RAM authorization - Cloud Enterprise Network - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, that are defined by CEN.You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate CEN is cen. You can grant permissions on CEN at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

CEN defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
cen:ActiveFlowLog	ActiveFlowLog	Write	Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/{#flowlogId}	None	None
cen:AddTrafficMatchRuleToTrafficMarkingPolicy	AddTrafficMatchRuleToTrafficMarkingPolicy	Read	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:AddTraficMatchRuleToTrafficMarkingPolicy	AddTraficMatchRuleToTrafficMarkingPolicy		CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:AssociateCenBandwidthPackage	AssociateCenBandwidthPackage	Write	CenBandwidthPackage acs:cen::{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId} CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:AssociateTransitRouterAttachmentWithRouteTable	AssociateTransitRouterAttachmentWithRouteTable	Write	TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:AssociateTransitRouterMulticastDomain	AssociateTransitRouterMulticastDomain	Read	TransitRouterMulticastDomain acs:cen:{#accountId}:centransitroutermulticastdomain/{#TransitRouterMulticastDomainId}	None	None
cen:AttachCenChildInstance	AttachCenChildInstance	Write	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/{#virtualborderrouterId} VPC acs:vpc:*:{#accountId}:vpc/{#vpcId}	None	None
cen:CreateCen	CreateCen	Write	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:CreateCenBandwidthPackage	CreateCenBandwidthPackage	Write	CenBandwidthPackage acs:cen::{#accountId}:cenbandwidthpackage/	None	None
cen:CreateCenChildInstanceRouteEntryToAttachment	CreateCenChildInstanceRouteEntryToAttachment	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:CreateCenChildInstanceRouteEntryToCen	CreateCenChildInstanceRouteEntryToCen	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:CreateCenInterRegionTrafficQosPolicy	CreateCenInterRegionTrafficQosPolicy	Write	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:CreateCenInterRegionTrafficQosQueue	CreateCenInterRegionTrafficQosQueue	Write	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:CreateCenRouteMap	CreateCenRouteMap	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:CreateFlowlog	CreateFlowlog	Write	Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/* CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:CreateTrafficMarkingPolicy	CreateTrafficMarkingPolicy	Write	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:CreateTransitRouter	CreateTransitRouter	Write	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouter acs:cen::{#accountId}:transitrouter/*	None	None
cen:CreateTransitRouterCidr	CreateTransitRouterCidr	Read	TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:CreateTransitRouterMulticastDomain	CreateTransitRouterMulticastDomain	Write	TransitRouter acs:cen::{#accountId}:centransitrouter/{#centransitrouterId} TransitRouterMulticastDomain acs:cen::{#accountId}:centransitroutermulticast/*	None	None
cen:CreateTransitRouterPeerAttachment	CreateTransitRouterPeerAttachment	Write	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouterPeerAttachment acs:cen::{#accountId}:centransitrouterattachment/*	None	None
cen:CreateTransitRouterPrefixListAssociation	CreateTransitRouterPrefixListAssociation	Read	TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/	None	None
cen:CreateTransitRouterRouteEntry	CreateTransitRouterRouteEntry	Write	TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/ TransitRouterRouteTable acs:cen:*:{#accountId}:centransitrouterroutetable/{#centransitrouterroutetableId}	None	None
cen:CreateTransitRouterRouteTable	CreateTransitRouterRouteTable	Write	TransitRouter acs:cen::{#accountId}:centransitrouter/{#centransitrouterId} TransitRouterRouteTable acs:cen::{#accountId}:centransitrouterroutetable/*	None	None
cen:CreateTransitRouterVbrAttachment	CreateTransitRouterVbrAttachment	Write	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouterVbrAttachment acs:cen::{#accountId}:centransitrouterattachment/*	None	None
