You can use custom policies to meet a variety of requirements for access control. The Resource Access Management (RAM) console allows you to configure custom policies in visualized or script mode. This topic describes the basic terms, scenarios, procedure, syntax, and examples of custom policies.

Scenario

System policies are coarse-grained. You can use custom policies to implement fine-grained access control.

Procedure

You can create a custom policy on the Create Custom Policy page in the RAM console. For more information, see Create a custom policy.

Visualized mode

Select Visualized and click Add Statement. You can specify the permission effect, service, actions, resources, and conditions for a custom policy in a visualized manner.


Syntax

Before you configure a RAM policy, you must understand the basic elements and syntax of RAM policies. For more information, see Policy elements and Policy structure and syntax.

The following code shows the AliyunLiveReadOnlyAccess system policy of ApsaraVideo Live:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "Live:Describe*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

This system policy contains the following parameters:

  • Version

    Version defines the version of the policy. In this example, the Version parameter is set to 1.

  • Statement

    One policy can contain multiple statements. Each statement contains the Action, Effect, Resource, and Condition elements. For each request, the system checks which statements match. A matched statement has an Effect of either Allow or Deny, and Deny takes precedence: if all matched statements have Effect set to Allow, the request is authorized; if any matched statement has Effect set to Deny, or if no statement matches, the request is denied.

  • Action

    Actions in ApsaraVideo Live correspond to API operations. An Action value has the format Live:API operation. For example, Live:Describe* in this example matches the playback (Describe) operations. Multiple Action values are separated by commas (,). You can specify multiple Action values to grant a group of permissions.

    For all available operations, see Overview of the ApsaraVideo Live API.

  • Resource

    Resource specifies one or more ApsaraVideo Live resources that authorized users can access. Asterisks (*) can be used as wildcards. Resource values are in the acs:live:{region}:* format, and you can specify multiple resources in the Resource value. The region field is not supported, so set it to an asterisk (*). Because ApsaraVideo Live does not divide permissions by resource, we recommend that you set Resource to an asterisk (*).

  • Condition

    Optional. Condition specifies the access control conditions of the policy.

    The following table describes the supported conditions.

    Condition             Description                                                          Valid value
    acs:SourceIp          Specifies an IP address or a classless inter-domain routing (CIDR)   IP addresses. Asterisks (*) can be used.
                          block.
    acs:SecureTransport   Specifies whether HTTPS is used for access.                          true or false
    acs:MFAPresent        Specifies whether multi-factor authentication (MFA) is used during   true or false
                          user logon.
    acs:CurrentTime       Specifies the valid time when the request is received.               Values in the ISO 8601 standard. Example: 2012-11-11T23:59:59Z.

The following example shows a policy that allows only requests from IP address 42.160.1.0 to call the specified playback actions. The IpAddress condition operator compares the acs:SourceIp condition key with the listed address:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "Live:Describe*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "42.160.1.0"
                }
            }
        }
    ]
}
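To make the evaluation rules described above concrete, here is an added Python policy evaluator (example code, not an Alibaba Cloud tool or the page's own code). It applies Deny precedence, default deny, wildcard Action and Resource matching, and the IpAddress and Bool condition operators to a constructed policy; case-insensitive matching, the `ctx` request-context dictionary, and the treatment of unsupported operators as non-matching are assumptions.

```python
import fnmatch
import ipaddress
# Constructed policy (not from the page): the IP-restricted playback Allow above,
# plus an explicit Deny for Describe* calls made over plain HTTP.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "Live:Describe*", "Resource": "*", "Effect": "Allow",
         "Condition": {"IpAddress": {"acs:SourceIp": "42.160.1.0"}}},
        {"Action": "Live:Describe*", "Resource": "*", "Effect": "Deny",
         "Condition": {"Bool": {"acs:SecureTransport": "false"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value):
    # Action/Resource matching: '*' is a wildcard; case-insensitive (assumption).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    # AND across operators and keys, OR across listed values; a missing ctx key fails.
    for op, keys in cond.items():
        for key, wanted in keys.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if actual is None:
                return False
            if op == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
            elif op == "Bool":
                ok = str(actual).lower() in [str(w).lower() for w in wanted]
            else:
                ok = False  # assumption: unsupported operators never match
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    # Page rules: an explicit Deny wins, otherwise any Allow permits, no match denies.
    decision = "Deny"
    for st in policy["Statement"]:
        if not (_glob(st["Action"], action) and _glob(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Call `evaluate(POLICY, action, resource, ctx)` with the requester's `acs:SourceIp` and `acs:SecureTransport` values in `ctx`; a request that matches no statement is denied even though nothing explicitly forbids it.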

Examples

ApsaraVideo Live provides API operations for all actions. For more information, see Overview of the ApsaraVideo Live API. The following examples show policies for Object Storage Service (OSS) and ApsaraVideo Live.

  • Policy for OSS

    This policy includes the following permissions:

    • The complete permissions to manage the specified buckets.
    • The permission to view the list of buckets.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:*"
          ],
          "Resource": [
            "acs:oss:*:*:$Bucket",
            "acs:oss:*:*:$Bucket/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Policy for ApsaraVideo Live

    This policy includes the following permissions:

    • The complete permissions on the specified live domains.
    • The permission to query live domains.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "live:*",
          "Resource": [
            "acs:cdn:*:$Uid:domain/$DomainName"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "live:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Note

  • If new API operations are available, the Action values must be updated.
  • The policies for all services use the following variables. Replace the variables with the names of your resources.

Variables

  • Uid

    $Uid: the ID of the Alibaba Cloud account. You can view it on the Security Settings page of the Account Management console.

  • Bucket

    $Bucket: the endpoint of the OSS bucket.

  • Live

    $DomainName: the name of the live domain.