The page has been translated by Gen AI.
JSON Writing Guide
Policies are divided into identity-based policies and resource-based policies.
- Identity-based policy: Policy granted to a principal (subject) that performs actions such as users, groups, roles, etc.
- Resource-based policy: Policy granted to a resource that determines whether to allow or deny (Effect) actions on a specific resource to a principal (subject)
Note
Generally, identity-based policies do not need to specify a separate Principal attribute, but resource-based policies must specify a Principal attribute.
Resource-based Policy
A resource-based policy is a policy that grants permission to a specified principal (requester) to perform specific operations on that resource. Therefore, resource-based policies are directly granted to resources, and only users defined in the policy can execute the policy, and the user to whom the policy is granted becomes the security principal.
Warning
Resource-based policies specify the principal through the Principal attribute, so you must enter the Principal attribute when creating the policy.
Color mode
{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["object-store:UploadObject"],
"Principal": {
"scp":"srn:e::1234:::scp-iam:user/abc3d3442"
},
"Effect": "Allow",
"Resource": "srn:e:::::object-store:bucket/foo"
}
]
}{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["object-store:UploadObject"],
"Principal": {
"scp":"srn:e::1234:::scp-iam:user/abc3d3442"
},
"Effect": "Allow",
"Resource": "srn:e:::::object-store:bucket/foo"
}
]
}Resource-based Policy Structure
The syntax structure and item-by-item description of resource-based policies are as follows.
Color mode
{
"Version": "2024-07-01", # Version of policy syntax (fixed to 2024-07-01)
"Statement": [
{
"Sid": "statement1", # Policy element ID
"Effect": "Allow", # Policy effect
"Action": ["iam:showUser"], # Action content defined in the policy
"Principal": {
"scp":"srn:e::1234:::iam:user/ROOT" # Principal that is the target of the policy
}
"Resource": "srn:e::kr-west1:::scp-iam:group/foo", # Resource where policy action is allowed
"Condition": { # Policy condition
"StringEquals": {
"iam:userName": [
"scp_test_user"
]
}
}
}
]
}{
"Version": "2024-07-01", # Version of policy syntax (fixed to 2024-07-01)
"Statement": [
{
"Sid": "statement1", # Policy element ID
"Effect": "Allow", # Policy effect
"Action": ["iam:showUser"], # Action content defined in the policy
"Principal": {
"scp":"srn:e::1234:::iam:user/ROOT" # Principal that is the target of the policy
}
"Resource": "srn:e::kr-west1:::scp-iam:group/foo", # Resource where policy action is allowed
"Condition": { # Policy condition
"StringEquals": {
"iam:userName": [
"scp_test_user"
]
}
}
}
]
}| Item | Description | Required |
|---|---|---|
| Version |
| Required |
| Statement | Main element information of the policy | Required |
| Statement.Sid | Policy element ID (unique ID for elements within the same policy) | Optional |
| Statement.Effect | Policy application effect ( Allow : Allow / Deny : Deny ) | Required |
| Statement.Principal | Security principal | Required |
| Statement.Action | Policy application target action (must specify at least one of Action/NotAction) | Optional |
| Statement.Resource | List of resources that are the target of policy judgment | Required |
| Statement.Condition | Policy judgment condition information | Optional |
Table. Description of Policy Structure Items
Version
Version is used with a different meaning than policy version, and the current version is “2024-07-01”.
{
"Version" : "2024-07-01"
}
Statement
Statement is information about the main elements of the policy and can be defined in the form of a single element or an array of individual elements.
"Statement" : [{statement}]
"Statement" : [{statement}, {statement}, {statement}]
Note
If there are 2 or more policy elements, write multiple elements in the array. In this case, the operation between each element is defined as
OR.Statement.Effect
Statement.Effect defines whether the policy operation is allowed.
"Effect" : "Allow" # Allow
"Effect" : "Deny" # Deny
Warning
Write with case sensitivity.
Statement.Principal
Statement.Principal specifies the principal that is allowed or denied access to the resource in a resource-based policy. The principals that can be specified in the Principal element are as follows:
- Root user
- IAM user
- IAM role
- Service account
Warning
- Principal can have one or more values, and if there are one or more, write them as an array.
