/AWS1/CL_IAMEVALUATIONRESULT¶
Contains the results of a simulation.
This data type is used by the return parameter of
SimulateCustomPolicy
and
SimulatePrincipalPolicy
.
CONSTRUCTOR¶
IMPORTING¶
Required arguments:¶
iv_evalactionname TYPE /AWS1/IAMACTIONNAMETYPE /AWS1/IAMACTIONNAMETYPE¶
The name of the API operation tested on the indicated resource.
iv_evaldecision TYPE /AWS1/IAMPOLICYEVALDCSNTYPE /AWS1/IAMPOLICYEVALDCSNTYPE¶
The result of the simulation.
Optional arguments:¶
iv_evalresourcename TYPE /AWS1/IAMRESOURCENAMETYPE /AWS1/IAMRESOURCENAMETYPE¶
The ARN of the resource that the indicated API operation was tested on.
it_matchedstatements TYPE /AWS1/CL_IAMSTATEMENT=>TT_STATEMENTLISTTYPE TT_STATEMENTLISTTYPE¶
A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the operation on the resource, if only one statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.
it_missingcontextvalues TYPE /AWS1/CL_IAMCTXKEYNAMESRSLST00=>TT_CTXKEYNAMESRESULTLISTTYPE TT_CTXKEYNAMESRESULTLISTTYPE¶
A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when the resource in a simulation is "*", either explicitly, or when the
ResourceArnsparameter blank. If you include a list of resources, then any missing context values are instead included under theResourceSpecificResultssection. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.
io_orgsdecisiondetail TYPE REF TO /AWS1/CL_IAMORGSDECISIONDETAIL /AWS1/CL_IAMORGSDECISIONDETAIL¶
A structure that details how Organizations and its service control policies affect the results of the simulation. Only applies if the simulated user's account is part of an organization.
io_permsboundarydcsndetail TYPE REF TO /AWS1/CL_IAMPERMSBNDRYDCSNDET /AWS1/CL_IAMPERMSBNDRYDCSNDET¶
Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.
it_evaldecisiondetails TYPE /AWS1/CL_IAMEVALDCSNDETSTYPE_W=>TT_EVALDECISIONDETAILSTYPE TT_EVALDECISIONDETAILSTYPE¶
Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.
If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (
*), then the parameter is not returned.When you make a cross-account request, Amazon Web Services evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return
true. For more information about how policies are evaluated, see Evaluating policies within a single account.If an Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.
it_resourcespecificresults TYPE /AWS1/CL_IAMRESOURCESPFRESULT=>TT_RESOURCESPFRESULTLISTTYPE TT_RESOURCESPFRESULTLISTTYPE¶
The individual results of the simulation of the API operation specified in EvalActionName on each resource.
Queryable Attributes¶
EvalActionName¶
The name of the API operation tested on the indicated resource.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_EVALACTIONNAME() |
Getter for EVALACTIONNAME, with configurable default |
ASK_EVALACTIONNAME() |
Getter for EVALACTIONNAME w/ exceptions if field has no valu |
HAS_EVALACTIONNAME() |
Determine if EVALACTIONNAME has a value |
EvalResourceName¶
The ARN of the resource that the indicated API operation was tested on.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_EVALRESOURCENAME() |
Getter for EVALRESOURCENAME, with configurable default |
ASK_EVALRESOURCENAME() |
Getter for EVALRESOURCENAME w/ exceptions if field has no va |
HAS_EVALRESOURCENAME() |
Determine if EVALRESOURCENAME has a value |
EvalDecision¶
The result of the simulation.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_EVALDECISION() |
Getter for EVALDECISION, with configurable default |
ASK_EVALDECISION() |
Getter for EVALDECISION w/ exceptions if field has no value |
HAS_EVALDECISION() |
Determine if EVALDECISION has a value |
MatchedStatements¶
A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the operation on the resource, if only one statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_MATCHEDSTATEMENTS() |
Getter for MATCHEDSTATEMENTS, with configurable default |
ASK_MATCHEDSTATEMENTS() |
Getter for MATCHEDSTATEMENTS w/ exceptions if field has no v |
HAS_MATCHEDSTATEMENTS() |
Determine if MATCHEDSTATEMENTS has a value |
MissingContextValues¶
A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when the resource in a simulation is "*", either explicitly, or when the
ResourceArnsparameter blank. If you include a list of resources, then any missing context values are instead included under theResourceSpecificResultssection. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_MISSINGCONTEXTVALUES() |
Getter for MISSINGCONTEXTVALUES, with configurable default |
ASK_MISSINGCONTEXTVALUES() |
Getter for MISSINGCONTEXTVALUES w/ exceptions if field has n |
HAS_MISSINGCONTEXTVALUES() |
Determine if MISSINGCONTEXTVALUES has a value |
OrganizationsDecisionDetail¶
A structure that details how Organizations and its service control policies affect the results of the simulation. Only applies if the simulated user's account is part of an organization.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ORGSDECISIONDETAIL() |
Getter for ORGANIZATIONSDECISIONDETAIL |
PermissionsBoundaryDecisionDetail¶
Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_PERMSBOUNDARYDCSNDETAIL() |
Getter for PERMSBOUNDARYDECISIONDETAIL |
EvalDecisionDetails¶
Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.
If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (
*), then the parameter is not returned.When you make a cross-account request, Amazon Web Services evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return
true. For more information about how policies are evaluated, see Evaluating policies within a single account.If an Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_EVALDECISIONDETAILS() |
Getter for EVALDECISIONDETAILS, with configurable default |
ASK_EVALDECISIONDETAILS() |
Getter for EVALDECISIONDETAILS w/ exceptions if field has no |
HAS_EVALDECISIONDETAILS() |
Determine if EVALDECISIONDETAILS has a value |
ResourceSpecificResults¶
The individual results of the simulation of the API operation specified in EvalActionName on each resource.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_RESOURCESPECIFICRESULTS() |
Getter for RESOURCESPECIFICRESULTS, with configurable defaul |
ASK_RESOURCESPECIFICRESULTS() |
Getter for RESOURCESPECIFICRESULTS w/ exceptions if field ha |
HAS_RESOURCESPECIFICRESULTS() |
Determine if RESOURCESPECIFICRESULTS has a value |
Public Local Types In This Class¶
Internal table types, representing arrays and maps of this class, are defined as local types:
TT_EVALUATIONRESULTSLISTTYPE¶
TYPES TT_EVALUATIONRESULTSLISTTYPE TYPE STANDARD TABLE OF REF TO /AWS1/CL_IAMEVALUATIONRESULT WITH DEFAULT KEY
.