Publish/subscribe policy examples - Amazon IoT Core

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Publish/subscribe policy examples

The policy you use depends on how you connect to Amazon IoT Core. You can connect with an MQTT client, over HTTP, or over WebSocket. When you connect with an MQTT client, you authenticate with an X.509 certificate. When you connect over HTTP or the WebSocket protocol, you authenticate with Signature Version 4 and Amazon Cognito.

Note

For registered devices, we recommend that you use thing policy variables for the Connect action and attach the thing to the principal used to connect.

Using wildcards in MQTT and Amazon IoT Core policies

MQTT and Amazon IoT Core policies have different wildcards, and you should choose between them only after careful consideration. In MQTT, the wildcards + and # are used in MQTT topic filters to subscribe to multiple topic names. Amazon IoT Core policies use * and ? as wildcards and follow IAM policy conventions. In a policy document, * represents any combination of characters and ? represents any single character. In a policy document, the MQTT wildcards + and # are treated as characters with no special meaning. To describe multiple topic names and topic filters in a policy's resource attribute, use the * and ? wildcards instead of the MQTT wildcards.

When choosing a wildcard to use in a policy document, keep in mind that the * character is not limited to a single topic level. In a topic filter, the + character is limited to a single MQTT topic level. To help limit a wildcard specification to a single MQTT topic filter level, consider using multiple ? characters. For more information about using wildcards in policy resources, and for more examples of what wildcards match, see Using wildcards in resource ARNs.

The following table shows the different wildcards used in MQTT clients and in Amazon IoT Core policies.

Wildcard | Is an MQTT wildcard character | Example in MQTT | Is an Amazon IoT Core policy wildcard | Example in an Amazon IoT Core policy
#        | Yes                           | some/#          | No                                    | N/A
+        | Yes                           | some/+/topic    | No                                    | N/A
*        | No                            | N/A             | Yes                                   | topicfilter/some/*/topic ; topicfilter/some/sensor*/topic
?        | No                            | N/A             | Yes                                   | topic/some/?????/topic ; topicfilter/some/sensor???/topic
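To make the difference between the two wildcard families concrete, here is an added example (not code from the Amazon IoT Core documentation) that implements policy-style matching (* and ?, with + and # as plain literals) next to MQTT topic-filter matching, and then shows which topics a prefix pattern such as topic_prefix* would actually cover. The sample topics are constructed for this illustration.

```python
import re


def iot_policy_match(pattern, value):
    """Match an Amazon IoT Core policy resource pattern against a concrete value.
    '*' matches any run of characters (it is not limited to one topic level) and
    '?' matches exactly one character; MQTT's '+' and '#' are ordinary literals."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def mqtt_filter_match(topic_filter, topic):
    """MQTT subscription matching: '+' matches exactly one topic level and
    '#' (only valid as the last level) matches every remaining level."""
    levels, parts = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(levels):
        if level == "#":
            return True
        if i >= len(parts) or (level != "+" and level != parts[i]):
            return False
    return len(levels) == len(parts)


def topics_granted(pattern, candidates):
    """Return which candidate resources a single policy resource pattern covers.
    Useful for reviewing how much a prefix wildcard such as topic/topic_prefix* grants."""
    return [c for c in candidates if iot_policy_match(pattern, c)]


# Constructed topics to review against the prefix pattern used later on this page
SAMPLE_TOPICS = ["topic/topic_prefix/sensor1", "topic/topic_prefix_archive/all", "topic/other"]
```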

Policies to publish, subscribe, and receive messages to and from a specific topic

The following examples show registered and unregistered devices publishing, subscribing, and receiving messages to and from a topic named "some_specific_topic". These examples also highlight that Publish and Receive use "topic" as the resource, whereas Subscribe uses "topicfilter" as the resource.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. It also grants Publish, Subscribe, and Receive permissions for the topic named "some_specific_topic".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some_specific_topic" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic" ]
    }
  ]
}
Unregistered devices

For devices not registered in the Amazon IoT Core registry, the following policy allows devices to connect using clientId1, clientId2, or clientId3. It also grants Publish, Subscribe, and Receive permissions for the topic named "some_specific_topic".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/clientId1",
        "arn:aws:iot:us-east-1:123456789012:client/clientId2",
        "arn:aws:iot:us-east-1:123456789012:client/clientId3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some_specific_topic" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic" ]
    }
  ]
}

Policies to publish, subscribe, and receive messages to and from topics with a specific prefix

The following examples show registered and unregistered devices publishing, subscribing, and receiving messages to and from topics with the prefix "topic_prefix".

Note

Note the use of the wildcard * in this example. Although * is useful for granting permissions for multiple topic names in a single statement, it can grant a device more permissions than it needs, which can lead to unintended consequences. We therefore recommend that you use the wildcard * only after careful consideration.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. It also grants Publish, Subscribe, and Receive permissions for topics with the prefix "topic_prefix".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix*" ]
    }
  ]
}
Unregistered devices

For devices not registered in the Amazon IoT Core registry, the following policy allows devices to connect using clientId1, clientId2, or clientId3. It also grants Publish, Subscribe, and Receive permissions for topics with the prefix "topic_prefix".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/clientId1",
        "arn:aws:iot:us-east-1:123456789012:client/clientId2",
        "arn:aws:iot:us-east-1:123456789012:client/clientId3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix*" ]
    }
  ]
}

Policies to publish, subscribe, and receive messages to and from topics specific to each device

The following examples show registered and unregistered devices publishing, subscribing, and receiving messages to and from topics that are specific to a given device.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. It grants permission to publish to a thing-specific topic (sensor/device/${iot:Connection.Thing.ThingName}), and to subscribe to and receive from a thing-specific topic (command/device/${iot:Connection.Thing.ThingName}). If the thing name in the registry is "thing1", the device will be able to publish to the topic "sensor/device/thing1". The device will also be able to subscribe to and receive from the topic "command/device/thing1".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/sensor/device/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/command/device/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/command/device/${iot:Connection.Thing.ThingName}" ]
    }
  ]
}
Unregistered devices

For devices not registered in the Amazon IoT Core registry, the following policy allows devices to connect using clientId1, clientId2, or clientId3. It grants permission to publish to a client-specific topic (sensor/device/${iot:ClientId}), and to subscribe to and receive from a client-specific topic (command/device/${iot:ClientId}). If a device connects with a clientId of clientId1, it will be able to publish to the topic "sensor/device/clientId1". The device will also be able to subscribe to and receive from the topic "device/clientId1/command".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/clientId1",
        "arn:aws:iot:us-east-1:123456789012:client/clientId2",
        "arn:aws:iot:us-east-1:123456789012:client/clientId3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/sensor/device/${iot:ClientId}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/command/device/${iot:ClientId}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/command/device/${iot:ClientId}" ]
    }
  ]
}

Policies to publish, subscribe, and receive messages to and from topics whose names include thing attributes

The following example shows a registered device publishing, subscribing, and receiving messages to and from topics whose names include thing attributes.

Note

Thing attributes exist only for devices registered in the Amazon IoT Core registry. There is no corresponding example for unregistered devices.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. It grants permission to publish to a topic whose name includes a thing attribute (sensor/${iot:Connection.Thing.Attributes[version]}), and to subscribe to and receive from a topic whose name includes a thing attribute (command/${iot:Connection.Thing.Attributes[location]}). If the thing in the registry has the attributes version=v1 and location=Seattle, the device will be able to publish to the topic "sensor/v1", and to subscribe to and receive from the topic "command/Seattle".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/sensor/${iot:Connection.Thing.Attributes[version]}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/command/${iot:Connection.Thing.Attributes[location]}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/command/${iot:Connection.Thing.Attributes[location]}" ]
    }
  ]
}
Unregistered devices

Because thing attributes exist only for devices registered in the Amazon IoT Core registry, there is no corresponding example for unregistered things.

Policies to deny publishing messages to sub-topics of a topic name

The following examples show registered and unregistered devices publishing messages to all topics except certain sub-topics.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. It allows publishing to all topics with the prefix "department/", but not to the "department/admins" sub-topic.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/department/*" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/department/admins" ]
    }
  ]
}
Unregistered devices

For devices not registered in the Amazon IoT Core registry, the following policy allows devices to connect using clientId1, clientId2, or clientId3. It allows publishing to all topics with the prefix "department/", but not to the "department/admins" sub-topic.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/clientId1",
        "arn:aws:iot:us-east-1:123456789012:client/clientId2",
        "arn:aws:iot:us-east-1:123456789012:client/clientId3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/department/*" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/department/admins" ]
    }
  ]
}

Policies to deny receiving messages from sub-topics of a topic name

The following examples show registered and unregistered devices subscribing to topics with a specific prefix, except for certain sub-topics, and receiving messages from such topics.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. This policy allows the device to subscribe to any topic with the prefix "topic_prefix". By using NotResource in the iot:Receive statement, we allow the device to receive messages from all topics it has subscribed to, except those with the prefix "topic_prefix/restricted". For example, with this policy, devices can subscribe to "topic_prefix/topic1" and even "topic_prefix/restricted"; however, they will only receive messages from the topic "topic_prefix/topic1" and no messages from the topic "topic_prefix/restricted".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "NotResource": "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix/restricted/*"
    }
  ]
}
Unregistered devices

For devices not registered in the Amazon IoT Core registry, the following policy allows devices to connect using clientId1, clientId2, or clientId3. This policy allows the device to subscribe to any topic with the prefix "topic_prefix". By using NotResource in the iot:Receive statement, we allow the device to receive messages from all topics it has subscribed to, except those with the prefix "topic_prefix/restricted". For example, with this policy, devices can subscribe to "topic_prefix/topic1" and even "topic_prefix/restricted". However, they will only receive messages from the topic "topic_prefix/topic1" and no messages from the topic "topic_prefix/restricted".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/clientId1",
        "arn:aws:iot:us-east-1:123456789012:client/clientId2",
        "arn:aws:iot:us-east-1:123456789012:client/clientId3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "NotResource": "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix/restricted/*"
    }
  ]
}

Policies to subscribe to topics using MQTT wildcards

The MQTT wildcards + and # are treated as literal strings, not as wildcards, when they are used in Amazon IoT Core policies. In MQTT, + and # are treated as wildcards only when subscribing with topic filters, and as literal strings in every other context. We recommend that you use these MQTT wildcards in an Amazon IoT Core policy only after careful consideration.

The following examples show registered and unregistered things that use MQTT wildcards in Amazon IoT Core policies. These wildcards are treated as literal strings.

Registered devices

For devices registered in the Amazon IoT Core registry, the following policy allows a device to connect whose clientId matches its thing name in the registry. This policy allows the device to subscribe to the topics "department/+/employees" and "location/#". Because + and # are treated as literal strings in Amazon IoT Core policies, devices can subscribe to the topic "department/+/employees" but not to the topic "department/engineering/employees". Similarly, devices can subscribe to the topic "location/#" but not to the topic "location/Seattle". However, once the device subscribes to the topic "department/+/employees", the policy will allow it to receive messages from the topic "department/engineering/employees". Similarly, once the device subscribes to the topic "location/#", it will receive messages from the topic "location/Seattle".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/department/+/employees"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/location/#"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/*"
    }
  ]
}
Unregistered devices

For devices not registered in the Amazon IoT Core registry, the following policy allows devices to connect using clientId1, clientId2, or clientId3. This policy allows the device to subscribe to the topics "department/+/employees" and "location/#". Because + and # are treated as literal strings in Amazon IoT Core policies, devices can subscribe to the topic "department/+/employees" but not to the topic "department/engineering/employees". Similarly, devices can subscribe to the topic "location/#" but not to "location/Seattle". However, once the device subscribes to the topic "department/+/employees", the policy will allow it to receive messages from the topic "department/engineering/employees". Similarly, once the device subscribes to the topic "location/#", it will receive messages from the topic "location/Seattle".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/clientId1",
        "arn:aws:iot:us-east-1:123456789012:client/clientId2",
        "arn:aws:iot:us-east-1:123456789012:client/clientId3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/department/+/employees"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/location/#"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/*"
    }
  ]
}

Policies for HTTP and WebSocket clients

When you connect over HTTP or the WebSocket protocol, you authenticate with Signature Version 4 and Amazon Cognito. Amazon Cognito identities can be authenticated or unauthenticated. Authenticated identities belong to users who have authenticated through any supported identity provider. Unauthenticated identities typically belong to guest users who have not authenticated with an identity provider. Amazon Cognito provides a unique identifier and Amazon credentials to support unauthenticated identities. For more information, see Authorizing with Amazon Cognito identities.

For the following operations, Amazon IoT Core uses the Amazon IoT Core policy attached to the Amazon Cognito identity with the Amazon IoT Core AttachPolicy API. This scopes down the permissions attached to the Amazon Cognito identity pool for authenticated identities.

  • iot:Connect

  • iot:Publish

  • iot:Subscribe

  • iot:Receive

  • iot:GetThingShadow

  • iot:UpdateThingShadow

  • iot:DeleteThingShadow

This means that an Amazon Cognito identity needs permission from both the IAM role policy and the Amazon IoT Core policy. You attach the IAM role policy to the pool, and you attach the Amazon IoT Core policy to the Amazon Cognito identity with the Amazon IoT Core AttachPolicy API.

Authenticated and unauthenticated users are different identity types. If you do not attach an Amazon IoT policy to the Amazon Cognito identity, an authenticated user cannot be authorized in Amazon IoT and cannot access Amazon IoT resources and operations.

Note

For other Amazon IoT Core operations, or for unauthenticated identities, Amazon IoT Core does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, this is the most permissive policy we recommend attaching to the Amazon Cognito pool role.

HTTP

To allow an unauthenticated Amazon Cognito identity to publish messages over HTTP to a topic specific to that Amazon Cognito identity, attach the following IAM policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
    }
  ]
}

To allow authenticated users, attach the above policy to the Amazon Cognito identity pool role and to the Amazon Cognito identity with the Amazon IoT Core AttachPolicy API.

Note

When authorizing an Amazon Cognito identity, Amazon IoT Core considers both policies and grants the least privilege specified. An operation is allowed only if both policies allow the requested operation. If either policy disallows an operation, the operation is not authorized.

MQTT

To allow an unauthenticated Amazon Cognito identity to publish messages over MQTT over WebSocket to a topic in your account specific to that Amazon Cognito identity, attach the following IAM policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${cognito-identity.amazonaws.com:sub}" ]
    }
  ]
}

To allow authenticated users, attach the above policy to the Amazon Cognito identity pool role and to the Amazon Cognito identity with the Amazon IoT Core AttachPolicy API.

Note

When authorizing an Amazon Cognito identity, Amazon IoT Core considers both policies and grants the least privilege specified. An operation is allowed only if both policies allow the requested operation. If either policy disallows an operation, the operation is not authorized.
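The following added example (not code from the Amazon IoT Core documentation) is a small evaluator that applies the rules this page relies on in the "deny a sub-topic" examples (an explicit Deny wins over an Allow, NotResource inverts the set of covered ARNs, unmatched requests are implicitly denied) and in the Cognito sections (the IAM role policy and the attached Amazon IoT Core policy must both allow). The policies and the Cognito identity value are constructed from the page's examples; the real service evaluation has more rules than shown here.

```python
import re

def _match(pattern, value):
    # Amazon IoT Core policy matching: '*' is any run of characters, '?' exactly one
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _substitute(arn, variables):
    # Replace policy variables such as ${cognito-identity.amazonaws.com:sub} with connection values
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), arn)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource_arn, variables=None):
    """Decide one action on one ARN: an explicit Deny wins over any Allow,
    and a request that no statement covers is implicitly denied."""
    variables, decision = variables or {}, "Deny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if "Resource" in stmt:
            hit = any(_match(_substitute(r, variables), resource_arn) for r in _as_list(stmt["Resource"]))
        else:  # NotResource: the statement covers every ARN except the ones listed
            hit = not any(_match(_substitute(r, variables), resource_arn) for r in _as_list(stmt["NotResource"]))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"
        if hit:
            decision = "Allow"
    return decision

def cognito_authorized(iam_role_policy, iot_policy, action, resource_arn, variables=None):
    """An authenticated Cognito identity is authorized only when both policies allow."""
    return all(evaluate(p, action, resource_arn, variables) == "Allow" for p in (iam_role_policy, iot_policy))

ACCOUNT = "arn:aws:iot:us-east-1:123456789012:"  # account prefix used in the page's examples

# Publish statements from the page's "deny publishing to a sub-topic" policy
DEPARTMENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [ACCOUNT + "topic/department/*"]},
    {"Effect": "Deny", "Action": ["iot:Publish"], "Resource": [ACCOUNT + "topic/department/admins"]}]}
# Receive statement from the page's NotResource policy
RECEIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Receive", "NotResource": ACCOUNT + "topic/topic_prefix/restricted/*"}]}
# The page's Cognito HTTP policy; the identity's sub is supplied at evaluation time
COGNITO_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": [ACCOUNT + "topic/${cognito-identity.amazonaws.com:sub}"]}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}  # constructed: no policy attached to the identity
```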