- Principal cannot use wildcards (*).
"Principal" : { "scp": "srn:e::1234:::iam:user/root_user_id" }
"Principal" : {
"scp": [
"srn:e::1234:::iam:user/abc33333",
"srn:e::1234:::iam:user/kef12344"
]
}
"Principal": {
"Service": [
"apigateway.samsungsdscloud.com"
]
}
Statement.Action
Statement.Action defines the action to be evaluated in the policy check.
- Write with case sensitivity.
- Write the action in the format of the action name defined in the action definition.
Warning
Only actions of the service providing the corresponding resource can be entered for the action (however, actions such as adding tags and integrated resource lookup provided by common functions can be added).
"Action" : ["{action_expression}"] # Single action
"Action" : ["{action_expression}", "{action_expression}", ... ] # Multiple actions
Statement.Resource
Statement.Resource defines the SRN that specifies a specific resource or set of resources to which the policy applies.
- Write with case sensitivity.
- Write
resource_expressionin wildcard ("*") or SRN format.
Warning
- The SRN of the resource to which the resource-based policy is granted must be included, and if there are sub-resources of that resource, they can be written including sub-resources.
- Resources can be written in Resources only for resources described in the action definition defined in the policy, and for undefined resources, they are ignored during policy evaluation.
- Wildcards (*) can also be used for sub-resources.
"Resource" : ["{resource_expression}"] # Single resource
"Resource" : ["{resource_expression}", "{resource_expression}", ... ] # Multiple resources
Note
In resource_expression, wildcard forms can be displayed in each element of the SRN, and the supported form varies depending on the type of element.
- SRN elements not supporting wildcard Among SRN elements, offering, account_id, and service-type do not support wildcards.
"Resource" : ["srn:*::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"] # offering wildcard notation (X)
"Resource" : ["srn:e::*:kr-west1::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"] # account wildcard notation (X)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::*:instance/d12937a6db0940499fdb0e18ad57b101"] # service type notation (X)
- SRN elements supporting wildcard
- Among SRN elements, resource-type, resource-identifier, and region support wildcards for entire or partial.
- For partial wildcards, you can write expressions like “foo , foo*, foo, fo”.
# region
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:*::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"] # Entire (O)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-*::scp-compute:instance/d12937a6db0940499fdb0e18ad57b101"] # Partial (O)
# resource-type
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:*/d12937a6db0940499fdb0e18ad57b101"] # Entire (O)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:ins*/d12937a6db0940499fdb0e18ad57b101"] # Partial (O)
# resource-identifier
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:instance/*"] # Entire (O)
"Resource" : ["srn:e::9b7653f6f47a42e38055934a0575a813:kr-west1::scp-compute:instance/d12*101"] # Partial (O)
When it is a single resource, action_definition resources definition form for user lookup
Color mode
kind: scp-iam:action-definition
service: iam
paths:
/v1/users/{user_id}:
get:
resources:
- "iam:user":
resource_id: "path['user_id']" # Scope of resources supported in user lookup actionkind: scp-iam:action-definition
service: iam
paths:
/v1/users/{user_id}:
get:
resources:
- "iam:user":
resource_id: "path['user_id']" # Scope of resources supported in user lookup actionColor mode
{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["iam:showUser"],
"Effect": "Allow",
"Resource": [
"*", # Expression for all resources,
"srn:e:::::scp-iam:user/94c2ae8e7d5d471683a6135446183a12", # Expression for specific user resource
"srn:e:::::scp-iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource -> If you write that resource in user lookup action, the written content is ignored during policy evaluation.
]
}
]
}{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["iam:showUser"],
"Effect": "Allow",
"Resource": [
"*", # Expression for all resources,
"srn:e:::::scp-iam:user/94c2ae8e7d5d471683a6135446183a12", # Expression for specific user resource
"srn:e:::::scp-iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource -> If you write that resource in user lookup action, the written content is ignored during policy evaluation.
]
}
]
}When it is multiple resources, action_definition resources definition form for user policy lookup
When defining multiple different resources, define the resource type written in the policy.
Warning
- When judging the policy, it is judged as successful only if the content written in the policy satisfies the condition based on the resources defined in the action definition file.
