This topic describes the Resource Access Management (RAM) policies for Express Connect and provides sample policies.

Background information

Policies include system policies and custom policies. Before you manage the Express Connect permissions of a RAM user, take note of the following system policies.
Policy name: AliyunExpressConnectFullAccess
Description: Permissions to manage Express Connect.
Scenario:
  • RAM users can log on to the Express Connect console and perform all operations in the console.
  • RAM users can call all API operations of Express Connect.

Policy name: AliyunExpressConnectReadOnlyAccess
Description: Read-only permissions on Express Connect.
Scenario:
  • RAM users can log on to the Express Connect console and view all pages in the console. However, RAM users cannot perform add, create, or delete operations.
  • RAM users can call the query API operations of Express Connect.
If the system policies cannot meet your business requirements, you can create custom policies. For more information, see Create a custom policy.

Types of Express Connect resources that can be accessed by an authorized RAM user

The following table lists the types of Express Connect resources that can be accessed by an authorized RAM user and the corresponding Aliyun Resource Name (ARN) formats. $regionid and $accountid are placeholders for the region ID and the account ID, $pconnid, $vbrid, and $riid are placeholders for the ID of a single resource, and * specifies all corresponding resources.

Resource type: Express Connect circuit
ARN format:
  • acs:vpc:$regionid:$accountid:physicalconnection/$pconnid
  • acs:vpc:$regionid:$accountid:physicalconnection/*
  • acs:vpc:*:$accountid:physicalconnection/*

Resource type: Virtual border router (VBR)
ARN format:
  • acs:vpc:$regionid:$accountid:virtualborderrouter/$vbrid
  • acs:vpc:$regionid:$accountid:virtualborderrouter/*
  • acs:vpc:*:$accountid:virtualborderrouter/*

Resource type: Router interface
ARN format:
  • acs:vpc:$regionid:$accountid:routerinterface/$riid
  • acs:vpc:$regionid:$accountid:routerinterface/*
  • acs:vpc:*:$accountid:routerinterface/*

Sample custom policies

  • Example 1: Authorize a RAM user to manage all Express Connect circuits.

    Assume that the ID of your Alibaba Cloud account is 132193271328**** and you want to authorize a RAM user to manage all Express Connect circuits that belong to your account.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*PhysicalConnection*"
                ],
                "Resource": [
                    "acs:vpc:*:132193271328****:physicalconnection/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Authorize a RAM user to manage VBRs that are deployed in a specified region.

    Assume that you want to authorize a RAM user to manage VBRs that are deployed in the China (Qingdao) region. More specifically, the RAM user is authorized to create or delete VBRs that are deployed in the China (Qingdao) region.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Vbr*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:virtualborderrouter/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 3: Authorize a RAM user to manage router interfaces that are in a specified region.

    Assume that you want to authorize a RAM user to manage router interfaces that are in the China (Qingdao) region. More specifically, the RAM user is authorized to create or delete router interfaces that are in the China (Qingdao) region.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouterInterface*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routerinterface/ri-xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
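To check how the wildcards in these policies actually scope a RAM user's access before attaching them, here is an added Python evaluator (not part of the Alibaba Cloud documentation) that applies Example 3 to a set of constructed requests. It assumes that "*" is the only wildcard, that matching is case-sensitive, that actions follow the vpc:<ApiName> convention seen in the page's patterns, and that the account ID and the ri-yyyy router interface are placeholders; Deny statements and Condition blocks are not modeled because the page does not cover them.

```python
import json
import re

# Added example, not Alibaba Cloud's code. Assumptions: "*" is the only
# wildcard, matching is case-sensitive, no Deny or Condition handling.

def glob_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, where only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def as_list(v):
    return [v] if isinstance(v, str) else list(v)

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Return True if some Allow statement covers both action and resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(glob_match(a, action) for a in as_list(stmt["Action"])) \
                and any(glob_match(r, resource) for r in as_list(stmt["Resource"])):
            return True
    return False

# Example 3 from this page (ri-xxxx is the page's own placeholder ID).
ROUTER_INTERFACE_POLICY = json.loads("""{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vpc:*RouterInterface*"],
         "Resource": ["acs:vpc:cn-qingdao:*:routerinterface/ri-xxxx"]},
        {"Effect": "Allow", "Action": ["vpc:*Describe*"], "Resource": ["*"]}
    ]
}""")

def probe(policy: dict = ROUTER_INTERFACE_POLICY) -> dict:
    """Probe the policy with constructed requests; returns name -> allowed."""
    acct = "1234567890123456"  # constructed placeholder account ID
    cases = {
        "delete_ri_xxxx_qingdao": ("vpc:DeleteRouterInterface",
                                   f"acs:vpc:cn-qingdao:{acct}:routerinterface/ri-xxxx"),
        "delete_ri_yyyy_qingdao": ("vpc:DeleteRouterInterface",
                                   f"acs:vpc:cn-qingdao:{acct}:routerinterface/ri-yyyy"),
        "delete_ri_xxxx_hangzhou": ("vpc:DeleteRouterInterface",
                                    f"acs:vpc:cn-hangzhou:{acct}:routerinterface/ri-xxxx"),
        "describe_pconn_any_region": ("vpc:DescribePhysicalConnections",
                                      f"acs:vpc:cn-hangzhou:{acct}:physicalconnection/*"),
        "create_pconn_qingdao": ("vpc:CreatePhysicalConnection",
                                 f"acs:vpc:cn-qingdao:{acct}:physicalconnection/*"),
    }
    return {name: is_allowed(policy, act, res) for name, (act, res) in cases.items()}
```

The probe shows the two sides of this policy: write access is confined to one router interface in cn-qingdao, while the vpc:*Describe* statement on "*" grants read access to every VPC resource, not only to router interfaces.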