Resource Access Management: Create custom policies

Last Updated: Dec 20, 2024

You can create custom policies to manage permissions in a fine-grained manner.

Methods to create a custom policy

  • Create a custom policy on the Visual editor tab

    On the Visual editor tab, you select configuration items in the Effect, Service, Action, Resource, and Condition sections. The system then checks your configuration to ensure that the custom policy is valid. This method requires only simple operations.

  • Create a custom policy on the JSON tab

    On the JSON tab, you write the policy document yourself based on the syntax and structure of Resource Access Management (RAM) policies. This method is more flexible and is suitable for users who are familiar with the syntax and structure of RAM policies.

  • Create a custom policy by importing a policy template or system policy

    • Import a policy template: RAM provides policy templates that are created based on years of business practices and are suitable for common scenarios. For example, RAM provides policy templates that are applicable to system administrators, financial personnel, and network administrators. You only need to import an appropriate policy template and modify it based on your business requirements. This way, you can create a custom policy in a convenient manner.

    • Import a system policy: You can import a system policy and modify the policy based on your business requirements. This way, you can create a custom policy in a convenient and efficient manner.

Create a custom policy on the Visual editor tab

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the Visual editor tab.

  5. Configure a policy.

    For more information, see Policy elements.

    1. In the Effect section, select Allow or Deny.

    2. In the Service section, select an Alibaba Cloud service.

      Note

      The Alibaba Cloud services that you can select are displayed in the Service section.

    3. In the Action section, select All action(s) or Select action(s).

      The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select actions.

    4. In the Resource section, select All resource(s) or Specified resource(s).

      The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.

      Note

      The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.

    5. In the Condition section, click Add condition to configure a condition.

      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You only need to select a condition key and configure the Operator and Value parameters.

    6. Click Add statement and repeat the preceding steps to configure multiple custom policy statements.

  6. Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.

    The system performs the following operations during the advanced optimization:

    • Split resources or conditions that are incompatible with actions.

    • Narrow down resources.

    • Deduplicate or merge policy statements.

  7. On the Create Policy page, click OK.

  8. In the Create Policy dialog box, configure the Name and Description parameters and click OK.

Create a custom policy on the JSON tab

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the policy content.

    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

  6. Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.

    The system performs the following operations during the advanced optimization:

    • Split resources or conditions that are incompatible with actions.

    • Narrow down resources.

    • Deduplicate or merge policy statements.

  7. On the Create Policy page, click OK.

  8. In the Create Policy dialog box, configure the Name and Description parameters and click OK.
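
Before you paste a policy document into the JSON tab, you can check it for overly broad Allow statements. The following script is an added example and is not part of the RAM documentation or console: the function names are hypothetical, the sample policy (bucket name, IP range) is constructed, and the element names follow the RAM policy syntax (Version, Statement, Effect, Action, Resource, Condition).

```python
import json

# Constructed sample policy: one scoped statement and one overly broad statement.
SAMPLE_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}
  ]
}"""

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(text):
    """Return a list of findings for a RAM policy document given as a JSON string."""
    findings = []
    doc = json.loads(text)  # raises ValueError on malformed JSON
    if doc.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if stmt.get("Effect") != "Allow":
            continue  # breadth checks below apply to Allow statements only
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        # Equivalent of choosing "All action(s)" in the visual editor.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{where}: Allow grants every action of a service")
        # Equivalent of "All resource(s)" with an empty Condition section.
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{where}: Allow on all resources with no Condition")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```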

Create a custom policy by importing a policy template or system policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click Import Policy.

  5. In the Import Policy dialog box, select Policy Template or System Policy from the drop-down list in the upper-right corner. Then, import a policy template or system policy.

    1. Select a policy template or system policy.

    2. For specific policy templates, configure parameters based on your business requirements.

    3. Specify whether the policy document of the selected policy template or system policy overwrites the original policy document.

      By default, the policy document of the selected policy template or system policy overwrites the original policy document. You can also select Do NOT overwrite but append new statements to append the policy document of the selected policy template or system policy to the end of the original policy document.

    4. Click Import.

  6. On the Visual editor or JSON tab, view and modify the policy document of the imported policy template or system policy.

  7. Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.

    The system performs the following operations during the advanced optimization:

    • Split resources or conditions that are incompatible with actions.

    • Narrow down resources.

    • Deduplicate or merge policy statements.

  8. On the Create Policy page, click OK.

  9. In the Create Policy dialog box, configure the Name and Description parameters and click OK.