This document describes domain API authentication rules.

Sub-accounts are subject to authorization rules when accessing master account resources through the domain API.

When a sub-account uses the domain APIs to access domain resources that belong to the master account, the domain backend performs an authentication check against Resource Access Management (RAM) to confirm that the resource owner (the master account) has authorized the sub-account to do so.

Each domain API determines which resources need a permission check, based on the resources involved and the definition of the API. The following tables describe the authentication rules for each API:

Table 1. Resource level authorization

| API | Authorization action | Authorization resource |
| --- | --- | --- |
| SaveSingleTaskForUpdatingContactInfo | `domain:DomainInfoModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveBatchTaskForUpdatingContactInfo | `domain:DomainInfoModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveBatchTaskForUpdatingContactInfoByNewContact | `domain:DomainInfoModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| TransferInReenterTransferAuthorizationCode | `domain:DomainTransferInOperation` | `acs:cdn:*:$accountid:domain/$domainName` |
| TransferInRefetchWhoisEmail | `domain:DomainTransferInOperation` | `acs:cdn:*:$accountid:domain/$domainName` |
| TransferInResendMailToken | `domain:DomainTransferInOperation` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForCancelingTransferIn | `domain:DomainTransferInOperation` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForCancelingTransferOut | `domain:DomainTransferOutOperation` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForQueryingTransferAuthorizationCode | `domain:DomainTransferOutOperation` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForModifyingDnsHost | `domain:DnsHostModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForCreatingDnsHost | `domain:DnsHostModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForSynchronizingDnsHost | `domain:DnsHostModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForDeletingDnsHost | `domain:DnsHostModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveBatchTaskForModifyingDomainDns | `domain:DnsModification` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForTransferProhibitionLock | `domain:SecuritySetting` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveBatchTaskForTransferProhibitionLock | `domain:SecuritySetting` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveSingleTaskForUpdateProhibitionLock | `domain:SecuritySetting` | `acs:cdn:*:$accountid:domain/$domainName` |
| SaveBatchTaskForUpdateProhibitionLock | `domain:SecuritySetting` | `acs:cdn:*:$accountid:domain/$domainName` |

Table 2. Operation level authorization

| API | Authorization action | Authorization resource |
| --- | --- | --- |
| QueryDomainList | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| QueryDomainByInstanceId | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| QueryContactInfo | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| VerifyContactField | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| QueryTaskList | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| QueryTaskInfoHistory | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| QueryTaskDetailList | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| QueryTaskDetailHistory | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| PollTaskResult | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| QueryChangeLogList | `domain:QueryChangeLog` | `acs:domain:*:$accountid:*` |
| QueryTransferInByInstanceId | `domain:QueryDomainTransferIn` | `acs:domain:*:$accountid:*` |
| QueryTransferInList | `domain:QueryDomainTransferIn` | `acs:domain:*:$accountid:*` |
| CheckTransferInFeasibility | `domain:QueryDomainTransferIn` | `acs:domain:*:$accountid:*` |
| TransferInCheckMailToken | `domain:TransferInCheckMailToken` | `acs:domain:*:$accountid:*` |
| QueryTransferOutInfo | `domain:QueryDomainTransferOut` | `acs:domain:*:$accountid:*` |
| QueryDnsHost | `domain:QueryDnsHost` | `acs:domain:*:$accountid:*` |
| QueryRegistrantProfiles | `domain:QueryRegistrantProfile` | `acs:domain:*:$accountid:*` |
| ListEmailVerification | `domain:QueryEmailVerification` | `acs:domain:*:$accountid:*` |
| AcknowledgeTaskResult | `domain:AcknowledgeTaskResult` | `acs:domain:*:$accountid:*` |
| SaveRegistrantProfile | `domain:RegistrantProfileOperation` | `acs:domain:*:$accountid:*` |
| DeleteRegistrantProfile | `domain:RegistrantProfileOperation` | `acs:domain:*:$accountid:*` |
| DeleteEmailVerification | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |
| VerifyEmail | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |
| ResendEmailVerification | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |
| SubmitEmailVerification | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |

Table 3. Service level authorization

| API | Authentication action | Authentication resource |
| --- | --- | --- |
| `*` | `domain:*` | `acs:domain:*:$accountid:*` |
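
The following sketch is an added example, not code from the original page or from Alibaba Cloud. It takes a few rows from Tables 1 and 2 and checks a sub-account policy against the action and resource each API requires. The evaluation is a simplified model (explicit Deny overrides Allow, `*` and `?` wildcards), and the account ID, domain names and policy are constructed placeholders.

```python
import re

# API -> (action, resource template), copied from a few rows of the page's tables.
RES = "acs:cdn:*:{account}:domain/{domain}"   # Table 1: resource level
OPS = "acs:domain:*:{account}:*"              # Table 2: operation level
RULES = {
    "SaveBatchTaskForModifyingDomainDns": ("domain:DnsModification", RES),
    "SaveSingleTaskForTransferProhibitionLock": ("domain:SecuritySetting", RES),
    "SaveSingleTaskForQueryingTransferAuthorizationCode": ("domain:DomainTransferOutOperation", RES),
    "QueryDomainList": ("domain:QueryCommonInfo", OPS),
}

def _match(pattern, value):
    """Wildcard match: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def required(api, account, domain=""):
    action, template = RULES[api]
    return action, template.format(account=account, domain=domain)

def evaluate(policy, api, account, domain=""):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one API call (simplified model)."""
    action, resource = required(api, account, domain)
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        hit = (any(_match(a, action) for a in _as_list(st["Action"])) and
               any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "Deny"              # explicit deny always wins
        if hit and st["Effect"] == "Allow":
            verdict = "Allow"
    return verdict

# Constructed policy: DNS and lock changes on one domain, transfer-out denied everywhere.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["domain:DnsModification", "domain:SecuritySetting"],
     "Resource": "acs:cdn:*:1234567890123456:domain/example.com"},
    {"Effect": "Deny", "Action": "domain:DomainTransferOutOperation", "Resource": "*"},
]}

if __name__ == "__main__":
    for api, dom in [("SaveBatchTaskForModifyingDomainDns", "example.com"),
                     ("QueryDomainList", ""),
                     ("SaveSingleTaskForQueryingTransferAuthorizationCode", "example.com")]:
        print(api, dom or "-", evaluate(POLICY, api, "1234567890123456", dom))
```

A policy scoped to a single domain's resource does not cover the operation-level query APIs, which are checked against `acs:domain:*:$accountid:*` and need their own statement.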