amazonka-organizations-2.0: Amazon Organizations SDK.
Copyright: (c) 2013-2023 Brendan Hay
License: Mozilla Public License, v. 2.0.
Maintainer: Brendan Hay
Stability: auto-generated
Portability: non-portable (GHC extensions)
Safe Haskell: Safe-Inferred
Language: Haskell2010

Amazonka.Organizations.DetachPolicy

Description

Detaches a policy from a target root, organizational unit (OU), or account.

If the policy being detached is a service control policy (SCP), the changes to permissions for Identity and Access Management (IAM) users and roles in affected accounts are immediate.

Every root, OU, and account must have at least one SCP attached. If you want to replace the default FullAWSAccess policy with an SCP that limits the permissions that can be delegated, you must attach the replacement SCP before you can remove the default SCP. This is the authorization strategy of an "allow list". If you instead attach a second SCP and leave the FullAWSAccess SCP still attached, and specify "Effect": "Deny" in the second SCP to override the "Effect": "Allow" in the FullAWSAccess policy (or any other attached SCP), you're using the authorization strategy of a "deny list".

This operation can be called only from the organization's management account.

Synopsis

Creating a Request

data DetachPolicy

See: newDetachPolicy smart constructor.

Constructors

DetachPolicy' 

Fields

  • policyId :: Text

    The unique identifier (ID) of the policy you want to detach. You can get the ID from the ListPolicies or ListPoliciesForTarget operations.

    The regex pattern for a policy ID string requires "p-" followed by 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).

  • targetId :: Text

    The unique identifier (ID) of the root, OU, or account that you want to detach the policy from. You can get the ID from the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations.

    The regex pattern for a target ID string requires one of the following:

    • Root - A string that begins with "r-" followed by 4 to 32 lowercase letters or digits.
    • Account - A string that consists of exactly 12 digits.
    • Organizational unit (OU) - A string that begins with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second dash ("-") and 8 to 32 additional lowercase letters or digits.

Instances

All instances are defined in Amazonka.Organizations.DetachPolicy.

  • ToJSON DetachPolicy
  • ToHeaders DetachPolicy
  • ToPath DetachPolicy
  • ToQuery DetachPolicy
  • AWSRequest DetachPolicy

    Associated Types

    type AWSResponse DetachPolicy
  • Generic DetachPolicy

    Associated Types

    type Rep DetachPolicy :: Type -> Type
  • Read DetachPolicy
  • Show DetachPolicy
  • NFData DetachPolicy

    Methods

    rnf :: DetachPolicy -> ()
  • Eq DetachPolicy
  • Hashable DetachPolicy
  • type AWSResponse DetachPolicy
  • type Rep DetachPolicy

    type Rep DetachPolicy = D1 ('MetaData "DetachPolicy" "Amazonka.Organizations.DetachPolicy" "amazonka-organizations-2.0-JONpdX4PtttLcKxQshpOlA" 'False) (C1 ('MetaCons "DetachPolicy'" 'PrefixI 'True) (S1 ('MetaSel ('Just "policyId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: S1 ('MetaSel ('Just "targetId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)))

newDetachPolicy

Create a value of DetachPolicy with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:policyId:DetachPolicy', detachPolicy_policyId - The unique identifier (ID) of the policy you want to detach. You can get the ID from the ListPolicies or ListPoliciesForTarget operations.

The regex pattern for a policy ID string requires "p-" followed by 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).

DetachPolicy, detachPolicy_targetId - The unique identifier (ID) of the root, OU, or account that you want to detach the policy from. You can get the ID from the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations.

The regex pattern for a target ID string requires one of the following:

  • Root - A string that begins with "r-" followed by 4 to 32 lowercase letters or digits.
  • Account - A string that consists of exactly 12 digits.
  • Organizational unit (OU) - A string that begins with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second dash ("-") and 8 to 32 additional lowercase letters or digits.
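
A pre-flight check built from the ID patterns above and the description's rule that every target keeps at least one SCP; this is an added example, not part of amazonka. `safeDetach` and its helpers are hypothetical names, the `attached` list is assumed to be the SCP IDs the caller collected with ListPoliciesForTarget, and `newDetachPolicy` is assumed to take the policy ID first and the target ID second, matching the field order.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Amazonka.Organizations.DetachPolicy (DetachPolicy, newDetachPolicy)
import Data.Char (isAsciiLower, isAsciiUpper, isDigit)
import Data.Text (Text)
import qualified Data.Text as T

lowerOrDigit, policyChar :: Char -> Bool
lowerOrDigit c = isAsciiLower c || isDigit c
policyChar c = lowerOrDigit c || isAsciiUpper c || c == '_'

-- | True when t has between lo and hi characters, all satisfying p.
sized :: Int -> Int -> (Char -> Bool) -> Text -> Bool
sized lo hi p t = T.length t >= lo && T.length t <= hi && T.all p t

validPolicyId, validTargetId :: Text -> Bool
validPolicyId = maybe False (sized 8 128 policyChar) . T.stripPrefix "p-"
validTargetId t
  | Just r <- T.stripPrefix "r-" t = sized 4 32 lowerOrDigit r
  | Just o <- T.stripPrefix "ou-" t = case T.splitOn "-" o of
      [root, ou] -> sized 4 32 lowerOrDigit root && sized 8 32 lowerOrDigit ou
      _ -> False
  | otherwise = sized 12 12 isDigit t

-- | Build the request only if it is well formed and would not strip the
-- target's last SCP. 'attached' is assumed to be the SCP IDs currently on the
-- target, collected by the caller (for example with ListPoliciesForTarget).
safeDetach :: [Text] -> Text -> Text -> Either String DetachPolicy
safeDetach attached policyId targetId
  | not (validPolicyId policyId) = Left "malformed policy ID"
  | not (validTargetId targetId) = Left "malformed target ID"
  | policyId `notElem` attached = Left "policy is not attached to this target"
  | length attached < 2 = Left "last SCP on target; attach a replacement first"
  | otherwise = Right (newDetachPolicy policyId targetId)

-- Constructed sample IDs; p-FullAWSAccess is the default SCP's ID.
main :: IO ()
main = mapM_ (putStrLn . either ("refused: " <>) show)
  [ safeDetach ["p-FullAWSAccess"] "p-FullAWSAccess" "ou-ab12-cdefgh34"
  , safeDetach ["p-FullAWSAccess", "p-examplescp1"] "p-FullAWSAccess" "123456789012"
  , safeDetach ["p-FullAWSAccess", "p-examplescp1"] "p-examplescp1" "r-AB"
  ]
```

The last-SCP guard applies only when the policy being detached is an SCP; other policy types carry no such minimum on this page.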

Request Lenses

detachPolicy_policyId :: Lens' DetachPolicy Text

The unique identifier (ID) of the policy you want to detach. You can get the ID from the ListPolicies or ListPoliciesForTarget operations.

The regex pattern for a policy ID string requires "p-" followed by 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).

detachPolicy_targetId :: Lens' DetachPolicy Text

The unique identifier (ID) of the root, OU, or account that you want to detach the policy from. You can get the ID from the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations.

The regex pattern for a target ID string requires one of the following:

  • Root - A string that begins with "r-" followed by 4 to 32 lowercase letters or digits.
  • Account - A string that consists of exactly 12 digits.
  • Organizational unit (OU) - A string that begins with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second dash ("-") and 8 to 32 additional lowercase letters or digits.

Destructuring the Response

data DetachPolicyResponse

See: newDetachPolicyResponse smart constructor.

Constructors

DetachPolicyResponse' 

Instances

All instances are defined in Amazonka.Organizations.DetachPolicy.

  • Generic DetachPolicyResponse

    Associated Types

    type Rep DetachPolicyResponse :: Type -> Type
  • Read DetachPolicyResponse
  • Show DetachPolicyResponse
  • NFData DetachPolicyResponse

    Methods

    rnf :: DetachPolicyResponse -> ()
  • Eq DetachPolicyResponse
  • type Rep DetachPolicyResponse

    type Rep DetachPolicyResponse = D1 ('MetaData "DetachPolicyResponse" "Amazonka.Organizations.DetachPolicy" "amazonka-organizations-2.0-JONpdX4PtttLcKxQshpOlA" 'False) (C1 ('MetaCons "DetachPolicyResponse'" 'PrefixI 'False) (U1 :: Type -> Type))

newDetachPolicyResponse :: DetachPolicyResponse

Create a value of DetachPolicyResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.