- If not all resources defined in the action definition file are written in the policy, it is judged as not meeting the policy condition.
kind: scp-iam:action-definition
service: iam
paths:
/v1/user/{user_id}/policy/{policy_id}
get:
resources:
- "iam:user":
resource_id : "path['user_id']"
- "iam:policy":
resource_id : "path['policy_id']"
- Normal: Specific user specific policy example
Color mode
{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["iam:ShowUserPolicy"],
"Effect": "Allow",
"Resource": [
"srn:e:::::iam:user/94c2ae8e7d5d471683a6135446183a12", # Expression for specific user resource
"srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource
]
}
]
}{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["iam:ShowUserPolicy"],
"Effect": "Allow",
"Resource": [
"srn:e:::::iam:user/94c2ae8e7d5d471683a6135446183a12", # Expression for specific user resource
"srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource
]
}
]
}Normal: All users specific policy example
Color mode{ "Version": "2024-07-01", "Statement": [ { "Sid": "statement1", "Action": ["iam:ShowUserPolicy"], "Effect": "Allow", "Resource": [ "srn:e:::::iam:user/*", # Expression for all user resources "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource ] } ] }{ "Version": "2024-07-01", "Statement": [ { "Sid": "statement1", "Action": ["iam:ShowUserPolicy"], "Effect": "Allow", "Resource": [ "srn:e:::::iam:user/*", # Expression for all user resources "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource ] } ] }Normal: All users specific policy example Abnormal: user resource not described example
Color mode{ "Version": "2024-07-01", "Statement": [ { "Sid": "statement1", "Action": ["iam:ShowUserPolicy"], "Effect": "Allow", "Resource": [ "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource ] } ] }{ "Version": "2024-07-01", "Statement": [ { "Sid": "statement1", "Action": ["iam:ShowUserPolicy"], "Effect": "Allow", "Resource": [ "srn:e:::::iam:policy/c23fb561c689455993874fa5d5ed4a2f" # Expression for specific policy resource ] } ] }Abnormal: user resource not described example
Statement.Condition
Statement.Condition defines application conditions for a specific target to which the policy applies within the policy.
- Write with case sensitivity.
- Write a condition expression to compare the attribute condition key (or global condition key), value of the resource defined in the policy with the actual request (or resource attribute) value using condition operators.
"Condition" : {
"{qualifier:}{operator}" : {
"{condition-key}" : ["{condition-value}"],
"{condition-key2}" : ["{condition-value}"]
}
}
| Item | Required | Case Sensitive | Description |
|---|---|---|---|
| operator | Required | O | Condition operator
|
| condition-key | Required | X | Policy condition key (global condition key, resource attribute condition key)
|
| condition-value | Required | Depends on operator | Policy condition value |
| qualifier | Optional | O |
|
Table. Description of Statement.Condition Option Items
Guide
When 2 or more values are defined for a Condition Key of the same Condition Operator, the judgment between Values operates as OR. However, if the Operator is of Negative Operator type, the operation operates as NOR, not OR.
- Positive Operator type and example (when userName is “foo” or “bar” and company is “Samsung”)
"Condition": {
"StringEquals": {
"iam:userName": [ # When User's name is foo or bar
"foo", "bar"
],
"iam:userCompany": [ # When User's company is Samsung
"Samsung"
]
}
}
- Negative Operator type and example (all IPs where IP is not in the 1.1.1.1/24 and 2.2.2.2/24 ranges)
"Condition": {
"NotIpAddress": {
"scp:SourceIp": [ # When request IP is neither 1.1.1.1 nor 2.2.2.2
"1.1.1.1/24", "2.2.2.2/24"
]
}
}
Condition Operator
Condition operators provide 7 types (string, numeric, date, Bool, IP, SRN, Null) operators.
