If the system policies of Resource Access Management (RAM) do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve your resource security. This topic describes the scenarios of custom policies in ApsaraDB RDS. This topic also provides custom policy examples.
Custom policy introduction
RAM policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Scenarios and examples of custom policies
RAM authorization
To use a custom policy, you must understand the permission management requirements of your business and the authorization information about ApsaraDB RDS. For more information, see RAM authorization.
