

This is a machine-translated version of the English original. Where the content is ambiguous or inconsistent, the English version prevails.

# Identity-based policy examples for IAM Identity Center
<a name="iam-auth-access-using-id-policies"></a>

This topic provides examples of IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.

**Important**  
We recommend that you first review the introductory topics, which explain the basic concepts and options available for managing access to your IAM Identity Center resources. For more information, see [Overview of managing access permissions to your IAM Identity Center resources](iam-auth-access-overview.md).

The sections in this topic cover the following:
+ [Custom policy examples](#policyexample)
+ [Permissions required to use the IAM Identity Center console](#requiredpermissionsconsole)

## Custom policy examples
<a name="policyexample"></a>

This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies, so they do not specify a Principal element: with an identity-based policy you do not name the principal who receives the permissions; instead, you attach the policy to the principal. When you attach an identity-based permission policy to an IAM role, the principal identified in the role's trust policy receives the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.

**Note**  
Use these examples when you create policies for your environment, and make sure to test both positive ("grant access") and negative ("deny access") test cases before you deploy the policies in a production environment. For more information about testing IAM policies, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [Example 1: Allow a user to view IAM Identity Center](#policyexamplesetupenable)
+ [Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center](#policyexamplemanageconnecteddirectory)
+ [Example 3: Allow a user to manage applications in IAM Identity Center](#policyexamplemanageapplication)
+ [Example 4: Allow a user to manage users and groups in your Identity Center directory](#policyexamplemanageusersgroups)

### Example 1: Allow a user to view IAM Identity Center
<a name="policyexamplesetupenable"></a>

The following permission policy grants read-only permissions so that a user can view all of the settings and directory information configured in IAM Identity Center.

**Note**  
This policy is provided for reference only. In a production environment, we recommend that you use the `ViewOnlyAccess` AWS managed policy for IAM Identity Center.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "iam:ListPolicies",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet",
                "sso:GetInlinePolicyForPermissionSet",
                "sso-directory:DescribeDirectory",
                "sso-directory:SearchUsers",
                "sso-directory:SearchGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center
<a name="policyexamplemanageconnecteddirectory"></a>

The following permission policy grants permissions that allow a user to create, manage, and deploy permission sets for your AWS accounts.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeleteInlinePolicyFromPermissionSet",
                "sso:DeletePermissionSet",
                "sso:DetachManagedPolicyFromPermissionSet",
                "sso:ProvisionPermissionSet",
                "sso:PutInlinePolicyToPermissionSet",
                "sso:UpdatePermissionSet"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListPolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetSAMLProvider"
            ],
            "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
        }
    ]
}
```

------

**Note**  
The additional permissions listed in the `"Sid": "IAMListPermissions"` and `"Sid": "AccessToSSOProvisionedRoles"` sections are required only to allow the user to create assignments in the AWS Organizations management account. In some cases, you might also need to add `iam:UpdateSAMLProvider` to these sections.
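The note earlier in this topic recommends testing both "grant access" and "deny access" cases before deploying a policy. The following is an added example, not part of the AWS documentation or of any AWS library, of a small offline checker that applies the core IAM evaluation rule (an explicit Deny wins, then a matching Allow, otherwise implicit deny) to a constructed excerpt of Example 2, showing that the `AccessToSSOProvisionedRoles` statement covers only roles under the `aws-reserved/sso.amazonaws.com/` path and nothing else. The account ID, role names and instance ARN are made-up placeholders; Condition, NotAction/NotResource, SCPs and permission boundaries are not modelled, so the IAM policy simulator remains the authoritative test.

```python
import json
import re

# Constructed excerpt of Example 2, used as sample input: the first statement is
# unscoped ("*"); the second is limited to the role path IAM Identity Center provisions.
EXAMPLE_2_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["sso:CreatePermissionSet", "sso:ProvisionPermissionSet"],
     "Resource": "*"},
    {"Sid": "AccessToSSOProvisionedRoles",
     "Effect": "Allow",
     "Action": ["iam:AttachRolePolicy", "iam:DeleteRole"],
     "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"}
  ]
}
""")

# Placeholder ARNs (constructed, not real resources).
SSO_ROLE = "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Example_abc123"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/Admin"
INSTANCE = "arn:aws:sso:::instance/ssoins-EXAMPLE"

def _matches(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run of characters (including ':' and '/'),
    '?' exactly one. Action names are case-insensitive in IAM; resource ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair.
    Only Effect/Action/Resource are modelled (no Condition, NotAction, NotResource, SCPs
    or permission boundaries); use the IAM policy simulator for the authoritative answer."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision
```

Running `evaluate(EXAMPLE_2_EXCERPT, "iam:AttachRolePolicy", ADMIN_ROLE)` returns `ImplicitDeny` while the same action on `SSO_ROLE` returns `Allow`, which is the scoping the `AccessToSSOProvisionedRoles` statement is meant to enforce.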

### Example 3: Allow a user to manage applications in IAM Identity Center
<a name="policyexamplemanageapplication"></a>

The following permission policy grants permissions that allow a user to view and configure applications in IAM Identity Center, including pre-integrated SaaS applications from the IAM Identity Center catalog.

**Note**  
The `sso:AssociateProfile` operation used in the following policy example is required to manage user and group assignments to applications. It also allows a user to assign users and groups to AWS accounts by using existing permission sets. If a user must manage AWS account access in IAM Identity Center and requires the permissions needed to manage permission sets, see [Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center](#policyexamplemanageconnecteddirectory).

As of October 2020, many of these operations are available only through the AWS console. This example policy includes "read" actions such as List, Get, and Search, which are needed for error-free console operation in this scenario.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AssociateProfile",
                "sso:CreateApplicationInstance",
                "sso:ImportApplicationInstanceServiceProviderMetadata",
                "sso:DeleteApplicationInstance",
                "sso:DeleteProfile",
                "sso:DisassociateProfile",
                "sso:GetApplicationTemplate",
                "sso:UpdateApplicationInstanceServiceProviderConfiguration",
                "sso:UpdateApplicationInstanceDisplayData",
                "sso:DeleteManagedApplicationInstance",
                "sso:UpdateApplicationInstanceStatus",
                "sso:GetManagedApplicationInstance",
                "sso:UpdateManagedApplicationInstanceStatus",
                "sso:CreateManagedApplicationInstance",
                "sso:UpdateApplicationInstanceSecurityConfiguration",
                "sso:UpdateApplicationInstanceResponseConfiguration",
                "sso:GetApplicationInstance",
                "sso:CreateApplicationInstanceCertificate",
                "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
                "sso:UpdateApplicationInstanceActiveCertificate",
                "sso:DeleteApplicationInstanceCertificate",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListApplicationInstances",
                "sso:ListDirectoryAssociations",
                "sso:ListProfiles",
                "sso:ListProfileAssociations",
                "sso:ListInstances",
                "sso:GetProfile",
                "sso:GetSSOStatus",
                "sso:GetSsoConfiguration",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeUsers",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Example 4: Allow a user to manage users and groups in your Identity Center directory
<a name="policyexamplemanageusersgroups"></a>

The following permission policy grants permissions that allow a user to create, view, modify, and delete users and groups in IAM Identity Center.

In some cases, direct modification of users and groups in IAM Identity Center is restricted, for example when Active Directory, or an external identity provider with automatic provisioning enabled, is selected as the identity source.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:ListGroupsForUser",
                "sso-directory:DisableUser",
                "sso-directory:EnableUser",
                "sso-directory:SearchGroups",
                "sso-directory:DeleteGroup",
                "sso-directory:AddMemberToGroup",
                "sso-directory:DescribeDirectory",
                "sso-directory:UpdateUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:CreateUser",
                "sso-directory:DescribeGroups",
                "sso-directory:SearchUsers",
                "sso:ListDirectoryAssociations",
                "sso-directory:RemoveMemberFromGroup",
                "sso-directory:DeleteUser",
                "sso-directory:DescribeUsers",
                "sso-directory:UpdateGroup",
                "sso-directory:CreateGroup"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Permissions required to use the IAM Identity Center console
<a name="requiredpermissionsconsole"></a>

For a user to work in the IAM Identity Center console without errors, additional permissions are required. If an IAM policy has been created that is more restrictive than the minimum required permissions, the console will not function as intended for users with that policy. The following example lists the set of permissions that might be required to ensure error-free operation in the IAM Identity Center console.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:DescribePermissionSet",
                "sso:DescribePermissionSetProvisioningStatus",
                "sso:DescribeRegisteredRegions",
                "sso:GetApplicationInstance",
                "sso:GetApplicationTemplate",
                "sso:GetInlinePolicyForPermissionSet",
                "sso:GetManagedApplicationInstance",
                "sso:GetMfaDeviceManagementForDirectory",
                "sso:GetPermissionSet",
                "sso:GetProfile",
                "sso:GetSharedSsoConfiguration",
                "sso:GetSsoConfiguration",
                "sso:GetSSOStatus",
                "sso:GetTrust",
                "sso:ListAccountAssignmentCreationStatus",
                "sso:ListAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplications",
                "sso:ListApplicationTemplates",
                "sso:ListDirectoryAssociations",
                "sso:ListInstances",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetProvisioningStatus",
                "sso:ListPermissionSets",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListProfileAssociations",
                "sso:ListProfiles",
                "sso:ListTagsForResource",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeGroups",
                "sso-directory:DescribeUsers",
                "sso-directory:ListGroupsForUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

------