String operators
Condition Operator Operator Type Description StringEquals Positive Operator Exact match, case sensitive StringNotEquals Negative Operator Mismatch StringEqualsIsIgnoreCase Positive Operator Exact match, case insensitive StringNotEqualsIsIgnoreCase Negative Operator Mismatch, case insensitive StringLike Positive Operator Case sensitive match, wildcard with multi-character match (*) can be included in value StringNotLike Negative Operator Case sensitive mismatch, wildcard with multi-character match (*) can be included in value Table. String OperatorsNumeric operators
Condition Operator Operator Type Description NumericEquals Positive Operator Match NumericNotEquals Negative Operator Mismatch NumericLessThan Positive Operator Less than match NumericLessThanEquals Positive Operator Less than or equal match NumericGreaterThan Positive Operator Greater than match NumericGreaterThanEquals Positive Operator Greater than or equal match Table. Numeric OperatorsDate operators
Condition Operator Operator Type Description DateEquals Positive Operator Match specific date DateNotEquals Negative Operator Mismatch DateLessThan Positive Operator Match before specific date/time DateLessThanEquals Positive Operator Match on or before specific date/time DateGreaterThan Positive Operator Match after specific date/time DateGreaterThanEquals Positive Operator Match on or after specific date/time Table. Date OperatorsBool operators
Condition Operator Operator Type Description Bool Positive Operator True, False match Table. Bool OperatorsIP operators
Condition Operator Operator Type Description IpAddress Positive Operator Specified IP address or range NotIpAddress Negative Operator All IP addresses except specified IP address or range Table. IP OperatorsSRN operators
Condition Operator Operator Type Description SrnEquals, SrnLike Positive Operator SRN match SrnNotEquals, SrnNotLike Negative Operator SRN mismatch Table. SRN OperatorsNull operators
Condition Operator Operator Type Description Null Positive Operator - When key is missing or value is null → True
- When key exists and value is not null → False
Table. Null Operators
Condition Key
Condition keys are divided into global condition keys and resource attribute keys.
Note
Condition keys are not case sensitive.
Global Condition Key
A condition key predefined in Samsung Cloud Platform that defines data such as request information, resource common information (ex-tag), network information, etc.
| Condition Key | Data Type | Singular/Plural | Description | Example |
|---|---|---|---|---|
| scp:UserId | string | single | Request user id | “scp:UserId” : [“efda56a968cd45b2873d9bf5fab58e95”] |
| scp:UserName | string | single | Request user name | “scp:UserName” : [“foo”] |
| scp:MultiFactorAuthPresent | bool | string | Whether request was made through MFA authentication | “scp:MultiFactorAuthPresent” : [“True”] |
| scp:RequestedRegion | string | single | Request region | “scp:RequestedRegion” : [“kr-west1”] |
| scp:RequestAttribute/{AttributeKey} | string | single | Request attribute value (AttributeKey)
| “scp:RequestAttribute/body[‘foo’]” : [“true”] |
| scp:TagKeys | string | single / multiple | Request tag key | “scp:TagKeys” : [“tag-key”] |
| scp:RequestTag | string | single | Request tag key value | “scp:RequestTag/tag-key” : [“tag-value”] |
| scp:ResourceTag/{TagKey} | string | single | Resource tag key value | “scp:ResourceTag/foo” : [“bab”] |
| scp:SourceIp | ip_address | single | IP of the subject currently requesting | “scp:SourceIp” : [“1.1.1.1/24”] |
| scp:CurrentTime | datetime | single | Request time (UTC based, ISO 8601 format) | “scp:CurrentTime” : [“2025-11-06T16:10:38Z”] |
Table. Types and Formats of Supported Global Condition Keys
Resource Attribute Key
An attribute key for a specific resource, used when checking condition values based on resource attribute values.
"{service}:{resource_type}{attribute_name}"
Guide
Resource attributes can only be defined for targets with
abac:true in attributes defined in Resource definition, and if undefined attribute values are entered, that condition policy is ignored (Not found).- Resource attribute name usage example
"iam:userLastname" (O) # Attribute name defined in resource (service: iam, resource: user, attribute_name : lastname)
"iam:userLASTNAME" (O) # Attribute name defined in resource (case insensitive)
"iam:userLast_name" (X) # If not an attribute name defined in resource
"iam:userEmail" (X) # If abac is false
"iam:state" (X) # If abac field is not defined
Color mode
kind: scp-resourcemanager:resource-definition
service_type: scp-iam
name: scp-iam:user
resources_uri: /v1/users
resource_type: user
display_name:
ko: '사용자'
en: 'User'
product_id: IAM
attributes:
state:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.state
firstname:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.first_name
abac: true
lastname:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.last_name
abac: true
email:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.email
abac: falsekind: scp-resourcemanager:resource-definition
service_type: scp-iam
name: scp-iam:user
resources_uri: /v1/users
resource_type: user
display_name:
ko: '사용자'
en: 'User'
product_id: IAM
attributes:
state:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.state
firstname:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.first_name
abac: true
lastname:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.last_name
abac: true
email:
type: string
uri: /v1/users/{resource_id}
method: GET
jsonpath: $.email
abac: falseNote
- Resource attribute names use attribute data defined in
attributesdefined inResource definition. - For more information about Resource definition, see the Resource Definition guide.
