


# Amazon WorkSpaces console operation permissions reference
<a name="wsp-console-permissions-ref"></a>

Some Amazon WorkSpaces APIs can be called only through the AWS Management Console. They are not public APIs, so they cannot be called programmatically and are not provided by any SDK. These API operations include:
+ workspaces:DirectoryAccessManagement
+ workspaces:CreateRootClientCertificate
+ workspaces:UpdateRootClientCertificate
+ workspaces:DeleteRootClientCertificate
+ workspaces:DescribeConsent
+ workspaces:UpdateConsent

## Permissions required for WorkSpaces console operations and actions
<a name="wsp-console-operations"></a>

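The console uses additional API actions for its features, so permissions for the WorkSpaces public APIs alone might not be sufficient. For example, a user who has permission to use the [CreateWorkspaces](https://docs.aws.amazon.com/workspaces/latest/api/API_CreateWorkspaces.html) API through the CLI/SDK might encounter errors when trying to create a WorkSpace in the console, because they lack the specific permissions needed to select or create users. This table lists the features that are available only in the WorkSpaces console, and the additional permissions that users need to use those specific parts of the console.

The [Example policies](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#workspaces-example-iam-policies) section provides lists of permissions for performing all WorkSpaces tasks for Personal, Pools, and BYOL WorkSpaces.

Alternatively, you can use granular permissions to apply least-privilege permissions for performing tasks.

This table lists the WorkSpaces console features that rely on APIs not provided by the SDK, and the permissions that users need to use those specific parts of the console. These permissions should be added in addition to the other actions required for the APIs that the SDK provides.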


| WorkSpaces console operation | Required permissions | 
| --- | --- | 
|  [WorkSpaces Personal quick setup](https://docs.aws.amazon.com/workspaces/latest/adminguide/managing-wsp-personal.html#getting-started)  |  workspaces:DirectoryAccessManagement ds:* ec2:CreateVpc ec2:CreateSubnet ec2:CreateNetworkInterface ec2:CreateInternetGateway ec2:CreateRouteTable ec2:CreateRoute ec2:CreateTags ec2:CreateSecurityGroup ec2:DescribeInternetGateways ec2:DescribeSecurityGroups ec2:DescribeRouteTables ec2:DescribeVpcs ec2:DescribeSubnets ec2:DescribeNetworkInterfaces ec2:DescribeAvailabilityZones ec2:AttachInternetGateway ec2:AssociateRouteTable ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress iam:CreateRole iam:GetRole iam:PutRolePolicy workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:CreateWorkspaces workspaces:DescribeWorkspaces workspaces:RegisterWorkspaceDirectory workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaces  | 
|  [Restrict access to trusted devices for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html#configure-restriction)  |  workspaces:CreateRootClientCertificate workspaces:UpdateRootClientCertificate workspaces:DeleteRootClientCertificate ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins workspaces:DirectoryAccessManagement  | 
|  [Create WorkSpaces in the console](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-workspaces-personal.html): create/search/describe Directory Service directory users  |  workspaces:DirectoryAccessManagement workspaces:DescribeAccount workspaces:CreateWorkspaces workspaces:DescribeWorkspaces workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaceBundles workspaces:DescribeTags workspaces:CreateTags workspaces:DescribeClientProperties kms:ListKeys kms:ListAliases kms:DescribeKey ds:DescribeTrusts ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups  | 
|  [Manage users in WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-users.html) – edit users and send user invitation emails  |  workspaces:DirectoryAccessManagement workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeTags workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspacesConnectionStatus workspaces:DescribeWorkspaceAssociations workspaces:DescribeWorkspaceSnapshots workspaces:DescribeWorkspaceImages workspaces:DescribeConnectionAliases  | 
|  [Update the AD Connector account for WorkSpaces Personal (AD Connector)](https://docs.aws.amazon.com/workspaces/latest/adminguide/connect-account.html)  |  workspaces:DirectoryAccessManagement ds:DescribeDirectories ds:UpdateDirectory ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins  | 
|  [Select an organizational unit for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/select-ou.html)  |  workspaces:DirectoryAccessManagement ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins workspaces:ModifyWorkspaceCreationProperties  | 
|  [Enable your BYOL account](https://docs.aws.amazon.com/workspaces/latest/adminguide/byol-windows-images.html) – acknowledge that you understand the requirements for using BYOL WorkSpaces  |  workspaces:DescribeConsent workspaces:UpdateConsent workspaces:DescribeAccount workspaces:ListAccountLinks workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaceImages workspaces:DescribeWorkspaceDirectories  | 
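
The following is an added example, not part of the AWS documentation: a small checker that reports which console-only permissions an identity policy still lacks for two of the operations in the table. The function names, the operation labels used as dictionary keys, and the sample policy are constructed for illustration, and the matcher is a simplification that reads only `Allow` statements and their `Action` patterns.

```python
import fnmatch

# Required actions, copied from two rows of the table above.
CONSOLE_OPERATIONS = {
    "Restrict access to trusted devices": [
        "workspaces:CreateRootClientCertificate",
        "workspaces:UpdateRootClientCertificate",
        "workspaces:DeleteRootClientCertificate",
        "ds:DescribeDirectories", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
        "workspaces:DescribeAccount", "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeTags", "workspaces:DescribeClientProperties",
        "workspaces:DescribeConnectClientAddins",
        "workspaces:DirectoryAccessManagement",
    ],
    "Enable your BYOL account": [
        "workspaces:DescribeConsent", "workspaces:UpdateConsent",
        "workspaces:DescribeAccount", "workspaces:ListAccountLinks",
        "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaceImages",
        "workspaces:DescribeWorkspaceDirectories",
    ],
}

# Constructed sample: enough for read-only and CreateWorkspaces use via CLI/SDK.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["workspaces:Describe*", "workspaces:CreateWorkspaces",
               "ds:DescribeDirectories", "ec2:Describe*"],
}]}

def allowed_patterns(policy):
    # Simplification: Deny, NotAction, Resource and Condition are not evaluated.
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # "Statement" may be a single object
        statements = [statements]
    patterns = []
    for st in statements:
        if st.get("Effect") == "Allow":
            actions = st.get("Action", [])
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return [p.lower() for p in patterns]  # action names are case-insensitive

def missing_actions(policy, operation):
    """Table actions for `operation` that no Allow pattern (* and ? wildcards) covers."""
    patterns = allowed_patterns(policy)
    return [a for a in CONSOLE_OPERATIONS[operation]
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

if __name__ == "__main__":
    for op in CONSOLE_OPERATIONS:
        print(op, "->", missing_actions(SAMPLE_POLICY, op) or "covered")
```

An empty result means only that every listed action is matched by an `Allow` pattern; an explicit `Deny`, a permissions boundary, or a service control policy can still block the console operation.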