If the system policies of Container Service do not meet your business requirements, you can create custom policies to implement the principle of least privilege. Custom policies give you fine-grained control over permissions and improve resource access security.
Policy types
Resource Access Management (RAM) supports two types of policies: system policies and custom policies.
| Policy type | Who manages it | Can be modified | When to use |
|---|---|---|---|
| System policy | Alibaba Cloud | No | Broad access for common scenarios |
| Custom policy | You | Yes | Fine-grained access for specific business requirements |
How custom policies work
Attaching a policy
After creating a custom policy, attach it to a RAM user, RAM user group, or RAM role. The policy's permissions take effect only after it is attached to a principal.
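Before a custom policy is attached, it is worth checking that none of its Allow statements is broader than intended. The following is an added example, not part of the original documentation: it assumes the RAM policy JSON layout (`Version`, `Statement`, `Effect`, `Action`, `Resource`) and the `cs:` action prefix for Container Service, and the sample policy and its cluster ID placeholder are constructed for illustration.

```python
import json

# Constructed sample policy (not from the page). The layout and the "cs:"
# action prefix are assumptions; "<cluster-id>" is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
         "Resource": "acs:cs:*:*:cluster/<cluster-id>"},
        {"Effect": "Allow", "Action": "cs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "cs:DeleteCluster", "Resource": "*"},
    ],
})


def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_json):
    """Return (statement_index, message) findings for over-broad Allow statements."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so skip them
        for action in as_list(stmt.get("Action")):
            _, _, name = action.partition(":")
            # "*" alone or "<service>:*" grants every operation
            if action == "*" or name == "*":
                findings.append((i, f"action '{action}' grants every operation"))
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "resource '*' is not scoped to specific resources"))
    return findings


if __name__ == "__main__":
    for index, message in audit_policy(SAMPLE_POLICY):
        print(f"Statement[{index}]: {message}")
```

Prefix wildcards such as `cs:Get*` are not flagged here because they still limit the grant to one family of operations; tighten the check if your requirements call for fully enumerated actions.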
Deleting a policy
If the policy is not attached to any principal, delete it directly.
If the policy is attached to a principal, detach it from the principal first, then delete it.
Version control
Custom policies support version control. You can manage custom policy versions using RAM's version management mechanism.