Condition Key Definition Example
- Global condition key example: A policy that allows group detail lookup only when the value of the key (Environment) of a specific policy resource tag is “Local” or “Dev”
Color mode
{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["iam:showPolicy"],
"Effect": "Allow",
"Resource": ["*"],
"Condition": {
"StringEquals": {
"scp:ResourceTag/Environment": [ # Definition form using global condition key (scp:ResourceTag)
"Local", "Dev"
]
}
}
}
]
}{
"Version": "2024-07-01",
"Statement": [
{
"Sid": "statement1",
"Action": ["iam:showPolicy"],
"Effect": "Allow",
"Resource": ["*"],
"Condition": {
"StringEquals": {
"scp:ResourceTag/Environment": [ # Definition form using global condition key (scp:ResourceTag)
"Local", "Dev"
]
}
}
}
]
}- Resource attribute key exampleColor mode
{ "Version": "2024-07-01", "Statement": [ { "Sid": "statement1", "Action": ["server:showInstance"], "Effect": "Allow", "Resource": ["*"], "Condition" : { "StringEquals" : { "virtual-servers:instanceFlavor" : ["m1.small"] # When the flavor attribute of the instance resource of the virtual-servers service is "m1.small" } } } ] }{ "Version": "2024-07-01", "Statement": [ { "Sid": "statement1", "Action": ["server:showInstance"], "Effect": "Allow", "Resource": ["*"], "Condition" : { "StringEquals" : { "virtual-servers:instanceFlavor" : ["m1.small"] # When the flavor attribute of the instance resource of the virtual-servers service is "m1.small" } } } ] }Resource attribute key example
Policy Condition Value
Defines the value for the condition key.
Note
When multiple policy condition values are defined, each condition value operates as OR.
"Condition" : {
"StringEquals" : {
"scp:resourceTag/key1": ["value1", "value2", "value3"] # When the value of the resource tag key is key1 is value1 or value2 or value3
}
Qualifier
Defines the operation method when the request context value extracted from the Condition key has multiple values (omit when request context value is 1).
Qualifiers are divided into ForAnyValue, ForAllValues, and if no qualifier is written, ForAnyValue is defined as the default value.
ForAnyValue: True when at least one of the values extracted from the request context matches the Operand defined in the ConditionForAllValues: True when the values extracted from the request context are a subset of the Operand list defined in the Condition
{
...
"Condition" : {
"ForAllValues:StringEquals" : {
"scp:TagKeys": ["key1", "key2", "key3"]
}
}
}
Qualifier Operation Example
- When the request value extracted from
“scp:TagKeys”is 1: Operates as OR for each Operand regardless of qualifier - When the request value extracted from
“scp:TagKeys”is 2 or more: Result difference according to qualifier
Color mode
# When the extracted request context value is ["key1", "key2", "key4"]
Operand: ["key1", "key2", "key3"]
# key1 among request context values is included in Operand, so True
# key2 among request context values is included in Operand, so True
# key4 among request context values is not included in Operand, so False
ForAnyValue judges as True if at least 1 of the 3 request context values matches
ForAllValues judges as final True only if all 3 request context values are True# When the extracted request context value is ["key1", "key2", "key4"]
Operand: ["key1", "key2", "key3"]
# key1 among request context values is included in Operand, so True
# key2 among request context values is included in Operand, so True
# key4 among request context values is not included in Operand, so False
ForAnyValue judges as True if at least 1 of the 3 request context values matches
ForAllValues judges as final True only if all 3 request context values are True