If system policies cannot meet your specific requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security. This topic describes the scenarios of ApsaraVideo Live custom policies and provides sample custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Common scenarios and sample custom policies
You can obtain the names of API operations that you can specify for the Action parameter in the List of operations by function topic.
The following example shows a policy that allows requesters from only the IP address 192.168.x.x to call a specific operation.
{
"Version": "1",
"Statement": [
{
"Action": "Live:Describe*",
"Resource": "*",
"Effect": "Allow",
"Condition":
{
"IpAddress":
{
"acs:SourceIp": "192.168.x.x"
}
}
}
]
}