本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用自定义 IAM 策略管理案例所需的权限
如果您使用自定义 IAM 策略来管理对 Amazon Connect 案例的访问权限,则您的用户需要本文中列出的部分或全部权限,具体取决于他们需要完成的任务。
查看Cases 域详细信息
向用户授予在 Amazon Connect 控制台上查看案例域详情的 IAM 权限有两个选项。
选项 1:所需的最低 IAM 权限
要在 Amazon Connect 控制台中查看Cases 域详细信息,用户必须具有以下 AAAAM IAAAAM
-
connect:ListInstances -
ds:DescribeDirectories -
connect:ListIntegrationAssociations -
cases:GetDomain
以下是具有这些权限的 IAM 策略示例:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowsViewingConnectConsole", "Effect": "Allow", "Action": [ "connect:ListInstances", "ds:DescribeDirectories" ], "Resource": "*" }, { "Sid": "ListIntegrationAssociations", "Effect": "Allow", "Action": [ "connect:ListIntegrationAssociations" ], "Resource": "*" }, { "Sid": "CasesGetDomain", "Effect": "Allow", "Action": [ "cases:GetDomain" ], "Resource": "*" } ] }
请注意以下几点:
-
cases:GetDomain需要对资源执行操作* -
connect:ListIntegrationAssociations操作支持instance资源类型。请参阅 A mazon Connect 定义的操作中的表。
选项 2:更新现有的Amazon Connect 政策cases:GetDomain
包括该AmazonConnectReadOnlyAccess策略,并添加以下cases:GetDomain策略:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CasesGetDomain", "Effect": "Allow", "Action": [ "cases:GetDomain" ], "Resource": "*" } ] }
载入 Cases
有两种方法可以向用户授予使用 Amazon Connect 控制台登录案例的 IAM 权限。
选项 1:所需的最低所需的最低所需的最低要求
要使用 Amazon Connect 控制台载入 AAAAM IAAAAM IAAAAM IAAAM
-
connect:ListInstances -
ds:DescribeDirectories -
connect:ListIntegrationAssociations -
cases:GetDomain -
cases:CreateDomain -
connect:CreateIntegrationAssociation -
connect:DescribeInstance -
iam:PutRolePolicy
以下是具有这些权限的 IAM 策略示例:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowsViewingConnectConsole", "Effect": "Allow", "Action": [ "connect:ListInstances", "ds:DescribeDirectories" ], "Resource": "*" }, { "Sid": "ListIntegrationAssociations", "Effect": "Allow", "Action": [ "connect:ListIntegrationAssociations" ], "Resource": "*" }, { "Sid": "CasesGetDomain", "Effect": "Allow", "Action": [ "cases:GetDomain" ], "Resource": "*" }, { "Sid": "CasesCreateDomain", "Effect": "Allow", "Action": [ "cases:CreateDomain" ], "Resource": "*" }, { "Sid": "CreateIntegrationAssociationsAndDependencies", "Effect": "Allow", "Action": [ "connect:CreateIntegrationAssociation", "connect:DescribeInstance" ], "Resource": "*" }, { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" } ] }
请注意以下几点:
-
cases:GetDomain需要对资源执行操作* -
您可以使用 Amazon Connect 的操作、资源和条件键中的信息,将权限范围限定到特定 Amazon Connect 任务。
选项 2:使用现有策略的组合
以下策略组合也将起作用:
-
AmazonConnect_FullAccess 政策
-
iam:PutRolePolicy修改服务相关角色。有关示例,请参阅 AmazonConnect_FullAccess 政策。 -
以下 IAM 政策:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CasesGetDomain", "Effect": "Allow", "Action": [ "cases:GetDomain", "cases:CreateDomain" ], "Resource": "*" } ] }