cen:CreateTransitRouterVpcAttachment	CreateTransitRouterVpcAttachment	Write	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouterVpcAttachment acs:cen::{#accountId}:centransitrouterattachment/*	None	None
cen:DeactiveFlowLog	DeactiveFlowLog	Write	Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/{#flowlogId}	None	None
cen:DeleteCen	DeleteCen	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DeleteCenBandwidthPackage	DeleteCenBandwidthPackage	Write	CenBandwidthPackage acs:cen:*:{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId}	None	None
cen:DeleteCenChildInstanceRouteEntryToAttachment	DeleteCenChildInstanceRouteEntryToAttachment	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DeleteCenChildInstanceRouteEntryToCen	DeleteCenChildInstanceRouteEntryToCen	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DeleteCenInterRegionTrafficQosPolicy	DeleteCenInterRegionTrafficQosPolicy	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:DeleteCenInterRegionTrafficQosQueue	DeleteCenInterRegionTrafficQosQueue		CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:DeleteCenRouteMap	DeleteCenRouteMap	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DeleteFlowlog	DeleteFlowlog	Write	Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/{#flowlogId}	None	None
cen:DeleteRouteServiceInCen	DeleteRouteServiceInCen	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DeleteTrafficMarkingPolicy	DeleteTrafficMarkingPolicy		CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:DeleteTransitRouter	DeleteTransitRouter	Write	TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:DeleteTransitRouterCidr	DeleteTransitRouterCidr	Write	TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:DeleteTransitRouterMulticastDomain	DeleteTransitRouterMulticastDomain	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:DeleteTransitRouterPeerAttachment	DeleteTransitRouterPeerAttachment	Write	TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:DeleteTransitRouterPrefixListAssociation	DeleteTransitRouterPrefixListAssociation	Read	TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/	None	None
cen:DeleteTransitRouterRouteEntry	DeleteTransitRouterRouteEntry	Write	TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/ TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/{#centransitrouterroutentryId} TransitRouterRouteTable acs:cen::{#accountId}:centransitrouterroutetable/* TransitRouterRouteTable acs:cen:*:{#accountId}:centransitrouterroutentry/{#transitrouterroutetableId}	None	None
cen:DeleteTransitRouterRouteTable	DeleteTransitRouterRouteTable	Write	TransitRouterRouteTable acs:cen:*:{#accountId}:centransitrouterroutetable/{#centransitrouterroutetableId}	None	None
cen:DeleteTransitRouterVbrAttachment	DeleteTransitRouterVbrAttachment	Write	TransitRouterVbrAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:DeleteTransitRouterVpcAttachment	DeleteTransitRouterVpcAttachment	Write	TransitRouterVpcAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:DeregisterTransitRouterMulticastGroupMembers	DeregisterTransitRouterMulticastGroupMembers	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:DeregisterTransitRouterMulticastGroupSources	DeregisterTransitRouterMulticastGroupSources	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:DescribeCenAttachedChildInstanceAttribute	DescribeCenAttachedChildInstanceAttribute	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenAttachedChildInstances	DescribeCenAttachedChildInstances	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenBandwidthPackages	DescribeCenBandwidthPackages	List	CenBandwidthPackage acs:cen::{#accountId}:cenbandwidthpackage/	None	None
cen:DescribeCenChildInstanceRouteEntries	DescribeCenChildInstanceRouteEntries	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenGeographicSpanRemainingBandwidth	DescribeCenGeographicSpanRemainingBandwidth	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenInterRegionBandwidthLimits	DescribeCenInterRegionBandwidthLimits	Read	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenPrivateZoneRoutes	DescribeCenPrivateZoneRoutes	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenRegionDomainRouteEntries	DescribeCenRegionDomainRouteEntries	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenRouteMaps	DescribeCenRouteMaps	Read	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeCenVbrHealthCheck	DescribeCenVbrHealthCheck	Read	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/* virtualborderrouter acs:vpc:*:{#accountId}:virtualborderrouter/{#virtualborderrouterId}	None	None
