Actions, resources, and condition keys for Amazon WorkDocs - Service Authorization Reference

Amazon WorkDocs (service prefix: workdocs) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon WorkDocs

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note: Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AbortDocumentVersionUpload Grants permission to abort the upload of the specified document version that was previously initiated by InitiateDocumentVersionUpload Write
ActivateUser Grants permission to activate the specified user. Only active users can access Amazon WorkDocs Write
AddNotificationPermissions [permission only] Grants permission to add principals that are allowed to call notification subscription APIs for a given WorkDocs site Write
AddResourcePermissions Grants permission to create a set of permissions for the specified folder or document Write
AddUserToGroup [permission only] Grants permission to add a user to a group Write
CheckAlias [permission only] Grants permission to check an alias Read
CreateComment Grants permission to add a new comment to the specified document version Write
CreateCustomMetadata Grants permission to add one or more custom properties to the specified resource Write
CreateFolder Grants permission to create a folder with the specified name and parent folder Write
CreateInstance [permission only] Grants permission to create an instance Write
CreateLabels Grants permission to add labels to the given resource Write
CreateNotificationSubscription Grants permission to configure WorkDocs to use Amazon SNS notifications Write
CreateUser Grants permission to create a user in a Simple AD or Microsoft AD directory Write
DeactivateUser Grants permission to deactivate the specified user, which revokes the user's access to Amazon WorkDocs Write
DeleteComment Grants permission to delete the specified comment from the document version Write
DeleteCustomMetadata Grants permission to delete custom metadata from the specified resource Write
DeleteDocument Grants permission to permanently delete the specified document and its associated metadata Write
DeleteDocumentVersion Grants permission to delete versions of a specified document Write
DeleteFolder Grants permission to permanently delete the specified folder and its contents Write
DeleteFolderContents Grants permission to delete the contents of the specified folder Write
DeleteInstance [permission only] Grants permission to delete an instance Write
DeleteLabels Grants permission to delete one or more labels from a resource Write
DeleteNotificationPermissions [permission only] Grants permission to delete principals that are allowed to call notification subscription APIs for a given WorkDocs site Write
DeleteNotificationSubscription Grants permission to delete the specified subscription from the specified organization Write
DeleteUser Grants permission to delete the specified user from a Simple AD or Microsoft AD directory Write
DeregisterDirectory [permission only] Grants permission to deregister a directory Write
DescribeActivities Grants permission to fetch user activities in a specified time period List
DescribeAvailableDirectories [permission only] Grants permission to describe available directories List
DescribeComments Grants permission to list all the comments for the specified document version List
DescribeDocumentVersions Grants permission to retrieve the document versions for the specified document List
DescribeFolderContents Grants permission to describe the contents of the specified folder, including its documents and sub-folders List
DescribeGroups Grants permission to describe the user groups List
DescribeInstanceExports [permission only] Grants permission to describe the export history for an instance List
DescribeInstances [permission only] Grants permission to describe instances List
DescribeNotificationPermissions [permission only] Grants permission to describe principals that are allowed to call notification subscription APIs for a given WorkDocs site List
DescribeNotificationSubscriptions Grants permission to list the specified notification subscriptions List
DescribeResourcePermissions Grants permission to view a description of a specified resource's permissions List
DescribeRootFolders Grants permission to describe the root folders List
DescribeUsers Grants permission to view a description of the specified users. You can describe all users or filter the results (for example, by status or organization) List
DownloadDocumentVersion [permission only] Grants permission to download a specified document version Read
GetCurrentUser Grants permission to retrieve the details of the current user Read
GetDocument Grants permission to retrieve the specified document object Read
GetDocumentPath Grants permission to retrieve the path information (the hierarchy from the root folder) for the requested document Read
GetDocumentVersion Grants permission to retrieve version metadata for the specified document Read
GetFolder Grants permission to retrieve the metadata of the specified folder Read
GetFolderPath Grants permission to retrieve the path information (the hierarchy from the root folder) for the specified folder Read
GetGroup [permission only] Grants permission to retrieve details for the specified group Read
GetResources Grants permission to get a collection of resources Read
InitiateDocumentVersionUpload Grants permission to create a new document object and version object Write
RegisterDirectory [permission only] Grants permission to register a directory Write
RemoveAllResourcePermissions Grants permission to remove all the permissions from the specified resource Write
RemoveResourcePermission Grants permission to remove the permission for the specified principal from the specified resource Write
RestoreDocumentVersions Grants permission to restore versions of a specified document Write
SearchResources Grants permission to search metadata and the content of resources List
StartInstanceExport [permission only] Grants permission to start an export for an instance Write organization*

UpdateDocument Grants permission to update the specified attributes of the specified document Write
UpdateDocumentVersion Grants permission to change the status of the document version to ACTIVE Write
UpdateFolder Grants permission to update the specified attributes of the specified folder Write
UpdateInstanceAlias [permission only] Grants permission to update an instance alias Write
UpdateUser Grants permission to update the specified attributes of the specified user, and grants or revokes administrative privileges to the Amazon WorkDocs site Write
UpdateUserAdministrativeSettings [permission only] Grants permission to update the administrative settings for a user Write

Resource types defined by Amazon WorkDocs

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
organization arn:${Partition}:workdocs:${Region}:${Account}:organization/${ResourceId}

Condition keys for Amazon WorkDocs

WorkDocs has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.
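
The rules on this page can be checked mechanically before a policy is deployed. The following Python check is an added example, not part of the AWS reference: it flags workdocs statements that scope Resource for an action with no listed resource type, that give StartInstanceExport something other than an organization ARN, or that use a workdocs: condition key. The helper name lint_statement, the account ID, the organization ID and the workdocs:Owner key are constructed placeholders.

```python
import re

# From the Actions table on this page: StartInstanceExport is the only action
# with a resource type (organization, required). All others need Resource "*".
RESOURCE_SCOPED = {"startinstanceexport"}
# arn:${Partition}:workdocs:${Region}:${Account}:organization/${ResourceId},
# with IAM wildcards (* and ?) tolerated in each field.
ORG_ARN = re.compile(r"^arn:[a-z*?-]+:workdocs:[a-z0-9*?-]+:[0-9*?]+:organization/.+$")

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return findings for the workdocs actions in one policy statement."""
    findings = []
    scoped = [r for r in _as_list(stmt.get("Resource")) if r != "*"]
    for action in _as_list(stmt.get("Action")):
        prefix, _, name = action.lower().partition(":")
        if prefix != "workdocs":
            continue
        for res in scoped:
            if "*" in name or "?" in name:
                findings.append(f"{action}: wildcard action with scoped Resource; "
                                "only StartInstanceExport lists a resource type")
            elif name not in RESOURCE_SCOPED:
                findings.append(f"{action}: no resource type listed, Resource must be \"*\"")
            elif not ORG_ARN.match(res):
                findings.append(f"{action}: {res} is not an organization ARN")
    for keys in (stmt.get("Condition") or {}).values():
        for key in keys:
            if key.lower().startswith("workdocs:"):
                findings.append(f"{key}: WorkDocs defines no service-specific condition keys")
    return findings

# Constructed sample policy: the account ID, organization ID and the
# workdocs:Owner condition key are placeholders invented for this example.
ORG = "arn:aws:workdocs:us-east-1:111122223333:organization/d-EXAMPLE1234"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "workdocs:StartInstanceExport", "Resource": ORG},
    {"Effect": "Allow", "Action": ["workdocs:GetDocument", "workdocs:DeleteFolder"], "Resource": ORG},
    {"Effect": "Allow", "Action": "workdocs:DescribeUsers", "Resource": "*",
     "Condition": {"StringEquals": {"workdocs:Owner": "alice"}}},
]}
```

Running lint_statement over each entry of SAMPLE_POLICY["Statement"] returns no findings for the first statement, two for the second and one for the third.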