Overview of Effective Conditions

Last updated: 2024-01-23 17:54:33
    When configuring access management policies, you can specify the conditions under which the policy takes effect. These conditions are optional. After the conditions are configured, when a user sends a request to Tencent Cloud, the system will match the condition keys and values in the request context with those specified in the policy. Only when the conditions are matched will the corresponding permission policy take effect.

    Composition of Effective Conditions

    Effective conditions are composed of one or more condition clauses. A condition clause consists of a condition key, an operator, and a condition value. A single condition key can have one or more condition values.
    "condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

    Example of a Condition Clause

    The request IP is 192.168.1.1, and the request date is before 2022-05-31 00:00:00. The Condition is as follows:
    "condition": {
        "ip_equal": {
            "qcs:ip": "192.168.1.1"
        },
        "date_less_than": {
            "qcs:current_time": "2022-05-31 00:00:00"
        }
    }

    Matching Logic for Effective Conditions

    The evaluation logic for effective conditions is as follows:
    | Evaluation Logic | Note |
    | --- | --- |
    | Condition Fulfillment | A single condition key can have one or more condition values. During condition checking, if the value of the condition key matches any of the specified values, the condition is fulfilled. |
    | Condition Clause Fulfillment | Under a condition clause with the same condition operation type, if there are multiple condition keys, all condition keys must be satisfied for the condition clause to be deemed fulfilled. |
    | Condition Block Fulfillment | The condition block is considered fulfilled only if all condition clauses within it are fulfilled simultaneously. |
    | Condition operators (except null_equal) suffixed with if_exist | Indicates that the condition still takes effect even if the context information does not contain the corresponding key-value pair. |
    | for_all_value | Qualifier used in conjunction with a condition operator. Indicates that the policy takes effect only when each condition value in the context information meets the requirements. |
    | for_any_value | Qualifier used in conjunction with a condition operator. Indicates that the policy takes effect if any of the condition values in the context information meets the requirements. |

    Note: Authorization by tag only supports 'for_any_value'.

    Effective Condition Example

    "condition": {
        "ip_equal": {
            "qcs:ip": "192.168.1.1"
        }
    }
    The condition key (qcs:ip in this example) names the value in the request context to be checked. That context value is compared with the literal value you specify in the policy, for example, 192.168.1.1. The condition operator (ip_equal in this example) specifies the type of comparison to perform.
    Some scenarios require a policy to match more than one access case. For these, you can specify multiple condition values when setting the Condition. For instance, the user must be within the 10.217.182.3/24 or 111.21.33.72/24 network segments to upload objects (cos:PutObject). The content of the permission policy is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cos:PutObject"
                ],
                "resource": [
                    "*"
                ],
                "condition": {
                    "ip_equal": {
                        "qcs:ip": [
                            "10.217.182.3/24",
                            "111.21.33.72/24"
                        ]
                    }
                }
            }
        ]
    }
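The matching rules above can be checked against a policy before it is deployed. The following is an added example, not Tencent Cloud code: a simplified model of the evaluation logic covering only ip_equal and date_less_than. It assumes the if_exist suffix is written `_if_exist` (for example `ip_equal_if_exist`); the function name `condition_matches` and the request contexts are constructed for illustration.

```python
import ipaddress
from datetime import datetime

def _ip_equal(actual, expected):
    # strict=False accepts CIDRs with host bits set, such as 10.217.182.3/24
    return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)

def _date_less_than(actual, expected):
    fmt = "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(actual, fmt) < datetime.strptime(expected, fmt)

OPERATORS = {"ip_equal": _ip_equal, "date_less_than": _date_less_than}
IF_EXIST = "_if_exist"  # assumed spelling of the if_exist suffix

def condition_matches(condition, context):
    """Return True only if every clause, and every key inside it, is fulfilled."""
    for op_name, keys in condition.items():            # clauses are ANDed
        lenient = op_name.endswith(IF_EXIST)
        base = op_name[:-len(IF_EXIST)] if lenient else op_name
        compare = OPERATORS.get(base)
        if compare is None:
            return False                                # unknown operator: fail closed
        for key, expected in keys.items():              # keys in a clause are ANDed
            if key not in context:
                if lenient:
                    continue                            # if_exist: absent key passes
                return False
            values = expected if isinstance(expected, list) else [expected]
            try:
                ok = any(compare(context[key], v) for v in values)  # values are ORed
            except ValueError:
                ok = False                              # malformed value: fail closed
            if not ok:
                return False
    return True

# Conditions taken from this page; the request contexts passed in are constructed.
POLICY_CONDITION = {"ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}}
CLAUSE_EXAMPLE = {
    "ip_equal": {"qcs:ip": "192.168.1.1"},
    "date_less_than": {"qcs:current_time": "2022-05-31 00:00:00"},
}

if __name__ == "__main__":
    print(condition_matches(POLICY_CONDITION, {"qcs:ip": "111.21.33.5"}))  # in second range
    print(condition_matches({"ip_equal_if_exist": {"qcs:ip": "192.168.1.1"}}, {}))
```

In this model, a clause with the if_exist suffix places no restriction on a request whose context lacks the key, which is worth checking when a condition is meant to narrow access.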
    