Resource Management:Create a custom access control policy

Last Updated:Dec 15, 2023

You can create a custom access control policy to restrict specific operations on specific resources. Custom access control policies define only the permission boundaries of folders and members in a resource directory; they do not grant any permissions by themselves. Whether a principal in a member can actually perform an operation is still decided by the RAM permissions granted within that member, inside the boundary that the attached control policies leave open.

Methods used to create a custom access control policy

  • Create a custom access control policy on the Visual editor tab

    When you create a custom access control policy on the Visual editor tab, you select configuration items in the Effect, Service, Action, Resource, and Condition sections. The system validates your selections, so structural errors are caught before the policy is saved. This is the simpler method and does not require you to write the policy document by hand.

  • Create a custom access control policy on the JSON tab

    When you create a custom access control policy on the JSON tab, you write the policy document yourself, following the syntax and structure of access control policies. This method is more flexible, for example when a statement needs a combination of actions, resources, and conditions that is awkward to build in the visual editor, and is suitable for users who are familiar with the policy language.

Create a custom access control policy on the Visual editor tab

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Resource Directory > Control Policy.

  3. On the Policies tab, click Create Policy.

  4. On the Create Policy page, click the Visual editor tab.

  5. Configure the policy and click Next to edit policy information.

    1. In the Effect section, select Allow or Deny.

    2. In the Service section, select an Alibaba Cloud service.

      Note

      Only the Alibaba Cloud services that support control policies are listed in the Service section. A service that is not listed cannot be restricted by a custom access control policy.

    3. In the Action section, select All action(s) or Select action(s).

      The system displays the actions that can be configured based on the Alibaba Cloud service you select in the Service section. If you select Select action(s), you must select actions.

    4. In the Resource section, select All resource(s) or Specified resource(s).

      The system displays the resources that can be configured based on the actions you select in the Action section. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs). You can also select Match all to specify all resources for each selected action.

      Note

      The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure every resource ARN tagged with Required. If a required resource ARN is omitted, the statement may not match the requests that you intend to restrict, and the policy does not take effect as expected.

    5. Optional: In the Condition section, click Add condition to configure conditions.

      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You need to only select a condition key and configure the Operator and Value parameters.

    6. Click Add statement and repeat the preceding steps to configure multiple statements for the policy.

  6. Configure the Name and Description parameters.

  7. Check and optimize the policy document.

    • Basic optimization

      The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. Then, the system performs the following operations during advanced optimization:

      • Splits statements in which some resources or conditions do not apply to all of the listed actions, so that each action is paired only with the resources and conditions it supports.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

      Advanced optimization rewrites your statements. Review the optimized document statement by statement before you click OK, especially for Deny statements that serve as guardrails, to confirm that the boundary it defines is still the one you intended.

  8. Click OK.

Create a custom access control policy on the JSON tab

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Resource Directory > Control Policy.

  3. On the Policies tab, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the policy document and click Next to edit policy information.

    For more information about the syntax and structure of access control policies, see Languages of access control policies.

  6. Configure the Name and Description parameters.

  7. Check and optimize the policy document.

    • Basic optimization

      The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. Then, the system performs the following operations during advanced optimization:

      • Splits statements in which some resources or conditions do not apply to all of the listed actions, so that each action is paired only with the resources and conditions it supports.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

      Advanced optimization rewrites your statements. Review the optimized document statement by statement before you click OK, especially for Deny statements that serve as guardrails, to confirm that the boundary it defines is still the one you intended.

  8. Click OK.
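The following added example is not code from this page or from Alibaba Cloud. It shows, for the JSON procedure above and for the Visual editor procedure (which produces the same kind of document), what a control policy document looks like, how to check its structure before pasting it into the JSON tab, and what the basic optimization and statement deduplication or merging steps do to it. The action names, ARNs, the acs:SourceIp condition, and the 10.0.0.0/8 range are constructed sample values, and the optimizer is a simplified approximation written for illustration, not the console's implementation.

```python
"""Build, check and tidy a Resource Directory control policy document
(added example; the optimizer approximates the console, it is not its code)."""
import json

EFFECTS = ("Allow", "Deny")

# Sample policy document (constructed values): deny deleting ECS instances or
# RAM users unless the request comes from the corporate address range, and deny
# stopping ECS instances outright. A custom control policy grants nothing on
# its own; these Deny statements only narrow what RAM can grant in the members
# the policy is attached to.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ecs:DeleteInstance"],
            "Resource": ["*"],
            "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
        },
        {   # same Effect, Resource and Condition as above: can be merged
            "Effect": "Deny",
            "Action": ["ram:DeleteUser"],
            "Resource": ["*"],
            "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
        },
        {   # exact duplicate of the first statement: redundant
            "Effect": "Deny",
            "Action": ["ecs:DeleteInstance"],
            "Resource": ["*"],
            "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
        },
        {   # empty Condition and single-element arrays: unnecessary structure
            "Effect": "Deny",
            "Action": ["ecs:StopInstance"],
            "Resource": ["acs:ecs:*:*:instance/*"],
            "Condition": {},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_str_or_str_list(value):
    if isinstance(value, str):
        return True
    return isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)


def validate(policy):
    """Return a list of structural problems; empty means the document has the
    Version / Statement / Effect / Action / Resource / Condition shape."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in EFFECTS:
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            if not _is_str_or_str_list(st.get(key)):
                problems.append(f"statement {i}: {key} must be a string or a non-empty list of strings")
        if not isinstance(st.get("Condition", {}), dict):
            problems.append(f"statement {i}: Condition must be an object")
    return problems


def optimize(policy):
    """Approximate basic optimization (drop empty conditions and single-element
    arrays) plus deduplication/merging: statements that share Effect, Resource
    and Condition are combined into one statement with the union of actions."""
    merged, order = {}, []
    for st in policy["Statement"]:
        condition = st.get("Condition") or {}
        key = (st["Effect"], tuple(sorted(_as_list(st["Resource"]))), json.dumps(condition, sort_keys=True))
        if key not in merged:
            merged[key] = {"Effect": st["Effect"], "Action": [], "Resource": _as_list(st["Resource"])}
            if condition:  # copy so the input document is never mutated
                merged[key]["Condition"] = {op: {k: _as_list(v) for k, v in kv.items()} for op, kv in condition.items()}
            order.append(key)
        for action in _as_list(st["Action"]):
            if action not in merged[key]["Action"]:  # duplicate statements collapse here
                merged[key]["Action"].append(action)
    statements = []
    for key in order:
        st = merged[key]
        for field in ("Action", "Resource"):
            if len(st[field]) == 1:  # unnecessary array -> scalar
                st[field] = st[field][0]
        for kv in st.get("Condition", {}).values():
            for k, v in kv.items():
                if len(v) == 1:
                    kv[k] = v[0]
        statements.append(st)
    return {"Version": policy["Version"], "Statement": statements}


def render(policy):
    """The text to paste into the JSON tab."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for problem in validate(POLICY):
        print("problem:", problem)
    print(render(optimize(POLICY)))
```

Running the script prints the tidied document, which is the text to paste into the JSON tab; the four sample statements collapse to two. Whatever the console's optimizer does beyond this, diff its output against your original statement by statement before you click OK, because a merged or narrowed Deny is a changed guardrail.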

What to do next

After a custom access control policy is created, you must attach it to folders or members for it to take effect. For more information, see Attach a custom access control policy.
