Help & DocumentationCloud Access ManagementUser GuideTroubleshootingCreating a policy based on fault reports

Creating a policy based on fault reports

Last updated: 2019-12-03 14:47:52

PDF

Contents:

Introduction

This document describes how to resolve faults by referencing the fault reports to create a policy. After the fault is resolved, the sub-account will be able to manage the resources of the root account within the scope of the newly configured permissions.

Example

When a sub-account associated with the QcloudCVMReadOnlyAccess policy attempts to reinstall a CVM, the following error is reported:

If you want to authorize the sub-account to proceed with this operation, you can reference this error information to create and associate a custom policy.

Directions

  1. Login to the CAM Console and go to Policies. Click Create Custom Policy.
  2. Click Create by Policy Generator.
  3. Fill in the following information in the Select Service and Action page. See the following image for reference:
  • Effect (required): Select whether or not the action is allowed. In this example, select Allow.
  • Service (required): Select the product to authorize the permission for. In this example, it will be CVM referenced in the operation field of the error.
  • Action (required): Select the action. In this example, select ResetInstance as referenced in the operation field of the error.
  • Resource (required): Enter the resource description in the six-part format. In this example, copy and enter qcs:id/1158313:cvm:ap-guangzhou:uin/2159973417:instance/instance/ins-esuithv2 as seen in the error.
  • Condition (optional): Set the conditions that are required for the permissions to be effective, such as a specified access IP. This is left blank for this example.
  1. Click Add Statement>Next to go to the policy editor page.
  2. In the policy editor page, you can edit the policy name and add notes. Verify the policy content. The policy name and content are automatically generated by the console.
    • The policy name is policygen by default. The suffix number is generated based on the creation date. This is customizable.
    • The content of the policy corresponds to the service and action selected in Step 3. You can modify this according to your business needs.
  3. Click Create Policy to complete the creation of the custom policy by using the policy generator.
  4. For more information on sub-account authorizations, see Authorization Management. After authorization, the sub-account will be granted the needed permissions, resolving the fault.