selected policy.

Registering Individual Resources as Applied Resources

You can register individual resources as applied resources in the Permission Settings area. To register individual resources as applied resources, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the Create Policy button on the Policy List page. You will be navigated to the Create Policy page.
  4. Enter the required information in the Enter Basic Information, Enter Additional Information areas.
  5. Click the Next button. You will be navigated to the Permission Settings area.
  6. Select the Service for which to set permissions in the Permission Settings area.
  7. In Action selection, select an Action where Individual Resource selection is possible.
    • Actions where individual resource selection is possible are displayed in purple.
  8. Click Individual Resource in Applied Resource.
  9. Click the Add Resource button. The Add Resource popup window will open.
  10. Add resources to which the policy will be applied in the Add Resource tab. Adding resources is possible in two ways: Select Resource and Direct Input.
    • Select Resource: Check and select resources displayed by Resource Type.
    • Direct Input: Directly enter target resources by Resource Type to add them.
      • Wildcards *, ? can be used. If you check Select All, all resources of that resource type are added, and newly added resources thereafter are automatically included.
        Note
        When changing the addition method, entered content is deleted.
  11. After confirming the entered information, click the OK button.
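
The Permission Settings fields from Creating a Policy (Control Type, Action, Applied Resource, Authentication Type, Applied IP and Excluded IP) and the Direct Input wildcards above, modeled as an added example; this is not Samsung Cloud Platform code and not its JSON policy format. The field names, the placeholder action and resource strings, CIDR as the "range format", and the implicit deny when no statement matches are assumptions of this model.

```python
"""Toy evaluator for the Permission Settings fields (added example, not SCP code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical labels for the three Authentication Type choices.
AUTH_ALL = "all"
AUTH_KEY = "authentication_key"
AUTH_TEMP_OR_CONSOLE = "temporary_key_or_console_login"


@dataclass
class Statement:
    control: str                       # Control Type: "allow" or "deny"
    actions: list                      # Action patterns; "*" wildcard allowed
    resources: list = field(default_factory=lambda: ["*"])  # ["*"] = All Resources
    auth_type: str = AUTH_ALL          # Authentication Type
    applied_ips: list = None           # None = All IP, else addresses / CIDR ranges
    excluded_ips: list = field(default_factory=list)        # Excluded IP


def wild_match(pattern, value, qmark=False):
    """Match '*' (any run of characters) and, if qmark is set, '?' (one character).

    Everything else is literal, so '.', '[' or '+' in a name cannot act as regex.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?" and qmark:
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), value, flags=re.DOTALL) is not None


def ip_in(source_ip, entries):
    """True if source_ip is inside any single address or CIDR range in entries."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(entry, strict=False) for entry in entries)


def statement_applies(stmt, action, resource, auth, source_ip):
    """Does the statement cover this request, whatever its control type?"""
    if not any(wild_match(p, action) for p in stmt.actions):
        return False
    # The page documents '?' only for Direct Input of resources.
    if not any(wild_match(p, resource, qmark=True) for p in stmt.resources):
        return False
    if stmt.auth_type not in (AUTH_ALL, auth):
        return False
    if stmt.applied_ips is not None and not ip_in(source_ip, stmt.applied_ips):
        return False
    # Excluded IP is carved out of Applied IP, or out of All IP.
    return not ip_in(source_ip, stmt.excluded_ips)


def evaluate(statements, action, resource, auth, source_ip):
    """Return 'deny', 'allow' or 'implicit_deny' for one request."""
    matched = {s.control for s in statements
               if statement_applies(s, action, resource, auth, source_ip)}
    if "deny" in matched:              # Deny takes precedence for the same target
        return "deny"
    # Assumption of this model: a request that nothing allows is refused.
    return "allow" if "allow" in matched else "implicit_deny"


# Constructed sample: placeholder action/resource names, documentation IP ranges.
SAMPLE = [
    Statement("allow", ["example:Get*", "example:List*"],
              resources=["bucket/logs-*"],
              applied_ips=["203.0.113.0/24"], excluded_ips=["203.0.113.99"]),
    Statement("deny", ["example:*"], resources=["bucket/logs-secret-?"],
              auth_type=AUTH_KEY),
]

if __name__ == "__main__":
    requests = [
        ("example:GetObject", "bucket/logs-app", AUTH_TEMP_OR_CONSOLE, "203.0.113.10"),
        ("example:GetObject", "bucket/logs-app", AUTH_TEMP_OR_CONSOLE, "203.0.113.99"),
        ("example:GetObject", "bucket/logs-secret-1", AUTH_KEY, "203.0.113.10"),
        ("example:GetObject", "bucket/logs-secret-1", AUTH_TEMP_OR_CONSOLE, "203.0.113.10"),
    ]
    for req in requests:
        print(req, "->", evaluate(SAMPLE, *req))
```

The last two sample requests differ only in authentication type: a Deny limited to Authentication Key Authentication does not cover the same resource for a Console login, so the Allow still applies there.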

Viewing Policy Details

In policies, you can view the policy list and detailed information and modify them. The Policy Details page consists of Basic Information, Permissions, Connected Targets, Tags tabs.

To view detailed information of the policy service, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name for which you want to view detailed information on the Policy List page. You will be navigated to the Policy Details page.
    • The Policy Details page displays basic information and consists of Basic Information, Permissions, Connected Targets, Tags tabs.

Basic Information

On the Policy List page, you can view the basic information of the selected policy and, if necessary, modify the policy name and description.

Category | Description
Service | Service name
Resource Type | Resource type
SRN | Unique resource ID in Samsung Cloud Platform
Resource Name | Resource name
  • In policies, refers to policy name
Resource ID | Unique resource ID
Creator | User who created the service
Creation Date/Time | Date/Time when the service was created
Modifier | User who modified the service information
Modification Date/Time | Date/Time when the service information was modified
Policy Name | Name of the policy
Policy Type | Type of the policy
  • Basic: Basic policy provided by Samsung Cloud Platform
  • Custom: Policy directly created by the user
Description | Description of the policy name
Table. Policy Details - Basic Information Tab Items

Permissions

On the Policy List page, you can view the permission information of the selected policy and, if necessary, modify permissions.

  • Click the Expand button of the service name for which you want to view permission information to display detailed policy information.
    Note
    Permission settings provide basic mode and JSON mode.
    Category | Description
    Edit Permissions | Permissions can be edited
    • Clicking the button navigates to the Edit Permissions page
    View Mode | Policy control type
    • Basic Mode: Display policy items and detailed information in basic UI
    • JSON Mode: Display in JSON editor format
    Control Type | Policy control type
    • Allow Policy: Policy that allows defined permissions
    • Deny Policy: Policy that denies defined permissions
    Action | Provided functions for each service that is the target of the policy
    Applied Resource | Resource to which the action is applied
    • All Resources: Apply to all resources for the selected action
    • Individual Resource: Apply only to specified resources for the selected action
    Authentication Type | Authentication method of the target to which the policy is applied
    • All Authentication: Apply regardless of authentication method
    • Authentication Key Authentication: Apply to authentication key authentication users
    • Temporary Key Authentication, Console Login: Apply to temporary key authentication or Console login users
    Applied IP | IP that allows policy application
    • User-defined IP: User directly registers and manages IP
      • Applied IP: IP to which the policy is applied by user registration, can be registered in IP address or range format
      • Excluded IP: IP to exclude from Applied IP, can be registered in IP address or range format
    • All IP: Do not restrict IP access
      • Allow access for all IPs, but if an exception is needed, register Excluded IP to restrict access for registered IPs
    Table. Policy Details - Permissions Tab Items

Connected Targets

On the Policy List page, you can view the user groups registered to the selected policy and, if necessary, add or exclude user groups.

Category | Description
Users | List of users connected to the policy
  • Can view username, user group, creation date/time
  • Clicking the Connect User button navigates to the Connect User page
  • After selecting a user from the list, can disconnect by clicking the Disconnect button
User Groups | List of user groups connected to the policy
  • Can view user group name, connected policies, description, modification date/time
  • Clicking the Connect User Group button navigates to the Connect User Group page
  • After selecting a user group from the list, can disconnect by clicking the Disconnect button
Roles | Display list of roles connected to the policy
  • Can view role name, connected policies, description, modification date/time
  • Clicking the Connect Role button navigates to the Connect Role page
  • After selecting a role from the list, can disconnect by clicking the Disconnect button
Table. Policy Details - Connected Targets Tab Items

Tags

On the Policy List page, you can view the tag information of the selected policy and add, modify, or delete tags.

Category | Description
Tag List | Tag list
  • Can view Key, Value information of tags
  • Up to 50 tags can be added per resource
  • When entering tags, search and select from previously created Key and Value lists
Table. Policy Details - Tags Tab Items

Managing Policies

You can change the name of a policy or modify permissions, connected targets, and tags. If policy management is needed, you can perform tasks on the Policy List or Policy Details page.

Modifying Basic Information

You can modify the name and description of a policy. To modify the name and description of a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name for which you want to modify basic information on the Policy List page. You will be navigated to the Policy Details page.
  4. After viewing the basic information to modify on the Policy Details page, click the Edit button.
    • Policy Name: Can change the policy name. Clicking the Edit button opens the Edit Policy Name popup window.
    • Description: Can modify the description of the policy. Clicking the Edit button opens the Edit Description popup window.
  5. Modify to the content you want to change in the popup window, then click the OK button.

Managing Permissions

You can modify the permissions of a policy. To modify the permissions of a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name for which you want to modify policy permissions on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Permissions tab on the Policy Details page. You will be navigated to the Connected Permissions tab.
  5. Click the Edit Permissions button on the Policy Details page. You will be navigated to the Edit Permissions page.
  6. After modifying the necessary permissions on the Edit Permissions page, click the Next button. You will be navigated to the Confirm Entered Information page.
    • For detailed descriptions of each item in permission information, refer to Creating a Policy.
  7. After confirming the modified permission information on the Confirm Entered Information page, click the Complete button. You will be navigated to the Permissions tab.

Managing User Connections

  • On the Policy > Connected Targets tab, you can view users registered to the policy and, if necessary, connect or disconnect users.
  • For details on Users, refer to Users.

Connecting Users

To connect users to a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name to which you want to connect users on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Connected Targets tab on the Policy Details page. You will be navigated to the Connected Targets tab.
  5. Click the Connect User button on the Connected Targets tab. You will be navigated to the Connect User page.
  6. Select the user you want to connect from the Users list on the Connect User page, then click the Complete button. A popup window announcing user connection opens.
    Category | Description
    Connected User Groups | Display users connected to the policy
    User Groups | Select a user to connect the policy from the list of users registered in the Account
    • When a checkbox is selected, the selected username is displayed at the top of the list
    • Click the X button of the username added at the top of the list or uncheck the checkbox in the user list to cancel that user
    • If the desired user does not exist, click the Create User item at the bottom of the user list to first register a new user
      • After user creation is complete, refresh the user list and select the created user
    Table. User Connection Detail Items
  7. Click the OK button in the popup window announcing user connection. You can view the connected user in the list on the Users tab.

Disconnecting Users

To disconnect users connected to a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name for which you want to disconnect user connections on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Connected Targets tab on the Policy Details page. You will be navigated to the Connected Targets tab.
  5. Select the user to disconnect from the user group list on the Connected Targets tab, then click the Disconnect button. A popup window announcing disconnection opens.
  6. Click the OK button in the popup window announcing disconnection. The connection of the selected user is disconnected and the user group list is refreshed.

Managing User Group Connections

  • On the Policy > Connected Targets tab, you can view user groups registered to the policy and, if necessary, connect or disconnect user groups.
  • For details on User Groups, refer to User Groups.

Connecting User Groups

To connect user groups to a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name to which you want to connect user groups on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Connected Targets tab on the Policy Details page. You will be navigated to the Connected Targets tab.
  5. Click the Connect User Group button on the Connected Targets tab. You will be navigated to the Connect User Group page.
  6. Select the user group you want to connect from the User Groups list on the Connect User Group page, then click the Complete button. A popup window announcing user group connection opens.
    Category | Description
    Connected User Groups | Display user groups connected to the policy
    User Groups | Select a user group to connect the policy from the list of user groups registered in the Account
    • When a checkbox is selected, the selected user group name is displayed at the top of the list
    • Click the X button of the user group name added at the top of the list or uncheck the checkbox in the user group list to cancel that user group
    • If the desired user group does not exist, click the Create User Group item at the bottom of the user group list to first register a new user group
      • After user group creation is complete, refresh the user group list and select the created user group
    Table. User Group Connection Detail Items
  7. Click the OK button in the popup window announcing user group connection. You can view the connected user group in the list on the User Groups tab.

Disconnecting User Groups

To disconnect user groups connected to a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name for which you want to disconnect user group connections on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Connected Targets tab on the Policy Details page. You will be navigated to the Connected Targets tab.
  5. Select the user group to disconnect from the user group list on the Connected Targets tab, then click the Disconnect button. A popup window announcing disconnection opens.
  6. Click the OK button in the popup window announcing disconnection. The connection of the selected user group is disconnected and the user group list is refreshed.

Managing Role Connections

  • On the Policy > Connected Targets tab, you can view roles registered to the policy and, if necessary, connect or disconnect roles.
  • For details on Roles, refer to Roles.

Connecting Roles

To connect roles to a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name to which you want to connect roles on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Connected Targets tab on the Policy Details page. You will be navigated to the Connected Targets tab.
  5. Click the Connect Role button on the Connected Targets tab. You will be navigated to the Connect Role page.
  6. Select the role you want to connect from the Roles list on the Connect Role page, then click the Complete button. A popup window announcing role connection opens.
    Category | Description
    Connected Roles | Display roles connected to the policy
    Roles | Select a role to connect the policy from the list of roles registered in the Account
    • When a checkbox is selected, the selected role is displayed at the top of the list
    • Click the X button of the role name added at the top of the list or uncheck the checkbox in the role list to cancel that role
    • If the desired role does not exist, click the Create Role item at the bottom of the role list to first register a new role
      • After role creation is complete, refresh the role list and select the created role
    Table. Role Connection Detail Items
  7. Click the OK button in the popup window announcing role connection. You can view the connected role in the list on the Roles tab.

Disconnecting Roles

To disconnect roles connected to a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name for which you want to disconnect role connections on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Connected Targets tab on the Policy Details page. You will be navigated to the Connected Targets tab.
  5. Select the role to disconnect from the role list on the Connected Targets tab, then click the Disconnect button. A popup window announcing disconnection opens.
  6. Click the OK button in the popup window announcing disconnection. The connection of the selected role is disconnected and the role list is refreshed.

Managing Tags

You can modify the tags of a policy.

To modify tags in a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name whose tags you want to modify on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Tags tab on the Policy Details page. You will be navigated to the Tags tab.
  5. Click the Edit Tags button on the Tags tab.
  6. After adding or modifying tags, click the Save button. A popup window announcing tag modification opens.
    • You can modify the Key, Value of previously registered tags.
    • You can add a new tag by clicking the Add Tag button.
    • Clicking the X button in front of the added tag deletes that tag.
  7. Click the OK button. You can view the modified tag information in the list.

Deleting a Policy

To delete a policy, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Click the policy name to delete on the Policy List page. You will be navigated to the Policy Details page.
  4. Click the Delete Policy button on the Policy Details page.
  5. The policy is deleted and you will be navigated to the Policy List page.

To delete multiple policies simultaneously, follow these steps:

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Policy menu on the Service Home page. You will be navigated to the Policy List page.
  3. Select the policies to delete from the policy list.
  4. After confirming the selected policies, click the Delete Policy button.
  5. The selected policies are deleted and the Policy List page is refreshed.

4 - Role

The user can create a role with separate permissions and switch from their own account to another role to access the Account.

Creating a role

To create a role, follow the steps below.

  1. All services > Management > IAM menu is clicked. It moves to the Service Home page of Identity and Access Management(IAM).
  2. Service Home page, click the role menu. It moves to the role list page.
  3. Role List page, click the Create Role button. It moves to the Create Role page.
  4. Role Creation page where you enter information for role creation, click the Complete button.
  • Enter the basic information.
    Classification | Necessity | Detailed Description
    Role Name | Required | Enter the name of the role
    • Enter up to 64 characters using English letters, numbers, and special characters (+=-_@,.)
    Description | Optional | Enter a description of the role within 1,000 characters
    Maximum session persistence time | Required | Enter the session time allowed for the user when switching roles in the Console
    • Time selection: 1 hour, 2 hours, 4 hours, 8 hours, 12 hours
    • Job input: Enter a value in seconds, from 3,200 seconds (1 hour) to 43,200 seconds (12 hours)
    Table. Basic Information Items for Role Creation
  • Connect the performing entity.
    Classification | Mandatory | Detailed Description
    Classification | Required | Select the performing entity
    • Current Account, Different Account, User SRN, Credential Provider, Service
    Value | Required | Enter the value for the performing entity
    • Current Account: Displays the current Account ID
    • Different Account: Enter the Account ID to use this role
    • User SRN: Enter the SRN of the user registered in the Console
    • Credential Provider: Select the credential provider name
    • Service: Select Virtual Server or Cloud Functions
    Add | Optional | A button to add a performing entity
    • Up to 20 additional connections are possible
    Table. Role Creation Performing Entity Connection Items
  • Connect the policy.
    Classification | Mandatory | Detailed Description
    Policy | Required | Select a policy to link to the role
    • If you select the check box, the selected policy name is displayed at the top of the list
    • You can cancel the selection by clicking the X button for the added policy name at the top of the list or by unchecking the check box in the policy list
    • If there is no policy to link, you can click the Create Policy item at the bottom of the policy list to register a new policy first
      • After policy creation is complete, you can refresh the policy list and select the created policy
    Table. Role Creation Policy Link Items
  • Enter the additional information.
    Classification | Mandatory | Detailed Description
    Tag | Optional | Tags to add to the role
    • Up to 50 tags can be added per resource
    Table. Role Creation Additional Information Items
  5. When the popup window notifying role creation opens, click the Confirm button.

Check detailed role information

On the Role List page, you can check and modify the detailed information of the selected role.

To check the detailed information of a role, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Click the role you want to check on the Role List page. You will be navigated to the Role Details page.
  • The Role Details page displays basic information and consists of the Basic Information, Performing Entity, Policy, and Tag tabs.

Basic Information

You can check and modify the basic information of the role.

Classification | Detailed Description
Service | Service Name
Resource Type | Resource Type
SRN | Unique resource ID in Samsung Cloud Platform
Resource Name | Resource Name
  • For a role, this is the role name
Resource ID | Unique Resource ID
Creator | The user who created the service
Creation Time | The time when the service was created
Modifier | The user who modified the service information
Revision Time | The time when the service information was revised
Role Name | Name of the role
Description | Description of the role
  • Click the Edit button to change the description
Maximum session duration | The role session duration allowed for an IAM user switching roles in the Console
  • Click the Edit button to change the duration
  • Time selection: 1 hour, 2 hours, 4 hours, 8 hours, 12 hours
  • Job input: Enter a value in seconds, from 3,200 seconds (1 hour) to 43,200 seconds (12 hours)
Table. Role Details - Basic Information Tab Items

Performing Entity

You can check and manage the performing entities of the role.

Classification | Detailed Description
Division | Name of the performing entity
Value | Value of the performing entity
Modify Executor | Button to modify the performing entity
  • Clicking the button navigates to the Executor Connection page
Table. Role Details - Performing Entity Tab Items

Policy

Classification | Detailed Description
Disconnect | Disconnects the selected policy from the role
  • Activated when a policy is selected from the policy list
Policy Connection | Connects a new policy to the role
  • Clicking the button navigates to the Policy Connection page
Policy Name | Name of the policy
  • Click the policy name to open the policy details page
Type | Type of policy
Description | Description of the policy
Modification Time | The time when the policy was last modified
Table. Role Details - Policy Tab Items

Tag

You can check, add, change, or delete the tag information of the role.

Classification | Detailed Description
Tag List | Tag list
  • Check the Key and Value information of the tag
  • Up to 50 tags can be added per resource
  • When entering tags, search and select from the existing Key and Value lists
Table. Role Details - Tag Tab Items

Managing Roles

You can change the basic information of the role, or modify or delete the performing entity, connected policies, or tag information of the role.

Modify basic information

You can modify the maximum session persistence time and description in the role details. To modify the basic information, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Click the name of the role whose basic information you want to modify on the Role List page. You will be navigated to the Role Details page.
  4. On the Role Details page, check the basic information to be modified, and then click the Modify button.
  • Maximum session duration: You can set the role session duration allowed for an IAM user switching roles in the Console. When you click the Edit button, the Edit maximum session duration popup window opens.
  • Description: You can modify the description of the role. When you click the Modify button, the Description Modification popup window opens.
  5. In the popup window, enter the changes, and then click the Confirm button.

Managing the Performing Entity

You can add, modify, or delete the performing entities of a role.

To manage the performing entities of a role, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Click the name of the role whose performing entity you want to modify on the Role List page. You will be navigated to the Role Details page.
  4. Click the Performing Entity tab on the Role Details page. You will be navigated to the Performing Entity tab.
  5. Click the Modify Execution Entity button on the Performing Entity tab. You will be navigated to the Modify Execution Entity page.
  6. Modify the performing entity on the Modify Execution Entity page, and then click the Complete button. A popup window announcing the modification of the performing entity opens.
Classification | Mandatory | Detailed Description
Classification | Required | Select the performing entity
  • Current Account, Different Account, User SRN, Credential Provider, Service
Value | Required | Enter the value for the performing entity
  • Current Account: Displays the current Account ID
  • Different Account: Enter the Account ID to use this role
  • User SRN: Enter the SRN of the user registered in the Console
  • Credential Provider: Select the credential provider name
  • Service: Select Virtual Server or Cloud Functions
Add | Optional | Button to add a performing entity
  • Up to 20 additional connections can be added
  • A performing entity can be deleted by clicking the X button of the added performing entity
Table. Performing Entity Modification Items
  7. Click the Confirm button in the popup window notifying the modification of the performing entity. You can check the modified performing entity in the list of the Performing Entity tab.

Managing Policies

You can link policies to roles or unlink linked policies.

Connect Policy

You can link policies to a role.

To link a policy to a role, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).

  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.

  3. Click the name of the role to link the policy to on the Role List page. You will be navigated to the Role Details page.

  4. Click the Policy tab on the Role Details page. You will be navigated to the Policy tab.

  5. Click the Policy Link button on the Policy tab. You will be navigated to the Policy Link page.

  6. After selecting the policy to be linked to the role, click the Complete button. A popup window announcing the policy connection opens.

    Classification | Detailed Description
    Connected Policy | Displays the policy connected to the role
    Policy | Select a policy to be linked to the role from the list of policies registered in the Account
    • When you select a check box, the selected policy name is displayed at the top of the list
    • The selection can be canceled by clicking the X button at the top of the list or by unchecking the check box in the policy list
    • If there are no policies to link, click the Create Policy item at the bottom of the policy list to register a new policy first
      • After policy creation is complete, you can refresh the policy list and select the created policy
    Table. Policy Link Details

  7. Click the Confirm button in the popup window notifying policy connection. You can check the connected policy in the list of the Policy tab.

Policy Disconnecting

You can disconnect the policies connected to the role.

To disconnect a policy linked to the role, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Click the name of the role to disconnect the policy from on the Role List page. You will be navigated to the Role Details page.
  4. Click the Policy tab on the Role Details page. You will be navigated to the Policy tab.
  5. Select the policy to disconnect in the policy list, and then click the Disconnect button. A popup window notifying disconnection opens.
  6. After checking the policy information to be disconnected, click the Confirm button. The policy is disconnected.

Managing tags

You can add, modify, or delete the tags of a role.

To manage the tags of a role, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Click the name of the role whose tag information you want to modify on the Role List page. You will be navigated to the Role Details page.
  4. Click the Tags tab on the Role Details page. You will be navigated to the Tags tab.
  5. Click the Edit Tag button on the Tags tab.
  6. After adding or modifying the tag, click the Save button. A popup window announcing the tag modification opens.
  • You can modify the Key, Value of a previously registered tag.
  • You can add a new tag by clicking the Add Tag button.
  • Clicking the X button in front of the added tag deletes that tag.
  7. Click the Confirm button. You can check the modified tag information in the list.

Switching roles

To switch roles in the Samsung Cloud Platform Console, follow these steps.

  1. Click the profile-shaped button at the top right of the Console. The My menu popup window opens.

  2. Click the role switch button in the My menu popup window. The role switch popup window opens.

  3. Enter the role switching information in the role switch popup window and click the Confirm button.

    Classification | Mandatory | Detailed Description
    Account ID | Required | Enter the Account ID that the user wants to enter with role switching
    Role Name | Required | Enter the role name that the user wants to enter through role switching
    Alias | Optional | Name to be used when the user enters with role switching
    Color | Required | Select a color to use as the background of the Account when entering the role
    • Not selected: Apply the existing Account background color
    Table. Role Transition Information Items

  4. When the popup window notifying role switching opens, click the Confirm button.

Check the role

You can check the information of the switched role by clicking the profile-shaped button at the top right of the Console.

Provided Function | Description
Account ID | Account ID logged in to Samsung Cloud Platform Console
Role Name | Alias set when switching roles
  • If an ID Center user accesses as a role, the Authority Set Name is displayed
  • Session expiration time is displayed at the bottom
Time Zone | Time zone set by the user
  • Example: Asia/Seoul (GMT +09:00)
  • The time zone can be changed by clicking Edit
Account | Account information
  • For more detailed information, please refer to Account
Cost Management | You can check the usage and billing details, payment history, and cost analysis, and manage Credits, budgets, Accounts, and payment methods
Login user information | Name of the IAM user who switched roles and the user’s Account ID
Switch to my account | Switch to the IAM user account and move to the Console Home page
  • Displayed after role switching
Role Switching | Switch to another role
Log out | Log out from Samsung Cloud Platform Console
Table. My Info. items when role switching

Delete role

To delete a role, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Click the name of the role to delete on the Role List page. You will be navigated to the Role Details page.
  4. Click the Delete Role button on the Role Details page.
  5. The role is deleted and you will be navigated to the Role List page.

To delete multiple roles at the same time, follow these steps.

  1. Click the All Services > Management > IAM menu. You will be navigated to the Service Home page of Identity and Access Management (IAM).
  2. Click the Role menu on the Service Home page. You will be navigated to the Role List page.
  3. Select the roles to delete from the role list.
  4. After confirming the selected roles, click the Delete Role button.
  5. The selected roles are deleted and the Role List page is refreshed.

5 - Credential Provider

You can access and use the Account resource through the credential provider.

Create Credential Provider

To create a credential provider, follow the steps below.

  1. Click the All Services > Management > IAM menu. Navigate to the Service Home page of Identity and Access Management (IAM).
  2. Click the Credential Provider menu on the Service Home page. Navigate to the Credential Provider List page.
  3. On the Credential Provider List page, click the Create Credential Provider button. You will be taken to the Create Credential Provider page.
  4. After entering information in the Basic Information Input, Additional Information Input areas, click the Generate button.
Category | Required | Detailed description
Credential Provider Name | Required | Name of the credential provider
  • Enter a value within 128 characters using English letters, numbers, and special characters (,-_)
Description | Optional | Enter a description of the credential provider within 1,000 characters
Type | Required | Select the credential provider type
  • SAML: Establish trust between the Samsung Cloud Platform account and a SAML 2.0 compatible credential provider
Metadata | Optional | Attach the metadata file provided by the IdP
  • Click the Attach File button to upload a file; only one file can be uploaded
  • Only UTF-8 XML documents of up to 10 MB can be uploaded
  • Metadata must include issuer name, expiration information, and the key for verifying SAML authentication responses received from the IdP
Tag | Optional | Tag to add to the credential provider group
  • Up to 50 tags can be added per resource
Table. Credential Provider Creation Information Input Items
Reference
OIDC-type credential providers are scheduled to be provided in 2026.
  5. When the popup notifying the creation of a credential provider opens, click the Confirm button.
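
Added example (not part of the Samsung Cloud Platform documentation): a local pre-upload check of an IdP metadata file against the Metadata requirements listed in the table above. It assumes that "issuer name" corresponds to the entityID attribute, "expiration information" to validUntil, and the verification key to a certificate in a signing KeyDescriptor; the function names and the sample document are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
MAX_BYTES = 10 * 1024 * 1024  # upload limit stated in the table above


def parse_xs_datetime(value: str) -> datetime:
    """Parse an xs:dateTime such as 2031-01-01T00:00:00Z into an aware datetime."""
    parsed = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_idp_metadata(raw: bytes, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found in an IdP metadata file; [] means it passes."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    if len(raw) > MAX_BYTES:
        problems.append("file is larger than 10 MB")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not UTF-8"]
    # SAML metadata needs no DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return problems + ["file contains a DTD or entity declaration"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return problems + [f"file is not well-formed XML: {exc}"]

    # Accept a single EntityDescriptor or an EntitiesDescriptor wrapper.
    entities = [root] if root.tag == MD + "EntityDescriptor" else list(root.iter(MD + "EntityDescriptor"))
    idp_entities = [e for e in entities if e.find(MD + "IDPSSODescriptor") is not None]
    if not idp_entities:
        return problems + ["no EntityDescriptor with an IDPSSODescriptor"]
    entity = idp_entities[0]
    idp = entity.find(MD + "IDPSSODescriptor")

    # Issuer name (assumption: the entityID attribute).
    if not (entity.get("entityID") or "").strip():
        problems.append("EntityDescriptor has no entityID (issuer name)")

    # Expiration information (assumption: validUntil on the descriptor or an enclosing element).
    valid_until = idp.get("validUntil") or entity.get("validUntil") or root.get("validUntil")
    if not valid_until:
        problems.append("no validUntil attribute (expiration information)")
    else:
        try:
            if parse_xs_datetime(valid_until) <= now:
                problems.append(f"metadata expired at {valid_until}")
        except ValueError:
            problems.append(f"validUntil is not a valid dateTime: {valid_until!r}")

    # Verification key: a KeyDescriptor usable for signing that carries a certificate.
    certs = []
    for key in idp.findall(MD + "KeyDescriptor"):
        if key.get("use", "signing") == "signing":  # no 'use' attribute means any use
            certs += ["".join((c.text or "").split()) for c in key.iter(DS + "X509Certificate")]
    if not certs:
        problems.append("no signing KeyDescriptor with an X509Certificate")
    for b64 in certs:
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            problems.append("X509Certificate does not decode to DER")
    return problems


def sample_metadata(valid_until: Optional[str], key_use: str) -> bytes:
    """Constructed sample metadata; the 'certificate' is placeholder bytes, not a real one."""
    placeholder = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(32)).decode()
    expiry = f' validUntil="{valid_until}"' if valid_until else ""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        f'entityID="https://idp.example.test/saml"{expiry}>'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:KeyDescriptor use="{key_use}"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{placeholder}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:SingleSignOnService Location="https://idp.example.test/sso" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>'
    ).encode("utf-8")


if __name__ == "__main__":
    when = datetime(2026, 1, 1, tzinfo=timezone.utc)
    print(check_idp_metadata(sample_metadata(None, "encryption"), when))
```

The check covers structure only; it does not validate the certificate itself or its validity period.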

Check credential provider details

You can view and edit detailed information of the credential provider. The credential provider page consists of the Basic Information and Tag tabs.

To view detailed information of the credential provider, follow the steps below.

  1. Click the All Services > Management > IAM menu. Navigate to the Service Home page of Identity and Access Management (IAM).
  2. Click the Credential Provider menu on the Service Home page. You will be taken to the Credential Provider List page.
  3. Click the credential provider you want to view on the Credential Provider List page. You will be taken to the Credential Provider Details page.
    • The Credential Provider Details page displays basic information and consists of the Basic Information tab and the Tag tab.

Basic Information

You can view and edit the basic information of the credential provider.

Category | Detailed description
Service | Service name
Resource Type | Resource Type
SRN | Unique resource ID in Samsung Cloud Platform
Resource Name | Resource Name
  • In a credential provider, it refers to the credential provider name
Resource ID | Unique Resource ID
Creator | User who created the service
Creation Time | Service Creation Time
Editor | User who modified the service information
Modification Date/Time | Date/Time when service information was edited
Credential Provider Name | Name of the Credential Provider
  • Click the Edit button to change the name
Type | Type of credential provider
Description | Credential provider description
  • Click the Edit button to change the description
Login URL | Login URL
Metadata | Metadata
  • Clicking the View Metadata button opens the currently applied metadata information in a popup window
  • Click the Edit button to upload a metadata file
    • Only UTF-8 XML documents of 10 MB or less can be uploaded
    • Metadata must include the issuer name, expiration information, and a key for verifying SAML authentication responses received from the IdP
Table. Credential Provider Basic Information Tab Items
Reference
Credential provider information used in the ID Center cannot be modified.

Tag

You can view the tag information of the credential provider and add, modify, or delete it.

Category | Detailed description
Tag List | Tag List
  • Can view the tag’s Key, Value information
  • Up to 50 tags can be added per resource
  • When entering a tag, search and select from the existing list of Keys and Values
Table. Credential Provider Tag Tab Items

Delete Credential Provider

Notice
Credential provider information used in the ID Center cannot be modified.

To delete a credential provider, follow the steps below.

  1. Click the All Services > Management > IAM menu. Go to the Service Home page of Identity and Access Management (IAM).
  2. Click the Credential Provider menu on the Service Home page. You will be taken to the Credential Provider List page.
  3. Click the name of the credential provider to delete on the Credential Provider List page. You will be taken to the Credential Provider Details page.
  4. Click the Delete Credential Provider button on the Credential Provider Details page.
  5. The credential provider is deleted, and you are taken to the Credential Provider List page.

To delete multiple credential providers simultaneously, follow the steps below.

  1. Click the All Services > Management > IAM menu. Go to the Service Home page of Identity and Access Management (IAM).
  2. Click the Credential Provider menu on the Service Home page. Navigate to the Credential Provider List page.
  3. Check the credential provider to delete from the credential provider list.
  4. Verify the selected credential provider and click the Delete Credential Provider button.
  5. The selected credential provider is deleted and the Credential Provider List page is refreshed.

6 - My Info.

My Info. provides basic user information and authentication key management functions.

Checking My Info.

Users can view and modify their basic information on the My Info. screen, and manage authentication keys.

To view My Info. information, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
    • The My Info. page displays basic information and consists of Basic Information, Users, Policies, Tags tabs.
Notice
My Info. page can also be accessed from My menu > My Info. at the top of the Console screen and from My Info. on the Console Home.

Basic Information

In the My Info. > Basic Information tab, you can view a user’s basic details and, if needed, edit the email, password, mobile phone number, password reuse limit, and time zone.

Item | Description
User Name | Name of the user
SRN | User’s SRN
Email | User’s email
Mobile Phone Number | User’s mobile phone number
Password | User’s password
Password Reuse Limit | Number of times a password cannot be reused for the user
Time Zone | User’s time zone
Terms | User’s terms
Table: My Info. Basic Information Tab Items
Notice
For instructions on how to modify basic information, see Modify Basic Information.

Authentication Key Management

In the My Info. > Authentication Key Management tab, you can view a user’s authentication key information and create new keys if needed.

Item | Description
Authentication Key | Keys created by the user
Security Settings | Security settings for authentication keys
  • Authentication Method: temporary key, authentication key
  • Allowed Access IP: IPs that control user access
Table: My Info. Authentication Key Management Tab Items

Access IP Control

In the My Info. > Access IP Control tab, you can register and manage IPs that can access the Console.

Item | Description
Console Access IP Control | Whether the Access IP Control feature is enabled
  • Use the toggle button to switch it ON or OFF
  • If enabled, at least one IP must be registered
Access IP List | List of allowed IPs
  • Enter an IP to allow and click Add to register
  • Up to 50 entries can be registered, each a single IP or in CIDR format (10.0.0.0/16)
  • Delete all: removes all IPs in the list
  • Click X next to an IP to delete
Table: Console Access IP Control Modification Items
Notice
  • The Access IP Control feature is available only to Root users and IAM users. ID Center users and role users cannot use it.
  • Even if the Access IP Control feature is not used, you can still add and manage IPs.
  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the My Info. page, click the Access IP Control tab to go to the Access IP Control page.
  4. On the Access IP Control page, click the Edit button of Console Access IP Control. The Password Confirmation popup appears.
  5. Enter your password and click Confirm. The Console Access IP Control Edit popup opens.
  6. Set the Access IP Control feature to On and register the IPs you want to allow.
  7. After registration is complete, click Confirm.
Warning
If the password is entered incorrectly five or more times, you will be logged out automatically.
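
Added example (not part of the Samsung Cloud Platform documentation): a review of a proposed access IP list before the feature is switched On, using the limits from the table above (single IP or CIDR, up to 50 entries, at least one entry when enabled). The function name, the finding codes, the /16 review threshold, and the sample addresses are assumptions made for illustration; how the Console treats a CIDR with host bits set is not stated on this page, so the example only reports it.

```python
import ipaddress
from typing import List, Tuple

MAX_ENTRIES = 50       # limit stated in the Access IP List row
BROAD_PREFIX_V4 = 16   # assumption: flag IPv4 ranges wider than /16 for review


def review_access_ips(entries: List[str], client_ip: str, enabled: bool = True) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a proposed Console access IP list."""
    findings: List[Tuple[str, str]] = []
    networks = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError:
            try:
                # e.g. 10.0.3.7/16 parses only when the host bits are ignored
                net = ipaddress.ip_network(entry.strip(), strict=False)
                findings.append(("host-bits", f"{entry} actually covers {net}"))
            except ValueError:
                findings.append(("invalid", entry))
                continue
        if net in networks:
            findings.append(("duplicate", entry))
            continue
        networks.append(net)

    if len(entries) > MAX_ENTRIES:
        findings.append(("too-many", f"{len(entries)} entries, limit is {MAX_ENTRIES}"))
    if enabled and not networks:
        findings.append(("empty", "at least one IP must be registered when the feature is ON"))

    for net in networks:
        if net.version == 4 and net.prefixlen < BROAD_PREFIX_V4:
            findings.append(("broad", f"{net} allows {net.num_addresses} addresses"))
        for other in networks:
            if other is not net and other.version == net.version and net.subnet_of(other):
                findings.append(("redundant", f"{net} is inside {other}"))
                break

    # Lockout check: the address you administer from must match an entry
    # before the feature is switched ON.
    client = ipaddress.ip_address(client_ip)
    if enabled and networks and not any(client in net for net in networks):
        findings.append(("lockout", f"{client} matches no entry"))
    return findings


if __name__ == "__main__":
    # Constructed sample list using documentation address ranges.
    proposed = ["10.0.0.0/16", "10.0.3.0/24", "203.0.113.7", "192.0.2.300", "10.0.0.0/16"]
    for code, detail in review_access_ips(proposed, client_ip="198.51.100.9"):
        print(f"{code}: {detail}")
```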

Modifying Basic Information

In the My Info. > Basic Information tab, you can edit email, password, mobile phone number, password reuse limit, and time zone.

Modifying Email

You can change the user’s email.

To modify the user’s email, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the Basic Information tab of the My Info. page, click Edit Email. The Edit Email popup appears.
  4. In the Edit Email popup, enter the characters shown in the captcha and click Confirm.
  5. Enter the Email and click Authenticate. An authentication code is sent to the entered Email.
  6. Enter the authentication code sent to the entered Email and click Confirm.
  7. In the Edit Email popup, click Confirm. The Password Confirmation popup appears.
  8. In the Password Confirmation popup, enter the password and click Confirm. You return to the Basic Information tab.
Warning
  • If the password is entered incorrectly five or more times, you will be logged out automatically.
  • Enter your email information accurately. If the authentication code is not received, check your spam folder.

Modifying Password

You can change the user’s password.

To modify the user’s password, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the Basic Information tab of the My Info. page, click Edit Password. The Change Password popup appears.
  4. In the Change Password popup, enter Current Password, New Password, and Confirm Password.
  5. Click Confirm in the Change Password popup. You return to the Basic Information tab.
Warning

Password change precautions

  • If the current password is entered incorrectly five or more times, you will be logged out automatically.
  • Must include at least one uppercase letter, one lowercase letter, one number, and one special character (! @ # $ % & * ^).
  • Length must be 9–20 characters.
  • Cannot use ID or username as password.
  • Cannot use the same character more than three times consecutively.
  • Cannot use easily guessable passwords.
  • Cannot reuse recent passwords.
  • Cannot have sequences of four or more consecutive characters/numbers.
  • Password change cycle is 90 days.

Modifying Mobile Phone Number

You can change the user’s mobile phone number.

To change the user’s mobile phone number, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the Basic Information tab of the My Info. page, click Change Mobile Phone Number. The Change Mobile Phone Number popup appears.
  4. In the Change Mobile Phone Number popup, enter the captcha characters and click Confirm.
  5. Choose a verification method for the mobile phone number:
    • Verify via SMS: Sends verification code via SMS.
    • Verify via Knox Teams: Sends verification code via Knox Teams.
  6. Enter the new mobile phone number and click Verify.
  7. Enter the verification code sent via SMS or Knox Teams and click Confirm.
  8. In the Change Mobile Phone Number popup, click Confirm. The Password Confirmation popup appears.
  9. In the Password Confirmation popup, enter the password and click Confirm. You return to the Basic Information tab.
Notice
Verify via Knox Teams is available only when using a Knox email account.
Warning
  • If the password is entered incorrectly five or more times, you will be logged out automatically.
  • Enter your mobile phone number accurately. If the verification code is not received, check your spam folder.

Modifying Password Reuse Limit

You can change the number of times a password cannot be reused for the user.

To modify the password reuse limit, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the Basic Information tab of the My Info. page, click Edit Password Reuse Limit. The Edit Password Reuse Limit popup appears.
  4. In the Edit Password Reuse Limit popup, select the number of recent passwords that cannot be reused.
  5. Click Confirm in the Edit Password Reuse Limit popup. You return to the Basic Information tab.

Modifying Time Zone

You can change the user’s time zone.

To modify the time zone, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the Basic Information tab of the My Info. page, click Edit Time Zone. The Edit Time Zone popup appears.
  4. Select the desired time zone.
  5. Click Confirm in the Edit Time Zone popup. You return to the Basic Information tab.

Managing Authentication Keys

In the My Info. > Authentication Key Management tab, you can create authentication keys and manage security settings.

Creating an Authentication Key

You can generate an authentication key for the user.

To create an authentication key, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. Click the Authentication Key Management tab on the My Info. page to go to the Authentication Key Management tab.
  4. Click the Create Authentication Key button. You are taken to the Create Authentication Key page.
  5. On the Create Authentication Key page, enter the Expiration Period and Usage.
    • The Expiration Period can be a number between 1 and 365.
    • Selecting Permanent for the Expiration Period makes the key usable indefinitely.
  6. Review the authentication key creation details and click Create. You return to the Authentication Key Management tab.
Reference
  • You can create up to 2 authentication keys.
  • After creating a new authentication key, you must apply the updated API authentication key to any services you are using.
  • Security settings allow you to configure the authentication method and allowed access IP.
  • With a created authentication key, you can issue temporary keys via API, up to 5 per authentication key.

Viewing Authentication Key Details

To view detailed information of an authentication key, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. Click the Authentication Key Management tab on the My Info. page to go to the Authentication Key Management tab.
  4. In the Authentication Key Management tab, click the authentication key you want to view. You are taken to the Authentication Key Detail page.
    • The Authentication Key Detail page consists of Basic Information and Authentication Key Management tabs.

Basic Information

In the Basic Information tab of the Authentication Key Detail, you can view the basic information of the selected authentication key.

Item | Description
Authentication Key Usage | Indicates whether the authentication key is in use
  • Click Use or Disable to set
Delete Authentication Key | Delete the authentication key
Authentication Key | Access Key and Secret Key information
  • Click the Authentication Key button, then enter your password in the Password Confirmation popup to view
Usage | Purpose of the authentication key
Creation Date | Date and time when the user created the authentication key
Expiration Date | Expiration date and time of the authentication key
Secret Vault | Whether Secret Vault service is used
  • If Secret Vault service is used, the authentication key cannot be disabled or deleted
Table: Authentication Key Management > Basic Information Items
Warning
If the password is entered incorrectly five or more times, you will be logged out automatically.

User Temporary Keys

The User Temporary Keys tab of the Authentication Key Detail displays a list of temporary keys for the selected authentication key.

Notice
Temporary keys can only be created via API; the User Temporary Keys tab allows only viewing and deletion.
| Item | Description |
| --- | --- |
| Delete | Delete the selected temporary key from the list. Enabled when a temporary key is selected |
| More | View usage status of the selected temporary key. Enabled when a temporary key is selected |
| Access Key | Unique string for API calls |
| Secret Key | Security token used with the Access Key. Click View to open a Password Confirmation popup, then enter your password to view |
| Creation Date | Date and time when the user created the authentication key |
| Expiration Date | Expiration date and time of the authentication key |
| Status | Whether the authentication key is active |
Table: Authentication Key Management > User Temporary Key Details
Warning
If the password is entered incorrectly five or more times, you will be logged out automatically.

Secret Vault Temporary Keys

The Secret Vault Temporary Keys tab of the Authentication Key Detail displays a list of Secret Vault temporary keys for the selected authentication key.

Notice
  • You can view this tab when the Secret Vault service is in use.
  • Temporary keys can only be created via API; the Secret Vault tab allows only viewing and deletion.
| Item | Description |
| --- | --- |
| Delete | Delete the selected temporary key from the list. Enabled when a temporary key is selected |
| More | View usage status of the selected temporary key. Enabled when a temporary key is selected |
| Access Key | Unique string for API calls |
| Secret Key | Security token used with the Access Key. Click View to open a Password Confirmation popup, then enter your password to view |
| Creation Date | Date and time when the user created the authentication key |
| Expiration Date | Expiration date and time of the authentication key |
| Status | Whether the authentication key is active |
Table: Authentication Key Management > Secret Vault Temporary Key Details
Warning
If the password is entered incorrectly five or more times, you will be logged out automatically.

Modifying Authentication Key Security Settings

You can register security settings for a user’s authentication key.

To register security settings for a user’s authentication key, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. In the My Info. page, click the Authentication Key Management tab to go to the Authentication Key Management tab.
  4. Click the Edit Security Settings button in the Authentication Key Management tab. You are taken to the Edit Authentication Key Security Settings page.
  5. On the Edit Authentication Key Security Settings page, enter Authentication Method and Allowed Access IP.
    • Authentication Method: temporary key, authentication key
      • Access is allowed only when the authentication method set for the API call matches.
      • Temporary key: authentication using a temporary key issued with an authentication key and verification code.
      • Authentication key: authentication using the authentication key created in the Console.
    • Allowed Access IP: IPs that control user access
      • When On, only the specified IP range is allowed.
      • If On is set but no IPs are registered, all IPs are denied.
      • When Off, all IPs are allowed.
      • Up to 50 IPs can be registered.
      • IP address or CIDR can be entered.
  6. Review the authentication key security settings and click Confirm. You return to the Authentication Key Management tab.
Reference
  • South Korea (kr-south) region limitation
    • When Allowed Access IP is set to On, only IP addresses can be entered. CIDR cannot be entered.
Warning
  • It is recommended to use temporary key authentication and enable Allowed Access IP.
  • When authenticating with an authentication key, email or SMS verification steps are omitted, which may pose security risks.
  • If Allowed Access IP is not used, any IP can connect, posing security risks.
  • When Allowed Access IP is used, if no IPs are registered, all access is blocked.
  • Authentication keys with Secret Vault temporary keys cannot be disabled or deleted until the Secret Vault service is terminated for each region within the account.
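
A pre-flight check for the Allowed Access IP rules above, added here as an example (it is not Samsung Cloud Platform code and not part of the original guide). The function names and sample addresses are constructed for illustration, and flagging a /0 entry is an added check that the page does not mention.

```python
import ipaddress

MAX_ENTRIES = 50  # the page: "Up to 50 IPs can be registered."


def _parse(entry):
    """Return the entry as a network, or None if it is not an IP or CIDR."""
    try:
        # strict=False accepts host bits in a CIDR, e.g. "1.1.1.1/24"
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def lint_allowed_ips(enabled, entries, region=""):
    """Return a list of problems with a proposed Allowed Access IP setting."""
    if not enabled:
        return ["Off: all IPs are allowed"]
    problems = []
    if not entries:
        problems.append("On with no IPs registered: all IPs are denied")
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    for entry in entries:
        network = _parse(entry)
        if network is None:
            problems.append(f"{entry}: not an IP address or CIDR")
            continue
        if "/" in entry and region == "kr-south":
            problems.append(f"{entry}: CIDR cannot be entered in kr-south")
        if network.prefixlen == 0:
            # added check (not from the page): a /0 range covers every address
            problems.append(f"{entry}: matches every address, same effect as Off")
    return problems


def is_allowed(source_ip, enabled, entries):
    """Apply the On/Off rules to one caller address."""
    if not enabled:
        return True
    address = ipaddress.ip_address(source_ip)
    networks = [n for n in map(_parse, entries) if n is not None]
    return any(address in n for n in networks)


def locked_out(enabled, entries, caller_ips):
    """List the known callers that the setting would block."""
    return [ip for ip in caller_ips if not is_allowed(ip, enabled, entries)]


if __name__ == "__main__":
    # Constructed sample: one allowed range, two services that use the key.
    proposed = ["198.51.100.0/24"]
    callers = ["198.51.100.7", "203.0.113.10"]
    print(lint_allowed_ips(True, proposed, region="kr-south"))
    print(locked_out(True, proposed, callers))
```

Run `locked_out` against the addresses of every service that uses the key before switching Allowed Access IP to On.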

Deleting an Authentication Key

Notice
  • An authentication key can be deleted only when it is in the Disabled state. Disable the key before deletion.
  • If the Secret Vault service is used, the authentication key cannot be disabled. Terminate the Secret Vault service first.

To delete an authentication key, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. Click the Authentication Key Management tab on the My Info. page to go to the Authentication Key Management tab.
  4. In the authentication key list on the Authentication Key Management tab, click the authentication key you want to delete. You are taken to the Authentication Key Detail page.
  5. On the Authentication Key Detail page, click the Delete Authentication Key button.
  6. The authentication key is deleted and you return to the Authentication Key Management tab.

To delete multiple keys at once, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu to go to the My Info. page.
  3. Click the Authentication Key Management tab on the My Info. page to go to the Authentication Key Management tab.
  4. In the authentication key list on the Authentication Key Management tab, check the authentication keys you want to delete.
  5. Confirm the selected authentication keys and click the Delete Authentication Key button.
  6. The selected authentication keys are deleted and the Authentication Key Management tab refreshes.

Managing Access IPs

In the My Info. > Access IP Control tab, you can register and manage IPs that can access the Console.

The Access IP Control feature allows you to restrict Console access to registered IP ranges only.

Notice
  • The Access IP Control feature is available only to Root users and IAM users. ID Center users and role users cannot use it.
  • Even if the Access IP Control feature is not used, you can still add and manage IPs.

To use the Access IP Control feature and manage IPs, follow these steps.

  1. Click the All Services > Management > IAM menu. This navigates to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the My Info. menu. The My Info. page opens.
  3. In the My Info. page, click the Access IP Control tab. The Access IP Control page opens.
  4. On the Access IP Control page, click the Edit button of Console Access IP Control. The Password Confirmation popup appears.
  5. Enter your password and click Confirm. The Console Access IP Control Edit popup opens.
  6. After setting the Access IP Control feature to On, register the IPs you want to allow.
  7. After registration is complete, click Confirm.
Warning
If the password is entered incorrectly five or more times, you will be logged out automatically.

7 - JSON Writing Guide

Policies are divided into identity-based policies and resource-based policies.

  • Identity-based policy: A policy granted to a principal (subject) that performs actions, such as a user, group, or role.
  • Resource-based policy: A policy granted to a resource that determines whether a principal (subject) is allowed or denied (Effect) actions on that specific resource.
Note
Generally, identity-based policies do not need to specify a separate Principal attribute, but resource-based policies must specify a Principal attribute.

Resource-based Policy

A resource-based policy grants a specified principal (requester) permission to perform specific operations on the resource. Resource-based policies are therefore granted directly to resources; only the users defined in the policy can exercise it, and the user to whom the policy is granted becomes the security principal.

Warning
Resource-based policies specify the principal through the Principal attribute, so you must enter the Principal attribute when creating the policy.
{
  "Version": "2024-07-01",
  "Statement": [
        {
            "Sid": "statement1",
            "Action": ["object-store:UploadObject"],
            "Principal": {
                "scp":"srn:e::1234:::scp-iam:user/abc3d3442"
            },
            "Effect": "Allow",
            "Resource": "srn:e:::::object-store:bucket/foo"
        }
    ]
}
Example: Allowing UploadObject action on bucket resource to specific user only

Resource-based Policy Structure

The syntax structure and item-by-item description of resource-based policies are as follows.

{
  "Version": "2024-07-01",                                 # Version of policy syntax (fixed to 2024-07-01)
  "Statement": [
    {
      "Sid": "statement1",                                 # Policy element ID
      "Effect": "Allow",                                   # Policy effect
      "Action": ["iam:showUser"],                          # Action content defined in the policy
      "Principal": {
          "scp":"srn:e::1234:::iam:user/ROOT"              # Principal that is the target of the policy
      },
      "Resource": "srn:e::kr-west1:::scp-iam:group/foo",   # Resource where policy action is allowed
      "Condition": {                                       # Policy condition
          "StringEquals": {
            "iam:userName": [
              "scp_test_user"
              ]
          }
        }
    }
  ]
}
Resource-based Policy Syntax Structure
| Item | Description | Required |
| --- | --- | --- |
| Version | Defines the version of the policy language. Used with a different meaning than policy version; the current version is "2024-07-01" | Required |
| Statement | Main element information of the policy | Required |
| Statement.Sid | Policy element ID (unique ID for elements within the same policy) | Optional |
| Statement.Effect | Policy application effect (Allow: Allow / Deny: Deny) | Required |
| Statement.Principal | Security principal | Required |
| Statement.Action | Policy application target action (must specify at least one of Action/NotAction) | Optional |
| Statement.Resource | List of resources that are the target of policy judgment | Required |
| Statement.Condition | Policy judgment condition information | Optional |
Table. Description of Policy Structure Items

Version

Version is used with a different meaning than policy version, and the current version is “2024-07-01”.

{
   "Version" : "2024-07-01"
}

Statement

Statement is information about the main elements of the policy and can be defined in the form of a single element or an array of individual elements.

"Statement" : [{statement}]
"Statement" : [{statement}, {statement}, {statement}]
Note
If there are 2 or more policy elements, write multiple elements in the array. In this case, the operation between each element is defined as OR.

Statement.Effect

Statement.Effect defines whether the policy operation is allowed.

"Effect" : "Allow" # Allow
"Effect" : "Deny"  # Deny
Warning
Effect values are case-sensitive.

Statement.Principal

Statement.Principal specifies the principal that is allowed or denied access to the resource in a resource-based policy. The principals that can be specified in the Principal element are as follows:

  • Root user
  • IAM user
  • IAM role
  • Service account
Warning
  • Principal can have one or more values, and if there are one or more, write them as an array.
  • Principal cannot use wildcards (*).
"Principal" : { "scp": "srn:e::1234:::iam:user/root_user_id" }

"Principal" : {
    "scp": [
        "srn:e::1234:::iam:user/abc33333",
        "srn:e::1234:::iam:user/kef12344"
    ]
}

"Principal": {
    "Service": [
      "apigateway.samsungsdscloud.com"
    ]
}

Statement.Action

Statement.Action defines the action to be evaluated in the policy check.

  • Action names are case-sensitive.
  • Write the action in the format of the action name defined in the action definition.
Warning
Only actions of the service providing the corresponding resource can be entered for the action (however, actions such as adding tags and integrated resource lookup provided by common functions can be added).
"Action" : ["{action_expression}"]                               # Single action
"Action" : ["{action_expression}", "{action_expression}", ... ]  # Multiple actions

Statement.Resource

Statement.Resource defines the SRN that specifies a specific resource or set of resources to which the policy applies.

  • Resource expressions are case-sensitive.
  • Write resource_expression in wildcard ("*") or SRN format.
Warning
  • The SRN of the resource to which the resource-based policy is granted must be included; if that resource has sub-resources, they can be written as well.
  • Only resources described in the action definition for the policy's action can be written in Resource; resources that are not defined there are ignored during policy evaluation.
  • Wildcards (*) can also be used for sub-resources.
"Resource" : ["{resource_expression}"]                                 # Single resource
"Resource" : ["{resource_expression}", "{resource_expression}", ... ]  # Multiple resources
Note

In resource_expression, wildcards can be written in each element of the SRN, and the supported form depends on the type of element.

  • SRN elements not supporting wildcard
    • Among SRN elements, offering, account_id, and service-type do not support wildcards.
"Resource" : ["srn:*::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"]   # offering wildcard notation (X)
"Resource" : ["srn:e::*:kr-west1::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"]                                  # account wildcard notation (X)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::*:instance/d12937a6db0940499fdb0e18ad57b101"]   # service type notation (X)
  • SRN elements supporting wildcard
    • Among SRN elements, resource-type, resource-identifier, and region support entire or partial wildcards.
    • For partial wildcards, you can write expressions like “foo , foo*, foo, fo”.
#  region
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:*::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"]     # Entire (O)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-*::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"]  # Partial (O)

# resource-type
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:*/d12937a6db0940499fdb0e18ad57b101"]     # Entire (O)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:ins*/d12937a6db0940499fdb0e18ad57b101"]  # Partial (O)

# resource-identifier
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:instance/*"]                             # Entire (O)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:instance/d12*101"]                       # Partial (O)

Form of the action_definition resources definition for a single resource (user lookup)

kind: scp-iam:action-definition
service: iam
paths:
  /v1/users/{user_id}:
    get:
      resources:
      - "iam:user":
           resource_id: "path['user_id']"  # Scope of resources supported in user lookup action
Example of resources definition when single resource
{
  "Version": "2024-07-01",
  "Statement": [
        {
            "Sid": "statement1",
            "Action": ["iam:showUser"],
            "Effect": "Allow",
            "Resource": [
                    "*",  #  Expression for all resources,
                    "srn:e:::::scp-iam:user/94c2ae8e7d5d471683a6135446183a12", # Expression for specific user resource
                    "srn:e:::::scp-iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource -> If you write that resource in user lookup action, the written content is ignored during policy evaluation.
             ]
        }
    ]
}
Example of policy resource definition when single resource

Form of the action_definition resources definition for multiple resources (user policy lookup)

When defining multiple different resources, define the resource type written in the policy.

Warning
  • When judging the policy, it is judged as successful only if the content written in the policy satisfies the condition based on the resources defined in the action definition file.
  • If not all resources defined in the action definition file are written in the policy, it is judged as not meeting the policy condition.
kind: scp-iam:action-definition
service: iam
paths:
  /v1/user/{user_id}/policy/{policy_id}:
    get:
      resources:
      - "iam:user":
         resource_id : "path['user_id']"
      - "iam:policy":
         resource_id : "path['policy_id']"
  • Normal: Specific user specific policy example
{
  "Version": "2024-07-01",
  "Statement": [
        {
            "Sid": "statement1",
            "Action": ["iam:ShowUserPolicy"],
            "Effect": "Allow",
            "Resource": [
                    "srn:e:::::iam:user/94c2ae8e7d5d471683a6135446183a12",  # Expression for specific user resource
                    "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource
             ]
        }
    ]
}
Normal: Specific user specific policy example
  • Normal: All users specific policy example

    {
      "Version": "2024-07-01",
      "Statement": [
            {
                "Sid": "statement1",
                "Action": ["iam:ShowUserPolicy"],
                "Effect": "Allow",
                "Resource": [
                        "srn:e:::::iam:user/*",                                 # Expression for all user resources
                        "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource
                 ]
            }
        ]
    }
    Normal: All users specific policy example

  • Abnormal: user resource not described example

    {
      "Version": "2024-07-01",
      "Statement": [
            {
                "Sid": "statement1",
                "Action": ["iam:ShowUserPolicy"],
                "Effect": "Allow",
                "Resource": [
                        "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource
                 ]
            }
        ]
    }
    Abnormal: user resource not described example
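
The resource rules above (no wildcards in offering, account_id, or service-type; every resource type in the action definition must be written in the policy; other types are ignored) can be checked before a policy is saved. This is an added example, not the platform's evaluator: the SRN field positions are inferred from the page's sample SRNs, the labels `reserved1`/`reserved2` and all function names are hypothetical, and because the page writes the service as both iam and scp-iam, only the resource type is compared.

```python
import re

# Colon-separated SRN positions, inferred from the page's sample SRNs. The two
# empty positions are not named on the page; "reserved" is a label used here.
FIELDS = ("prefix", "offering", "reserved1", "account_id", "region",
          "reserved2", "service_type", "resource")
NO_WILDCARD = ("offering", "account_id", "service_type")


def parse_srn(expr):
    """Split an SRN expression into named fields."""
    parts = expr.split(":")
    if len(parts) != len(FIELDS) or parts[0] != "srn":
        raise ValueError(f"not an SRN expression: {expr!r}")
    srn = dict(zip(FIELDS, parts))
    resource_type, _, resource_id = srn.pop("resource").partition("/")
    srn["resource_type"], srn["resource_id"] = resource_type, resource_id
    return srn


def wildcard_match(pattern, value):
    """Match value against pattern, with '*' as the only wildcard."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def lint_resources(resources, defined_types):
    """Check a statement's Resource list against an action definition.

    defined_types are the keys under `resources:` in the action definition,
    e.g. ["iam:user", "iam:policy"]. The report lists invalid expressions
    (errors), expressions the evaluator would ignore (ignored), and defined
    types with no expression in the policy (missing).
    """
    report = {"errors": [], "ignored": [], "missing": []}
    covered = set()
    for expr in resources:
        if expr == "*":  # expression for all resources
            covered.update(defined_types)
            continue
        try:
            srn = parse_srn(expr)
        except ValueError as exc:
            report["errors"].append(str(exc))
            continue
        bad = [field for field in NO_WILDCARD if "*" in srn[field]]
        if bad:
            report["errors"].append(
                f"{expr}: wildcard not supported in {', '.join(bad)}")
            continue
        hits = {d for d in defined_types
                if wildcard_match(srn["resource_type"], d.split(":", 1)[1])}
        if hits:
            covered |= hits
        else:
            report["ignored"].append(expr)
    report["missing"] = [d for d in defined_types if d not in covered]
    return report


if __name__ == "__main__":
    # The "Abnormal" policy from the page: the user resource is not written.
    policy_only = ["srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f"]
    print(lint_resources(policy_only, ["iam:user", "iam:policy"]))
```

A non-empty `missing` list means the statement can never satisfy the action, and a non-empty `ignored` list usually means the Resource entry was written for the wrong action.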

Statement.Condition

Statement.Condition defines application conditions for a specific target to which the policy applies within the policy.

  • Condition entries are case-sensitive unless noted otherwise.
  • Write a condition expression that uses a condition operator to compare the value set in the policy for a resource attribute condition key (or global condition key) with the actual request (or resource attribute) value.
"Condition" : {
	"{qualifier:}{operator}" : {
    	"{condition-key}" : ["{condition-value}"],
	    "{condition-key2}" : ["{condition-value}"]
	}
}
| Item | Required | Case Sensitive | Description |
| --- | --- | --- | --- |
| operator | Required | O | Condition operator. If 2 or more operators are defined, AND operation |
| condition-key | Required | X | Policy condition key (global condition key, resource attribute condition key). If 2 or more condition-keys are defined, AND operation |
| condition-value | Required | Depends on operator | Policy condition value |
| qualifier | Optional | O | Qualifier, when the condition value extracted from the request context is 2 or more. Definition method for operand and comparison condition |
Table. Description of Statement.Condition Option Items
Guide

When 2 or more values are defined for a Condition Key of the same Condition Operator, the judgment between Values operates as OR. However, if the Operator is of Negative Operator type, the operation operates as NOR, not OR.

  • Positive Operator type and example (when userName is “foo” or “bar” and company is “Samsung”)
    Positive Operator type
"Condition": {
   "StringEquals": {
      "iam:userName": [  # When User's name is foo or bar
          "foo", "bar"
      ],
      "iam:userCompany": [  # When User's company is Samsung
          "Samsung"
      ]
    }
  }
  • Negative Operator type and example (all IPs where IP is not in the 1.1.1.1/24 and 2.2.2.2/24 ranges)
    Negative Operator type
"Condition": {
   "NotIpAddress": {
      "scp:SourceIp": [  # When request IP is neither 1.1.1.1 nor 2.2.2.2
          "1.1.1.1/24", "2.2.2.2/24"
      ]
    }
  }

Condition Operator

Seven types of condition operators are provided: string, numeric, date, Bool, IP, SRN, and Null.

  • String operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | StringEquals | Positive Operator | Exact match, case sensitive |
    | StringNotEquals | Negative Operator | Mismatch |
    | StringEqualsIsIgnoreCase | Positive Operator | Exact match, case insensitive |
    | StringNotEqualsIsIgnoreCase | Negative Operator | Mismatch, case insensitive |
    | StringLike | Positive Operator | Case sensitive match, wildcard with multi-character match (*) can be included in value |
    | StringNotLike | Negative Operator | Case sensitive mismatch, wildcard with multi-character match (*) can be included in value |
    Table. String Operators

  • Numeric operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | NumericEquals | Positive Operator | Match |
    | NumericNotEquals | Negative Operator | Mismatch |
    | NumericLessThan | Positive Operator | Less than match |
    | NumericLessThanEquals | Positive Operator | Less than or equal match |
    | NumericGreaterThan | Positive Operator | Greater than match |
    | NumericGreaterThanEquals | Positive Operator | Greater than or equal match |
    Table. Numeric Operators

  • Date operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | DateEquals | Positive Operator | Match specific date |
    | DateNotEquals | Negative Operator | Mismatch |
    | DateLessThan | Positive Operator | Match before specific date/time |
    | DateLessThanEquals | Positive Operator | Match on or before specific date/time |
    | DateGreaterThan | Positive Operator | Match after specific date/time |
    | DateGreaterThanEquals | Positive Operator | Match on or after specific date/time |
    Table. Date Operators

  • Bool operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | Bool | Positive Operator | True, False match |
    Table. Bool Operators

  • IP operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | IpAddress | Positive Operator | Specified IP address or range |
    | NotIpAddress | Negative Operator | All IP addresses except specified IP address or range |
    Table. IP Operators

  • SRN operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | SrnEquals, SrnLike | Positive Operator | SRN match |
    | SrnNotEquals, SrnNotLike | Negative Operator | SRN mismatch |
    Table. SRN Operators

  • Null operators

    | Condition Operator | Operator Type | Description |
    | --- | --- | --- |
    | Null | Positive Operator | When key is missing or value is null → True. When key exists and value is not null → False |
    Table. Null Operators
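
How the AND, OR, and NOR rules above combine, shown as an added example that is not the platform's evaluator. It assumes a single-valued request context (no qualifier), covers only the string-equality and IP operators, and treats a key missing from the request as a failed condition, which the page does not specify; the function names are hypothetical.

```python
import ipaddress


def _in_network(cidr, address):
    # strict=False accepts host bits, as in the page's "1.1.1.1/24"
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


# operator name -> (match(policy_value, request_value), is a Negative Operator)
OPERATORS = {
    "StringEquals": (lambda p, v: p == v, False),
    "StringNotEquals": (lambda p, v: p == v, True),
    "StringEqualsIsIgnoreCase": (lambda p, v: p.lower() == v.lower(), False),
    "StringNotEqualsIsIgnoreCase": (lambda p, v: p.lower() == v.lower(), True),
    "IpAddress": (_in_network, False),
    "NotIpAddress": (_in_network, True),
}


def evaluate_condition(condition, context):
    """Evaluate a Condition block against one request context (a dict)."""
    # condition keys are not case sensitive; operator names are
    request = {key.lower(): value for key, value in context.items()}
    for operator, keys in condition.items():          # operators: AND
        if operator not in OPERATORS:
            raise ValueError(f"unknown operator {operator!r}")
        match, negative = OPERATORS[operator]
        for key, values in keys.items():              # condition keys: AND
            actual = request.get(key.lower())
            if actual is None:
                return False                          # assumption, see lead-in
            matched = any(match(value, actual) for value in values)
            # Positive operator: one value must match (OR).
            # Negative operator: no value may match (NOR).
            if matched == negative:
                return False
    return True


def naive_not_ip(values, source_ip):
    """Misreading of NotIpAddress as an OR of negations, kept for contrast."""
    return any(not _in_network(value, source_ip) for value in values)


if __name__ == "__main__":
    # The page's Negative Operator example; the request address is constructed.
    condition = {"NotIpAddress": {"scp:SourceIp": ["1.1.1.1/24", "2.2.2.2/24"]}}
    request = {"scp:SourceIp": "1.1.1.200"}
    print("NOR (page's rule):", evaluate_condition(condition, request))
    print("OR of negations  :",
          naive_not_ip(condition["NotIpAddress"]["scp:SourceIp"], "1.1.1.200"))
```

With two excluded ranges, an OR of negations is true for every address, which is why the NOR rule matters when a Deny or Allow statement depends on NotIpAddress.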

Condition Key

Condition keys are divided into global condition keys and resource attribute keys.

Note
Condition keys are not case sensitive.
Global Condition Key

Global condition keys are predefined in Samsung Cloud Platform and define data such as request information, common resource information (e.g., tags), and network information.

| Condition Key | Data Type | Singular/Plural | Description | Example |
| --- | --- | --- | --- | --- |
| scp:UserId | string | single | Request user id | "scp:UserId" : ["efda56a968cd45b2873d9bf5fab58e95"] |
| scp:UserName | string | single | Request user name | "scp:UserName" : ["foo"] |
| scp:MultiFactorAuthPresent | bool | string | Whether request was made through MFA authentication | "scp:MultiFactorAuthPresent" : ["True"] |
| scp:RequestedRegion | string | single | Request region | "scp:RequestedRegion" : ["kr-west1"] |
| scp:RequestAttribute/{AttributeKey} | string | single | Request attribute value (AttributeKey): body, query, header | "scp:RequestAttribute/body['foo']" : ["true"] |
| scp:TagKeys | string | single / multiple | Request tag key | "scp:TagKeys" : ["tag-key"] |
| scp:RequestTag | string | single | Request tag key value | "scp:RequestTag/tag-key" : ["tag-value"] |
| scp:ResourceTag/{TagKey} | string | single | Resource tag key value | "scp:ResourceTag/foo" : ["bab"] |
| scp:SourceIp | ip_address | single | IP of the subject currently requesting | "scp:SourceIp" : ["1.1.1.1/24"] |
| scp:CurrentTime | datetime | single | Request time (UTC based, ISO 8601 format) | "scp:CurrentTime" : ["2025-11-06T16:10:38Z"] |
Table. Types and Formats of Supported Global Condition Keys
Resource Attribute Key

An attribute key for a specific resource, used when checking condition values based on resource attribute values.

"{service}:{resource_type}{attribute_name}"
Guide
Resource attribute keys can be used only for attributes marked abac: true in the Resource definition; if an undefined attribute value is entered, that condition is ignored (Not found).
  • Resource attribute name usage example
"iam:userLastname"  (O) # Attribute name defined in resource (service: iam, resource: user, attribute_name : lastname)
"iam:userLASTNAME"  (O) # Attribute name defined in resource (case insensitive)
"iam:userLast_name" (X) # If not an attribute name defined in resource
"iam:userEmail"     (X) # If abac is false
"iam:state"         (X) # If abac field is not defined
kind: scp-resourcemanager:resource-definition
service_type: scp-iam
name: scp-iam:user
resources_uri: /v1/users
resource_type: user
display_name:
  ko: '사용자'
  en: 'User'
product_id: IAM
attributes:
  state:
    type: string
    uri: /v1/users/{resource_id}
    method: GET
    jsonpath: $.state
  firstname:
    type: string
    uri: /v1/users/{resource_id}
    method: GET
    jsonpath: $.first_name
    abac: true
  lastname:
    type: string
    uri: /v1/users/{resource_id}
    method: GET
    jsonpath: $.last_name
    abac: true
  email:
    type: string
    uri: /v1/users/{resource_id}
    method: GET
    jsonpath: $.email
    abac: false
scp-iam:user resource_definition example
Note
  • Resource attribute names come from the attributes section of the Resource definition.
  • For more information about Resource definition, see the Resource Definition guide.
Condition Key Definition Example
  • Global condition key example: A policy that allows group detail lookup only when the value of the key (Environment) of a specific policy resource tag is “Local” or “Dev”
{
  "Version": "2024-07-01",
  "Statement": [
    {
      "Sid": "statement1",
      "Action": ["iam:showPolicy"],
      "Effect": "Allow",
      "Resource": ["*"],
      "Condition": {
          "StringEquals": {
            "scp:ResourceTag/Environment": [  # Definition form using global condition key (scp:ResourceTag)
              "Local", "Dev"
            ]
          }
      }
    }
  ]
}
Global condition key example
  • Resource attribute key example
    {
      "Version": "2024-07-01",
      "Statement": [
        {
          "Sid": "statement1",
          "Action": ["server:showInstance"],
          "Effect": "Allow",
          "Resource": ["*"],
          "Condition" : {
               "StringEquals" : {
                   "virtual-servers:instanceFlavor" : ["m1.small"] # When the flavor attribute of the instance resource of the virtual-servers service is "m1.small"
                }
           }
        }
      ]
    }
    Resource attribute key example

Policy Condition Value

Defines the value for the condition key.

Note
When multiple policy condition values are defined, each condition value operates as OR.
"Condition" :  {
   "StringEquals" : {
        "scp:resourceTag/key1": ["value1", "value2", "value3"]    # When the value of resource tag key key1 is value1, value2, or value3
   }
}

Qualifier

Defines how the condition is evaluated when the Condition key yields multiple request context values (omit the qualifier when there is only 1 request context value). The qualifiers are ForAnyValue and ForAllValues; if no qualifier is written, ForAnyValue is used as the default.

  • ForAnyValue: True when at least one of the values extracted from the request context matches the Operand defined in the Condition
  • ForAllValues: True when the values extracted from the request context are a subset of the Operand list defined in the Condition
{
  ...
  "Condition" :  {
       "ForAllValues:StringEquals" : {
            "scp:TagKeys": ["key1", "key2", "key3"]
        }
  }
}
Qualifier Operation Example
  • When 1 request value is extracted from “scp:TagKeys”: it is compared against each Operand as OR, regardless of the qualifier
  • When 2 or more request values are extracted from “scp:TagKeys”: the result differs according to the qualifier
# When the extracted request context value is ["key1", "key2", "key4"]
Operand: ["key1", "key2", "key3"]
   # key1 among request context values is included in Operand, so True
   # key2 among request context values is included in Operand, so True
   # key4 among request context values is not included in Operand, so False

ForAnyValue evaluates to True if at least 1 of the 3 request context values matches
ForAllValues evaluates to True only if all 3 request context values match
ForAnyValue, ForAllValues operation example
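The following added example (not code from the platform or this guide) models the OR across condition values and the two qualifiers as described above, and runs the guide's ["key1", "key2", "key4"] case alongside single-value and empty request contexts. The function names are hypothetical, and combining several keys or operators with AND is an assumption, since this section documents only the OR across the values of one key.

```python
# Added example: a model of the qualifier rules on this page, not SCP's policy engine.
QUALIFIERS = ("ForAnyValue", "ForAllValues")


def evaluate(condition, context):
    """Evaluate a policy "Condition" block against a request context.

    context maps a condition key to the list of values extracted from the
    request. Only StringEquals is modelled. Several keys or operators are
    ANDed together, which is an assumption: the page documents only the OR
    across the condition values of a single key.
    """
    for op_name, keys in condition.items():
        qualifier, _, operator = op_name.rpartition(":")
        qualifier = qualifier or "ForAnyValue"  # default when none is written
        if operator != "StringEquals" or qualifier not in QUALIFIERS:
            raise ValueError(f"unsupported operator: {op_name}")
        for key, operands in keys.items():
            # One entry per request context value: is it in the Operand list?
            hits = [value in operands for value in context.get(key, [])]
            matched = all(hits) if qualifier == "ForAllValues" else any(hits)
            if not matched:
                return False
    return True


def condition(qualifier=None):
    """Build the page's scp:TagKeys condition with an optional qualifier."""
    op = f"{qualifier}:StringEquals" if qualifier else "StringEquals"
    return {op: {"scp:TagKeys": ["key1", "key2", "key3"]}}


def compare(tag_keys):
    """Return (no qualifier, ForAnyValue, ForAllValues) results for one request."""
    context = {"scp:TagKeys": tag_keys} if tag_keys is not None else {}
    return tuple(evaluate(condition(q), context)
                 for q in (None, "ForAnyValue", "ForAllValues"))


if __name__ == "__main__":
    # Constructed request contexts; the first is the page's worked case.
    for keys in (["key1", "key2", "key4"], ["key1"], ["key4"], [], None):
        print(keys, compare(keys))
```

In this model a request that carries no tag keys satisfies ForAllValues, because an empty set is a subset of any Operand list. This section does not say how the platform treats that case, so verify it before relying on ForAllValues alone in an Allow statement.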