
Permissions required to manage Connect Customer Cases using custom IAM policies - Amazon Connect Customer



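If you use custom IAM policies to manage access to Connect Customer Cases, your users need some or all of the permissions listed in this article, depending on the tasks they need to perform.

View Cases domain details

There are two options for granting users IAM permissions to view Cases domain details in the Connect Customer console.

Option 1: Minimum required IAM permissions

To view Cases domain details in the Connect Customer console, users must have the following IAM permissions: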

  • connect:ListInstances

  • ds:DescribeDirectories

  • connect:ListIntegrationAssociations

  • cases:GetDomain

The following is a sample IAM policy with these permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsViewingConnectConsole",
      "Effect": "Allow",
      "Action": [
        "connect:ListInstances",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIntegrationAssociations",
      "Effect": "Allow",
      "Action": [
        "connect:ListIntegrationAssociations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CasesGetDomain",
      "Effect": "Allow",
      "Action": [
        "cases:GetDomain"
      ],
      "Resource": "*"
    }
  ]
}

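Note the following:

  • The cases:GetDomain action is required on resource *.

  • The connect:ListIntegrationAssociations action supports the instance resource type. See the table in Actions defined by Connect Customer.

Option 2: Update an existing Connect Customer policy with cases:GetDomain and profile:SearchProfiles

Include the AmazonConnectReadOnlyAccess policy and add cases:GetDomain, as shown in the following example.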

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CasesGetDomain",
      "Effect": "Allow",
      "Action": [
        "cases:GetDomain"
      ],
      "Resource": "*"
    }
  ]
}

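Onboard to Cases

There are two options for granting users IAM permissions to onboard to Cases using the Connect Customer console.

Option 1: Minimum required permissions

To onboard to Cases using the Connect Customer console, users must have the following IAM permissions: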

  • connect:ListInstances

  • ds:DescribeDirectories

  • connect:ListIntegrationAssociations

  • cases:GetDomain

  • cases:CreateDomain

  • connect:CreateIntegrationAssociation

  • connect:DescribeInstance

  • iam:PutRolePolicy

  • profile:SearchProfiles

The following is a sample IAM policy with these permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsViewingConnectConsole",
      "Effect": "Allow",
      "Action": [
        "connect:ListInstances",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIntegrationAssociations",
      "Effect": "Allow",
      "Action": [
        "connect:ListIntegrationAssociations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CasesGetDomain",
      "Effect": "Allow",
      "Action": [
        "cases:GetDomain"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CasesCreateDomain",
      "Effect": "Allow",
      "Action": [
        "cases:CreateDomain"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateIntegrationAssociationsAndDependencies",
      "Effect": "Allow",
      "Action": [
        "connect:CreateIntegrationAssociation",
        "connect:DescribeInstance"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AttachAnyPolicyToAmazonConnectRole",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    },
    {
      "Sid": "ProfileSearchProfiles",
      "Effect": "Allow",
      "Action": [
        "profile:SearchProfiles"
      ],
      "Resource": "*"
    }
  ]
}

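Note the following:

Option 2: Use a combination of existing policies

The following combination of policies also works:

  • The AmazonConnect_FullAccess policy

  • A policy with iam:PutRolePolicy to modify the service-linked role. For an example, see AWS managed policy: AmazonConnect_FullAccess policy

  • The following IAM policy: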

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CasesGetDomain",
          "Effect": "Allow",
          "Action": [
            "cases:GetDomain",
            "cases:CreateDomain"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ProfileSearchProfiles",
          "Effect": "Allow",
          "Action": [
            "profile:SearchProfiles"
          ],
          "Resource": "*"
        }
      ]
    }
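
Added example (not part of the AWS documentation): a Python check that compares a custom policy with the two minimum-permission lists on this page and reports missing actions, grants beyond the list, and any iam:PutRolePolicy grant whose resource is wider than the service-linked role ARN used in the sample policy. The names audit, as_list, VIEW_DOMAIN, ONBOARD, SLR_ARN and the SAMPLE policy are constructed for illustration; Deny, NotAction and Condition elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the two minimum-permission lists on this page.
VIEW_DOMAIN = {"connect:ListInstances", "ds:DescribeDirectories",
               "connect:ListIntegrationAssociations", "cases:GetDomain"}
ONBOARD = VIEW_DOMAIN | {"cases:CreateDomain", "connect:CreateIntegrationAssociation",
                         "connect:DescribeInstance", "iam:PutRolePolicy",
                         "profile:SearchProfiles"}
# Resource pattern the page's sample policy uses for iam:PutRolePolicy.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/"
           "AWSServiceRoleForAmazonConnect*")

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return list(value) if isinstance(value, list) else [value]

def audit(policy, required):
    """Compare Allow statements with a required action set (hypothetical helper)."""
    granted, extra, unscoped = set(), set(), []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # simplification: Deny and NotAction are not evaluated
        for pattern in as_list(stmt["Action"]):
            # IAM action names are case-insensitive and may contain wildcards.
            hits = {a for a in required if fnmatchcase(a.lower(), pattern.lower())}
            granted |= hits
            if pattern.lower() not in {a.lower() for a in required}:
                extra.add(pattern)  # wildcard, or an action the task does not need
            if fnmatchcase("iam:putrolepolicy", pattern.lower()):
                # Flag any resource wider than the Connect service-linked role.
                unscoped += [r for r in as_list(stmt.get("Resource", "*"))
                             if not fnmatchcase(r, SLR_ARN)]
    return {"missing": sorted(required - granted), "extra": sorted(extra),
            "unscoped_put_role_policy": unscoped}

# Constructed sample: a hand-written onboarding policy that has drifted.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["connect:ListInstances", "ds:DescribeDirectories",
     "connect:ListIntegrationAssociations", "connect:DescribeInstance",
     "connect:CreateIntegrationAssociation"], "Resource": "*"},
  {"Effect": "Allow", "Action": "cases:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "*"}]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, ONBOARD), indent=2))
```

For the constructed sample, the report lists profile:SearchProfiles as missing, cases:* as broader than the onboarding list, and the iam:PutRolePolicy resource * as wider than the service-linked role.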