cx-platform-admin

Platform Admin Skill

Use this skill for managing access, authentication, and authorization in Coralogix. It covers API key management, role and scope definitions, user administration, team groups, SAML SSO configuration, and IP access restrictions.

Destructive Operation Safety

All write operations (create, update, delete, set-idp, set-active, set-status) require interactive confirmation. The CLI will prompt before executing. To skip the prompt in scripts, pass `--yes`.
IMPORTANT: NEVER pass `--yes` without explicit user approval.
Before executing any write operation:
  1. Describe the exact operation to the user (what will be created/modified/deleted)
  2. Wait for the user to confirm
  3. Only then execute with `--yes`
Read-only operations (list, get, search, system, sp-params, send-data-keys) do not require confirmation and can be run freely.

Read-Only Mode

Use `--read-only` (or `CX_READ_ONLY=1`) to block all write operations at the CLI level. This is useful for safe exploration - you can query any IAM resource without risk of accidental modifications.

Agent Mode

When running inside an AI agent (Claude Code, Cursor, Codex, etc.), cx automatically detects the agent environment and fails fast on write operations instead of hanging on a stdin prompt. The error message instructs you to get user confirmation first, then re-run with `--yes`.

CLI Commands

API Keys

| Command | Purpose |
| --- | --- |
| `cx iam api-keys list` | List all API keys |
| `cx iam api-keys get <id>` | Get a single API key |
| `cx iam api-keys create --from-file` | Create an API key |
| `cx iam api-keys update --from-file <id>` | Update an API key |
| `cx iam api-keys delete <id>` | Delete an API key |
| `cx iam api-keys send-data-keys` | List send-data API keys |
| `cx iam api-keys admin list` | List all team members' keys |
| `cx iam api-keys admin delete --ids <id1> <id2>` | Bulk delete keys |
| `cx iam api-keys admin set-status --ids <id1> --active true/false` | Activate/deactivate keys |

Roles & Scopes

| Command | Purpose |
| --- | --- |
| `cx iam roles list` | List custom roles |
| `cx iam roles get <id>` | Get a role definition |
| `cx iam roles create --from-file` | Create a custom role |
| `cx iam roles update --from-file <id>` | Update a custom role |
| `cx iam roles delete <id>` | Delete a custom role |
| `cx iam roles system` | List system (built-in) roles |
| `cx iam scopes list` | List all scopes |
| `cx iam scopes get <id>` | Get a scope definition |
| `cx iam scopes create --from-file` | Create a scope |
| `cx iam scopes update --from-file` | Update a scope |
| `cx iam scopes delete <id>` | Delete a scope |

Users & Groups

| Command | Purpose |
| --- | --- |
| `cx iam users search` | Search users (optional `--query`, `--status`) |
| `cx iam users get <user-id>` | Get a single user |
| `cx iam users create --from-file` | Create user(s) |
| `cx iam users update --from-file` | Update user(s) |
| `cx iam users set-status --user-ids <id> --status ACTIVE/INACTIVE` | Activate/deactivate users |
| `cx iam groups list` | List all team groups |
| `cx iam groups get <id>` | Get a group by ID |
| `cx iam groups get-by-name <name>` | Get a group by name |
| `cx iam groups users <group-id>` | List users in a group |
| `cx iam groups create --from-file` | Create a group |
| `cx iam groups update --from-file <id>` | Update a group |
| `cx iam groups delete <id>` | Delete a group |

SAML & IP Access

| Command | Purpose |
| --- | --- |
| `cx iam saml get` | Get SAML configuration |
| `cx iam saml sp-params` | Get service provider parameters |
| `cx iam saml set-idp --from-file` | Set IDP parameters |
| `cx iam saml set-active --active true/false` | Activate/deactivate SAML |
| `cx iam ip-access get` | Get IP access settings |
| `cx iam ip-access create --from-file` | Create IP access rules |
| `cx iam ip-access update --from-file` | Update IP access rules |
| `cx iam ip-access delete` | Delete IP access settings |

All commands support `-o json` for structured output and `-p <profile>` for profile selection.

Access Audit Workflow

Use this workflow to produce a comprehensive access report:

Step 1: List All Users

```bash
cx iam users search -o json
cx iam users search -o json | jq '[.[] | {id, name: .user_name, status, role_ids}]'
```

Step 2: List Roles

```bash
cx iam roles list -o json
cx iam roles system -o json
```
Cross-reference user role IDs with role definitions to understand permissions.

Step 3: List Groups and Memberships

```bash
cx iam groups list -o json
cx iam groups list -o json | jq '[.[] | {id, name, member_count: (.members | length)}]'
```
For each group, check members:
```bash
cx iam groups users <group-id> -o json
```

Step 4: Inventory API Keys

```bash
cx iam api-keys list -o json
cx iam api-keys admin list -o json
cx iam api-keys send-data-keys -o json
```
Identify old or unused keys:
```bash
cx iam api-keys list -o json | jq '[.[] | {id, name, created_at, active}] | sort_by(.created_at)'
```

Step 5: Check IP Restrictions

```bash
cx iam ip-access get -o json
```

Step 6: Check SAML Configuration

```bash
cx iam saml get -o json
cx iam saml sp-params -o json
```

Step 7: Cross-Reference

Produce a summary: which users have admin roles, which API keys are old, which groups have broad access.
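
The cross-reference for the first two questions (admin users and old keys), as an added example that is not part of the original skill or the cx project. It assumes role objects carry `id` and `name`, that a role name containing "admin" marks an admin role, that `created_at` is ISO 8601, and a 365-day age threshold; the sample data is constructed and only mirrors the fields used in the jq filters of Steps 1 and 4.

```python
import json
from datetime import datetime, timezone

# Constructed sample data shaped like the jq projections in Steps 1 and 4.
# Role "name", ISO 8601 "created_at" and every value below are assumptions.
USERS = json.loads('''[
 {"id": "u1", "user_name": "alice@example.com", "status": "ACTIVE", "role_ids": ["r1"]},
 {"id": "u2", "user_name": "bob@example.com", "status": "ACTIVE", "role_ids": ["r2"]},
 {"id": "u3", "user_name": "carol@example.com", "status": "INACTIVE", "role_ids": ["r1", "r9"]}
]''')
# Pass custom and system roles together (output of both Step 2 commands).
ROLES = json.loads('[{"id": "r1", "name": "Platform Admin"}, {"id": "r2", "name": "Read Only"}]')
API_KEYS = json.loads('''[
 {"id": "k1", "name": "ci-deploy", "created_at": "2022-03-01T00:00:00Z", "active": true},
 {"id": "k2", "name": "dashboards", "created_at": "2025-01-10T00:00:00Z", "active": true},
 {"id": "k3", "name": "legacy-shipper", "created_at": "2021-06-15T00:00:00Z", "active": false}
]''')


def admin_users(users, roles, marker="admin"):
    """Users holding any role whose name contains `marker` (case-insensitive)."""
    admin_ids = {r["id"] for r in roles if marker in r.get("name", "").lower()}
    known = {r["id"] for r in roles}
    report = []
    for u in users:
        held = set(u.get("role_ids") or [])
        if held & admin_ids:
            # Role IDs with no matching definition are surfaced for follow-up.
            report.append({"user": u["user_name"], "status": u["status"],
                           "unknown_role_ids": sorted(held - known)})
    return report


def stale_keys(keys, now, max_age_days=365):
    """Keys older than max_age_days, oldest first, with their active flag."""
    out = []
    for k in keys:
        created = datetime.fromisoformat(k["created_at"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > max_age_days:
            out.append({"id": k["id"], "name": k["name"], "age_days": age,
                        "active": k["active"]})
    return sorted(out, key=lambda k: -k["age_days"])


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the output is reproducible
    print(json.dumps({"admins": admin_users(USERS, ROLES),
                      "stale_keys": stale_keys(API_KEYS, now)}, indent=2))
```

In the sample, the INACTIVE user still holding an admin role and the role ID with no matching definition are the kind of findings the report should call out.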

API Key Rotation

Safe key rotation workflow:
  1. List current keys: `cx iam api-keys list -o json`
  2. Identify keys to rotate: filter by age or name
  3. Create replacement key: `cx iam api-keys create --from-file new-key.json --yes` (after user approval)
  4. Deploy the new key to all systems using the old key
  5. Verify the new key works in all integrations
  6. Delete the old key: `cx iam api-keys delete <old-key-id> --yes` (after user approval)
WARNING: Never delete an API key before its replacement is deployed and verified. Deleting an active key immediately breaks all integrations using it.

Safety Callouts

  • Deleting API keys breaks any integration using that key immediately. Always create a replacement first.
  • Deactivating users (`cx iam users set-status --status INACTIVE`) takes effect immediately. The user loses access with no grace period.
  • Changing SAML configuration (`cx iam saml set-idp` or `cx iam saml set-active`) can lock out the entire team if misconfigured. Always verify SP parameters first with `cx iam saml sp-params`.
  • Deleting IP access rules (`cx iam ip-access delete`) removes all IP restrictions immediately, potentially exposing the account.

Key Principles

  • Audit before modifying - run the full access audit workflow before making changes
  • Never delete keys without replacement - create new key → deploy → verify → delete old
  • Use `-o json` for structured reports - enables jq filtering for precise access analysis
  • Multi-profile for cross-environment audits - use `-p <profile>` or `--all-profiles` to audit staging + production
  • Template from existing - `cx iam roles get <id> -o json > role.json` before creating new roles

Related Skills

  • cx-cost-optimization - review what API keys are used for and whether they're still needed