/**
* (C) Copyright IBM Corp. 2025.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/// <reference types="node" />
import { IncomingHttpHeaders, OutgoingHttpHeaders } from 'http';
import { AbortSignal, BaseService, UserOptions } from 'ibm-cloud-sdk-core';
/**
* IAM Policy Management API
*
* API Version: 1.0.1
*/
declare class IamPolicyManagementV1 extends BaseService {
/**
* Default base URL for the service. The value is assigned in the implementation and is not visible in this
* declaration file.
* NOTE(review): presumably used when `options.serviceUrl` is not supplied — confirm against the implementation.
*/
static DEFAULT_SERVICE_URL: string;
/**
* Default service name. The value is assigned in the implementation and is not visible in this declaration file.
* NOTE(review): presumably used when `options.serviceName` is not supplied — confirm against the implementation.
*/
static DEFAULT_SERVICE_NAME: string;
/*************************
* Factory method
************************/
/**
* Constructs an instance of IamPolicyManagementV1 from the passed-in options combined with external configuration.
*
* Because external configuration takes part in building the instance, the endpoint and credentials in effect can
* originate outside the calling code.
* NOTE(review): "external configuration" is not defined in this file; presumably it is the SDK core's lookup keyed by
* `serviceName` — confirm which sources are read and who can write to them.
* NOTE(review): the JSDoc marks `options` as optional, but the signature below declares it as required.
*
* @param {UserOptions} [options] - The parameters to send to the service.
* @param {string} [options.serviceName] - The name of the service to configure
* @param {Authenticator} [options.authenticator] - The Authenticator object used to authenticate requests to the service
* @param {string} [options.serviceUrl] - The base URL for the service
* @returns {IamPolicyManagementV1}
*/
static newInstance(options: UserOptions): IamPolicyManagementV1;
/**
* Construct an IamPolicyManagementV1 object.
*
* Unlike `newInstance`, the authenticator is documented as required here. Requests authenticated with
* `options.authenticator` are sent to `options.serviceUrl`, and `options.headers` accompany every request, so both
* should come from trusted configuration.
*
* @param {Object} options - Options for the service.
* @param {string} [options.serviceUrl] - The base URL for the service
* @param {OutgoingHttpHeaders} [options.headers] - Default headers that shall be included with every request to the service.
* @param {Authenticator} options.authenticator - The Authenticator object used to authenticate requests to the service
* @constructor
* @returns {IamPolicyManagementV1}
*/
constructor(options: UserOptions);
/*************************
* policies
************************/
/**
* Get policies by attributes.
*
* Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account
* and filter by attribute values. This can be done through query parameters. The following attributes are supported:
* account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query
* parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If
* the caller does not have read access to any policies an empty array is returned.
*
* An empty array therefore does not by itself show that the account has no matching policies; it can also mean that
* the caller lacks read access to them. Results are paged with `limit` and `start`, so a single call is not
* necessarily the complete set.
* NOTE(review): how the next page token is returned is not shown in this signature — see PolicyCollection.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.accountId - The account GUID that the policies belong to.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - (Chinese, Taiwan).
* @param {string} [params.iamId] - Optional IAM ID used to identify the subject.
* @param {string} [params.accessGroupId] - Optional access group id.
* @param {string} [params.type] - Optional type of policy.
* @param {string} [params.serviceType] - Optional type of service.
* @param {string} [params.tagName] - Optional name of the access tag in the policy.
* @param {string} [params.tagValue] - Optional value of the access tag in the policy.
* @param {string} [params.sort] - Optional top level policy field to sort results. Ascending sort is default.
* Descending sort available by prepending '-' to field. Example '-last_modified_at'.
* @param {string} [params.format] - Include additional data per policy returned
* * `include_last_permit` - returns details of when the policy last granted a permit decision and the number of times
* it has done so
* * `display` - returns the list of all actions included in each of the policy roles.
* @param {string} [params.state] - The state of the policy.
* * `active` - returns active policies
* * `deleted` - returns non-active policies.
* @param {number} [params.limit] - The number of documents to include in the collection.
