Elements

Last Updated: Sep 15, 2017

This document introduces the basic elements of an authorization policy and walks through an example policy.

Elements

RAM authorization policies consist of several basic authorization elements, including Effect, Resource, Action, and Condition.

Effect

Effects can be categorized into two types: Allow and Deny.

Resource

Resources are specific authorized objects.

For example, in the authorization policy “User A is allowed to perform the GetBucket operation on the resource SampleBucket”, the resource is “SampleBucket”.

Action

Actions are operations performed on specific resources.

For example, in the authorization policy “User A is allowed to perform the GetBucket operation on the resource SampleBucket”, the action is “GetBucket”.

Condition

Conditions are the circumstances under which the authorization takes effect.

For example, in the authorization policy “User A is allowed to perform the GetBucket operation on the resource SampleBucket before 2011-12-31”, the condition is “before 2011-12-31”.

Example

This example authorization policy can be explained as follows: read-only operations on the OSS bucket samplebucket are allowed on the condition that the source IP address of the requester is 42.160.1.0.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["oss:List*", "oss:Get*"],
          "Resource": ["acs:oss:*:*:samplebucket", "acs:oss:*:*:samplebucket/*"],
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.160.1.0"
            }
          }
        }
      ]
    }
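
To check what the example policy actually permits, the following Python sketch (an added example, not RAM's evaluation engine and not code from the original page) evaluates a request against the four elements described above. The function names are hypothetical, and the sketch assumes that "*" is the only wildcard, that matching is case-sensitive, that only the IpAddress operator is modelled, and that an explicit Deny overrides any Allow.

```python
import ipaddress
import re

# The example policy from this page, as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:List*", "oss:Get*"],
        "Resource": ["acs:oss:*:*:samplebucket", "acs:oss:*:*:samplebucket/*"],
        "Condition": {"IpAddress": {"acs:SourceIp": "42.160.1.0"}},
    }],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _wild(patterns, value):
    # Assumption: "*" matches any run of characters, all else is literal.
    return any(
        re.fullmatch(".*".join(map(re.escape, p.split("*"))), value)
        for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Only the IpAddress operator used on this page is modelled.
    for operator, keys in condition.items():
        if operator != "IpAddress":
            return False  # unmodelled operator: fail closed
        for key, allowed in keys.items():
            try:
                addr = ipaddress.ip_address(context[key])
            except (KeyError, ValueError):
                return False  # missing or malformed value: fail closed
            nets = [ipaddress.ip_network(a, strict=False) for a in _as_list(allowed)]
            if not any(addr in n for n in nets):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" (no match)."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if (_wild(st["Action"], action) and _wild(st["Resource"], resource)
                and _condition_ok(st.get("Condition", {}), context)):
            if st["Effect"] == "Deny":
                return "Deny"  # assumption: explicit Deny overrides Allow
            decision = "Allow"
    return decision
```

For instance, `evaluate(POLICY, "oss:GetObject", "acs:oss:cn-hangzhou:1234567890:samplebucket/report.csv", {"acs:SourceIp": "42.160.1.0"})` returns "Allow" (the region and account ID are constructed sample values). The same request from any other source IP, or an `oss:PutObject` request, returns "ImplicitDeny".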