本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用自定义 IAM 策略管理 Amazon Connect Cases 所需的权限
如果您使用自定义 IAM 策略来管理对 Amazon Connect Cases 的访问权限,则您的用户需要本文中列出的部分或全部权限,具体取决于他们需要执行的任务。
## 查看案例域详细信息
有两个选项可以向用户授予 IAM 权限,使其能够在 Amazon Connect 控制台上查看 Cases 域详细信息。
### 选项 1:所需的最低 IAM 权限
要在 Amazon Connect 控制台中查看 Cases 域详细信息,用户必须具有以下 IAM 权限:
+ `connect:ListInstances`
+ `ds:DescribeDirectories`
+ `connect:ListIntegrationAssociations`
+ `cases:GetDomain`
以下是具有这些权限的示例 IAM 策略:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowsViewingConnectConsole",
"Effect": "Allow",
"Action": [
"connect:ListInstances",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Sid": "ListIntegrationAssociations",
"Effect": "Allow",
"Action": [
"connect:ListIntegrationAssociations"
],
"Resource": "*"
},
{
"Sid": "CasesGetDomain",
"Effect": "Allow",
"Action": [
"cases:GetDomain"
],
"Resource": "*"
}
]
}
```
------
注意以下几点:
+ 需要对资源 `*` 执行`cases:GetDomain` 操作
+ `connect:ListIntegrationAssociations` 操作支持 `instance` 资源类型。请参阅 [Amazon Connect 定义的操作](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html#amazonconnect-actions-as-permissions)中的表格。
### 选项 2:使用 `cases:GetDomain` 和 `profile:SearchProfiles` 更新现有 Amazon Connect 策略
包括[AmazonConnectReadOnlyAccess](security-iam-amazon-connect-permissions.md#amazonconnectreadonlyaccesspolicy)策略并添加`cases:GetDomain`,如以下示例所示。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CasesGetDomain",
"Effect": "Allow",
"Action": [
"cases:GetDomain"
],
"Resource": "*"
}
]
}
```
------
## 加入 Cases
有两个选项可用于授予用户使用 Amazon Connect 控制台加入 Cases 的 IAM 权限。
### 选项 1:所需的最低权限
要使用 Amazon Connect 控制台加入 Cases,用户必须拥有以下 IAM 权限:
+ `connect:ListInstances`
+ `ds:DescribeDirectories`
+ `connect:ListIntegrationAssociations`
+ `cases:GetDomain`
+ `cases:CreateDomain`
+ `connect:CreateIntegrationAssociation`
+ `connect:DescribeInstance`
+ `iam:PutRolePolicy`
+ `profile:SearchProfiles`
以下是具有这些权限的示例 IAM 策略:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowsViewingConnectConsole",
"Effect": "Allow",
"Action": [
"connect:ListInstances",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Sid": "ListIntegrationAssociations",
"Effect": "Allow",
"Action": [
"connect:ListIntegrationAssociations"
],
"Resource": "*"
},
{
"Sid": "CasesGetDomain",
"Effect": "Allow",
"Action": [
"cases:GetDomain"
],
"Resource": "*"
},
{
"Sid": "CasesCreateDomain",
"Effect": "Allow",
"Action": [
"cases:CreateDomain"
],
"Resource": "*"
},
{
"Sid": "CreateIntegrationAssociationsAndDependencies",
"Effect": "Allow",
"Action": [
"connect:CreateIntegrationAssociation",
"connect:DescribeInstance"
],
"Resource": "*"
},
{
"Sid": "AttachAnyPolicyToAmazonConnectRole",
"Effect": "Allow",
"Action": "iam:PutRolePolicy",
"Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
},
{
"Sid": "ProfileSearchProfiles",
"Effect": "Allow",
"Action": [
"profile:SearchProfiles"
],
"Resource": "*"
}
]
}
```
------
注意以下几点:
+ 需要对资源 `*` 执行`cases:GetDomain` 操作
+ 您可以通过使用 [Amazon Connect 的操作、资源和条件键](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html)中的信息将权限范围限定为特定的 Amazon Connect 任务。
+ `profile:SearchProfiles` 操作是必需的,因为 `CreateCase` API 调用 `SearchProfiles` API 来搜索要验证的客户资料,然后将相应的资料与案例关联。
### 选项 2:使用现有策略的组合
以下策略组合也将发挥作用:
+ **AmazonConnect\_ FullAccess** 政策
+ 用于修改服务相关角色的策略 `iam:PutRolePolicy`。有关示例,请参阅[AWS 托管策略: AmazonConnect\_ FullAccess 策略](security-iam-amazon-connect-permissions.md#amazonconnectfullaccesspolicy)。
+ 以下 IAM 策略:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CasesGetDomain",
"Effect": "Allow",
"Action": [
"cases:GetDomain",
"cases:CreateDomain"
],
"Resource": "*"
},
{
"Sid": "ProfileSearchProfiles",
"Effect": "Allow",
"Action": [
"profile:SearchProfiles"
],
"Resource": "*"
}
]
}
```
------