Permission evaluation logic

Last updated: 2021-10-29 17:57:34

This topic describes the permission evaluation logic of IAM.

  1. If you use the AccessKey of your Kingsoft Cloud account to generate a signature and initiate an access request, and the resource belongs to your Kingsoft Cloud account, access will be allowed. Otherwise, access will be denied.
  2. If you use the AccessKey of an IAM user to generate a signature and initiate an access request, and the resource belongs to the Kingsoft Cloud account of the IAM user, the system will call the permission evaluation operation to verify the policies attached to the IAM user and determine whether to allow the access.
  3. IAM evaluates all policies attached to an IAM user based on the default/implicit deny rule and determines whether a request of an IAM user is allowed as follows:

    • 3.1 If the request is explicitly denied, IAM returns an authorization failure. Otherwise, IAM goes to the next step.
    • 3.2 If the request is explicitly allowed, IAM returns an authorization success. Otherwise, IAM goes to the next step.
    • 3.3 IAM returns an authorization failure because it implicitly denies all requests by default.

    That is, a request that is explicitly denied in one policy is denied even if it is explicitly allowed in another policy. If a request is not explicitly allowed in any policy, it is implicitly denied by default.
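The evaluation order above, written out as an added Python example (not Kingsoft Cloud code). The policy shape, the glob matching, and the action and resource names are simplified assumptions constructed for illustration, and the fail-closed result for an IAM user requesting another account's resource is also an assumption, since this topic does not describe that case.

```python
from fnmatch import fnmatchcase

# Constructed policies in a simplified, hypothetical shape (not the real policy syntax).
POLICIES = [
    {"effect": "Allow", "actions": ["storage:Get*", "storage:List*"],
     "resources": ["bucket/reports/*"]},
    {"effect": "Deny", "actions": ["storage:*"],
     "resources": ["bucket/reports/payroll/*"]},
]


def _matches(statement, action, resource):
    """True if the statement covers this action on this resource (glob patterns)."""
    return (any(fnmatchcase(action, p) for p in statement["actions"])
            and any(fnmatchcase(resource, p) for p in statement["resources"]))


def evaluate_policies(policies, action, resource):
    """Steps 3.1 to 3.3: explicit deny, then explicit allow, then implicit deny."""
    hits = [s for s in policies if _matches(s, action, resource)]
    if any(s["effect"] == "Deny" for s in hits):
        return "ExplicitDeny"   # 3.1: a matching deny wins over any allow
    if any(s["effect"] == "Allow" for s in hits):
        return "Allow"          # 3.2: allowed and not denied anywhere
    return "ImplicitDeny"       # 3.3: no statement allowed the request


def authorize(caller, resource_owner, action, resource):
    """Steps 1 and 2. caller: {"type": "account" or "iam_user", "account": id, "policies": [...]}."""
    same_account = caller["account"] == resource_owner
    if caller["type"] == "account":
        return "Allow" if same_account else "Deny"   # step 1
    if not same_account:
        return "Deny"  # assumption: case not described in this topic, so fail closed
    return evaluate_policies(caller.get("policies", []), action, resource)  # step 2
```

A read of `bucket/reports/payroll/jan.csv` matches both statements and is denied, which is the deny-overrides-allow case in the summary paragraph.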
