AND/OR Condition in Authority Description

When multiple execution authority controls apply, they are combined according to the conditions below:

AND and OR conditions

OR condition

a. When multiple conditions are described in resources within an IAM role.
b. When the user belongs to multiple IAM groups.

AND condition

c. When an IAM group is linked with multiple IAM roles.

The following are detailed examples of each of the cases above, showing where the AND condition or the OR condition is applied.

a. When multiple conditions are described in resources within an IAM role.

If the resources array contains two or more entries, the OR condition is applied to them.
An IAM role created with the following conditions has execution authority for the Keystone API or the management function API.
resources[
    {
        "basePath" : "/ecl-keystone",
        "ipAddress" : "*",
        "path" : "*",
        "verb" : "*"
    },
    {
        "basePath" : "/ecl-sss",
        "ipAddress" : "*",
        "path" : "*",
        "verb" : "*"
    }
]

b. When the user belongs to multiple IAM groups.

If the user belongs to multiple IAM groups, the OR condition is applied to those groups' execution authority controls.
For example, suppose the user is added both to a group linked with the IAM role used in example a (multiple conditions described in resources within an IAM role) and to a group linked with the IAM role below.
In this case, the user has execution authority for Keystone, the management function, or virtual servers.
resources[
    {
        "basePath" : "/ecl-nova",
        "ipAddress" : "*",
        "path" : "*",
        "verb" : "*"
    }
]

c. When an IAM group is linked with multiple IAM roles.

If an IAM group is linked with multiple IAM roles, the AND condition is applied to those IAM roles.
Create two IAM roles, one with each of the conditions below.
When these IAM roles are linked with one IAM group, a user who belongs to that group can execute only GET on the management function, that is, only the requests that meet both conditions: all APIs, and all GET APIs, of the management function.
resources[
    {
        "basePath" : "/ecl-sss",
        "ipAddress" : "*",
        "path" : "*"
    }
]
resources[
    {
        "verb" : "GET"
    }
]

Note

To set an AND condition, each of the parameters basePath, ipAddress, path and verb should be defined in either of the two IAM roles.
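
Added example (not part of the original documentation and not the service's own evaluation code): a small Python model of rules a, b and c, run against the roles shown above, that lists which basePath/verb pairs a user ends up with. It assumes that "*" matches any value and that a parameter omitted from a resources entry places no constraint; the request path and IP address are constructed sample values, and the USER_SPLIT case goes beyond the page's examples by applying rule b to the two roles from example c.

```python
FIELDS = ("basePath", "ipAddress", "path", "verb")

def resource_matches(resource, request):
    # Assumption: "*" matches anything; an omitted parameter is unconstrained.
    return all(resource.get(f, "*") in ("*", request[f]) for f in FIELDS)

def role_allows(role, request):
    # Rule a: entries in one role's resources array are ORed.
    return any(resource_matches(r, request) for r in role)

def group_allows(group_roles, request):
    # Rule c: roles linked with one group are ANDed.
    return bool(group_roles) and all(role_allows(r, request) for r in group_roles)

def user_allows(groups, request):
    # Rule b: the groups a user belongs to are ORed.
    return any(group_allows(g, request) for g in groups)

def req(base_path, verb, path="/v1/resource", ip="192.0.2.10"):
    # Constructed sample request; path and ip are placeholder values.
    return {"basePath": base_path, "ipAddress": ip, "path": path, "verb": verb}

ALL = {"ipAddress": "*", "path": "*", "verb": "*"}
ROLE_A = [{"basePath": "/ecl-keystone", **ALL}, {"basePath": "/ecl-sss", **ALL}]
ROLE_B = [{"basePath": "/ecl-nova", **ALL}]
ROLE_C1 = [{"basePath": "/ecl-sss", "ipAddress": "*", "path": "*"}]
ROLE_C2 = [{"verb": "GET"}]

USER_B = [[ROLE_A], [ROLE_B]]          # example b: two groups, one role each
USER_C = [[ROLE_C1, ROLE_C2]]          # example c: one group, two roles (AND)
USER_SPLIT = [[ROLE_C1], [ROLE_C2]]    # same two roles in separate groups (OR)

def effective(groups):
    # Enumerate the (basePath, verb) pairs the user may execute.
    bases = ("/ecl-keystone", "/ecl-sss", "/ecl-nova")
    return {(b, v) for b in bases for v in ("GET", "POST", "DELETE")
            if user_allows(groups, req(b, v))}

if __name__ == "__main__":
    for name, groups in (("b", USER_B), ("c", USER_C), ("split", USER_SPLIT)):
        print(name, sorted(effective(groups)))
```

In this model, the two roles from example c narrow access to GET on /ecl-sss only while they share one group; linked through two separate groups, the same roles are ORed and grant all verbs on /ecl-sss plus GET on every basePath, so group membership is worth reviewing whenever a role is meant as a restriction.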