
Resource Access Management: Create custom policies

Last Updated: Feb 23, 2024

You can create custom policies to manage permissions in a fine-grained manner.

Methods to create a custom policy

  • Create a custom policy on the Visual editor tab

    When you create a custom policy on the Visual Editor Beta tab, you select configuration items in the Effect, Service, Action, Resource, and Condition sections. The system then checks your configuration to ensure that the custom policy is valid. On this tab, you can perform simple operations to create a custom policy.

  • Create a custom policy on the JSON tab

    When you create a custom policy on the JSON tab, you must write a policy document that follows the syntax and structure of Resource Access Management (RAM) policies. On this tab, you can create a custom policy in a flexible manner. This method is suitable for users who are familiar with the syntax and structure of RAM policies.

  • Create a custom policy by importing a policy template or system policy

    • Import a policy template: RAM provides policy templates that are created based on years of business practices and are suitable for common scenarios. For example, RAM provides policy templates that are applicable to system administrators, financial personnel, and network administrators. You only need to import an appropriate policy template and modify the template based on your business requirements. This way, you can create a custom policy in a convenient manner.

    • Import a system policy: You can import a system policy and modify the policy based on your business requirements. This way, you can create a custom policy in a convenient and efficient manner.

Create a custom policy on the Visual editor tab

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the Visual editor tab.

  5. Configure the policy and click Next to edit policy information.

    1. In the Effect section, select Allow or Deny.

    2. In the Service section, select an Alibaba Cloud service.

      Note

      The Alibaba Cloud services that you can select are displayed in the Service section.

    3. In the Action section, select All action(s) or Select action(s).

      The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select actions.

    4. In the Resource section, select All resource(s) or Specified resource(s).

      The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.

      Note

      The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.

    5. In the Condition section, click Add condition to configure a condition.

      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You only need to select a condition key and configure the Operator and Value parameters.

    6. Click Add statement and repeat the preceding steps to configure multiple custom policy statements.

  6. Specify the Name and Description fields.

  7. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.

Create a custom policy on the JSON tab

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the following policy content in the code editor and click Next to edit policy information.

    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

  6. Specify the Name and Description fields.

  7. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.

Create a custom policy by importing a policy template or system policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click Import Policy.

  5. In the Import Policy dialog box, select Policy Template or System Policy from the drop-down list in the upper-right corner. Then, import a policy template or system policy.

    1. Select a policy template or system policy.

    2. For specific policy templates, you must configure parameters based on your business requirements.

    3. Specify whether the policy document of the selected policy template overwrites the original policy document.

      By default, the policy document of the selected system policy overwrites the original policy document. You can also select "Do NOT overwrite but append new statements" to append the selected policy template to the end of the original policy document.

    4. Click Import.

  6. On the Visual editor tab or the JSON tab, view and modify the imported policy document and click Next to edit policy information.

    By default, the imported policy template is displayed on the Visual editor tab. This way, you can view and modify the template in a visualized manner. You can also modify the system policy on the JSON tab.

  7. Specify the Name and Description fields.

  8. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  9. Click OK.