cen:DescribeCens	DescribeCens	List	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:DescribeFlowlogs	DescribeFlowlogs	List	Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/* Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/{#FlowLogId}	None	None
cen:DescribeGrantRulesToCen	DescribeGrantRulesToCen	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DescribeGrantRulesToResource	DescribeGrantRulesToResource	Read	VPC acs:vpc:*:{#accountId}:vpc/{#VpcId}	None	None
cen:DescribePublishedRouteEntries	DescribePublishedRouteEntries	Read	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/{#virtualborderrouterId} VPC acs:vpc:*:{#accountId}:vpc/{#vpcId}	None	None
cen:DescribeRouteConflict	DescribeRouteConflict	Read	VPC acs:vpc:*:{#accountId}:vpc/{#vpcId}	None	None
cen:DescribeRouteServicesInCen	DescribeRouteServicesInCen	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:DetachCenChildInstance	DetachCenChildInstance	Write	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/{#virtualborderrouterId} VPC acs:vpc:*:{#accountId}:vpc/{#vpcId}	None	None
cen:DisableCenVbrHealthCheck	DisableCenVbrHealthCheck	Write	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/{#virtualborderrouterId}	None	None
cen:DisableTransitRouterRouteTablePropagation	DisableTransitRouterRouteTablePropagation	Write	TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:DisassociateTransitRouterMulticastDomain	DisassociateTransitRouterMulticastDomain	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:DissociateTransitRouterAttachmentFromRouteTable	DissociateTransitRouterAttachmentFromRouteTable	Write	TransitRouterVpcAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:EnableCenVbrHealthCheck	EnableCenVbrHealthCheck	Write	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/{#virtualborderrouterId}	None	None
cen:EnableTransitRouterRouteTablePropagation	EnableTransitRouterRouteTablePropagation	Write	TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:ListCenInterRegionTrafficQosPolicies	ListCenInterRegionTrafficQosPolicies	List	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:ListGrantVSwitchEnis	ListGrantVSwitchEnis	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:ListGrantVSwitchesToCen	ListGrantVSwitchesToCen	List	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:ListTagResources	ListTagResources	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:ListTrafficMarkingPolicies	ListTrafficMarkingPolicies		CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:ListTransitRouterAvailableResource	ListTransitRouterAvailableResource	List	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:ListTransitRouterCidrAllocation	ListTransitRouterCidrAllocation	Read	TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:ListTransitRouterMulticastDomainAssociations	ListTransitRouterMulticastDomainAssociations	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:ListTransitRouterMulticastDomainVSwitches	ListTransitRouterMulticastDomainVSwitches	Read	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:ListTransitRouterMulticastDomains	ListTransitRouterMulticastDomains	Read	TransitRouterMulticastDomain acs:cen::{#accountId}:centransitroutermulticast/ TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:ListTransitRouterMulticastGroups	ListTransitRouterMulticastGroups	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:ListTransitRouterPeerAttachments	ListTransitRouterPeerAttachments	List	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouterPeerAttachment acs:cen::{#accountId}:centransitrouterattachment/* TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:ListTransitRouterPrefixListAssociation	ListTransitRouterPrefixListAssociation	Read	TransitRouterRouteTable acs:cen:*:{#accountId}:centransitrouterroutetable/{#centransitrouterroutetableId}	None	None
