edit-icon download-icon

Create a custom policy (optional)

Last Updated: Apr 11, 2018

This document describes how to create a custom policy for finer-grained authorization demands.


In RAM, an authorization policy contains read or control permissions (can be Allow or Deny) to specified resources. Attaching a policy to a RAM user grants the user the pre-defined access permissions. RAM provides two kinds of policies:

  • System authorization policies (system policies), created by Alibaba Cloud, defines coarse-grained access control capabilities. You can grant read-only permission or all permissions to specific cloud products.

  • Custom authorization policies (custom policies), created by users, defines finer-grained authorization.

    For example, you can grant the user B read-only permission for all of the objects in oss://sample_bucket/b/, and prevent access by IP addresses from outside your company network (your company network IP address can be acquired by searching “My IP” using the search engine).

Log on to the RAM console and click Policies. Two policy options, System Policy and Custom Policy, are available on the Policy Management page.


Before creating custom authorization policies, you must understand the basic structure and syntax of the authorization policy language. For more details, see Authorization Policy Language Description.


The following procedure describes the creation of a custom policy to meet the authorization demands in the preceding example in the Background section.

  1. Log on to the RAM console.

  2. From the left-side navigation pane, click Policies.

  3. On the Policy Management page, click New Authorization Policy.

    Authorization Policy Overview

  4. Select an authorization policy among the templates provided, which including a blank template, system templates and custom templates such as AliyunOSSReadOnlyAccess.

  5. Edit your policy based on the template, as shown in the following figure:

    edit policy

    Custom policy example:

    1. {
    2. "Version": "1",
    3. "Statement": [
    4. {
    5. "Effect": "Allow",
    6. "Action": [
    7. "oss:Get*",
    8. "oss:List*"
    9. ],
    10. "Resource": [
    11. "acs:oss:*:*:samplebucket/bob/*"
    12. ],
    13. "Condition": {
    14. "IpAddress": {
    15. "acs:SourceIp": ""
    16. }
    17. }
    18. }
    19. ]
    20. }
  6. Once finish all the settings, click New Authorization Policy to complete creating the custom authorization policy.


If you attach the created custom authorization policy to the user B, B will have read-only permission for all of the objects in oss://samplebucket/bob/ when they access the objects from your company network (in this example,

For detailed procedure, see Attach policies to a RAM user.

Thank you! We've received your feedback.