Resource Management: Examples of using an access control policy to limit resource sharing

Last Updated: Nov 06, 2023

This topic provides examples on how to use an access control policy to limit resource sharing.

Background information

To use an access control policy to limit resource sharing, perform the following steps:

  1. Enable the Control Policy feature.

  2. Create a custom access control policy.

  3. Attach the custom access control policy.

Policy examples

Policy used to prohibit resource sharing outside a resource directory

The following policy prohibits the creation of resource shares through which resources are shared to accounts outside the current resource directory.

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:CreateResourceShare",
                "resourcesharing:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "resourcesharing:RequestedAllowExternalTargets": "true"
                }
            }
        }
    ]
}

Policy used to prohibit resource sharing with unexpected accounts

The following policy allows resource sharing only with the account 192796193830**** and all members in the folder rd-3G****/r-Wm****. You can change the value of the resourcesharing:Target parameter based on your business requirements.

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:AssociateResourceShare",
                "resourcesharing:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "resourcesharing:Target": [
                        "rd-3G****/r-Wm****/*",
                        "rd-3G****/r-Wm****",
                        "192796193830****"
                    ]
                }
            }
        }
    ]
}
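Before attaching a policy like this one, it helps to test it offline against the share targets you expect to allow and to block. The following is an added example, not code from this documentation or from the service: it is a simplified local model of Deny-statement matching that covers only the three condition operators used in this topic's policies. The IDs `rd-EXAMPLE`, `r-EXAMPLE` and the account numbers are constructed placeholders for the masked values, and the treatment of missing condition keys is an assumption.

```python
import re

# Constructed placeholders standing in for the masked IDs in the policy above.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["resourcesharing:AssociateResourceShare",
                   "resourcesharing:CreateResourceShare"],
        "Resource": "*",
        "Condition": {"StringNotLike": {"resourcesharing:Target": [
            "rd-EXAMPLE/r-EXAMPLE/*", "rd-EXAMPLE/r-EXAMPLE", "1000000000000001"]}},
    }],
}

def _like(pattern, value):
    # Wildcards: "*" matches any run of characters, "?" exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

# Only the three operators used on this page. Negated operators hold when the
# request value matches none of the listed values.
OPERATORS = {
    "StringNotLike": lambda got, wants: not any(_like(w, got) for w in wants),
    "StringNotEquals": lambda got, wants: got not in wants,
    "Bool": lambda got, wants: str(got).lower() in [w.lower() for w in wants],
}

def is_denied(policy, action, context):
    """True if a Deny statement matches the action and all its conditions."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in _as_list(stmt["Action"]):
            continue
        # Assumption: a condition key absent from the request does not match.
        if all(key in context and OPERATORS[op](context[key], _as_list(wanted))
               for op, keys in stmt.get("Condition", {}).items()
               for key, wanted in keys.items()):
            return True
    return False

if __name__ == "__main__":
    act = "resourcesharing:CreateResourceShare"
    for target in ["1000000000000001", "rd-EXAMPLE/r-EXAMPLE/fd-team/1000000000000002",
                   "1999999999999999", "rd-EXAMPLE/r-OTHER"]:
        print(target, is_denied(POLICY, act, {"resourcesharing:Target": target}))
```
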

Policy used to prohibit the acceptance of resource sharing invitations from accounts outside a resource directory

The following policy prohibits the acceptance of resource sharing invitations from accounts outside the current resource directory. If principals and resource owners belong to the same resource directory, no resource sharing invitations are initiated. Therefore, this policy does not affect resource sharing within the same resource directory.

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "resourcesharing:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}

Policy used to prohibit sharing of unexpected types of resources

The following policy allows sharing of only vSwitches, images, and snapshots.

Document:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:UpdateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
        }
      }
    }
  ]
}