* @param {string} [params.start] - Page token that refers to the page of the collection to return.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyCollection>>}
*/
listPolicies(params: IamPolicyManagementV1.ListPoliciesParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyCollection>>;
/**
* Create a policy.
*
* Creates a policy to grant access between a subject and a resource. There are two types of policies: **access** and
* **authorization**. A policy administrator might want to create an access policy which grants access to a user,
* service-id, or an access group. They might also want to create an authorization policy and set up access between
* services.
*
* ### Access
*
* To create an access policy, use **`"type": "access"`** in the body. The possible subject attributes are
* **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute for assigning access for a user or
* service-id. Use the **`access_group_id`** subject attribute for assigning access for an access group. Assign roles
* that are supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* The policy resource must include either the **`serviceType`**, **`serviceName`**, **`resourceGroupId`** or
* **`service_group_id`** attribute and the **`accountId`** attribute. The IAM Services group (`IAM`) is a subset of
* account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users
* Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.
*
* ### Authorization
*
* Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify
* their support of authorization policies. To create an authorization policy, use **`"type": "authorization"`** in
* the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject
* attributes might be provided. The following attributes are supported:
* serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are
* supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access
* or greater to the target resource in order to grant the role. Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject
* must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.
*
* ### Attribute Operators
*
* Currently, only the `stringEquals` and the `stringMatch` operators are available. Resource attributes may support
* one or both operators. For more information, see [Assigning access by using wildcard
* policies](https://cloud.ibm.com/docs/account?topic=account-wildcard). A `stringMatch` value applies the policy to
* every resource whose attribute matches the pattern, so check the pattern against the scope the policy is meant to
* cover.
*
* ### Attribute Validations
*
* Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like
* geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated
* against Global Catalog locations.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.type - The policy type; either 'access' or 'authorization'.
* @param {PolicySubject[]} params.subjects - The subjects associated with a policy.
* @param {PolicyRole[]} params.roles - A set of role Cloud Resource Names (CRNs) granted by the policy.
* @param {PolicyResource[]} params.resources - The resources associated with a policy.
* @param {string} [params.description] - Customer-defined description.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - (Chinese, Taiwan).
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.Policy>>}
*/
createPolicy(params: IamPolicyManagementV1.CreatePolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.Policy>>;
/**
* Update a policy.
*
* Update a policy to grant access between a subject and a resource. A policy administrator might want to update an
* existing policy. The policy type cannot be changed (you cannot change an access policy to an authorization policy).
*
* `type`, `subjects`, `roles` and `resources` are required on every call, so the request carries the complete policy
* definition rather than a partial change.
* NOTE(review): presumably any subject, role or resource left out of the arrays is removed from the policy — confirm
* against the service behaviour before relying on it.
*
* ### Access
*
* To update an access policy, use **`"type": "access"`** in the body. The possible subject attributes are
* **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute for assigning access for a user or
* service-id. Use the **`access_group_id`** subject attribute for assigning access for an access group. Assign roles
* that are supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* The policy resource must include either the **`serviceType`**, **`serviceName`**, or **`resourceGroupId`**
* attribute and the **`accountId`** attribute. If the subject is a locked service-id, the request will fail.
*
* ### Authorization
*
* To update an authorization policy, use **`"type": "authorization"`** in the body. The subject attributes must match
* the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following
* attributes are supported:
* serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are
* supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access
* or greater to the target resource in order to grant the role. Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject
* must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.
*
* ### Attribute Operators
*
* Currently, only the `stringEquals` and the `stringMatch` operators are available. Resource attributes might support
* one or both operators. For more information, see [Assigning access by using wildcard
* policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).
*
* ### Attribute Validations
*
* Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like
* geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated
* against Global Catalog locations.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.policyId - The policy ID.
* @param {string} params.ifMatch - The revision number for updating a policy; it must match the ETag value of the
* existing policy. The ETag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag
* response header. Read the ETag from the same response whose policy content was reviewed, so the update applies to
* the revision that was actually inspected.
