This topic describes how to create custom policies. Custom policies provide more fine-grained permission control than system policies. You can create custom policies to control the permissions on specific instances or operations.

Background information

Resource Access Management (RAM) is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other identities. You can manage the permissions of RAM users to control their access to Alibaba Cloud resources.

Scenarios

  • Authorize a RAM user to manage specified or all ApsaraDB for Redis instances
  • Authorize a RAM user to manage specified ApsaraDB for Redis instances and perform specific operations only. For example, a RAM user is authorized only to configure whitelists.
Note In addition to the preceding scenarios, RAM supports conditions that must be met for an authorization to take effect, for example, that access to Alibaba Cloud originates from a specified CIDR block.

If fine-grained permission management is not required, you can grant system policies to RAM users. For more information, see Authorize RAM users to manage ApsaraDB for Redis instances by using system policies.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Click the JSON tab.
    Note JSON is used in this example to introduce the configuration method. If you select Visual Editor Beta, you must follow the instructions that appear to specify permissions, actions, and resources.
  5. Configure the policy and click Next.

    The following code provides four common custom policies. In each policy, replace the placeholder text the ID of your ApsaraDB for Redis instance with the ID of your ApsaraDB for Redis instance; the multi-instance policies carry one Resource entry per instance. The first statement of each policy defines the allowed actions and the instances they apply to; the second statement grants read-only (kvstore:Describe*) permission on all instances.

    Manage a specified instance:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:*",
                "Resource": "acs:kvstore:*:*:*/the ID of your ApsaraDB for Redis instance",
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Manage multiple specified instances:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:*",
                "Resource": [
                    "acs:kvstore:*:*:*/the ID of your ApsaraDB for Redis instance",
                    "acs:kvstore:*:*:*/the ID of your ApsaraDB for Redis instance"
                ],
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Configure only the whitelist (kvstore:ModifySecurityIps) of a specified instance:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:ModifySecurityIps",
                "Resource": "acs:kvstore:*:*:*/the ID of your ApsaraDB for Redis instance",
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Configure only the whitelists (kvstore:ModifySecurityIps) of multiple specified instances:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:ModifySecurityIps",
                "Resource": [
                    "acs:kvstore:*:*:*/the ID of your ApsaraDB for Redis instance",
                    "acs:kvstore:*:*:*/the ID of your ApsaraDB for Redis instance"
                ],
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  6. Set Name and Note (optional) for the policy.
  7. Click OK.
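As an added example that is not part of the Alibaba Cloud documentation, the following Python generates policy documents in the shape shown in Step 1 for any number of instance IDs, and reviews a policy for the two mistakes that most often undo its instance-level scoping: the placeholder left in place of a real instance ID, and a non-Describe kvstore action granted on Resource "*". The instance IDs used are constructed; the action names and the acs:kvstore resource format are the ones shown above.

```python
# Resource format used by the policies in this topic: acs:kvstore:*:*:*/<instance ID>
RESOURCE_TEMPLATE = "acs:kvstore:*:*:*/{instance_id}"
PLACEHOLDER = "the ID of your ApsaraDB for Redis instance"
# Read-only statement that every policy above carries, granting Describe* on all instances
DESCRIBE_STATEMENT = {"Action": "kvstore:Describe*", "Resource": "*", "Effect": "Allow"}


def build_policy(instance_ids, action="kvstore:*"):
    """Build a policy shaped like the four documents in Step 1.

    action is "kvstore:*" to manage the instances, or a narrower action such as
    "kvstore:ModifySecurityIps" to allow whitelist changes only. One instance
    ID gives a string Resource, several give a list.
    """
    if not instance_ids:
        raise ValueError("at least one instance ID is required")
    resources = [RESOURCE_TEMPLATE.format(instance_id=i) for i in instance_ids]
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": action,
                "Resource": resources[0] if len(resources) == 1 else resources,
                "Condition": {},
            },
            DESCRIBE_STATEMENT,
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy):
    """List problems that would undo the instance-level scoping: a placeholder
    left in place of a real instance ID, or an Allow of a non-Describe kvstore
    action on Resource "*" (every instance in the account)."""
    problems = []
    for stmt in policy.get("Statement", []):
        resources = _as_list(stmt.get("Resource", []))
        actions = _as_list(stmt.get("Action", []))
        if any(PLACEHOLDER in r for r in resources):
            problems.append("placeholder instance ID not replaced")
        if (stmt.get("Effect") == "Allow" and "*" in resources
                and any(not a.startswith("kvstore:Describe") for a in actions)):
            problems.append("%s allowed on all resources" % ", ".join(actions))
    return problems
```

Run review_policy on a policy pasted from the console before attaching it; an empty list means the scoping shown in Step 1 is intact.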

Step 2: Grant custom permission policies to RAM users

  1. Log on to the RAM console.
  2. Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the specific RAM user, and click Add Permissions in the Actions column.
    Figure 1. Add Permissions
  5. In the Create User dialog box, set the parameters.
    Figure 2. Add permissions
    1. Select a type of authorization.
      Note If you select Specified Resource Group, you must select the specified resource group from the drop-down list. For more information about resource groups, see Resource Group.
    2. Select Custom Policy.
    3. Enter the name of the permission policy created in Step 1. In this example, enter redis-custom-policy.
    4. Click the name of a custom policy to add the policy to the Selected section.
  6. Click OK.
  7. Click Complete.

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user