This topic describes the structure and grammar used to create or update policies in
Alibaba Cloud Resource Access Management (RAM).
Policy structure
The policy structure includes the version number and a list of statements.
Each statement contains the following elements: effect, action, resource, and condition.
The condition element is optional.
Figure 1. Policy structure
Conventions used in a policy grammar
The conventions used in a policy grammar are as follows:
Characters in a policy:
The following characters are JSON tokens and are included in policies: { } [ ] " , :.
The following characters are special characters in the grammar and are not included
in policies: = < > ( ) |.
Use of characters:
If an element allows multiple values, you can use a comma (,) as the delimiter to
separate the values, and an ellipsis (...) to stand for the remaining values. For example,
[ <action_string>, <action_string>, ...].
Note A single value is also allowed if the element supports multiple values. In that case,
the two expressions are equivalent, for example, "Action": [<action_string>] and "Action": <action_string>.
A question mark (?) following an element indicates that the element is optional, for
example, <condition_block?>.
A vertical bar (|) between elements indicates alternatives, for example, ("Allow" | "Deny").
Elements that must be text strings are enclosed in double quotation marks (""), for
example, <version_block> = "Version" : ("1").
Note In a statement, both the action and resource elements can have multiple values.
Each statement supports its own conditions.
Note A condition block can contain multiple conditions with different action types and
logical combinations of these conditions.
You can attach multiple policies to a RAM user. If the policies that apply to a request
include both an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement.
Element value:
If an element value is a number or Boolean, it must be enclosed in double quotation
marks (""), just as a string is.
If an element value is a string, characters such as the asterisk (*) and question mark (?) can be used for fuzzy matching.
The asterisk (*) indicates any number (including zero) of allowed characters.
Note For example, ecs:Describe* indicates all ECS actions starting with Describe.
The question mark (?) indicates one allowed character.
Policy format check
Policies are stored in RAM as JSON documents. When you create or update a policy,
RAM first checks whether the JSON format is correct.
For more information about the JSON grammar standards, see RFC 7159.
We recommend that you use tools such as JSON validators and editors to verify that your
policies meet the JSON grammar standards.
Policy example
The following policy example contains two statements:
The first statement allows users to view (through the ecs:Describe* permission) all ECS resources in China (Hangzhou).
The second statement allows users to read and query (through the oss:ListObjects and oss:GetObject permissions) objects in the OSS bucket mybucket, but only from a network whose
IP address range is 192.168.0.0/16 or 172.12.0.0/16.
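The two statements above, reconstructed as a policy document and evaluated with the rules from this page (wildcard matching, one-value-or-list equivalence, Deny overriding Allow) as an added example that is not the page's own JSON. Assumed, not stated on this page: resource names take the form acs:<service>:<region>:<account>:<path>, the region id for China (Hangzhou) is cn-hangzhou, and the source-IP restriction is expressed with the IpAddress operator on the acs:SourceIp condition key. Only that operator is implemented; any other operator fails closed.

```python
import ipaddress
import json
import re

# Reconstruction of the policy described above (resource formats, region id and
# condition key are assumptions, see the lead-in)
EXAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-hangzhou:*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject"],
      "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"],
      "Condition": {
        "IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"]}
      }
    }
  ]
}
""")


def as_list(value):
    """The grammar treats "Action": "x" and "Action": ["x"] as equivalent."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """'*' matches any number (including zero) of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def condition_holds(condition, context):
    """True when every condition in the block holds for the request context.

    Only the IpAddress operator is implemented; an unknown operator or a missing
    context key makes the statement not apply (fail closed).
    """
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            return False
        for key, cidrs in pairs.items():
            if key not in context:
                return False
            ip = ipaddress.ip_address(context[key])
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in as_list(cidrs)):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return True only if some statement allows the request and no statement denies it."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if not any(wildcard_match(p, action) for p in as_list(stmt["Action"])):
                continue
            if not any(wildcard_match(p, resource) for p in as_list(stmt["Resource"])):
                continue
            if not condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an applicable Deny takes precedence over any Allow
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed request: read an object from mybucket from an address inside 192.168.0.0/16
    ctx = {"acs:SourceIp": "192.168.10.5"}
    print(evaluate([EXAMPLE_POLICY], "oss:GetObject", "acs:oss:*:*:mybucket/photos/a.jpg", ctx))
    print(evaluate([EXAMPLE_POLICY], "oss:GetObject", "acs:oss:*:*:mybucket/photos/a.jpg",
                   {"acs:SourceIp": "10.0.0.1"}))
```

Passing a second policy with a Deny statement in the same list shows the precedence rule from the note above: the request is refused even though the first policy allows it. A request that carries no acs:SourceIp at all is also refused, because the condition cannot be evaluated.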