* @param {string} params.type - The policy type; either 'access' or 'authorization'.
* @param {PolicySubject[]} params.subjects - The subjects associated with a policy.
* @param {PolicyRole[]} params.roles - A set of role Cloud Resource Names (CRNs) granted by the policy.
* @param {PolicyResource[]} params.resources - The resources associated with a policy.
* @param {string} [params.description] - Customer-defined description.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.Policy>>}
*/
replacePolicy(params: IamPolicyManagementV1.ReplacePolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.Policy>>;
/**
* Retrieve a policy by ID.
*
* Retrieve a policy by providing a policy ID.
*
* The `ifMatch` values required by `replacePolicy` and `updatePolicyState` are documented as coming from the ETag
* response header of GET /v1/policies/{policy_id}.
* NOTE(review): presumably that is the request this method issues, which would make the ETag available in the
* response headers rather than in the result body — confirm.
* NOTE(review): the declared result type is PolicyTemplateMetaData, whereas createPolicy and replacePolicy resolve
* with Policy.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.policyId - The policy ID.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplateMetaData>>}
*/
getPolicy(params: IamPolicyManagementV1.GetPolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplateMetaData>>;
/**
* Delete a policy by ID.
*
* Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service
* ID; in that case the request will fail.
*
* A recently deleted policy can be restored with `updatePolicyState`, and `listPolicies` with `state` set to `deleted`
* returns non-active policies, which allows deletions to be reviewed afterwards.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.policyId - The policy ID.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.EmptyObject>>}
*/
deletePolicy(params: IamPolicyManagementV1.DeletePolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.EmptyObject>>;
/**
* Restore a deleted policy by ID.
*
* Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To
* restore a policy, use **`"state": "active"`** in the body.
*
* Restoring makes the policy active again with the definition it had, so review its subjects, roles and resources
* before restoring it.
* NOTE(review): `state` is marked optional in the JSDoc although the description requires it for a restore; how long
* a deleted policy stays restorable is not stated here.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.policyId - The policy ID.
* @param {string} params.ifMatch - The revision number for updating a policy; it must match the ETag value of the
* existing policy. The ETag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag
* response header.
* @param {string} [params.state] - The policy state.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.Policy>>}
*/
updatePolicyState(params: IamPolicyManagementV1.UpdatePolicyStateParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.Policy>>;
/*************************
* roles
************************/
/**
* Get roles by filters.
*
* Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can
* be done through query parameters. Currently, we only support the following attributes: account_id, service_name,
* service_group_id, source_service_name and policy_type. The service_name and service_group_id attributes are
* mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the
* caller does not have read access to any roles an empty array is returned.
*
* An empty array therefore does not by itself show that no matching roles exist; it can also mean that the caller
* lacks read access to them.
*
* @param {Object} [params] - The parameters to send to the service.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - (Chinese, Taiwan).
* @param {string} [params.accountId] - Optional account GUID that the roles belong to.
* @param {string} [params.serviceName] - Optional name of IAM enabled service.
* @param {string} [params.sourceServiceName] - Optional name of source IAM enabled service.
* @param {string} [params.policyType] - Optional Policy Type.
* @param {string} [params.serviceGroupId] - Optional id of service group.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.RoleCollection>>}
*/
listRoles(params?: IamPolicyManagementV1.ListRolesParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.RoleCollection>>;
/**
* Create a role.
*
* Creates a custom role for a specific service within the account. An account owner or a user assigned the
* Administrator role on the Role management service can create a custom role. Any number of actions for a single
* service can be mapped to the new role, but there must be at least one service-defined action to successfully create
* the new role.
*
* Policies grant roles by CRN, so every policy that later references this role conveys all of the actions listed
* here; keep `actions` to what the role is meant to allow.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.displayName - The display name of the role that is shown in the console.
* @param {string[]} params.actions - The actions of the role. For more information, see [IAM roles and
* actions](https://cloud.ibm.com/docs/account?topic=account-iam-service-roles-actions).
* @param {string} params.name - The name of the role that is used in the CRN. This must be alphanumeric and
* capitalized.
