All Products
Search

This Product

    Compute Nest:Custom policies for Compute Nest

    Document Center

    Compute Nest:Custom policies for Compute Nest

    Last Updated:Jun 06, 2025

    If the Resource Management Service (RAM) system policies cannot meet your requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve resource security.

    What is a custom policy?

    Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

    • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

    • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.

    • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

    References

    Authorization information

    Before you create a custom policy, you must understand the permission management requirements of your business and the authorization information about Compute Nest. For more information, see RAM authorization for service providers and RAM authorization for customers.

    Sample custom policies

    • Example 1: Forbid a RAM user from performing delete operations on the service provider side.

      To enhance system security and prevent service and data loss caused by accidental operations, you can use this policy to forbid a RAM user from performing delete operations on the service provider side. 

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "computenestsupplier:DeleteService",
        "computenestsupplier:DeleteServiceInstances",
        "computenestsupplier:DeleteArtifact",
        "computenestsupplier:DeleteAcrImageRepositories",
        "computenestsupplier:DeleteAcrImageTags",
        "computenestsupplier:DeleteDataset",
        "computenestsupplier:DeleteDatasetAsset",
        "computenestsupplier:DeleteServiceTestCase",
        "computenestsupplier:DeleteVirtualInternetService",
        "computenestsupplier:DeleteVirtualInternetEndpoint",
        "computenestsupplier:DeleteVirtualInternetSupplierDomain"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    }
  ]
}

    • Example 2: Allow a RAM user to only view service instance information on the customer side.

      To ensure the stability and security of service instances, you can use this policy to allow a RAM user to only view service instance information on the customer side. The RAM user cannot perform operations such as modifying and deleting service instances. 

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "computenest:GetServiceInstance",
        "computenest:GetServiceInstanceSubscriptionEstimateCost",
        "computenest:ListServiceInstanceActionTrailEvents",
        "computenest:ListServiceInstanceBill",
        "computenest:ListServiceInstanceResources",
        "computenest:ListServiceInstanceUpgradeHistory",
        "computenest:ValidateServiceInstanceName",
        "computenest:ListServiceInstanceDatasetAutoExportConfigs",
        "computenest:ListServiceInstanceLogs",
        "computenest:ListServiceInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    }
  ]
}