When system policies don't give you the precise access control your workload requires, create a custom policy. Custom policies let you grant exactly the permissions your team needs for Edge Node Service (ENS) resources, following the principle of least privilege.
System policies vs. custom policies
| | System policy | Custom policy |
|---|---|---|
| Managed by | Alibaba Cloud | You |
| Version management | Not applicable | Supported |
Use a custom policy when a system policy grants too many permissions or doesn't cover a specific ENS action you need to control.
How custom policy management works
Managing a custom policy involves four steps:
1. Create: Define the policy document with the actions and resources you want to allow or deny.
2. Attach: Attach the policy to a RAM user, RAM user group, or RAM role. Permissions specified in the policy are granted to the principal after you attach the policy.
3. Update: Modify the policy document or description at any time. You can manage custom policy versions based on the version management mechanism provided by RAM.
4. Delete: Remove the policy when it's no longer needed. Detach the policy from all principals before deleting it.
You must detach the policy from all principals before you can delete it.
Determine which ENS actions to include
Before writing your policy document, identify the ENS actions and resources your principals need. For the full list of ENS actions, resource types, and condition keys supported in RAM policies, see RAM authorization.
A practical starting point: find an existing system policy that is close to what you need, then copy and customize it rather than writing from scratch.
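When you start from a copied policy, a quick check for wildcard grants shows which statements still need narrowing. The following is an added example, not Alibaba Cloud code: it walks a RAM policy document (`Version`, `Statement`, `Effect`, `Action`, `Resource`) and reports `Allow` entries that use wildcards for ENS. The action names and the resource ARN in the sample are constructed placeholders, not entries from the ENS action list.

```python
import json

# Constructed sample of a copied policy. The names after "ens:" and the
# resource ARN are placeholders, not real ENS actions or resources.
COPIED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ens:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ens:ExampleReadAction", "ens:Example*"],
     "Resource": "acs:ens:*:*:example/placeholder-id"},
    {"Effect": "Deny", "Action": "ens:ExampleDeleteAction", "Resource": "*"}
  ]
}
""")


def as_list(value):
    """Policy fields may hold a single item or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_broad_grants(policy, service="ens"):
    """Return (statement_index, field, value) for each over-broad Allow entry."""
    findings = []
    prefix = service.lower() + ":"
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a broad Deny does not widen access
        actions = [a for a in as_list(stmt.get("Action"))
                   if a == "*" or a.lower().startswith(prefix)]
        if not actions:
            continue  # statement does not grant anything for this service
        for action in actions:
            if "*" in action:
                findings.append((index, "Action", action))
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((index, "Resource", resource))
    return findings


if __name__ == "__main__":
    for index, field, value in find_broad_grants(COPIED_POLICY):
        print(f"Statement[{index}] {field} is too broad: {value}")
```

Replace each reported wildcard with the specific actions and resources listed in the RAM authorization reference before attaching the policy.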
What's next
| Task | Description |
|---|---|
| Create a custom policy | Define the policy document and create the policy in RAM |
| Modify the document and description of a custom policy | Update permissions or the policy description |
| Delete a custom policy | Remove a policy you no longer need |
| Manage policy references | View which principals a policy is attached to |
| Manage custom policy versions | Roll back to a previous policy version |