* @param {string} params.accountId - The account GUID.
* @param {string} params.serviceName - The service name.
* @param {string} [params.description] - The description of the role.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - (Chinese, Taiwan).
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.CustomRole>>}
*/
createRole(params: IamPolicyManagementV1.CreateRoleParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.CustomRole>>;
/**
* Update a role.
*
* Update a custom role. A role administrator might want to update an existing role by updating the display name,
* description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.
*
* `displayName` and `actions` are required on every call, so the request carries the full action list for the role.
* NOTE(review): presumably a changed action list takes effect for every policy that already references the role —
* confirm, and review which policies use the role before widening its actions.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.roleId - The role ID.
* @param {string} params.ifMatch - The revision number for updating a role; it must match the ETag value of the
* existing role. The ETag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response
* header.
* @param {string} params.displayName - The display name of the role that is shown in the console.
* @param {string[]} params.actions - The actions of the role. For more information, see [IAM roles and
* actions](https://cloud.ibm.com/docs/account?topic=account-iam-service-roles-actions).
* @param {string} [params.description] - The description of the role.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.CustomRole>>}
*/
replaceRole(params: IamPolicyManagementV1.ReplaceRoleParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.CustomRole>>;
/**
* Retrieve a role by ID.
*
* Retrieve a role by providing a role ID.
*
* The `ifMatch` value required by `replaceRole` is documented as coming from the ETag response header of
* GET /v2/roles/{role_id}.
* NOTE(review): presumably that is the request this method issues, which would make the ETag available in the
* response headers rather than in the result body — confirm.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.roleId - The role ID.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.CustomRole>>}
*/
getRole(params: IamPolicyManagementV1.GetRoleParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.CustomRole>>;
/**
* Delete a role by ID.
*
* Delete a role by providing a role ID.
*
* NOTE(review): what happens to policies that still reference the role is not stated here, and no `ifMatch`
* revision check is documented for this call — confirm both before deleting a role that is in use.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.roleId - The role ID.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.EmptyObject>>}
*/
deleteRole(params: IamPolicyManagementV1.DeleteRoleParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.EmptyObject>>;
/*************************
* v2Policies
************************/
/**
* Get policies by attributes.
*
* Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account
* and filter by attribute values. This can be done through query parameters. The following attributes are supported:
* account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query
* parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If
* the caller does not have read access to any policies an empty array is returned.
*
* An empty array therefore does not by itself show that the account has no matching policies; it can also mean that
* the caller lacks read access to them. Results are paged with `limit` and `start`, so a single call is not
* necessarily the complete set. Combining `format=include_last_permit` with a sort on `last_permit_at` orders
* policies by when they last granted a permit, which helps when reviewing policies that are no longer exercised.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.accountId - The account GUID that the policies belong to.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - (Chinese, Taiwan).
* @param {string} [params.iamId] - Optional IAM ID used to identify the subject.
* @param {string} [params.accessGroupId] - Optional access group id.
* @param {string} [params.type] - Optional type of policy.
* @param {string} [params.serviceType] - Optional type of service.
* @param {string} [params.serviceName] - Optional name of service.
* @param {string} [params.serviceGroupId] - Optional ID of service group.
* @param {string} [params.sort] - Optional top level policy field to sort results. Ascending sort is default.
* Descending sort available by prepending '-' to field, for example, '-last_modified_at'. Note that last permit
* information is only included when 'format=include_last_permit', for example,
* "format=include_last_permit&sort=last_permit_at". Example fields that can be sorted on:
* - 'id'
* - 'type'
* - 'href'
* - 'created_at'
* - 'created_by_id'
* - 'last_modified_at'
* - 'last_modified_by_id'
* - 'state'
* - 'last_permit_at'
* - 'last_permit_frequency'.
* @param {string} [params.format] - Include additional data per policy returned
* * `include_last_permit` - returns details of when the policy last granted a permit decision and the number of times
* it has done so
* * `display` - returns the list of all actions included in each of the policy roles and translations for all
* relevant fields.
* @param {string} [params.state] - The state of the policy.
