This document belongs to Cloud WAF — Enterprise Web Protection Management Platform
CLI tool: zcloud · 5 modules: guard / sys / analytics / cli_release / auth
Full API index: /api/openapi.json · Sitemap: /sitemap.xml · AI Quick Read: /llms.txt
Permission Matrix
RBAC Model
Cloud WAF uses a classic Resource × Action × Role RBAC model:
- Resource: a logical grouping of business entities, e.g. guard.domain (domain management), sys.user (user management); identified by a unique prefix
- Action: an operation on the resource, e.g. list, create, delete
- Full permission key: <resource_prefix>.<action_key>, e.g. guard.domain.list; this is the smallest grant unit (there is no coarser key such as a per-resource or per-module grant)
- Role: a set of permission keys; users acquire permissions by being assigned roles, and a user assigned several roles holds the union of their keys
The permission matrix is maintained by the server-side permission registry and exposed through GET /api/sys/permissions/tree with localized i18n names.
Full Resource / Action Listing
The tables below enumerate every grantable Resource × Action combination. Each Full Permission Key is a value accepted in the keys array of PUT /api/sys/roles/{id}/permissions, or, comma-separated, by the CLI --permissions flag. Keys not listed here are not recognised by the permission registry.
sys Module (System Management)
| Module | Resource (Prefix) | Action (Key) | Full Permission Key |
|---|---|---|---|
| sys | sys.user | list | sys.user.list |
| sys | sys.user | view | sys.user.view |
| sys | sys.user | create | sys.user.create |
| sys | sys.user | edit | sys.user.edit |
| sys | sys.user | delete | sys.user.delete |
| sys | sys.user | resetpwd | sys.user.resetpwd |
| sys | sys.user | lock | sys.user.lock |
| sys | sys.user | assign | sys.user.assign |
| sys | sys.role | list | sys.role.list |
| sys | sys.role | view | sys.role.view |
| sys | sys.role | create | sys.role.create |
| sys | sys.role | edit | sys.role.edit |
| sys | sys.role | delete | sys.role.delete |
| sys | sys.role | perm | sys.role.perm |
| sys | sys.oem | view | sys.oem.view |
| sys | sys.oem | create | sys.oem.create |
| sys | sys.oem | edit | sys.oem.edit |
| sys | sys.oem | delete | sys.oem.delete |
| sys | sys.security | view | sys.security.view |
| sys | sys.security | edit | sys.security.edit |
| sys | sys.session | view | sys.session.view |
| sys | sys.session | kick | sys.session.kick |
| sys | sys.audit | view | sys.audit.view |
guard Module (Web Protection)
| Module | Resource (Prefix) | Action (Key) | Full Permission Key |
|---|---|---|---|
| guard | guard.domain | list | guard.domain.list |
| guard | guard.domain | view | guard.domain.view |
| guard | guard.domain | create | guard.domain.create |
| guard | guard.domain | edit | guard.domain.edit |
| guard | guard.domain | delete | guard.domain.delete |
| guard | guard.domain | settings | guard.domain.settings |
| guard | guard.cert | list | guard.cert.list |
| guard | guard.cert | view | guard.cert.view |
| guard | guard.cert | upload | guard.cert.upload |
| guard | guard.cert | edit | guard.cert.edit |
| guard | guard.cert | delete | guard.cert.delete |
| guard | guard.cert | bind | guard.cert.bind |
| guard | guard.policy | list | guard.policy.list |
| guard | guard.policy | view | guard.policy.view |
| guard | guard.policy | create | guard.policy.create |
| guard | guard.policy | edit | guard.policy.edit |
| guard | guard.policy | delete | guard.policy.delete |
| guard | guard.bwlist | list | guard.bwlist.list |
| guard | guard.bwlist | create | guard.bwlist.create |
| guard | guard.bwlist | edit | guard.bwlist.edit |
| guard | guard.bwlist | delete | guard.bwlist.delete |
| guard | guard.bwlist | ip_list | guard.bwlist.ip_list |
| guard | guard.bwlist | ip_add | guard.bwlist.ip_add |
| guard | guard.bwlist | ip_delete | guard.bwlist.ip_delete |
| guard | guard.waf | list | guard.waf.list |
| guard | guard.waf | create | guard.waf.create |
| guard | guard.waf | edit | guard.waf.edit |
| guard | guard.waf | delete | guard.waf.delete |
| guard | guard.waf | status | guard.waf.status |
| guard | guard.cc | list | guard.cc.list |
| guard | guard.cc | create | guard.cc.create |
| guard | guard.cc | edit | guard.cc.edit |
| guard | guard.cc | delete | guard.cc.delete |
| guard | guard.cc | status | guard.cc.status |
| guard | guard.acl | list | guard.acl.list |
| guard | guard.acl | create | guard.acl.create |
| guard | guard.acl | edit | guard.acl.edit |
| guard | guard.acl | delete | guard.acl.delete |
| guard | guard.acl | status | guard.acl.status |
| guard | guard.forward | list | guard.forward.list |
| guard | guard.forward | create | guard.forward.create |
| guard | guard.forward | edit | guard.forward.edit |
| guard | guard.forward | delete | guard.forward.delete |
| guard | guard.schedule | list | guard.schedule.list |
| guard | guard.schedule | view | guard.schedule.view |
| guard | guard.schedule | switch | guard.schedule.switch |
| guard | guard.schedule | init | guard.schedule.init |
| guard | guard.schedule | reset | guard.schedule.reset |
| guard | guard.schedule | records | guard.schedule.records |
| guard | guard.schedule | batch | guard.schedule.batch |
| guard | guard.schedule | affairs | guard.schedule.affairs |
| guard | guard.apply | list | guard.apply.list |
| guard | guard.apply | view | guard.apply.view |
| guard | guard.apply | create | guard.apply.create |
| guard | guard.apply | retry | guard.apply.retry |
| guard | guard.apply | quit | guard.apply.quit |
analytics Module (Dashboard)
| Module | Resource (Prefix) | Action (Key) | Full Permission Key |
|---|---|---|---|
| analytics | analytics.overview | view | analytics.overview.view |
| analytics | analytics.overview | export | analytics.overview.export |
| analytics | analytics.access | view | analytics.access.view |
| analytics | analytics.protect | view | analytics.protect.view |
| analytics | analytics.ai | view | analytics.ai.view |
| analytics | analytics.ai | logs | analytics.ai.logs |
| analytics | analytics.bot | view | analytics.bot.view |
| analytics | analytics.bot | session | analytics.bot.session |
| analytics | analytics.alert | view | analytics.alert.view |
| analytics | analytics.alert | ack | analytics.alert.ack |
Action Naming Conventions
Cross-module consistency for action naming:
| Action Key | Semantics | Typical HTTP Method |
|---|---|---|
| list | List query (with pagination) | GET (collection) |
| view | Detail query | GET (one) |
| create | Create | POST |
| edit | Edit (update existing resource) | PUT / PATCH |
| delete | Delete | DELETE |
| resetpwd | Reset password (sys.user only) | PUT |
| lock | Lock/unlock (sys.user only) | PUT |
| assign | Assign roles (sys.user only) | PUT |
| perm | Read/write role permissions (sys.role only) | GET / PUT |
| settings | Full config read/write (guard.domain only) | GET / PUT |
| upload | Upload (e.g. certs) | POST |
| bind | Bind/unbind relationship (cert↔domain) | POST / DELETE |
| ip_list / ip_add / ip_delete | IP sub-resource under bwlist | GET / POST / DELETE |
| status | Enable/disable (waf/cc/acl rules) | PUT |
| retry / quit | Task retry / cancel (guard.apply) | POST / PATCH |
| export | Report export (analytics.overview) | POST |
| logs | Detail logs (analytics.ai) | GET |
| session | Session detail (analytics.bot) | GET |
| ack | Acknowledge alert (analytics.alert) | PATCH |
Usage Example: Granting a Role
Bind a batch of permission keys to a role with the CLI (the value is a comma-separated list of full permission keys):

```bash
# Grant the "Operator" role all read permissions on domains and certs
# Note: the CLI flag is --permissions (required), not --keys
zcloud sys roles set-permissions 5 \
  --permissions guard.domain.list,guard.domain.view,guard.cert.list,guard.cert.view
```

Or via API, where the same keys are sent as a JSON array under keys:

```bash
curl -sS -X PUT https://waf.example.com/api/sys/roles/5/permissions \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"keys": ["guard.domain.list", "guard.domain.view"]}'
```
Fetch the Full Tree with i18n Names
The frontend permission page renders directly from this endpoint (with localized display names):

```bash
curl -sS https://waf.example.com/api/sys/permissions/tree \
  -H "Authorization: Bearer $TOKEN" \
  -H "Accept-Language: en-US" \
  | jq
```

The response is organised as module / resources[] / actions[]; each entry carries key and an i18n name. The full key of an action is its resource prefix joined to its action key with a dot, exactly as in the tables above.
Minimum-Privilege Recipes for CI
Example 1: CI only needs cert publishing → grant
guard.cert.list, guard.cert.view, guard.cert.upload, guard.cert.delete, guard.cert.bind
(drop guard.cert.delete if the pipeline only uploads and binds new certs and never removes superseded ones)
Example 2: CI only reads dashboards → grant
analytics.overview.view, analytics.access.view, analytics.protect.view
Never grant administrator-level rights to a CI account. In particular, keep sys.role.perm and sys.user.assign out of any CI role: the former lets the account rewrite its own role's permissions, the latter lets it assign itself additional roles. Minimum privilege is the first gate that limits blast radius when a CI token leaks.
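The following Python script is an added example, not Cloud WAF's or zcloud's own code. It serves the RBAC model above, the PUT /api/sys/roles/{id}/permissions and /api/sys/permissions/tree endpoints, and the CI recipes in one place: it flattens a tree response into the set of registered keys, validates a requested grant before it is sent (unknown or wildcard keys are rejected because a key is the smallest grant unit, and grant-management keys are refused for CI roles), computes a user's effective permission set as the union of assigned roles, and builds the JSON body for the PUT. The embedded tree is a constructed subset of the real response, and the GRANT_MANAGEMENT_KEYS list is this example's own policy choice, not a product setting.

```python
"""Offline model of the Cloud WAF permission matrix (added example, not product code)."""
import json

# Constructed subset of a GET /api/sys/permissions/tree response:
# module / resources[] / actions[], each action carrying `key` and an i18n `name`.
PERMISSION_TREE = [
    {"module": "sys", "resources": [
        {"prefix": "sys.user", "actions": [
            {"key": "list", "name": "List users"},
            {"key": "assign", "name": "Assign roles"},
            {"key": "resetpwd", "name": "Reset password"}]},
        {"prefix": "sys.role", "actions": [
            {"key": "view", "name": "View role"},
            {"key": "perm", "name": "Role permissions"}]}]},
    {"module": "guard", "resources": [
        {"prefix": "guard.domain", "actions": [
            {"key": "list", "name": "List domains"},
            {"key": "view", "name": "View domain"},
            {"key": "settings", "name": "Domain settings"}]},
        {"prefix": "guard.cert", "actions": [
            {"key": "list", "name": "List certs"},
            {"key": "view", "name": "View cert"},
            {"key": "upload", "name": "Upload cert"},
            {"key": "delete", "name": "Delete cert"},
            {"key": "bind", "name": "Bind cert"}]}]},
]

# Keys that let a principal change who can do what. Treating them as off-limits for
# CI accounts is this example's policy (assumption), not a rule enforced by the product.
GRANT_MANAGEMENT_KEYS = {"sys.role.perm", "sys.user.assign", "sys.user.resetpwd"}


def registry_keys(tree):
    """Flatten the tree into the set of full keys: <resource_prefix>.<action_key>."""
    keys = set()
    for module in tree:
        for res in module["resources"]:
            for act in res["actions"]:
                keys.add(f"{res['prefix']}.{act['key']}")
    return keys


def validate_grant(requested, registry, for_ci=False):
    """Classify a requested grant before sending it.

    Unknown keys (typos, wildcards such as guard.cert.*) are rejected outright: a key
    that is not in the registry is not a grant unit at all. For CI roles, any
    grant-management key also fails the check.
    """
    requested = set(requested)
    unknown = {k for k in requested if k not in registry}
    escalating = requested & GRANT_MANAGEMENT_KEYS
    ok = not unknown and not (for_ci and escalating)
    return {"ok": ok, "unknown": sorted(unknown), "escalating": sorted(escalating),
            "keys": sorted(requested - unknown)}


def effective_permissions(user_roles, roles):
    """A user's effective set is the union of the key sets of the roles assigned."""
    return set().union(*(roles[r] for r in user_roles))


def is_allowed(user_roles, roles, key, registry):
    """Fail closed: a key the registry does not know is denied even if a role lists it."""
    return key in registry and key in effective_permissions(user_roles, roles)


def put_body(keys):
    """Request body for PUT /api/sys/roles/{id}/permissions: a JSON array under "keys"."""
    return json.dumps({"keys": sorted(keys)})


if __name__ == "__main__":
    reg = registry_keys(PERMISSION_TREE)
    ci_cert = ["guard.cert.list", "guard.cert.view", "guard.cert.upload", "guard.cert.bind"]
    print(validate_grant(ci_cert, reg, for_ci=True))             # ok: minimal cert publishing
    print(validate_grant(ci_cert + ["guard.cert.*"], reg))        # wildcard rejected as unknown
    print(validate_grant(["sys.role.perm"], reg, for_ci=True))    # refused for a CI role
    roles = {"operator": set(ci_cert),
             "viewer": {"guard.domain.list", "guard.domain.view"}}
    print(is_allowed(["viewer"], roles, "guard.domain.view", reg))   # allowed
    print(is_allowed(["viewer"], roles, "guard.cert.upload", reg))   # denied
    print(put_body(ci_cert))                                          # body for the PUT
```

Run validate_grant against the live tree (replace PERMISSION_TREE with the parsed response of GET /api/sys/permissions/tree) as a pre-flight step in whatever automation manages roles; it turns a typo in a key into a hard failure instead of a silently missing grant, and it blocks the two keys that would let a CI role widen itself.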
Related Documents
- Authentication — relationship between roles and sessions
- API Documentation — permission keys per endpoint
- CLI Tools — equivalent CLI commands
Cloud WAF · Permission matrix generated from the server-side permission registry