You can use custom policies to meet various requirements for access control. The Resource Access Management (RAM) console allows you to configure custom policies in visualized mode or script mode. This topic describes the terms, scenarios, procedure, syntax, and examples of custom policies.

Scenarios

System policies are coarse-grained. You can use custom policies to perform fine-grained access control.

Procedure

In the RAM console, you can create a custom policy on the Create Policy page. For more information, see Create a custom policy.

Visualized mode

Click the Visual Editor tab and configure the policy. For more information, see Create a custom policy on the Visual Editor Beta tab.


Syntax

Before you configure a RAM policy, you must understand the basic elements and syntax of RAM policies. For more information, see Policy elements and Policy structure and syntax.

The following sample code provides an example of the AliyunLiveReadOnlyAccess system policy of ApsaraVideo Live:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "live:Describe*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The following section describes the parameters.

  • Version

    Version specifies the version of the policy. In this example, the Version parameter is set to 1.

  • Statement

    A single policy can contain multiple statements. Each statement contains the Action, Effect, and Resource elements and an optional Condition element. For each request, the system checks every statement in the policy. A statement matches a request when its Action, Resource, and Condition all match the request, and the Effect element of a matched statement is either Allow or Deny. Deny takes precedence: if all matched statements have Effect set to Allow, the request is authorized; if any matched statement has Effect set to Deny, or if no statement matches at all, the request is denied.

  • Action

    Actions in ApsaraVideo Live correspond to API operations. The Action value is in the live:API operation format. For example, live:Describe* specifies the playback operations (every operation whose name starts with Describe). To grant multiple operations, specify the Action values as a JSON array, separated by commas (,); such a set of Action values forms a permission group.

    To view all available operations, see List of operations by function.

  • Resource

    Resource specifies one or more ApsaraVideo Live resources that authorized users can access. Asterisks (*) can be used as wildcards. Resource values are in the acs:live:{region}:* format, and you can list multiple resources in the Resource element. The region field is not used; set it to an asterisk (*). ApsaraVideo Live does not divide permissions by resource, so we recommend that you set Resource to an asterisk (*).

  • Condition

    Condition specifies the access control conditions of the policy. This element is optional.

    The following table describes the supported condition keys.

    Condition key        Description                                                                        Valid value
    acs:SourceIp         Specifies the IP address or CIDR block from which the request is sent.             IP addresses. Asterisks (*) can be used.
    acs:SecureTransport  Specifies whether HTTPS is used for access.                                        true or false
    acs:MFAPresent       Specifies whether multi-factor authentication (MFA) was used during user logon.    true or false
    acs:CurrentTime      Specifies the time at which the request is received, to limit when the policy applies. ISO 8601 timestamp. Example: 2012-11-11T23:59:59Z.

The following example shows a policy that allows only requests from the IP address 192.168.0.1 to call the playback (Describe*) operations:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "live:Describe*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}
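The evaluation rule in the Statement description (Deny wins, all-Allow permits, no match denies) and the condition keys in the table above can be exercised offline with a small policy simulator. The following script is an added example written for this page, not code from Alibaba Cloud or the RAM service; it is a simplified model of RAM evaluation. The sample policy is constructed: the Allow statement is the page's acs:SourceIp example widened to a CIDR block, and the Deny statement that blocks non-HTTPS requests is added for illustration. The operator names IpAddress (from the page), NotIpAddress, Bool, DateGreaterThan and DateLessThan are the RAM condition operators the simulator understands; the action and resource strings in the demo are illustrative values in the page's formats.

```python
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample policy (see lead-in): query operations allowed only from
# one CIDR block, and every live: operation denied when HTTPS is not used.
POLICY_JSON = """
{
    "Version": "1",
    "Statement": [
        {
            "Action": "live:Describe*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.0/24"}}
        },
        {
            "Action": "live:*",
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {"Bool": {"acs:SecureTransport": "false"}}
        }
    ]
}
"""


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def _parse_time(value):
    # acs:CurrentTime values are ISO 8601 in UTC, e.g. 2012-11-11T23:59:59Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def request_context(source_ip, secure_transport, mfa_present=False, current_time=None):
    """Build the request attributes that the condition keys on the page refer to."""
    return {
        "acs:SourceIp": source_ip,
        "acs:SecureTransport": secure_transport,
        "acs:MFAPresent": mfa_present,
        "acs:CurrentTime": _parse_time(current_time) if current_time else None,
    }


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, candidate):
    # Wildcard match for Action and Resource; compared case-insensitively here.
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)


def _in_any_network(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold (AND); within one key any listed value
    may match (OR). Missing request attributes and unknown operators fail closed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual, values = ctx.get(key), _as_list(expected)
            if actual is None:
                return False
            if operator == "IpAddress":
                ok = _in_any_network(actual, values)
            elif operator == "NotIpAddress":
                ok = not _in_any_network(actual, values)
            elif operator == "Bool":
                ok = str(actual).lower() in [v.lower() for v in values]
            elif operator == "DateGreaterThan":
                ok = any(actual > _parse_time(v) for v in values)
            elif operator == "DateLessThan":
                ok = any(actual < _parse_time(v) for v in values)
            else:
                ok = False
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Decide a request as the page describes: a matched Deny wins, otherwise
    any matched Allow permits, and no matching statement is an implicit Deny."""
    effects = []
    for stmt in policy["Statement"]:
        if (_glob_match(_as_list(stmt["Action"]), action)
                and _glob_match(_as_list(stmt["Resource"]), resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


if __name__ == "__main__":
    policy = load_policy()
    for ip, https in [("192.168.0.10", True), ("10.0.0.5", True), ("192.168.0.10", False)]:
        decision = evaluate(policy, "live:DescribeLiveStreamsOnlineList", "acs:live:*:*",
                            request_context(ip, https))
        print(ip, "https" if https else "http", "->", decision)
```

Running the script prints Allow for the HTTPS request from inside the CIDR block and Deny for the other two: the out-of-range address matches no statement (implicit deny), and the plain-HTTP request matches both the Allow and the Deny statement, so Deny wins.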

Examples

ApsaraVideo Live provides API operations for all actions. For more information, see List of operations by function. The following examples show policies for Object Storage Service (OSS) and ApsaraVideo Live.

  • Policy for OSS

    This policy grants the following permissions:

    • The full permissions on the specified buckets.
    • The permissions to view the list of buckets.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:*"
          ],
          "Resource": [
            "acs:oss:*:*:$Bucket",
            "acs:oss:*:*:$Bucket/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Policy for ApsaraVideo Live

    This policy grants the following permissions:

    • The full permissions on the specified ApsaraVideo Live domain names.
    • The permissions to query ApsaraVideo Live domain names.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "live:*",
          "Resource": [
            "acs:cdn:*:$Uid:domain/$DomainName"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "live:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Note
  • When new API operations are released, update the Action values of your policies accordingly.
  • The policies for all services use the following variables. Replace each variable with the name of your own resource.

Variables

  • Uid

    $Uid: the ID of your Alibaba Cloud account. You can check the ID on the Basic Information page of the Account Center.

  • Bucket

    $Bucket: the OSS bucket.

  • Live

    $DomainName: the ApsaraVideo Live domain name.
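The two example policies above are templates whose $Uid, $Bucket and $DomainName placeholders must be replaced before the policy is created. The following script is an added example for this page, not code from Alibaba Cloud: it fills in the placeholders with string.Template, refuses to produce a policy when a variable is missing, and then lints the result for structural errors, leftover placeholders, and Allow statements that grant every action on every resource. The templates are the page's own two policies; the lint rules (Version "1", required elements, action and resource formats) follow the syntax section of this page, and the sample account ID, bucket and domain name are constructed values.

```python
import json
import re
import string

# Policy templates from this page, verbatim apart from whitespace.
# string.Template understands the $Uid/$Bucket/$DomainName placeholders.
OSS_TEMPLATE = string.Template("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:*"],
      "Resource": ["acs:oss:*:*:$Bucket", "acs:oss:*:*:$Bucket/*"],
      "Effect": "Allow"
    },
    {"Action": ["oss:ListBuckets"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")

LIVE_TEMPLATE = string.Template("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": "live:*",
      "Resource": ["acs:cdn:*:$Uid:domain/$DomainName"],
      "Effect": "Allow"
    },
    {"Action": "live:Describe*", "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# service:Operation, with * allowed in the operation part (e.g. live:Describe*)
ACTION_RE = re.compile(r"[A-Za-z0-9-]+:[A-Za-z0-9*]+")
# "*" or acs:service:region:account:relative-id
RESOURCE_RE = re.compile(r"\*|acs:[A-Za-z0-9-]+:[^:]*:[^:]*:.+")


def render(template, **variables):
    """Fill in every placeholder. substitute() raises KeyError when a variable
    is missing, so a policy containing a literal "$Bucket" is never produced."""
    return json.loads(template.substitute(**variables))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Return a list of findings: structural errors, leftover variables, and
    Allow statements that grant every action on every resource."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        missing = [k for k in ("Action", "Resource", "Effect") if k not in stmt]
        if missing:
            findings.append(f"statement {i}: missing {', '.join(missing)}")
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        for a in actions:
            if not ACTION_RE.fullmatch(a):
                findings.append(f"statement {i}: malformed action {a!r}")
        for r in resources:
            if "$" in r:
                findings.append(f"statement {i}: unreplaced variable in {r!r}")
            elif not RESOURCE_RE.fullmatch(r):
                findings.append(f"statement {i}: malformed resource {r!r}")
        if (stmt["Effect"] == "Allow" and "*" in resources
                and any(a.endswith(":*") for a in actions)):
            findings.append(f"statement {i}: allows every action on every resource")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace them with your own account ID,
    # bucket and domain name.
    policy = render(LIVE_TEMPLATE, Uid="1234567890123456", DomainName="live.example.com")
    print(json.dumps(policy, indent=2))
    print("findings:", lint(policy) or "none")
```

Both page policies lint clean once rendered: the oss:* statement is scoped to the bucket and the live:* statement to one domain name, and the Resource "*" statements only carry oss:ListBuckets or live:Describe*. A statement such as live:* on Resource "*" is reported so that it is a deliberate choice rather than a copy-and-paste accident.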