* * `active` - returns active policies
* * `deleted` - returns non-active policies.
* @param {number} [params.limit] - The number of documents to include in the collection.
* @param {string} [params.start] - Page token that refers to the page of the collection to return.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2PolicyCollection>>}
*/
listV2Policies(params: IamPolicyManagementV1.ListV2PoliciesParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2PolicyCollection>>;
/**
* Create a policy.
*
* Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy:
* **access**. A policy administrator might want to create an access policy that grants access to a user, service-id,
* or an access group.
* NOTE(review): this statement conflicts with the "Authorization" section below and with the `type` parameter, which
* both describe 'authorization' as a second type — confirm which applies to this API version.
*
* ### Access
*
* To create an access policy, use **`"type": "access"`** in the body. The supported subject attributes are
* **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute to assign access to a user or
* service-id. Use the **`access_group_id`** subject attribute to assign access to an access group. Assign roles that
* are supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* The policy resource must include either the **`serviceType`**, **`serviceName`**, **`resourceGroupId`** or
* **`service_group_id`** attribute and the **`accountId`** attribute. In the rule field, you can specify a single
* condition by using **`key`**, **`value`**, and condition **`operator`**, or a set of **`conditions`** with a
* combination **`operator`**. The possible combination operators are **`and`** and **`or`**.
*
* Currently, we support two types of patterns:
*
* 1. `time-based`: Used to specify a time-based restriction
*
* Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the
* Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following
* rule:
* ```json
*   "rule": {
*     "operator": "and",
*     "conditions": [{
*       "key": "{{environment.attributes.day_of_week}}",
*       "operator": "dayOfWeekAnyOf",
*       "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
*     }, {
*       "key": "{{environment.attributes.current_time}}",
*       "operator": "timeGreaterThanOrEquals",
*       "value": "09:00:00+00:00"
*     }, {
*       "key": "{{environment.attributes.current_time}}",
*       "operator": "timeLessThanOrEquals",
*       "value": "17:00:00+00:00"
*     }]
*   }
* ```
*
* The day and time values in this example carry an explicit `+00:00` offset, so the window shown is Monday-Friday,
* 09:00-17:00 UTC rather than local business hours.
*
* You can use the following operators in the **`key`** and **`value`** pair:
* ```
*   'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
*   'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
*   'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
*   'dayOfWeekEquals', 'dayOfWeekAnyOf'
* ```
*
* The pattern field that matches the rule is required when rule is provided. For the business hour rule example
* above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions
* operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and
* [Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the
* subject is a locked service-id, the request will fail.
*
* 2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes.
*
* Combine conditions to specify an attribute-based condition using AND/OR-based operators.
*
* For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
* ```json
*   "pattern": "attribute-based-condition:resource:literal-and-wildcard",
*   "rule": {
*     "operator": "or",
*     "conditions": [
*       {
*         "operator": "and",
*         "conditions": [
*           {
*             "key": "{{resource.attributes.prefix}}",
*             "operator": "stringEquals",
*             "value": "home/test"
*           },
*           {
*             "key": "{{environment.attributes.delimiter}}",
*             "operator": "stringEquals",
*             "value": "/"
*           }
*         ]
*       },
*       {
*         "key": "{{resource.attributes.path}}",
*         "operator": "stringMatch",
*         "value": "home/David/*"
*       }
*     ]
*   }
* ```
*
* In addition to satisfying the `resources` section, the policy grants permission only if either the `path` begins
* with `home/David/` **OR** the `prefix` is `home/test` and the `delimiter` is `/`. With the `or` operator any one
* satisfied branch is enough for the rule to match, so each branch should be reviewed as a grant in its own right.
* This mechanism helps you consolidate multiple policies into a single policy, making policies easier to administer
* and stay within the policy limit for an account. View the list of operators that can be used in the condition
* [here](/docs/account?topic=account-wildcard#string-comparisons).
*
* ### Authorization
*
* Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify
* their support of authorization policies. To create an authorization policy, use **`"type": "authorization"`** in
* the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject
* attributes might be provided. The following attributes are supported:
* serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are
* supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access
* or greater to the target resource in order to grant the role. Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject
* must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.
