This topic describes how to create a custom policy and grant the policy to a RAM user account. Custom policies let you tailor permissions to your specific requirements and manage access to your Apsara File Storage NAS resources more precisely.


  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, select Policies, click Create Policy, and follow the instructions to create a policy. The following example uses the NASReadOnlyAccess policy, which allows read-only access to all Apsara File Storage NAS resources. For more information about the script syntax, see Policy structure and grammar.
        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "nas:Describe*",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }

    The following table lists the API operations that you can call to manage Apsara File Storage NAS file systems.

    | Operation | Description |
    | --- | --- |
    | DescribeFileSystems | Lists all file systems. |
    | DescribeMountTargets | Lists all mount targets of a file system. |
    | DescribeAccessGroup | Lists all permission groups. |
    | DescribeAccessRule | Lists all rules added to a permission group. |
    | CreateMountTarget | Adds a mount target for a file system. |
    | CreateAccessGroup | Creates a permission group. |
    | CreateAccessRule | Adds a rule to a permission group. |
    | DeleteFileSystem | Deletes a file system. |
    | DeleteMountTarget | Deletes a mount target. |
    | DeleteAccessGroup | Deletes a permission group. |
    | DeleteAccessRule | Deletes a rule that is added to a permission group. |
    | ModifyMountTargetStatus | Enables or disables a mount target. |
    | ModifyMountTargetAccessGroup | Modifies the permission group of a mount target. |
    | ModifyAccessGroup | Modifies a permission group. |
    | ModifyAccessRule | Modifies a rule added to a permission group. |

    The following table shows the accessible Apsara File Storage NAS resources.

    | Resource | Description |
    | --- | --- |
    | * | All Apsara File Storage NAS resources |
  3. After the policy is created, go to the Users page.
  4. Select a RAM user account to be authorized, click Add Permissions, select the required NAS permission, and grant the permission to the RAM user account.
    Authorize a RAM user account
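
To check what a custom policy actually grants before attaching it, the following added example (not part of the original documentation or any Alibaba Cloud tooling) expands each `Action` pattern against the operations listed in step 2 and reports any non-Describe operation that is allowed. It assumes `*` is the only wildcard, that matching is case-sensitive, and that an explicit Deny overrides an Allow; `Resource` and conditions are not evaluated, and the function names and the second sample policy are constructed for illustration.

```python
import json
import re

# Operation names copied from the table in step 2 of this page.
NAS_OPERATIONS = [
    "DescribeFileSystems", "DescribeMountTargets", "DescribeAccessGroup",
    "DescribeAccessRule", "CreateMountTarget", "CreateAccessGroup",
    "CreateAccessRule", "DeleteFileSystem", "DeleteMountTarget",
    "DeleteAccessGroup", "DeleteAccessRule", "ModifyMountTargetStatus",
    "ModifyMountTargetAccessGroup", "ModifyAccessGroup", "ModifyAccessRule",
]

# The read-only policy from step 2.
READ_ONLY_POLICY = """{
    "Statement": [
        {"Effect": "Allow", "Action": "nas:Describe*", "Resource": "*"}
    ],
    "Version": "1"
}"""

# Constructed sample: a broad Allow narrowed by a Deny.
BROAD_POLICY = """{
    "Statement": [
        {"Effect": "Allow", "Action": "nas:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["nas:Delete*"], "Resource": "*"}
    ],
    "Version": "1"
}"""

def _matches(pattern, action):
    # Assumption: "*" matches any run of characters; comparison is case-sensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def allowed_operations(policy_text):
    """Listed NAS operations matched by an Allow and not by any Deny."""
    allowed, denied = set(), set()
    for stmt in json.loads(policy_text)["Statement"]:
        actions = stmt["Action"]
        patterns = [actions] if isinstance(actions, str) else actions
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        bucket.update(op for op in NAS_OPERATIONS
                      if any(_matches(p, "nas:" + op) for p in patterns))
    return sorted(allowed - denied)

def write_operations(policy_text):
    """Operations the policy grants that are not read-only Describe* calls."""
    return [op for op in allowed_operations(policy_text)
            if not op.startswith("Describe")]
```

An empty result from `write_operations` means the policy is read-only with respect to the operations listed on this page.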