If a user or application is the principal of multiple policies, whether as sole principal or as part of a group, they benefit from all the permissions defined in each of these policies.
Policies
IAM Policies are statements that define the permissions of users, groups, and applications in Scaleway Organizations.
They are composed of:
- a principal - a user, group, or application,
- one or more IAM rules - consisting of permission sets bound to a scope.
Principal
A principal is an entity that can be attached to a policy. Currently, you can attach either a user, a group, or an application to a policy. Only one principal can be attached to each policy.
Rules
A rule is the part of a policy that defines the permissions of the policy’s principal, and the scope of these permissions. It consists of a scope (at Project level or Organization level) and one or more permission sets (eg. “list all Instances”).
A policy can have one or many rules. Note that rules can only give access to the specified actions/resources. You cannot create a rule that explicitly denies access to specific actions/resources. In any case, the default starting point for any user or application other than the Organization’s owner, is that they have zero permissions other than those defined via policies attached to them.
Scope
A scope defines where the permission sets should apply. At Scaleway, a scope can be at Project or Organization level.
- Projects group your Scaleway resources (eg. Instances, Object Storage buckets, Managed Databases etc.) together. An Organization may have many Projects, or just one default Project. If you choose to define scope at Project level, you can select one, many, or all Projects. When you then define the permission sets for this scope, you can give access to different resources within the Project(s).
- an Organization is made of one or several Projects. IAM, billing, support and abuse tickets and project management are managed at Organization level, so choose an Organization scope to give access to these features.
Permission sets
A permission set consists of one or multiple permissions to perform actions on resources or features. Each permission set has a clear description, e.g. InstancesFullAccess
, InstancesReadOnly
, RelationalDatabaseFullAccess
, BillingReadOnly
.
You can find a detailed list of all permission sets available at Scaleway in the permission sets reference page.
Example rule
The rule below defines various levels of access to different resources in Project A.
- Scope
- Project “A”
- Permission set
InstancesFullAccess
,ObjectStorageReadOnly
,RelationalDatabasesFullAccess
Example policy
The policy below states that the application production-c
can create, list, delete and manage Instances and Databases in Project A, but for Object Storage it can only list and read the resources.
- Principal
- IAM Application
production-c
Rule 1:
- Scope
- Project “A”
- Permission set
InstancesFullAccess
,ObjectStorageReadOnly
,RelationalDatabasesFullAccess
Rule 2:
- Scope
- Project “F”
- Permission set
ContainerRegistryFullAccess
,ContainersReadOnly
,RelationalDatabasesFullAccess
There is no notion of priority when it comes to IAM policies. Policies do not compete with each other, they simply combine to bestow all the permissions defined within them to any given principal.
JSON policy example
{"application": "production-c","rules": [{"projects": ["A"],"permission_sets": ["InstancesFullAccess", "ObjectStorageReadOnly", "RelationalDatabasesFullAccess"]},{"projects": ["F"],"permission_sets": ["ContainerRegistryFullAccess", "ContainersReadOnly", "RelationalDatabasesFullAccess"]}]}
If necessary, we could add more rules to the policy, giving production-c
additional permissions in other Projects, or at Organization level.