*
* ### Attribute Operators
*
* Currently, only the `stringEquals` and `stringMatch` operators are available. For more
* information, see [Assigning access by using wildcard
* policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).
* NOTE(review): the original text listed `stringEquals` twice; a third operator may have been intended — confirm
* against the service documentation.
*
* ### Attribute Validations
*
* Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like
* geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated
* against Global Catalog locations.
*
* @param {Object} params - The parameters to send to the service.
* @param {Control} params.control - Specifies the type of access that is granted by the policy.
* @param {string} params.type - The policy type; either 'access' or 'authorization'.
* @param {string} [params.description] - Description of the policy.
* @param {V2PolicySubject} [params.subject] - The subject attributes for whom the policy grants access.
* @param {V2PolicyResource} [params.resource] - The resource attributes to which the policy grants access.
* @param {string} [params.pattern] - Indicates pattern of rule, either 'time-based-conditions:once',
* 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.
* NOTE(review): the examples in the description use 'time-based-conditions:weekly' and
* 'attribute-based-condition:resource:literal-and-wildcard', which are not in this list — confirm the accepted values.
* @param {V2PolicyRule} [params.rule] - Additional access conditions associated with the policy.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - (Chinese, Taiwan).
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2Policy>>}
*/
createV2Policy(params: IamPolicyManagementV1.CreateV2PolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2Policy>>;
/**
* Update a policy.
*
* Update a policy to grant access between a subject and a resource. A policy administrator might want to update an
* existing policy.
*
* NOTE(review): the method is named `replaceV2Policy` and takes the policy's `control`, `type`, `subject`,
* `resource`, `pattern`, and `rule` again; presumably the stored policy is replaced as a whole rather than merged, so
* send the complete intended policy. Confirm this against the service documentation.
*
* ### Access
*
* To update an access policy, use **`"type": "access"`** in the body. The supported subject attributes are
* **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute to assign access to a user or
* service-id. Use the **`access_group_id`** subject attribute to assign access to an access group. Assign roles that
* are supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* The policy resource must include either the **`serviceType`**, **`serviceName`**, **`resourceGroupId`** or
* **`service_group_id`** attribute and the **`accountId`** attribute. In the rule field, you can specify a single
* condition by using **`key`**, **`value`**, and condition **`operator`**, or a set of **`conditions`** with a
* combination **`operator`**. The possible combination operators are **`and`** and **`or`**.
*
* Currently, we support two types of patterns:
*
* 1. `time-based`: Used to specify a time-based restriction
*
* Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the
* Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following
* rule:
* ```json
*   "rule": {
*     "operator": "and",
*     "conditions": [{
*       "key": "{{environment.attributes.day_of_week}}",
*       "operator": "dayOfWeekAnyOf",
*       "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
*     },
*     {
*       "key": "{{environment.attributes.current_time}}",
*       "operator": "timeGreaterThanOrEquals",
*       "value": "09:00:00+00:00"
*     },
*     {
*       "key": "{{environment.attributes.current_time}}",
*       "operator": "timeLessThanOrEquals",
*       "value": "17:00:00+00:00"
*     }]
*   }
* ```
* The values in this example carry a `+00:00` offset, i.e. the window is written as 09:00-17:00 at UTC. Presumably a
* different offset is needed to express business hours in another time zone; confirm against the time-based
* conditions documentation linked below.
*
* You can use the following operators in the **`key`** and **`value`** pair:
* ```
*   'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
*   'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
*   'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
*   'dayOfWeekEquals', 'dayOfWeekAnyOf'
* ```
* The pattern field that matches the rule is required when rule is provided. For the business hour rule example
* above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions
* operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and
* [Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the
* subject is a locked service-id, the request will fail.
*
* NOTE(review): the `params.pattern` description below lists `time-based-conditions:once`,
* `time-based-conditions:weekly:all-day`, and `time-based-conditions:weekly:custom-hours`. It lists neither
* `time-based-conditions:weekly` nor the `attribute-based-condition:...` value used in the second example. Check the
* accepted values against the service documentation before relying on either list.
