

This document is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

# Creating granular permissions for non-admin users in Step Functions
<a name="concept-create-iam-advanced"></a>

The default managed policies in IAM, such as `ReadOnly`, do not fully cover all types of AWS Step Functions permissions. This section describes the different types of permissions and provides some example configurations.

Step Functions has four categories of permissions. Depending on the access you want to give a user, you can control that access with permissions from these categories.

[Service-level permissions](#concept-create-iam-advanced-service)  
Apply to API components that do **not** act on a specific resource.

[State machine-level permissions](#concept-create-iam-advanced-state)  
Apply to all API components that act on a specific state machine.

[Execution-level permissions](#concept-create-iam-advanced-execution)  
Apply to all API components that act on a specific execution.

[Activity-level permissions](#concept-create-iam-advanced-activity)  
Apply to all API components that act on a specific activity or on a specific instance of an activity.

## Service-level permissions
<a name="concept-create-iam-advanced-service"></a>

This permission level applies to all API actions that do **not** act on a specific resource. These include [`CreateStateMachine`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateStateMachine.html), [`CreateActivity`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateActivity.html), [`ListActivities`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ListActivities.html), [`ListStateMachines`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ListStateMachines.html), and [`ValidateStateMachineDefinition`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ValidateStateMachineDefinition.html).


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "states:ListStateMachines",
                "states:ListActivities",
                "states:CreateStateMachine",
                "states:CreateActivity",
                "states:ValidateStateMachineDefinition"
            ],
            "Resource": [
                "arn:aws:states:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/my-execution-role"
            ]
        }
    ]
}
```

## State machine-level permissions
<a name="concept-create-iam-advanced-state"></a>

This permission level applies to all API actions that act on a specific state machine. These API operations require the Amazon Resource Name (ARN) of the state machine as part of the request, for example [`DeleteStateMachine`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DeleteStateMachine.html), [`StartExecution`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_StartExecution.html), [`DescribeStateMachine`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DescribeStateMachine.html), and [`ListExecutions`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ListExecutions.html).


```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:StartExecution",
        "states:DeleteStateMachine",
        "states:ListExecutions",
        "states:UpdateStateMachine",
        "states:TestState",
        "states:RevealSecrets"
      ],
      "Resource": [
        "arn:aws:states:*:*:stateMachine:StateMachinePrefix*"
      ]
    }
  ]
}
```

## Execution-level permissions
<a name="concept-create-iam-advanced-execution"></a>

This permission level applies to all API actions that act on a specific execution. These API operations require the ARN of the execution as part of the request, for example [`DescribeExecution`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DescribeExecution.html), [`GetExecutionHistory`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_GetExecutionHistory.html), and [`StopExecution`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_StopExecution.html).


```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:DescribeStateMachineForExecution",
        "states:GetExecutionHistory",
        "states:StopExecution"
      ],
      "Resource": [
        "arn:aws:states:*:*:execution:*:ExecutionPrefix*"
      ]
    }
  ]
}
```

## Activity-level permissions
<a name="concept-create-iam-advanced-activity"></a>

This permission level applies to all API actions that act on a specific activity or on a specific instance of it. These API operations require an activity ARN or an instance token as part of the request, for example [`DeleteActivity`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DeleteActivity.html), [`GetActivityTask`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_GetActivityTask.html), [`DescribeActivity`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DescribeActivity.html), and [`SendTaskHeartbeat`](https://docs.aws.amazon.com/step-functions/latest/apireference/API_SendTaskHeartbeat.html).


```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeActivity",
        "states:DeleteActivity",
        "states:GetActivityTask",
        "states:SendTaskHeartbeat"
      ],
      "Resource": [
        "arn:aws:states:*:*:activity:ActivityPrefix*"
      ]
    }
  ]
}
```
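The four permission levels above differ only in the ARN pattern that a statement's `Resource` element matches. The following added example (not code from the AWS documentation) is a small, simplified IAM evaluator in Python: it loads a constructed identity policy built from the page's state machine-level and execution-level statements, plus one explicit Deny that is not on the page, and shows which calls the prefix-scoped ARN patterns actually permit. The ARNs, the account ID `123456789012` and the Deny statement are assumptions made up for illustration.

```python
import json
import re

# Constructed identity policy for a hypothetical non-admin user: the page's
# state-machine-level and execution-level statements, plus one explicit Deny
# (not on the page) to show that a matching Deny overrides any Allow.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["states:DescribeStateMachine", "states:StartExecution",
                "states:ListExecutions", "states:DeleteStateMachine"],
     "Resource": ["arn:aws:states:*:*:stateMachine:StateMachinePrefix*"]},
    {"Effect": "Allow",
     "Action": ["states:DescribeExecution", "states:StopExecution"],
     "Resource": ["arn:aws:states:*:*:execution:*:ExecutionPrefix*"]},
    {"Effect": "Deny",
     "Action": ["states:DeleteStateMachine"],
     "Resource": ["*"]}
  ]
}""")

def _wild(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: a matching Deny wins, then any matching Allow grants,
    otherwise implicit deny. Actions are case-insensitive, ARNs are not; Condition,
    NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wild(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wild(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed ARNs in the formats that the page's Resource patterns scope to.
SM = "arn:aws:states:us-east-1:123456789012:stateMachine:StateMachinePrefix-orders"
OTHER_SM = "arn:aws:states:us-east-1:123456789012:stateMachine:Billing"
EXEC = "arn:aws:states:us-east-1:123456789012:execution:StateMachinePrefix-orders:ExecutionPrefix-42"
```

For real policies use the IAM policy simulator (`aws iam simulate-custom-policy`), which also evaluates conditions and resource-based policies that this model leaves out.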