This document describes domain API authentication rules.

DNS API authentication rules for access to the main account resources by sub-accounts.

When a RAM user calls a Domain API to access the Domain resources of the primary account, the Domain backend sends a request to RAM to authenticate the call. This authentication ensures that the resource owner has indeed granted the caller access to these resources.

For each Domain API, the resources that need to be checked are determined by the resources involved and the semantics of the API. The following tables list the authentication rules for each API.

Table 1. Resource level authorization

| API | Authorization action | Authorization resource |
|---|---|---|
| `SaveSingleTaskForUpdatingContactInfo` | `domain:DomainInfoModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveBatchTaskForUpdatingContactInfo` | `domain:DomainInfoModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveBatchTaskForUpdatingContactInfoByNewContact` | `domain:DomainInfoModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `TransferInReenterTransferAuthorizationCode` | `domain:DomainTransferInOperation` | `acs:domain:*:$accountid:domain/$domainName` |
| `TransferInRefetchWhoisEmail` | `domain:DomainTransferInOperation` | `acs:domain:*:$accountid:domain/$domainName` |
| `TransferInResendMailToken` | `domain:DomainTransferInOperation` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForCancelingTransferIn` | `domain:DomainTransferInOperation` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForCancelingTransferOut` | `domain:DomainTransferOutOperation` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForQueryingTransferAuthorizationCode` | `domain:DomainTransferOutOperation` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForModifyingDnsHost` | `domain:DnsHostModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForCreatingDnsHost` | `domain:DnsHostModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForSynchronizingDnsHost` | `domain:DnsHostModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForDeletingDnsHost` | `domain:DnsHostModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveBatchTaskForModifyingDomainDns` | `domain:DnsModification` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForTransferProhibitionLock` | `domain:SecuritySetting` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveBatchTaskForTransferProhibitionLock` | `domain:SecuritySetting` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveSingleTaskForUpdateProhibitionLock` | `domain:SecuritySetting` | `acs:domain:*:$accountid:domain/$domainName` |
| `SaveBatchTaskForUpdateProhibitionLock` | `domain:SecuritySetting` | `acs:domain:*:$accountid:domain/$domainName` |

Table 2. Operation level authorization

| API | Authorization action | Authorization resource |
|---|---|---|
| `QueryDomainList` | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| `QueryDomainByInstanceId` | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| `QueryContactInfo` | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| `VerifyContactField` | `domain:QueryCommonInfo` | `acs:domain:*:$accountid:*` |
| `QueryTaskList` | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| `QueryTaskInfoHistory` | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| `QueryTaskDetailList` | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| `QueryTaskDetailHistory` | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| `PollTaskResult` | `domain:QueryDomainTask` | `acs:domain:*:$accountid:*` |
| `QueryChangeLogList` | `domain:QueryChangeLog` | `acs:domain:*:$accountid:*` |
| `QueryTransferInByInstanceId` | `domain:QueryDomainTransferIn` | `acs:domain:*:$accountid:*` |
| `QueryTransferInList` | `domain:QueryDomainTransferIn` | `acs:domain:*:$accountid:*` |
| `CheckTransferInFeasibility` | `domain:QueryDomainTransferIn` | `acs:domain:*:$accountid:*` |
| `TransferInCheckMailToken` | `domain:TransferInCheckMailToken` | `acs:domain:*:$accountid:*` |
| `QueryTransferOutInfo` | `domain:QueryDomainTransferOut` | `acs:domain:*:$accountid:*` |
| `QueryDnsHost` | `domain:QueryDnsHost` | `acs:domain:*:$accountid:*` |
| `QueryRegistrantProfiles` | `domain:QueryRegistrantProfile` | `acs:domain:*:$accountid:*` |
| `ListEmailVerification` | `domain:QueryEmailVerification` | `acs:domain:*:$accountid:*` |
| `AcknowledgeTaskResult` | `domain:AcknowledgeTaskResult` | `acs:domain:*:$accountid:*` |
| `SaveRegistrantProfile` | `domain:RegistrantProfileOperation` | `acs:domain:*:$accountid:*` |
| `DeleteRegistrantProfile` | `domain:RegistrantProfileOperation` | `acs:domain:*:$accountid:*` |
| `DeleteEmailVerification` | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |
| `VerifyEmail` | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |
| `ResendEmailVerification` | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |
| `SubmitEmailVerification` | `domain:EmailVerificationOperation` | `acs:domain:*:$accountid:*` |

Table 3. Service level authorization

| API | Authorization action | Authorization resource |
|---|---|---|
| `*` | `domain:*` | `acs:domain:*:$accountid:*` |
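
To see how the action and resource columns combine when auditing a RAM policy for a sub-account, the following added example (not Alibaba Cloud code) evaluates a constructed policy against a few rows of the tables above. The evaluator is a simplified model that assumes case-sensitive `*` wildcards and that an explicit Deny overrides any Allow; the account ID, domain names and policy are constructed.

```python
import re

# A few rows copied from the tables above: API -> (action, resource template).
RULES = {
    "SaveSingleTaskForModifyingDnsHost":
        ("domain:DnsHostModification", "acs:domain:*:$accountid:domain/$domainName"),
    "SaveSingleTaskForCancelingTransferOut":
        ("domain:DomainTransferOutOperation", "acs:domain:*:$accountid:domain/$domainName"),
    "QueryDomainList": ("domain:QueryCommonInfo", "acs:domain:*:$accountid:*"),
    "QueryDnsHost": ("domain:QueryDnsHost", "acs:domain:*:$accountid:*"),
}

ACCOUNT = "1234567890123456"  # constructed account ID
ARN = "acs:domain:*:" + ACCOUNT
POLICY = {  # constructed policy for a RAM user who manages one domain
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "domain:*", "Resource": ARN + ":domain/example.com"},
        {"Effect": "Allow", "Action": "domain:QueryDnsHost", "Resource": ARN + ":*"},
        {"Effect": "Deny", "Action": "domain:DomainTransferOutOperation", "Resource": "*"},
    ],
}

def _match(pattern, value):
    """Wildcard match where '*' in the pattern matches any run of characters."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def is_allowed(policy, account, api, domain=""):
    """Simplified evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    action, template = RULES[api]
    resource = template.replace("$accountid", account).replace("$domainName", domain)
    allowed = False
    for st in policy["Statement"]:
        hit = (any(_match(a, action) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

if __name__ == "__main__":
    for api, dom in [("SaveSingleTaskForModifyingDnsHost", "example.com"),
                     ("SaveSingleTaskForModifyingDnsHost", "example.org"),
                     ("SaveSingleTaskForCancelingTransferOut", "example.com"),
                     ("QueryDnsHost", ""), ("QueryDomainList", "")]:
        print(api, dom or "-", is_allowed(POLICY, ACCOUNT, api, dom))
```

In this model the domain-scoped `domain:*` grant does not cover `QueryDomainList`, because operation-level APIs are checked against the account-wide resource; they have to be granted separately, as `QueryDnsHost` is here.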