If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve resource security. This topic describes how to configure custom policies for AnalyticDB for PostgreSQL and provides sample custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Scenarios of custom policies and sample custom policies
Prohibit a RAM user from disabling SSL encryption
This policy is supported only for AnalyticDB for PostgreSQL V6.0 in elastic storage mode and AnalyticDB for PostgreSQL in Serverless mode.
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": "gpdb:ModifyDBInstanceSSL", "Resource": "*", "Condition": { "StringEquals": { "gpdb:SSLEnabled": [ "Disable" ] } } } ] }Prohibit a RAM user from creating an AnalyticDB for PostgreSQL instance without disk encryption enabled
This policy is supported only for AnalyticDB for PostgreSQL V6.0 in elastic storage mode and AnalyticDB for PostgreSQL V7.0 in elastic storage mode.
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": "gpdb:CreateDBInstance", "Resource": "*", "Condition": { "StringNotEquals": { "gpdb:EncryptionType": [ "CloudDisk" ] } } } ] }
Authorization information
To use custom policies, you must understand the access control requirements of your business and the authorization information about AnalyticDB for PostgreSQL. For more information, see RAM authorization.