You can create a custom policy for IoT Platform and attach the policy to a RAM user. This policy grants the RAM user the permissions to call a specified IoT Platform API operation.

For information about how to grant permissions to a RAM user, see Custom permissions.

The following table describes the valid values of the Action element that you must configure when you create a custom Resource Access Management (RAM) policy for IoT Platform.

Note: The following table describes specific API operations that you can specify in RAM policies. The API operations must be specified in the iot:${API operation name} format, where ${API operation name} is the name of the API operation that you want to specify. For information about the API operations provided by IoT Platform, see List of operations by function.

| Operation | Action in a RAM policy | Resource in the RAM policy | Description |
| --- | --- | --- | --- |
| CreateProduct | iot:CreateProduct | * | Creates a product. |
| UpdateProduct | iot:UpdateProduct | * | Modifies the details of a product. |
| QueryProduct | iot:QueryProduct | * | Queries the details of a product. |
| QueryProductList | iot:QueryProductList | * | Queries products. |
| DeleteProduct | iot:DeleteProduct | * | Deletes a product. |
| CreateProductTags | iot:CreateProductTags | * | Creates product tags. |
| UpdateProductTags | iot:UpdateProductTags | * | Modifies the tags of a product. |
| DeleteProductTags | iot:DeleteProductTags | * | Deletes product tags. |
| ListProductTags | iot:ListProductTags | * | Queries product tags. |
| ListProductByTags | iot:ListProductByTags | * | Queries products by tag. |
| RegisterDevice | iot:RegisterDevice | * | Registers a device. |
| QueryDevice | iot:QueryDevice | * | Queries the devices of a specified product. |
| DeleteDevice | iot:DeleteDevice | * | Deletes a device. |
| QueryPageByApplyId | iot:QueryPageByApplyId | * | Queries the details of multiple devices that are registered at the same time. |
| BatchGetDeviceState | iot:BatchGetDeviceState | * | Queries the statuses of multiple devices. |
| BatchRegisterDeviceWithApplyId | iot:BatchRegisterDeviceWithApplyId | * | Creates multiple devices by application ID. |
| BatchRegisterDevice | iot:BatchRegisterDevice | * | Registers multiple devices. Device names are randomly generated. |
| QueryBatchRegisterDeviceStatus | iot:QueryBatchRegisterDeviceStatus | * | Queries the statuses of multiple devices that are registered at the same time. |
| BatchCheckDeviceNames | iot:BatchCheckDeviceNames | * | Specifies custom names for multiple devices at a time. |
| QueryDeviceStatistics | iot:QueryDeviceStatistics | * | Queries device statistics. |
| QueryDeviceEventData | iot:QueryDeviceEventData | * | Queries the historical events of a device. |
| QueryDeviceServiceData | iot:QueryDeviceServiceData | * | Queries the service records of a device. |
| SetDeviceProperty | iot:SetDeviceProperty | * | Configures properties for a device. |
| SetDevicesProperty | iot:SetDevicesProperty | * | Configures properties for multiple devices. |
| InvokeThingService | iot:InvokeThingService | * | Calls a service on a device. |
| InvokeThingsService | iot:InvokeThingsService | * | Calls a service on multiple devices. |
| QueryDevicePropertyStatus | iot:QueryDevicePropertyStatus | * | Queries the property snapshot of a device. |
| QueryDeviceDetail | iot:QueryDeviceDetail | * | Queries the details of a device. |
| DisableThing | iot:DisableThing | * | Disables a device. |
| EnableThing | iot:EnableThing | * | Enables a device. |
| ResetThing | iot:ResetThing | * | Resets a device. |
| GetThingTopo | iot:GetThingTopo | * | Queries the topological relationships of a device. |
| RemoveThingTopo | iot:RemoveThingTopo | * | Removes the topological relationships of a device. |
| NotifyAddThingTopo | iot:NotifyAddThingTopo | * | Adds a topological relationship to IoT Platform. |
| QueryDevicePropertyData | iot:QueryDevicePropertyData | * | Queries the historical properties of a device. |
| QueryDevicePropertiesData | iot:QueryDevicePropertiesData | * | Queries the property data of a device. |
| GetGatewayBySubDevice | iot:GetGatewayBySubDevice | * | Queries the information about a gateway device based on sub-device information. |
| SaveDeviceProp | iot:SaveDeviceProp | * | Specifies tags for a device. |
| QueryDeviceProp | iot:QueryDeviceProp | * | Queries the tags of a device. |
| DeleteDeviceProp | iot:DeleteDeviceProp | * | Deletes the tags of a device. |
| QueryDeviceByTags | iot:QueryDeviceByTags | * | Queries devices by tag. |
| CreateDeviceGroup | iot:CreateDeviceGroup | * | Creates a device group. |
| UpdateDeviceGroup | iot:UpdateDeviceGroup | * | Modifies the details of a device group. |
| DeleteDeviceGroup | iot:DeleteDeviceGroup | * | Deletes a device group. |
| BatchAddDeviceGroupRelations | iot:BatchAddDeviceGroupRelations | * | Adds devices to a device group. |
| BatchDeleteDeviceGroupRelations | iot:BatchDeleteDeviceGroupRelations | * | Removes a device from a device group. |
| QueryDeviceGroupInfo | iot:QueryDeviceGroupInfo | * | Queries the details of a device group. |
| QueryDeviceGroupList | iot:QueryDeviceGroupList | * | Queries device groups. |
| SetDeviceGroupTags | iot:SetDeviceGroupTags | * | Creates tags for a device group or updates the tags of a device group. |
| QueryDeviceGroupTagList | iot:QueryDeviceGroupTagList | * | Queries the tags of a device group. |
| QueryDeviceGroupByDevice | iot:QueryDeviceGroupByDevice | * | Queries the device groups to which a device belongs. |
| QueryDeviceListByDeviceGroup | iot:QueryDeviceListByDeviceGroup | * | Queries devices in a device group. |
| QuerySuperDeviceGroup | iot:QuerySuperDeviceGroup | * | Queries the details of a parent device group by sub-group ID. |
| QueryDeviceGroupByTags | iot:QueryDeviceGroupByTags | * | Queries device groups by tag. |
| StartRule | iot:StartRule | * | Enables a rule. |
| StopRule | iot:StopRule | * | Disables a rule. |
| ListRule | iot:ListRule | * | Queries rules. |
| GetRule | iot:GetRule | * | Queries the details of a rule. |
| CreateRule | iot:CreateRule | * | Creates a rule. |
| UpdateRule | iot:UpdateRule | * | Modifies a rule. |
| DeleteRule | iot:DeleteRule | * | Deletes a rule. |
| CreateRuleAction | iot:CreateRuleAction | * | Creates a data forwarding method for a rule. |
| UpdateRuleAction | iot:UpdateRuleAction | * | Modifies the data forwarding method of a rule. |
| DeleteRuleAction | iot:DeleteRuleAction | * | Deletes a data forwarding method from a rule. |
| GetRuleAction | iot:GetRuleAction | * | Queries the details of a data forwarding method. |
| ListRuleActions | iot:ListRuleActions | * | Queries the data forwarding methods of a rule. |
| Pub | iot:Pub | * | Publishes messages. |
| PubBroadcast | iot:PubBroadcast | * | Publishes a message to all devices that subscribe to a topic. |
| RRpc | iot:RRpc | * | Sends a request to a device and obtains a response from the device. |
| CreateProductTopic | iot:CreateProductTopic | * | Creates a topic category for a product. |
| DeleteProductTopic | iot:DeleteProductTopic | * | Deletes a topic category. |
| QueryProductTopic | iot:QueryProductTopic | * | Queries the topic categories of a product. |
| UpdateProductTopic | iot:UpdateProductTopic | * | Modifies a topic category. |
| CreateTopicRouteTable | iot:CreateTopicRouteTable | * | Creates routing relationships between topics. |
| DeleteTopicRouteTable | iot:DeleteTopicRouteTable | * | Deletes a routing relationship. |
| QueryTopicReverseRouteTable | iot:QueryTopicReverseRouteTable | * | Queries the source topics of a destination topic. |
| QueryTopicRouteTable | iot:QueryTopicRouteTable | * | Queries the destination topics of a source topic. |
| GetDeviceShadow | iot:GetDeviceShadow | * | Queries the details of a device shadow. |
| UpdateDeviceShadow | iot:UpdateDeviceShadow | * | Modifies a device shadow. |
| SetDeviceDesiredProperty | iot:SetDeviceDesiredProperty | * | Specifies desired property values for a device. |
| QueryDeviceDesiredProperty | iot:QueryDeviceDesiredProperty | * | Queries the property values of a device. |
| BatchUpdateDeviceNickname | iot:BatchUpdateDeviceNickname | * | Modifies the aliases of multiple devices. |
| QueryDeviceFileList | iot:QueryDeviceFileList | * | Queries the details of all files that are uploaded to IoT Platform from a device. |
| QueryDeviceFile | iot:QueryDeviceFile | * | Queries the details of a file that is uploaded to IoT Platform from a device. |
| DeleteDeviceFile | iot:DeleteDeviceFile | * | Deletes a file that is uploaded to IoT Platform from a device. |
| QueryDeviceCert | iot:QueryDeviceCert | * | Queries the X.509 certificate of a device. |
| QueryCertUrlByApplyId | iot:QueryCertUrlByApplyId | * | Queries the URL from which you can download the X.509 certificates of registered devices. |
| BatchAddThingTopo | iot:BatchAddThingTopo | * | Establishes topological relationships between multiple sub-devices and a gateway device. |
| QueryDeviceByStatus | iot:QueryDeviceByStatus | * | Queries devices by status. |
| GenerateOTAUploadURL | iot:GenerateOTAUploadURL | * | Generates the information that is used to upload firmware files to Object Storage Service (OSS). |
| CreateOTAFirmware | iot:CreateOTAFirmware | * | Creates a firmware file. |
| DeleteOTAFirmware | iot:DeleteOTAFirmware | * | Deletes a firmware file. |
| ListOTAFirmware | iot:ListOTAFirmware | * | Queries all firmware files. |
| QueryOTAFirmware | iot:QueryOTAFirmware | * | Queries the details of a firmware file. |
| CreateOTAVerifyJob | iot:CreateOTAVerifyJob | * | Creates a firmware verification batch. |
| CreateOTAStaticUpgradeJob | iot:CreateOTAStaticUpgradeJob | * | Creates a static update batch. |
| CreateOTADynamicUpgradeJob | iot:CreateOTADynamicUpgradeJob | * | Creates a dynamic update batch. |
| ListOTAJobByFirmware | iot:ListOTAJobByFirmware | * | Queries the update tasks of a firmware file. |
| ListOTAJobByDevice | iot:ListOTAJobByDevice | * | Queries all firmware update batches of a device. |
| QueryOTAJob | iot:QueryOTAJob | * | Queries the details of an update batch. |
| CancelOTAStrategyByJob | iot:CancelOTAStrategyByJob | * | Cancels an update policy that is associated with a dynamic update batch. |
| CancelOTATaskByDevice | iot:CancelOTATaskByDevice | * | Cancels the pending device update tasks of a firmware file. |
| CancelOTATaskByJob | iot:CancelOTATaskByJob | * | Cancels the device update tasks of an update batch. |
| ListOTATaskByJob | iot:ListOTATaskByJob | * | Queries the update tasks of a device by update batch. |
| CreateSubscribeRelation | iot:CreateSubscribeRelation | * | Creates a Message Service (MNS) or Advanced Message Queuing Protocol (AMQP) server-side subscription. |
| UpdateSubscribeRelation | iot:UpdateSubscribeRelation | * | Modifies an MNS or AMQP server-side subscription. |
| QuerySubscribeRelation | iot:QuerySubscribeRelation | * | Queries the details of an MNS or AMQP server-side subscription. |
| DeleteSubscribeRelation | iot:DeleteSubscribeRelation | * | Deletes an MNS or AMQP server-side subscription. |
| CreateConsumerGroup | iot:CreateConsumerGroup | * | Creates a consumer group to create an AMQP server-side subscription. |
| UpdateConsumerGroup | iot:UpdateConsumerGroup | * | Changes the name of a consumer group. |
| QueryConsumerGroupByGroupId | iot:QueryConsumerGroupByGroupId | * | Queries the details of a consumer group by consumer group ID. |
| QueryConsumerGroupList | iot:QueryConsumerGroupList | * | Queries all consumer groups of an account or performs a fuzzy search by consumer group name. |
| QueryConsumerGroupStatus | iot:QueryConsumerGroupStatus | * | Queries the status of a consumer group when an AMQP server-side subscription is enabled. The status information includes the online client information, message consumption rate, number of accumulated messages, and the most recent message consumption time. |
| ResetConsumerGroupPosition | iot:ResetConsumerGroupPosition | * | Clears the accumulated messages of a consumer group when an AMQP server-side subscription is enabled. |
| DeleteConsumerGroup | iot:DeleteConsumerGroup | * | Deletes a consumer group. |
| CreateConsumerGroupSubscribeRelation | iot:CreateConsumerGroupSubscribeRelation | * | Adds a consumer group to an AMQP server-side subscription. |
| DeleteConsumerGroupSubscribeRelation | iot:DeleteConsumerGroupSubscribeRelation | * | Removes a consumer group from an AMQP subscription. |
| Configure an AMQP server-side subscription | iot:sub | * | Establishes a connection to IoT Platform by using an AMQP server-side subscription. |
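
The following added example (not part of the original documentation) lints a custom RAM policy before it is attached, checking each allowed action against the `iot:${API operation name}` format and against a reviewed allowlist. `KNOWN_ACTIONS` is a subset copied from the table above; `lint_policy`, `as_list` and the sample policy are constructed for illustration, and the policy layout assumes the standard RAM `Version`/`Statement` structure.

```python
import json
import re

# Subset of the Action values from the table above (not the full list).
KNOWN_ACTIONS = {
    "iot:QueryProduct", "iot:QueryProductList", "iot:QueryDevice",
    "iot:QueryDeviceDetail", "iot:DeleteDevice", "iot:Pub", "iot:RRpc",
    "iot:CreateConsumerGroup", "iot:sub",
}
ACTION_FORMAT = re.compile(r"^iot:[A-Za-z]+$")  # iot:${API operation name}


def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (action, problem) pairs for the Allow statements of a policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((action, "wildcard matches operations beyond those reviewed"))
            elif not ACTION_FORMAT.match(action):
                findings.append((action, "not in iot:${API operation name} format"))
            elif action not in KNOWN_ACTIONS:
                findings.append((action, "not in the reviewed action list"))
    return findings


# Constructed sample: a read-only intent with two mistakes mixed in.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iot:QueryProduct", "iot:QueryDeviceDetail",
                "iotCreateConsumerGroup", "iot:*"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for action, problem in lint_policy(SAMPLE_POLICY):
        print(f"{action}: {problem}")
```

Because every operation in the table uses `*` as its resource, the action list is the only scoping control in these policies, so extend `KNOWN_ACTIONS` only with the operations the RAM user actually needs.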