*
* 2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes.
*
* Combine conditions to specify an attribute-based condition using AND/OR-based operators.
*
* For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
* ```json
*   "pattern": "attribute-based-condition:resource:literal-and-wildcard",
*   "rule": {
*     "operator": "or",
*     "conditions": [
*       {
*         "operator": "and",
*         "conditions": [
*           {
*             "key": "{{resource.attributes.prefix}}",
*             "operator": "stringEquals",
*             "value": "home/test"
*           },
*           {
*             "key": "{{environment.attributes.delimiter}}",
*             "operator": "stringEquals",
*             "value": "/"
*           }
*         ]
*       },
*       {
*         "key": "{{resource.attributes.path}}",
*         "operator": "stringMatch",
*         "value": "home/David/_*"
*       }
*     ]
*   }
* ```
*
* In addition to satisfying the `resources` section, the policy grants permission only if either the `path` begins
* with `home/David/` **OR** the `prefix` is `home/test` and the `delimiter` is `/`. This mechanism helps you
* consolidate multiple policies into a single policy, which makes policies easier to administer and helps you stay
* within the policy limit for an account. View the list of operators that can be used in the condition
* [here](/docs/account?topic=account-wildcard#string-comparisons).
*
* NOTE(review): the `_*` at the end of the `stringMatch` value is presumably an escaped form of a literal `*`
* wildcard after `home/David/`, introduced so the example can sit inside a block comment. Verify the intended value
* before copying it, because a different string changes which paths the condition matches.
*
* ### Authorization
*
* To update an authorization policy, use **`"type": "authorization"`** in the body. The subject attributes must match
* the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following
* attributes are supported:
* `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `accountId`, `resourceGroupId`. Assign roles
* that are supported by the service or platform roles. For more information, see [IAM roles and
* actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access
* or greater to the target resource in order to grant the role. Use only the resource attributes supported by the
* service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs).
* Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject
* must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.
*
* ### Attribute Operators
*
* Currently, only the `stringEquals` and `stringMatch` operators are available. For more
* information, see [Assigning access by using wildcard
* policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).
*
* ### Attribute Validations
*
* Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like
* geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated
* against Global Catalog locations.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.id - The policy ID.
* @param {string} params.ifMatch - The revision number for updating a policy; it must match the ETag value of the
* existing policy. The ETag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response
* header. Presumably a stale value causes the update to be rejected rather than overwriting a newer revision of the
* policy; confirm against the service documentation.
* @param {Control} params.control - Specifies the type of access that is granted by the policy.
* @param {string} params.type - The policy type; either 'access' or 'authorization'.
* @param {string} [params.description] - Description of the policy.
* @param {V2PolicySubject} [params.subject] - The subject attributes for whom the policy grants access.
* @param {V2PolicyResource} [params.resource] - The resource attributes to which the policy grants access.
* @param {string} [params.pattern] - Indicates pattern of rule, either 'time-based-conditions:once',
* 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.
* @param {V2PolicyRule} [params.rule] - Additional access conditions associated with the policy.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2Policy>>}
*/
replaceV2Policy(params: IamPolicyManagementV1.ReplaceV2PolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2Policy>>;
/**
* Retrieve a policy by ID.
*
* Retrieve a policy by providing a policy ID. The declared result type is `V2PolicyTemplateMetaData`, not the
* `V2Policy` type that `replaceV2Policy` resolves with.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.id - The policy ID.
* @param {string} [params.format] - Additional data to include with the returned policy
* * `include_last_permit` - returns details of when the policy last granted a permit decision and the number of times
* it has done so. This is useful when reviewing whether a policy is still exercised.
* * `display` - returns the list of all actions included in each of the policy roles and translations for all
* relevant fields.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2PolicyTemplateMetaData>>}
*/
getV2Policy(params: IamPolicyManagementV1.GetV2PolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.V2PolicyTemplateMetaData>>;
/**
* Delete a policy by ID.
