If the system policies cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to implement fine-grained control over permissions and improve resource access security. This topic describes the scenarios and examples of using custom policies for intranet DNS resolution (PrivateZone).
What is a custom permission policy
In the Resource Access Management (RAM) access control system, a custom policy refers to a policy that you can create, update, and delete independently, in addition to system policies. You must manage the version updates of custom policies.
After you create a custom policy, attach it to a RAM user, RAM user group, or RAM role so that the permissions in the policy are granted to that identity.
A custom policy can be deleted only after it has been detached from every identity it is attached to; detach it first, then delete it.
Custom policies support versioning. You can manage the versions of your custom policies based on the version management mechanism specified by RAM.
Common scenarios and examples
Example 1: Manage permissions for DNS records
Suppose you want to grant a RAM user the permission to change the status of DNS records, allowing them to pause and enable DNS records for a specified domain name, while limiting the user to read-only (browse) permissions for all other features.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "pvtz:SetZoneRecordStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:Search*",
        "pvtz:read",
        "pvtz:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "vpc:DescribeVpcs",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Example 2: Manage permissions for the effective range of a domain name
Suppose you want to grant a RAM user the permission to change the effective range of a domain name (the VPCs the zone is bound to) for a specified domain name, while limiting the user to read-only (browse) permissions for all other features.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "pvtz:BindZoneVpc"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:Search*",
        "pvtz:read",
        "pvtz:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "vpc:DescribeVpcs",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
References
When using custom policies, you need to understand the permission control requirements of your business and the authorization information of intranet DNS resolution (PrivateZone). For more information, see RAM authorization.
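As an added review aid (not part of this topic or of the RAM product itself), the following Python script loads a copy of the Example 1 policy above, evaluates whether a given action is allowed, and lists every write-capable grant together with the resource it applies to. It assumes RAM's usual rules of explicit Deny overriding Allow and "*" wildcards in Action values; the read/write split is a heuristic on action name prefixes, and the action names used only in the test (DescribeZones, DeleteZone) are assumed for illustration. A write grant on Resource "*" applies to every zone, so it is the first thing to check when the requirement is "a specified domain name".

```python
import fnmatch
import json

# Constructed copy of Example 1 from this topic: one write action (pause/enable
# records) plus read-only browsing, all on Resource "*".
EXAMPLE_1 = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["pvtz:SetZoneRecordStatus"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["pvtz:Search*", "pvtz:read", "pvtz:Describe*"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "vpc:DescribeVpcs", "Resource": "*", "Effect": "Allow"}
  ]
}""")

# Assumed heuristic: actions whose name starts with one of these are read-only;
# anything else is treated as a write that needs a least-privilege review.
READ_PREFIXES = ("Describe", "Search", "List", "Get", "Check", "read")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Deny-overrides evaluation: any matching Deny wins, else any matching Allow.
    Wildcards in the policy are matched with fnmatch (case-sensitive here)."""
    decision = False
    for stmt in policy["Statement"]:
        act_match = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        res_match = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_match and res_match:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def write_grants(policy):
    """Return (action, resource) pairs for every Allow of a non-read-only action.
    A resource of "*" means the write is not limited to one zone."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[-1]
            if not name.startswith(READ_PREFIXES):
                found.extend((action, r) for r in _as_list(stmt["Resource"]))
    return found
```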