Creating an IAM Policy

Describes the procedure to create an IAM policy.

Prerequisites

You must be a fabric manager to perform this operation.

About this task

You can create an IAM policy that comprises one or more statements for different resource types. Resources are of the following types:

  • Fabric
  • Volumes
  • Buckets

For instance, you can allow a set of fabric-level permissions for multiple fabrics, including external S3 servers and/or external NFS servers, by selecting fabric as the resource type for your statement. In the same policy, you can add another statement that denies various actions or operations on specified buckets for the selected fabrics.

An IAM policy is enforced when it is active and is attached or assigned to an identity such as an SSO user, an SSO group, and/or a user-defined role. When the policy is tagged/assigned to a user-defined role, the selected actions are allowed on the selected resources for the SSO users and/or SSO groups.

Follow the steps given below to create an IAM policy.

Procedure

  1. Log on to the Data Fabric UI.
  2. Select Fabric Manager for the fabric manager view.
  3. Click the Administration tab.
  4. On the IAM Policies card, click Create Policy.
  5. Enter the Name and Description for the IAM policy.
  6. Turn the Active toggle off, if you wish to make the policy inactive. The Active toggle is on, by default.
  7. Click Manage Resources and select the resource and the respective operations to allow or deny permissions on.
  8. Click Add for Statements to add a statement to the policy.
  9. Select the Resource type. Select fabric to add fabric-level permissions, volume to add permissions specific to volumes, or bucket to add permissions specific to buckets.
  10. If you have chosen volume or bucket as the resource, select one or more Fabrics from the Fabric dropdown to which the volumes or buckets belong, and then click Apply.
  11. Click Add for Selected Resources, and select one or more fabrics, volumes, or buckets, depending on the resource type selected.
  12. Select the resource-type specific actions that are to be allowed or denied on the selected resources.
  13. Select the Effect. Select Deny to deny the selected actions on the selected resources. Allow is the default value.
  14. Repeat steps 7 through 12 to add more statements, if required.
  15. Click Save.

Results

An IAM policy is created. The newly created IAM policy is visible under the list of policies on the IAM policies card. The policy can be assigned to one or more identities such as SSO users, SSO groups, and/or user-defined roles.