This topic describes how to use RAM Policy Editor.

Address

RAM Policy Editor

Usage

A RAM policy consists of several rules. By using RAM Policy Editor, you can add or delete rules for a policy and generate the JSON text for the policy in a graphical interface. You can copy the JSON text generated for a policy in RAM Policy Editor to the Policy Document section in the RAM console to create the RAM policy. For more information, see Create a custom policy.

To add a rule to a policy in RAM Policy Editor, you must configure the following fields for the rule: Effect, Actions, Resources, and Conditions.

  • Effect

    Specifies whether the rule allows or denies access to resources.

  • Actions

    Specifies the actions that the rule allows or denies on the resources. In most cases, you only need to select from the following general actions provided in the drop-down list:

    • oss:*: indicates that all actions are allowed or denied.
    • oss:Get*: indicates that all read actions are allowed or denied.
    • oss:Put*: indicates that all write actions are allowed or denied.

    For more information, visit RAM Policy Editor README.

  • Resources

    Specifies the OSS resources to which the rule allows or denies access. You can specify multiple resources in the following formats:

    • my-bucket: indicates a bucket. If you specify the resource in this format, users have permissions to perform actions on the bucket but not the objects in the bucket.
    • my-bucket/*: indicates all objects in a bucket. If you specify the resource in this format, users have permissions to perform actions on the objects in the bucket but not the bucket. For example, the ListObjects operation cannot be performed on the bucket.
    • my-bucket/dir: indicates a directory in a bucket. If you specify the resource in this format, users have permissions to perform actions on the directory but not the objects in the directory.
    • my-bucket/dir/*: indicates all objects in a directory. If you specify the resource in this format, users have permissions to perform actions on the objects in the directory but not the directory. For example, the ListObjects operation cannot be performed on the directory.
    • acs:oss:*:1234:my-bucket/dir: the complete resource path. In this example, 1234 indicates the user ID that can be viewed in the console.

  • EnablePath

    To grant users permissions to access a directory, you must also grant them permissions to perform ListObjects on each parent directory. For example, to ensure that users can view a directory named my-bucket/users/dir/ in the OSS console or other tools, in addition to specifying resources in the my-bucket/users/dir/* format, you must also grant the users the following permissions:

    ListObjects my-bucket
    ListObjects my-bucket/users
    ListObjects my-bucket/users/dir

    If you select EnablePath, the preceding permissions are automatically granted.

  • Conditions

    Specifies the conditions that must be met to access the resources. You can specify multiple conditions in a policy.

Example

The following figure shows a policy that you can configure to grant users complete permissions on the my-bucket bucket and all objects in the bucket.
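The following Python script is an added example, not code from RAM Policy Editor or this page: it builds the policy JSON that the fields above describe, and derives the ListObjects rules that EnablePath adds for every parent directory. The account ID 1234 is the page's placeholder, the "Version": "1" header is the RAM policy format, and the statement layout (Effect, Action, Resource, Condition) is assumed to match what the editor generates.

```python
import json
from typing import Dict, List, Optional


def oss_arn(account_id: str, resource: str) -> str:
    """Complete resource path in the form the page shows: acs:oss:*:<id>:<bucket>/<dir>."""
    return f"acs:oss:*:{account_id}:{resource}"


def list_objects_paths(bucket: str, directory: str) -> List[str]:
    """Paths that need oss:ListObjects so the directory is browsable (EnablePath):
    the bucket itself plus every parent directory down to the directory."""
    parts = [p for p in directory.strip("/").split("/") if p]
    paths = [bucket]
    for depth in range(1, len(parts) + 1):
        paths.append(bucket + "/" + "/".join(parts[:depth]))
    return paths


def build_policy(account_id: str, bucket: str, directory: str, actions: List[str],
                 effect: str = "Allow", enable_path: bool = True,
                 conditions: Optional[Dict] = None) -> Dict:
    """One rule on <bucket>/<directory> and, when EnablePath is set on an Allow rule,
    a second rule granting ListObjects on the bucket and each parent directory."""
    clean = directory.strip("/")
    prefix = f"{bucket}/{clean}" if clean else bucket
    rule = {
        "Effect": effect,
        "Action": list(actions),
        # The directory (or bucket) itself plus all objects under it: the page
        # notes that neither form alone covers both.
        "Resource": [oss_arn(account_id, prefix), oss_arn(account_id, prefix + "/*")],
    }
    if conditions:
        rule["Condition"] = conditions
    statements = [rule]
    if enable_path and effect == "Allow":
        statements.append({
            "Effect": "Allow",
            "Action": ["oss:ListObjects"],
            "Resource": [oss_arn(account_id, p) for p in list_objects_paths(bucket, directory)],
        })
    return {"Version": "1", "Statement": statements}  # "1" is the RAM policy version string


def policy_json(policy: Dict) -> str:
    """Text to paste into the Policy Document field of the RAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Page example: read access to my-bucket/users/dir/ with EnablePath on.
    print(policy_json(build_policy("1234", "my-bucket", "users/dir/", ["oss:Get*"])))
```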