Alibaba Cloud provides a variety of system policies. System policies only provide coarse-grained access control, for example, full permissions or read-only permissions on a specific cloud service.
If you have finer-grained authorization requirements, for example, you want the RAM user bob to read objects only under the oss://samplebucket/bob/ directory and only from your office network, you can create a custom policy for access control. (To find the public IP address of your office network, search for "My IP address" in a search engine.) Note that the acs:SourceIp condition is matched against the public address from which the request reaches Alibaba Cloud, so use the egress (NAT) address or CIDR block of the office network, not internal addresses.
Prerequisites
You understand the basic structure and syntax of a policy. For more information, see Policy language syntax.
RAM supports authorization at the granularity of individual API operations. That is, each Action in a policy corresponds to a specific API operation of a cloud service, so permissions can be granted or denied operation by operation. Make sure that you understand the authorization granularity and methods supported by each service. For more information, see Cloud services supporting RAM.
Procedure
- Log on to the RAM Console.
- Choose Policies. Note: In the Policies pane, choose System Policy or Custom Policy from the Policy Type drop-down list to view the existing policies. System policies can only be viewed; custom policies can be modified as needed.
- Click Create Policy.
- In the displayed dialog box, enter a Policy Name. Optionally, enter a Note.
- Select Visualized or Script as the Configuration Mode.
  - If you select Visualized, click Add Statement. In the displayed dialog box, set the permission effect, actions, and resources.
  - If you select Script, edit the policy script directly. For details, see Policy language syntax.
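The following is an added example, not code from Alibaba Cloud's documentation. It shows the Script-mode policy for the bob scenario described above (Allow oss:GetObject and oss:ListObjects, restricted to the samplebucket/bob/ prefix and to requests whose source IP is in the office network) together with a small local simulator that applies the RAM evaluation rules the example depends on: an explicit Deny always wins, otherwise any matching Allow grants access, otherwise the request is denied. The bucket name, the bob/ prefix and the office CIDR 203.0.113.0/24 are assumptions; the simulator covers only wildcard matching on Action and Resource and the IpAddress/NotIpAddress operators on acs:SourceIp, and it is not the RAM policy engine, so use it to sanity-check a policy before pasting it into the console, not as a substitute for testing with a real RAM user.

```python
import fnmatch
import ipaddress
import json

# Constructed policy for the scenario on this page. Bucket, prefix and the
# office CIDR 203.0.113.0/24 are assumptions, not values from the original page.
BOB_READONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": [
                "acs:oss:*:*:samplebucket",          # needed for ListObjects on the bucket
                "acs:oss:*:*:samplebucket/bob/*",    # object reads limited to bob/
            ],
            "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
        }
    ],
}


def policy_json():
    """Return the policy as the JSON text you would paste in Script mode."""
    return json.dumps(BOB_READONLY_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate a Condition block. Only IpAddress / NotIpAddress on
    acs:SourceIp are modelled; anything else is treated as unsatisfied."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        for key, cidrs in pairs.items():
            if key != "acs:SourceIp" or "acs:SourceIp" not in context:
                return False
            source = ipaddress.ip_address(context["acs:SourceIp"])
            in_range = any(source in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified RAM-style decision: explicit Deny > Allow > implicit Deny.
    Action and Resource patterns use '*' wildcards, matched with fnmatch."""
    decision = "Deny"
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_met(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"       # an explicit Deny cannot be overridden by an Allow
        decision = "Allow"
    return decision


# Constructed sample requests: (action, resource, source IP, expected decision).
SAMPLE_REQUESTS = [
    ("oss:GetObject", "acs:oss:*:*:samplebucket/bob/report.txt", "203.0.113.10", "Allow"),
    ("oss:GetObject", "acs:oss:*:*:samplebucket/bob/report.txt", "198.51.100.7", "Deny"),
    ("oss:GetObject", "acs:oss:*:*:samplebucket/alice/secret.txt", "203.0.113.10", "Deny"),
    ("oss:PutObject", "acs:oss:*:*:samplebucket/bob/report.txt", "203.0.113.10", "Deny"),
    ("oss:ListObjects", "acs:oss:*:*:samplebucket", "203.0.113.10", "Allow"),
]


def run_samples(policy=BOB_READONLY_POLICY):
    """Evaluate every sample request; return the list of decisions."""
    return [evaluate(policy, action, resource, {"acs:SourceIp": ip})
            for action, resource, ip, _ in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print(policy_json())
    for (action, resource, ip, expected), got in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{got:5} (expected {expected}) {action} {resource} from {ip}")
```

Two things the simulator makes visible that the console does not: a PutObject from the office network is denied even though bob is "in" the directory, because only the listed read actions are allowed, and a GetObject from outside the CIDR is denied even for bob's own objects. Note that in this form oss:ListObjects is granted on the whole bucket, so bob can list object names outside bob/ even though he cannot read them; restricting listing to the prefix needs an additional condition on the list request, which is outside what this example models.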
What to do next
Attach the created policy to the RAM user bob. Bob then has read-only permission on the objects in the oss://samplebucket/bob/ directory, and only when he accesses OSS from the office network (for example, from the IP address 126.96.36.199). Requests from any other address, for any other directory, or for any action not listed in the policy are denied.
To attach a policy to a RAM user, see Authorize RAM users.