edit-icon download-icon

Authorization policies

Last Updated: Oct 16, 2017

An authorization policy is a set of permissions that either allow or deny a user access to a certain resource. After an authorization policy is attached to a user or group, the user or users in the group is granted access to resources that were specified in the authorization policy. Authorization policies are described using the Policy Language.

This document explains the authorization policies in RAM and the corresponding operation methods.

RAM supports two types of authorization policies: system authorization policies and custom authorization policies.

System authorization policies

System authorization policies are a group of general authorization policies provided by Alibaba Cloud. They define read-only permission or full permissions for different products.

  • System authorization policies can only be used for authorization; they cannot be edited nor be modified by a user.

  • Instead, system authorization policies are automatically updated and modified by Alibaba Cloud.

To view all the system authorization policies, log on to the RAM console and click Policies. Here, you can view the list of all system authorization policies.

RAM supports the following system authorization policies:

System authorization policy name Permission description
AdministratorAccess Permission for managing all Alibaba Cloud resources
AliyunActionTrailFullAccess Permission for managing ActionTrails
AliyunActionTrailReadOnlyAccess Read-only permission for ActionTrails
AliyunBatchComputeFullAccess Permissions for managing BatchCompute
AliyunBSSFullAccess Permission for managing BSS
AliyunBSSOrderAccess Permission to view, pay, and cancel orders on BSS
AliyunBSSReadOnlyAccess Read-only permission for BSS
AliyunCDNFullAccess Permission for managing CDN
AliyunCDNReadOnlyAccess Read-only permission for CDN
AliyunCloudMonitorFullAccess Permission for managing CloudMonitor
AliyunCloudMonitorReadOnlyAccess Read-only permission for CloudMonitor
AliyunDirectMailFullAccess Permission for managing DirectMail
AliyunDirectMailReadOnlyAccess Read-only permission for DirectMail
AliyunECSFullAccess Permission for managing ECS
AliyunECSReadOnlyAccess Read-only permission for ECS
AliyunEIPFullAccess Permission for managing EIPs
AliyunEIPReadOnlyAccess Read-only permission for EIPs
AliyunEMRFullAccess Permission for managing E-MapReduce
AliyunKvstoreFullAccess Permission for managing Kvstore
AliyunKvstoreReadOnlyAccess Read-only permission for Kvstore
AliyunLogFullAccess Permission for managing Log service
AliyunLogReadOnlyAccess Read-only permission for Log service
AliyunMNSFullAccess Permission for managing MNS
AliyunMNSReadOnlyAccess Read-only permission for MNS
AliyunMTSFullAccess Permission for managing MTS
AliyunOCSFullAccess Permission for managing OCS
AliyunOCSReadOnlyAccess Read-only permission for OCS
AliyunOSSFullAccess Permission for managing OSS
AliyunOSSReadOnlyAccess Read-only permission for OSS
AliyunOTSFullAccess Permission for managing Table Store
AliyunOTSReadOnlyAccess Read-only permission for Table Store
AliyunPTSFullAccess Permission for managing PTS
AliyunRAMFullAccess Permission for managing RAM, that is, permission for managing users and permissions
AliyunRAMReadOnlyAccess Read-only permission for RAM, that is, permission for viewing users, groups, and authorization information
AliyunRDSFullAccess Permission for managing RDS
AliyunRDSReadOnlyAccess Read-only permission for RDS
AliyunSLBFullAccess Permission for managing Server Load Balancer
AliyunSLBReadOnlyAccess Read-only permission for Server Load Balancer
AliyunSTSAssumeRoleAccess Permission for calling the STS AssumeRole interface
AliyunSupportFullAccess Permission for managing the ticket system
AliyunVPCFullAccess Permission for managing VPC
AliyunVPCReadOnlyAccess Read-only permission for VPC
AliyunYundunAegisFullAccess Permission for managing Aegis
AliyunYundunAFSFullAccess Permission for managing AFS
AliyunYundunAPSFullAccess Permission for managing APS
AliyunYundunCloudsFullAccess Permission for managing Alibaba Cloud Security Network (Clouds)
AliyunYundunDDosFullAccess Permission for managing Anti-DDoS
AliyunYundunFlawSaleFullAccess Permission for managing Alibaba Cloud Security FlawSale
AliyunYundunFullAccess Permission for managing all Alibaba Cloud Security products
AliyunYundunGreenWebFullAccess Permission for managing Alibaba Cloud Security GreenWeb
AliyunYundunHighFullAccess Permission for managing Alibaba Cloud Security Anti-DDoS IPs
AliyunYundunHSMFullAccess Permission for managing Alibaba Cloud Security HSM
AliyunYundunMSSFullAccess Permission for managing Alibaba Cloud Security MSS
AliyunYundunSASFullAccess Permission for managing Alibaba Cloud Security SAS
AliyunYundunWAFFullAccess Permission for managing Alibaba Cloud Security WAF
AliyunYundunXianzhiFullAccess Permission for managing Alibaba Cloud Security Precognition
ReadOnlyAccess Read-only permission for all Alibaba Cloud resources

Custom authorization policies

If the coarse-grained system authorization policies do not meet your needs, you can create custom authorization policies.

For example, if you want to control the operation permissions for a certain ECS instance or require resource operator request to come from specified IP addresses, you must use a custom authorization policy to meet these fine-grained requirements.

Create a custom authorization policy

If you have finer-grained authorization requirements, you can create custom authorization policies for access control.

For example, you can only grant the user Bob the read-only permission for all objects in oss://sample_bucket/bob/, and only allow accesses from the IP addresses within your company network (your company network IP address can be acquired by searching “My IP” using the search engine).

When creating custom authorization policies, you must understand the basic structure and syntax of the authorization policy language. For more details, see Authorization Policy Language Description.

Procedure

  1. Log on to the RAM console.

  2. From the left-side navigation pane, click Policies.

  3. On the upper-right corner, click New Authorization Policy.

  4. Select an authorization policy template, for example, AliyunOSSReadOnlyAccess.

    Select Policy Template

  5. Edit the policy based on the template and click New Authorization Policy.

    Edit Custom Policy

    In the preceding figure, the selected part is the added fine-grained authorization content. The name, remarks, and content of the custom authorization policy have been modified.

    Custom policy example:

    1. {
    2. "Version": "1",
    3. "Statement": [
    4. {
    5. "Action": [
    6. "oss:Get*",
    7. "oss:List*"
    8. ],
    9. "Effect": "Allow",
    10. "Resource": "acs:oss:*:*:samplebucket/bob/*",
    11. "Condition": {
    12. "IpAddress": {
    13. "acs:SourceIp": "127.0.27.1"
    14. }
    15. }
    16. }
    17. ]
    18. }

If you attach this custom authorization policy to the user Bob, Bob will have the read-only permission for all objects in oss://samplebucket/bob/ under the condition that he accesses the objects from your company network (for example, 127.0.27.1).

Modify a custom authorization policy

When a user’s permissions change (that is, new permissions are added or existing permissions are revoked), you must modify the user’s authorization policy. When modifying an authorization policy, you may encounter two problems:

  • The old authorization policy is still available after a period of time.

  • After modification, the modified policy is incorrect and a rollback needs to be performed.

To address such problems, Alibaba Cloud provides the version management feature for authorization policies. Version management enables you to retain multiple versions for one authorization policy.

  • If the number of versions exceeds the limit, you must delete the unwanted versions.

  • When an authorization policy contains multiple versions, only one version is active, which is known as the “default version”.

Procedure

  1. Log on to the RAM console.

  2. From the left-side navigation pane, click Policies.

  3. Click Custom Policy to enter the sub-page.

  4. Click Modify next to the policy you want to modify.

    Policy Version Management

Delete a custom authorization policy

You can create multiple custom authorization policies and maintain multiple versions for each policy. You can also delete custom authorization policies that are no longer needed.

However, if an authorization policy contains multiple versions, that authorization policy cannot be deleted. Instead, you must delete all versions except the default one. When only the default version left, the authorization policy can then be deleted.

Procedure

  1. Log on to the RAM console.

  2. From the left-side navigation pane, click Policies.

  3. Click Custom Policy to enter the sub-page.

  4. Click Delete next to the authorization policy that you want to delete.

Thank you! We've received your feedback.