cen:ListTransitRouterRouteEntries	ListTransitRouterRouteEntries	List	TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/{#centransitrouterroutentryId} TransitRouterRouteTable acs:cen::{#accountId}:centransitrouterroutetable/{#centransitrouterroutetableId} TransitRouterRouteEntry acs:cen::{#accountId}:centransitrouterroutentry/	None	None
cen:ListTransitRouterRouteTableAssociations	ListTransitRouterRouteTableAssociations	List	TransitRouterPeerAttachment acs:cen::{#accountId}:centransitrouterattachment/ TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:ListTransitRouterRouteTablePropagations	ListTransitRouterRouteTablePropagations	List	TransitRouterPeerAttachment acs:cen::{#accountid}:centransitrouterattachment/	None	None
cen:ListTransitRouterRouteTables	ListTransitRouterRouteTables	List	TransitRouter acs:cen:{#regionId}:{#accountId}:centransitrouter/* TransitRouterRouteTable acs:cen::{#accountId}:centransitrouterroutetable/{#centransitrouterroutetableId} TransitRouterRouteTable acs:cen::{#accountId}:centransitrouterroutetable/* TransitRouter acs:cen:{#regionId}:{#accountId}:transitrouter/{#centransitrouterId}	None	None
cen:ListTransitRouterVbrAttachments	ListTransitRouterVbrAttachments	List	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouterVbrAttachment acs:cen::{#accountId}:centransitrouterattachment/* TransitRouterVbrAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:ListTransitRouterVpcAttachments	ListTransitRouterVpcAttachments	List	CenInstance acs:cen::{#accountId}:ceninstance/ CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouterVpcAttachment acs:cen::{#accountId}:centransitrouterattachment/* TransitRouterVpcAttachment acs:cen:{#regionId}:{#accountId}:transitroutervpcattachment/acs:cen::{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:ListTransitRouters	ListTransitRouters	List	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} TransitRouter acs:cen::{#accountId}:centransitrouter/* TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:ModifyCenAttribute	ModifyCenAttribute	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:ModifyCenBandwidthPackageAttribute	ModifyCenBandwidthPackageAttribute	Write	CenBandwidthPackage acs:cen:*:{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId}	None	None
cen:ModifyCenBandwidthPackageSpec	ModifyCenBandwidthPackageSpec	Write	CenBandwidthPackage acs:cen:*:{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId}	None	None
cen:ModifyCenRouteMap	ModifyCenRouteMap	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:ModifyFlowLogAttribute	ModifyFlowLogAttribute	Write	Flowlog acs:cbn:{#regionId}:{#accountId}:flowlog/{#flowlogId}	None	None
cen:ModifyTransitRouterCidr	ModifyTransitRouterCidr	Read	TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:ModifyTransitRouterMulticastDomain	ModifyTransitRouterMulticastDomain	Write	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#TransitRouterMulticastDomainId}	None	None
cen:MoveResourceGroup	MoveResourceGroup	Read	CenBandwidthPackage acs:cen::{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId} CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:PublishRouteEntries	PublishRouteEntries	Write	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} virtualborderrouter acs:vpc::{#accountId}:virtualborderrouter/{#virtualborderrouterId} VPC acs:vpc:*:{#accountId}:vpc/{#vpcId}	None	None
cen:RegisterTransitRouterMulticastGroupMembers	RegisterTransitRouterMulticastGroupMembers	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:RegisterTransitRouterMulticastGroupSources	RegisterTransitRouterMulticastGroupSources	Read	TransitRouterMulticastDomain acs:cen:*:{#accountId}:centransitroutermulticast/{#centransitroutermulticastId}	None	None
cen:RemoveTrafficMatchRuleFromTrafficMarkingPolicy	RemoveTrafficMatchRuleFromTrafficMarkingPolicy	Write	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:RemoveTraficMatchRuleFromTrafficMarkingPolicy	RemoveTraficMatchRuleFromTrafficMarkingPolicy	Write	CenInstance acs:cen::{#accountId}:ceninstance/	None	None