*
* Delete a policy by providing a policy ID. A policy cannot be deleted if its subject is a locked service ID; in
* that case the request will fail.
*
* This declaration takes only the policy ID and optional headers. Unlike `replaceV2Policy`, it has no `ifMatch`
* parameter, so the call is not tied to a particular revision of the policy.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.id - The policy ID.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.EmptyObject>>}
*/
deleteV2Policy(params: IamPolicyManagementV1.DeleteV2PolicyParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.EmptyObject>>;
/*************************
* policyTemplates
************************/
/**
* List policy templates by attributes.
*
* List policy templates and filter by attributes by using query parameters. The following attributes are supported:
* `account_id`, `policy_service_name`, `policy_service_type`, `policy_service_group_id` and `policy_type`.
* `account_id` is a required query parameter. The attributes `policy_service_name`, `policy_service_type` and
* `policy_service_group_id` are mutually exclusive. Only policy templates that have the specified attributes and that
* the caller has read access to are returned. If the caller does not have read access to any policy templates, an
* empty array is returned. An empty result therefore does not by itself show that the account has no policy
* templates.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.accountId - The account GUID that the policy templates belong to.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - Chinese (Taiwan).
* @param {string} [params.state] - The policy template state.
* @param {string} [params.name] - The policy template name.
* @param {string} [params.policyServiceType] - Service type, Optional. Mutually exclusive with
* `policyServiceName` and `policyServiceGroupId`.
* @param {string} [params.policyServiceName] - Service name, Optional. Mutually exclusive with
* `policyServiceType` and `policyServiceGroupId`.
* @param {string} [params.policyServiceGroupId] - Service group id, Optional. Mutually exclusive with
* `policyServiceType` and `policyServiceName`.
* @param {string} [params.policyType] - Policy type, Optional.
* @param {number} [params.limit] - The number of documents to include in the collection.
* @param {string} [params.start] - Page token that refers to the page of the collection to return.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplateCollection>>}
*/
listPolicyTemplates(params: IamPolicyManagementV1.ListPolicyTemplatesParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplateCollection>>;
/**
* Create a policy template.
*
* Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to
* grant access to multiple subjects. Because one template can grant access to several subjects, review the roles and
* resource scope in `params.policy` as carefully as those of a directly assigned policy.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.name - Required field when creating a new template. Otherwise, this field is optional. If
* the field is included, it changes the name value for all existing versions of the template.
* @param {string} params.accountId - Enterprise account ID where this template is created.
* @param {TemplatePolicy} params.policy - The core set of properties associated with the template's policy object.
* @param {string} [params.description] - Description of the policy template. This is shown to users in the enterprise
* account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
* @param {boolean} [params.committed] - Committed status of the template.
* @param {string} [params.acceptLanguage] - Language code for translations
* * `default` - English
* * `de` - German (Standard)
* * `en` - English
* * `es` - Spanish (Spain)
* * `fr` - French (Standard)
* * `it` - Italian (Standard)
* * `ja` - Japanese
* * `ko` - Korean
* * `pt-br` - Portuguese (Brazil)
* * `zh-cn` - Chinese (Simplified, PRC)
* * `zh-tw` - Chinese (Taiwan).
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplateLimitData>>}
*/
createPolicyTemplate(params: IamPolicyManagementV1.CreatePolicyTemplateParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplateLimitData>>;
/**
* Retrieve latest version of a policy template.
*
* Retrieve the latest version of a policy template by providing a policy template ID.
*
* @param {Object} params - The parameters to send to the service.
* @param {string} params.policyTemplateId - The policy template ID.
* @param {string} [params.state] - The policy template state. NOTE(review): presumably this restricts the lookup to a
* template version in that state; the accepted values are not listed here, so confirm them against the service
* documentation.
* @param {OutgoingHttpHeaders} [params.headers] - Custom request headers
* @returns {Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplate>>}
*/
getPolicyTemplate(params: IamPolicyManagementV1.GetPolicyTemplateParams): Promise<IamPolicyManagementV1.Response<IamPolicyManagementV1.PolicyTemplate>>;
/**
* Dele