The default authorization policies provided by Logic Composer are coarse-grained. If these coarse-grained authorization policies cannot meet your needs, you can customize authorization policies. For example, if you want to manage the operation permissions of a RAM identity on a workflow, you must customize authorization policies to meet this fine-grained requirement.
Background information
For more information about how to create a custom policy, see Create a custom policy.
If you set the configuration mode to JSON when you create a custom policy, you must understand the structure and syntax of the policy. For more information, see Policy structure and syntax. The following table describes the values of the Action and Resource parameters in a statement.
API operations for authorization
| API | Authorized action | Authorized resource | Description |
| --- | --- | --- | --- |
| ListFlows | composer:ListFlows | acs:composer:$regionid:$accountid:flow/* | Queries workflows. |
| GetFlow | composer:GetFlow | acs:composer:$regionid:$accountid:flow/$flowId | Queries the details of a workflow. |
| CreateFlow | composer:CreateFlow | acs:composer:$regionid:$accountid:flow/* | Creates a workflow. |
| DeleteFlow | composer:DeleteFlow | acs:composer:$regionid:$accountid:flow/$flowId | Deletes a workflow. |
| UpdateFlow | composer:UpdateFlow | acs:composer:$regionid:$accountid:flow/$flowId | Modifies a workflow. |
| CloneFlow | composer:CloneFlow | acs:composer:$regionid:$accountid:flow/* | Copies a workflow. |
| InvokeFlow | composer:InvokeFlow | acs:composer:$regionid:$accountid:flow/$flowId | Runs a workflow. |
| ListVersions | composer:ListVersions | acs:composer:$regionid:$accountid:flow/$flowId | Queries all versions of a workflow. |
| GetVersion | composer:GetVersion | acs:composer:$regionid:$accountid:flow/$flowId | Queries a specific version of a workflow. |
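
The following added example, which is not part of the Logic Composer documentation, builds a least-privilege policy for one workflow from the table above and flags statements that are broader than the table requires. It assumes the standard RAM policy JSON layout (`Version`, `Statement`, `Effect`, `Action`, `Resource`); the function names are hypothetical, and the region, account ID and flow ID are constructed placeholders.

```python
import json

# Operation -> resource scope, transcribed from the table above:
# "all" means flow/*, "one" means flow/$flowId.
SCOPE = {
    "ListFlows": "all", "CreateFlow": "all", "CloneFlow": "all",
    "GetFlow": "one", "DeleteFlow": "one", "UpdateFlow": "one",
    "InvokeFlow": "one", "ListVersions": "one", "GetVersion": "one",
}

def build_policy(region, account, flow_id, operations):
    """Grant each operation on the narrowest resource the table lists for it."""
    grouped = {}
    for op in operations:
        if op not in SCOPE:
            raise ValueError(f"not a Logic Composer operation: {op}")
        target = flow_id if SCOPE[op] == "one" else "*"
        arn = f"acs:composer:{region}:{account}:flow/{target}"
        grouped.setdefault(arn, []).append(f"composer:{op}")
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
        for arn, actions in grouped.items()]}

def as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return (statement index, action, reason) for grants broader than needed."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        all_flows = any(r == "*" or r.endswith(":flow/*")
                        for r in as_list(stmt["Resource"]))
        for action in as_list(stmt["Action"]):
            name = action.split(":", 1)[-1]
            if "*" in name:
                findings.append((i, action, "wildcard action"))
            elif SCOPE.get(name) == "one" and all_flows:
                findings.append((i, action, "per-flow action allowed on every flow"))
    return findings

# Constructed sample values: region, account ID and flow ID are placeholders.
OPERATOR = build_policy("cn-hangzhou", "1234567890123456", "flow-example",
                        ["ListFlows", "GetFlow", "InvokeFlow"])
BROAD = {"Version": "1", "Statement": [{"Effect": "Allow",
         "Action": ["composer:*", "composer:DeleteFlow"],
         "Resource": "acs:composer:*:*:flow/*"}]}

if __name__ == "__main__":
    print(json.dumps(OPERATOR, indent=2))
    print(lint(BROAD))
```
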