Understanding Policy

This page takes a detailed look at Policy.


Policy is a set of permissions defined to perform specific actions on SpaceONE resources. Permissions define the scopes that can be managed for Cloud Resources. For an overall description of the authority management system, please refer to Role Based Access Control.

Policy Type

Once defined, the policy can be shared so that it can be used by roles in other domains. Depending on whether or not this is possible, the policy is divided into two types.

  • MANAGED: A policy defined globally in the Repository service. The policy is directly managed and shared by the entire system administrator. This is a common policy convenient for most users.
  • CUSTOM: You can use a policy with self-defined permissions for each domain. It is useful to manage detailed permission for each domain.

Policy can be classified as following according to Permission Scope.

  • Basic: Includes overall permission for all resources in SpaceONE.
  • Predefined : Includes granular permission for specific services (alert manager, billing, etc.).

Managed Policy

The policy below is a full list of Managed Policies managed by the CloudONE team. Detailed permission is automatically updated if necessary. Managed Policy was created to classify policies according to the major roles within the organization.

Policy TypePolicy NamePolicy IdPermission DescriptionReference
MANAGED-BasicDomain Admin Accesspolicy-managed-domain-adminHas all privileges except for the following
Create/delete domain
api_type is SYSTEM/NO_AUTH
Manage DomainOwner (create/change/delete)
Manage plug-in identity.Auth Plugin management ( change)
MANAGED-BasicDomain Viewer Accesspolicy-managed-domain-viewerRead permission among Domain Admin Access permissionspolicy-managed-domain-viewer
MANAGED-BasicProject Admin Accesspolicy-managed-project-adminExclude the following permissions from Domain Admin Access Policy
Manage providers (create/change/inquire/delete)
Manage Role/Policy (create/change/delete)
Manage plug-ins inventory.Collector (create/change /delete)
plugin management monitoring.DataSource (create/change/delete)
plugin management notification.Protocol (create/change/delete)
MANAGED-BasicProject Viewer Accesspolicy-managed-project-viewerRead permission among Permissions of Project Admin Access Policypolicy-managed-project-viewer
MANAGED-PredefinedAlert Manager Full Accesspolicy-managed-alert-manager-full-accessFull access to Alert Managerpolicy-managed-alert-manager-full-access

Custom Policy

If you want to manage the policy of a domain by yourself, please refer to the Managing Custom Policy document.