...

  • Find all groups the user belongs to.
  • Find all 'effective' policies the groups are associated to. Effective includes all of:
    1. All policy associations in the DB for the given account Id
    2. All policy associations in the DB for the groups that the given account Id is associated to
    3. All 'recursive = true' policy associations in the DB for the parent groups of the groups the given account Id is associated to. Parent groups are determined from the 'path' property of a group.
  • If any policy has a permission attached that 'Allows' the API, grant permission to make this call
  • Else, if no Allow entry is found for any policy for this API, deny the permission

What is 'recursive = true' permission?

  • This flag indicates that a permission on an entity applies downwards through the group hierarchy, up to the 'leaf' groups. The hierarchy is defined by the 'path' property of the group.
  • This design is used to map the 'domain' hierarchy of CloudStack and to facilitate access checks for entities that span the domain tree, such as Network and AffinityGroup.
  • The 'recursive' property is not exposed in the IAM APIs; it is only used by CloudStack orchestration when such domain-wide resources are created in the system through the normal CS APIs.
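The access-check steps above and the 'recursive = true' semantics, worked through in code. This is an added example, not code from the CloudStack IAM plugin: the data model (Group, Policy, PolicyAssociation), the path format "/ROOT/a/b", the API names and the sample account are all constructed here to illustrate the algorithm. Ancestor groups are derived purely from the 'path' prefix, as the text describes, and the result is default-deny when no effective policy carries an Allow for the API.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Group:
    group_id: str
    path: str  # hierarchy encoded in the path, e.g. "/ROOT/acme/dev" (assumed format)


@dataclass(frozen=True)
class Policy:
    policy_id: str
    allowed_apis: frozenset  # APIs this policy carries an 'Allow' permission for


@dataclass(frozen=True)
class PolicyAssociation:
    policy_id: str
    account_id: str = ""     # set for account-level associations
    group_id: str = ""       # set for group-level associations
    recursive: bool = False  # group association also applies to the whole subtree


def is_ancestor(parent: Group, child: Group) -> bool:
    """True when `parent` sits above `child` in the path hierarchy (strict prefix)."""
    # The trailing "/" stops "/ROOT/ac" from matching "/ROOT/acme".
    return child.path.startswith(parent.path.rstrip("/") + "/")


def effective_policy_ids(account_id: str, account_group_ids: Iterable[str],
                         groups: Iterable[Group],
                         associations: Iterable[PolicyAssociation]) -> set:
    groups_by_id = {g.group_id: g for g in groups}
    member_ids = set(account_group_ids)
    member_groups = [groups_by_id[g] for g in member_ids]
    effective = set()
    for assoc in associations:
        if assoc.account_id == account_id:
            # 1. policies attached directly to the account
            effective.add(assoc.policy_id)
        elif assoc.group_id in member_ids:
            # 2. policies attached to a group the account belongs to
            effective.add(assoc.policy_id)
        elif assoc.recursive and assoc.group_id in groups_by_id:
            # 3. recursive policies attached to an ancestor group, found via 'path'
            parent = groups_by_id[assoc.group_id]
            if any(is_ancestor(parent, g) for g in member_groups):
                effective.add(assoc.policy_id)
    return effective


def is_api_allowed(account_id: str, api: str, account_group_ids: Iterable[str],
                   groups: Iterable[Group], policies: Iterable[Policy],
                   associations: Iterable[PolicyAssociation]) -> bool:
    policies_by_id = {p.policy_id: p for p in policies}
    for pid in effective_policy_ids(account_id, account_group_ids, groups, associations):
        if api in policies_by_id[pid].allowed_apis:
            return True  # any Allow entry grants the call
    return False  # no Allow found for this API: deny


# Constructed sample data (not real CloudStack groups or policies).
GROUPS = [
    Group("root", "/ROOT"),
    Group("acme", "/ROOT/acme"),
    Group("dev", "/ROOT/acme/dev"),
    Group("other", "/ROOT/other"),
]
POLICIES = [
    Policy("p-account", frozenset({"listVirtualMachines"})),
    Policy("p-dev", frozenset({"deployVirtualMachine"})),
    Policy("p-acme-net", frozenset({"listNetworks"})),
    Policy("p-root-domain", frozenset({"createDomain"})),
    Policy("p-other-affinity", frozenset({"listAffinityGroups"})),
]
ASSOCIATIONS = [
    PolicyAssociation("p-account", account_id="alice"),
    PolicyAssociation("p-dev", group_id="dev"),
    PolicyAssociation("p-acme-net", group_id="acme", recursive=True),       # ancestor, recursive
    PolicyAssociation("p-root-domain", group_id="root", recursive=False),   # ancestor, not recursive
    PolicyAssociation("p-other-affinity", group_id="other", recursive=True),  # recursive, not an ancestor
]
ALICE_GROUPS = {"dev"}


def check(api: str) -> bool:
    return is_api_allowed("alice", api, ALICE_GROUPS, GROUPS, POLICIES, ASSOCIATIONS)


if __name__ == "__main__":
    for api in ("listVirtualMachines", "deployVirtualMachine", "listNetworks",
                "createDomain", "listAffinityGroups", "destroyVirtualMachine"):
        print(f"{api}: {'allow' if check(api) else 'deny'}")
```

Run as-is, the script grants the three APIs alice reaches through her account, her own group and the recursive association on the ancestor group "acme", and denies the rest: the non-recursive policy on "root" does not flow down to "dev", the recursive policy on "other" is on a sibling subtree, and an API with no Allow anywhere is denied by default.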

IAM Interface to check API Access

...