| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2020-04-16 |
access, users, service IDs, access group, IAM, policy, characters, wildcard, operators, asterisk, question mark, *, ?, JSON document, policy document |
account |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:tip: .tip} {:note: .note} {:term: .term}
{: #wildcard}
When you're assigning access to certain IAM-enabled services, you can use advanced operators in a policy{: term} to grant access to resources that satisfy specific naming conventions. By using wildcard policies, you can reduce the number of policies that are required for managing access to some resources. {:shortdesc}
When you use the stringEquals operator, an exact string match is performed between the query and the target string. When you use the stringMatch operator, a case-sensitive string match is performed between the pattern and the target string using either an asterisk (*), question mark (?), or both. An asterisk (*) represents any sequence of zero or more characters in the string, and a question mark (?) represents any single character. See the following examples:
*dev*matches any string that containsdevdev*matches any string that begins withdev*devmatches any string that ends withdev
To assign access, you need the administrator role on the resource. For more information, see IAM access.
Refer to the documentation for the specific service that you are assigning access for to get details about the supported operators for specific attributes for that service. {: note}
{: #policy-js}
Most access policies are stored in {{site.data.keyword.cloud}} as JSON documents.
{: #policy-doc-asterisk}
The following example shows how you might create a policy that gives a user access to manage all {{site.data.keyword.messagehub}} topics that start with dev in a particular account.
{
"type": "access",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-12345"
}
]
}
],
"roles": [
{
"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "d727f71e99b14534b3267fab8cc9b09a"
},
{
"name": "serviceName",
"value": "messagehub"
},
{
"name": "resourceType",
"value": "topic"
},
{
"name": "resource",
"operator": "stringMatch",
"value": "dev*"
}
]
}
]
}
{: codeblock}
{: #policy-doc-multiwildcards}
The following example shows how you can create a policy that gives a user access to edit any {{site.data.keyword.messagehub}} topic that ends in 81 with two characters before the numerical characters in a particular account.
{
"type": "access",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-12345"
}
]
}
],
"roles": [
{
"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "d727f71e99b14534b3267fab8cc9b09a"
},
{
"name": "serviceName",
"value": "messagehub"
},
{
"name": "resourceType",
"operator": "stringEquals"
"value": "topic",
},
{
"name": "resource",
"operator": "stringMatch",
"value": "*??81"
}
]
}
]
}
{: codeblock}