cen:ReplaceTransitRouterRouteTableAssociation	ReplaceTransitRouterRouteTableAssociation	Read	TransitRouterVpcAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:ResolveAndRouteServiceInCen	ResolveAndRouteServiceInCen	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:RoutePrivateZoneInCenToVpc	RoutePrivateZoneInCenToVpc	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:SetCenInterRegionBandwidthLimit	SetCenInterRegionBandwidthLimit	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:TagResources	TagResources	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:TempUpgradeCenBandwidthPackageSpec	TempUpgradeCenBandwidthPackageSpec	Write	CenBandwidthPackage acs:cen:*:{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId}	None	None
cen:UnassociateCenBandwidthPackage	UnassociateCenBandwidthPackage	Write	CenBandwidthPackage acs:cen::{#accountId}:cenbandwidthpackage/{#cenbandwidthpackageId} CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:UnroutePrivateZoneInCenToVpc	UnroutePrivateZoneInCenToVpc	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:UntagResources	UntagResources	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}	None	None
cen:UpdateCenInterRegionTrafficQosPolicyAttribute	UpdateCenInterRegionTrafficQosPolicyAttribute	Write	CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:UpdateCenInterRegionTrafficQosQueueAttribute	UpdateCenInterRegionTrafficQosQueueAttribute		CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:UpdateTrafficMarkingPolicyAttribute	UpdateTrafficMarkingPolicyAttribute		CenInstance acs:cen:*:{#accountId}:ceninstance/{#CenId}	None	None
cen:UpdateTransitRouter	UpdateTransitRouter	Write	TransitRouter acs:cen:*:{#accountId}:centransitrouter/{#centransitrouterId}	None	None
cen:UpdateTransitRouterPeerAttachmentAttribute	UpdateTransitRouterPeerAttachmentAttribute	Write	TransitRouterPeerAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:UpdateTransitRouterRouteEntry	UpdateTransitRouterRouteEntry	Write	TransitRouterRouteTable acs:cen:*:{#accountId}:centransitrouterroutetable/{#TransitRouterRouteTableId}	None	None
cen:UpdateTransitRouterRouteTable	UpdateTransitRouterRouteTable	Write	TransitRouterRouteTable acs:cen:*:{#accountId}:centransitrouterroutetable/{#centransitrouterroutetableId}	None	None
cen:UpdateTransitRouterVbrAttachmentAttribute	UpdateTransitRouterVbrAttachmentAttribute	Write	TransitRouterVbrAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:UpdateTransitRouterVpcAttachmentAttribute	UpdateTransitRouterVpcAttachmentAttribute	Write	TransitRouterVpcAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:UpdateTransitRouterVpcAttachmentZones	UpdateTransitRouterVpcAttachmentZones	Write	TransitRouterVpcAttachment acs:cen:*:{#accountId}:centransitrouterattachment/{#centransitrouterattachmentId}	None	None
cen:WithdrawPublishedRouteEntries	WithdrawPublishedRouteEntries	Write	CenInstance acs:cen::{#accountId}:ceninstance/{#ceninstanceId} VPC acs:vpc::{#accountId}:vpc/{#vpcId}	None	None

Resource

CEN defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
Flowlog	acs:{#ramcode}:{#regionId}:{#accountId}:flowlog/{#FlowLogId}
CenBandwidthPackage	acs:{#ramcode}:*:{#accountId}:cenbandwidthpackage/{#CenBandwidthPackageId}
CenInstance	acs:{#ramcode}:*:{#accountId}:ceninstance/{#CenId}
TransitRouterVpcAttachment	acs:{#ramcode}:{#regionId}:{#accountId}:transitroutervpcattachment/{#TransitRouterAttachmentId}
TransitRouterPeerAttachment	acs:{#ramcode}:{#regionId}:{#accountId}:transitrouterpeerattachment/{#TransitRouterAttachmentId}
TransitRouterVbrAttachment	acs:{#ramcode}:{#regionId}:{#accountId}:transitroutervbrattachment/{#TransitRouterAttachmentId}
TransitRouter	acs:{#ramcode}:{#regionId}:{#accountId}:transitrouter/{#TransitRouterId}
TransitRouterRouteTable	acs:{#ramcode}:*:{#accountId}:transitrouterroutetable/{#TransitRouterRouteTableId}
TransitRouterRouteEntry	acs:{#ramcode}:*:{#accountId}:transitrouterrouteentry/{#TransitRouterRouteEntryId}
TransitRouterMulticastDomain	acs:{#ramcode}:{#regionId}:{#accountId}:transitroutermulticastdomain/{#TransitRouterMulticastDomainId}

Condition

CEN does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: