RAM uses policies to describe authorization content. Basic policy elements include effect, resource, action, and condition.

Effect

Effects can be categorized into two types: Allow and Deny.

Resource

Resources are specific authorized objects.

For example, in the policy "User A is allowed to perform the GetBucket operation on the SampleBucket resource", the resource is "SampleBucket".

Action

Actions are operations performed on specific resources.

For example, in the policy "User A is allowed to perform the GetBucket operation on the SampleBucket resource", the action is "GetBucket".

Condition

Conditions are the circumstances under which the authorization takes effect.

For example, in the policy "User A is allowed to perform the GetBucket operation on the SampleBucket resource before 2011-12-31", the condition is "before 2011-12-31".

Example

The following example policy allows read-only operations on the OSS bucket samplebucket, on the condition that the source IP address of the requester is 42.160.1.0.


{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:List*", "oss:Get*"],
      "Resource": ["acs:oss:*:*:samplebucket", "acs:oss:*:*:samplebucket/*"],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.160.1.0"
        }
      }
    }
  ]
}
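
To show how the four elements combine into a decision, the following added example (not part of the original page and not RAM's own evaluation code) runs a simplified evaluator over the policy above. It assumes that `*` matches any run of characters, that a request matching no statement is not allowed, and that an explicit Deny overrides any Allow; the helper names and the `ImplicitDeny` label are hypothetical.

```python
import ipaddress
import json
import re

# The example policy from the page.
POLICY = json.loads("""
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["oss:List*", "oss:Get*"],
   "Resource": ["acs:oss:*:*:samplebucket", "acs:oss:*:*:samplebucket/*"],
   "Condition": {"IpAddress": {"acs:SourceIp": "42.160.1.0"}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(patterns, value):
    """True if value matches any pattern; '*' matches any run of characters."""
    return any(
        re.fullmatch(".*".join(map(re.escape, p.split("*"))), value)
        for p in _as_list(patterns))

def _condition_holds(condition, context):
    for operator, keys in condition.items():
        if operator != "IpAddress":   # only the operator used on the page
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, allowed in keys.items():
            if key not in context:    # missing request attribute: no match
                return False
            src = ipaddress.ip_address(context[key])
            if not any(src in ipaddress.ip_network(a, strict=False)
                       for a in _as_list(allowed)):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"         # nothing matched: not allowed
    for stmt in policy["Statement"]:
        if (_wild(stmt["Action"], action)
                and _wild(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"         # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision
```

A request is allowed only when the action, the resource and the condition of an Allow statement all match, so a `GetObject` call from any address other than 42.160.1.0, or any write action, falls through to `ImplicitDeny`.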