子账号通过Domain API访问主账号资源时需要遵循鉴权规则。本文为您介绍Domain API鉴权的规则。

当子账号通过Domain API访问主账号的Domain资源时,Domain后台会向RAM进行权限检查,以确保资源拥有者已向调用者授予了相关资源的相关权限。

根据涉及到的资源及API的语义,每个Domain API会相应地确定需要检查哪些资源的权限。下表具体介绍了各API的鉴权规则:

表 1. 资源级别授权
API 鉴权Action 鉴权Resource
SaveSingleTaskForUpdatingContactInfo domain:DomainInfoModification acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForUpdatingContactInfoByNewContact acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForUpdatingContactInfoByRegistrantProfileId acs:domain:*:$accountid:domain/$domainName
SaveTaskForUpdatingRegistrantInfoByRegistrantProfileID acs:domain:*:$accountid:domain/$domainName
SaveTaskForUpdatingRegistrantInfoByIdentityCredential acs:domain:*:$accountid:domain/$domainName
SaveTaskForSubmittingDomainRealNameVerificationByRegistrantProfileID domain:RealNameVerificationOperation acs:domain:*:$accountid:domain/$domainName
CancelDomainVerification acs:domain:*:$accountid:domain/$domainName
SaveTaskForSubmittingDomainRealNameVerificationByIdentityCredential acs:domain:*:$accountid:domain/$domainName
TransferInReenterTransferAuthorizationCode domain:DomainTransferInOperation acs:domain:*:$accountid:domain/$domainName
TransferInRefetchWhoisEmail acs:domain:*:$accountid:domain/$domainName
TransferInResendMailToken acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCancelingTransferIn acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCancelingTransferOut domain:DomainTransferOutOperation acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForQueryingTransferAuthorizationCode acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForModifyingDnsHost domain:DnsHostModification acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCreatingDnsHost acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForSynchronizingDnsHost acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForDeletingDnsHost acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForModifyingDomainDns domain:DnsModification acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForTransferProhibitionLock domain:SecuritySetting acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForTransferProhibitionLock acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForUpdateProhibitionLock acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForUpdateProhibitionLock acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCreatingOrderRenew domain:CreateOrderRenew acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForCreatingOrderRenew acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCreatingOrderRedeem domain:CreateOrderRedeem acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForCreatingOrderRedeem acs:domain:*:$accountid:domain/$domainName
表 2. 操作级别授权
API 鉴权Action 鉴权Resource
QueryDomainList domain:QueryCommonInfo acs:domain:*:$accountid:*
QueryDomainByInstanceId acs:domain:*:$accountid:*
QueryContactInfo acs:domain:*:$accountid:*
QueryDomainSuffix acs:domain:*:$accountid:*
QueryAdvancedDomainList acs:domain:*:$accountid:*
VerifyContactField acs:domain:*:$accountid:*
QueryTaskList domain:QueryDomainTask acs:domain:*:$accountid:*
QueryTaskInfoHistory acs:domain:*:$accountid:*
QueryTaskDetailList acs:domain:*:$accountid:*
QueryTaskDetailHistory acs:domain:*:$accountid:*
PollTaskResult acs:domain:*:$accountid:*
QueryChangeLogList domain:QueryChangeLog acs:domain:*:$accountid:*
QueryTransferInByInstanceId domain:QueryDomainTransferIn acs:domain:*:$accountid:*
QueryTransferInList acs:domain:*:$accountid:*
CheckTransferInFeasibility acs:domain:*:$accountid:*
TransferInCheckMailToken domain:TransferInCheckMailToken acs:domain:*:$accountid:*
QueryTransferOutInfo domain:QueryDomainTransferOut acs:domain:*:$accountid:*
QueryDnsHost domain:QueryDnsHost acs:domain:*:$accountid:*
QueryFailReasonForRegistrantProfileRealNameVerification domain:QueryRegistrantProfile acs:domain:*:$accountid:*
QueryRegistrantProfileRealNameVerificationInfo acs:domain:*:$accountid:*
QueryRegistrantProfiles acs:domain:*:$accountid:*
QueryDomainGroupList domain:QueryDomainGroup acs:domain:*:$accountid:*
QueryFailReasonForDomainRealNameVerification domain:QueryRealNameVerification acs:domain:*:$accountid:*
QueryDomainRealNameVerificationInfo acs:domain:*:$accountid:*
ListEmailVerification domain:QueryEmailVerification acs:domain:*:$accountid:*
QueryEmailVerification acs:domain:*:$accountid:*
AcknowledgeTaskResult domain:AcknowledgeTaskResult acs:domain:*:$accountid:*
SaveRegistrantProfile domain:RegistrantProfileOperation acs:domain:*:$accountid:*
DeleteRegistrantProfile acs:domain:*:$accountid:*
RegistrantProfileRealNameVerification acs:domain:*:$accountid:*
DeleteDomainGroup domain:DomainGroupOperation acs:domain:*:$accountid:*
SaveDomainGroup acs:domain:*:$accountid:*
UpdateDomainToDomainGroup acs:domain:*:$accountid:*
DeleteEmailVerification domain:EmailVerificationOperation acs:domain:*:$accountid:*
VerifyEmail acs:domain:*:$accountid:*
ResendEmailVerification acs:domain:*:$accountid:*
SubmitEmailVerification acs:domain:*:$accountid:*
SaveBatchDomainRemark domain:DomainInfoModification acs:domain:*:$accountid:*
SaveSingleTaskForCreatingOrderActivate domain:CreateOrderActivate acs:domain:*:$accountid:*
SaveBatchTaskForCreatingOrderActivate acs:domain:*:$accountid:*
SaveSingleTaskForCreatingOrderTransfer domain:CreateOrderTransfer acs:domain:*:$accountid:*
SaveBatchTaskForCreatingOrderTransfer acs:domain:*:$accountid:*
表 3. 服务级别授权
API 鉴权Action 鉴权Resource
* domain:* acs:domain:*:$accountid:*