This topic describes how to use RAM Policy Editor.
Address
Usage
A Resource Access Management (RAM) policy consists of one or more rules. RAM Policy Editor allows you to add or remove rules for a policy and generate policy JSON text in a graphical interface. You can copy the generated policy JSON text and paste it into the policy JSON editor in the RAM console. For more information, see Create custom policies.
To add a rule to a policy in RAM Policy Editor, you must configure the following fields for the rule: Effect, Actions, Resources, and Conditions.
Effect
Specifies whether the rule allows or denies access to resources.
Actions
Specifies the actions performed to access resources. In most cases, you can select from the following general actions provided in the drop-down list:
oss:*: specifies all supported actions.
oss:Get*: specifies all read actions.
oss:Put*: specifies all write actions.
For more information, visit RAM Policy Editor README.
Resources
Specifies one or more resources. Common resource configuration scenarios:
Specify only a bucket, with objects in the bucket excluded. Example: my-bucket.
Specify all objects within a bucket, with the bucket itself excluded. Example: my-bucket/*.
Specify a directory within a bucket, with the objects in the directory excluded. Example: my-bucket/dir.
Specify all objects within a directory, with the directory itself excluded. Example: my-bucket/dir/* (the policy does not apply to the dir directory).
Specify the complete resource path. Example: acs:oss:*:174649585760xxxx:my-bucket/dir (174649585760xxxx is the user UID, which you can check in the OSS console).
EnablePath
To specify a directory in a policy, you must also grant the permission to call the ListObjects operation on the parent directory of the directory. For example, to grant read and write permissions on my-bucket/users/dir/*, you must also allow the ListObjects operation on the following resources:
ListObjects my-bucket
ListObjects my-bucket/users
ListObjects my-bucket/users/dir
If you select the EnablePath check box, the preceding permissions are automatically granted.
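The path expansion described above, as an added sketch for reviewing which extra ListObjects grants a rule picks up (this is not RAM Policy Editor's own code). The function names, the default UID of `*`, expressing the grants as `oss:ListObjects` on each path, and limiting the expansion to Allow rules are assumptions of this example.

```javascript
// Added illustration; not RAM Policy Editor's source code.
const ARN_PREFIX = /^acs:oss:[^:]*:[^:]*:/;

// Strip an optional "acs:oss:<region>:<uid>:" prefix, leaving "bucket/path".
function toPath(resource) {
  return resource.replace(ARN_PREFIX, "");
}

// For a directory resource such as "my-bucket/users/dir/*", return every path
// that needs ListObjects: the bucket, each intermediate directory, and the
// directory itself. A bare bucket has no directory part, so nothing is added.
function listObjectsPaths(resource) {
  const path = toPath(resource);
  if (!path.includes("/")) return [];
  const parts = path.split("/").filter((p) => p !== "");
  if (parts[parts.length - 1] === "*") parts.pop(); // drop trailing wildcard
  return parts.map((_, i) => parts.slice(0, i + 1).join("/"));
}

// Build policy JSON for one rule. With enablePath set, a second statement
// carries the ListObjects grants so they are easy to spot during review.
function buildPolicy({ effect, actions, resources, enablePath = false, uid = "*" }) {
  // Keep a complete resource path as given; otherwise prepend the ARN prefix.
  const arn = (p) => (ARN_PREFIX.test(p) ? p : `acs:oss:*:${uid}:${p}`);
  const statements = [{ Effect: effect, Action: actions, Resource: resources.map(arn) }];
  // Assumption of this sketch: the expansion only makes sense for Allow rules.
  if (enablePath && effect === "Allow") {
    const paths = [...new Set(resources.flatMap(listObjectsPaths))];
    if (paths.length > 0) {
      statements.push({
        Effect: "Allow",
        Action: ["oss:ListObjects"],
        Resource: paths.map(arn),
      });
    }
  }
  return { Version: "1", Statement: statements };
}

// Constructed sample rule: read and write on my-bucket/users/dir/*.
const sample = buildPolicy({
  effect: "Allow",
  actions: ["oss:Get*", "oss:Put*"],
  resources: ["my-bucket/users/dir/*"],
  enablePath: true,
});
console.log(JSON.stringify(sample, null, 2));
```

Comparing the output with and without `enablePath` shows exactly which additional paths become listable, which is the part to check against least privilege before pasting the JSON into the RAM console.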
Conditions
Specifies the conditions that must be met to access the resources. You can specify multiple conditions in a policy.
Examples
The following sample policy grants all OSS permissions on the specified resources: