You can create custom policies to manage permissions in a fine-grained manner.
Background information
You can define permissions to allow or deny operations on resources in specific conditions. Permissions are defined in Resource Access Management (RAM) policies. You can define custom permissions by creating custom policies.
For more information, see Create a custom policy. This topic describes how to create a custom policy by editing a script on the JSON tab of the RAM console.
Procedure
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following policy content in the code editor and click Next to edit policy information.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
Configure the policy in the JSON format. The following elements are required:
Action: the actions that you want to authorize. IoT Platform actions start with iot:. For more information about actions and examples, see the "Define actions" section of this topic.
Effect: the authorization type. Valid values: Allow and Deny.
Resource: the resources that you want to authorize RAM users to access.
If you want to authorize a RAM user to access all resources of your IoT Platform, set this parameter to
*.Condition: the condition. IoT does not support Condition definitions.
For more information, see Policy elements.
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Define actions
To define actions for a policy, you must specify API operations in the Action element. When you create a policy to grant permissions on IoT Platform, specify IoT Platform actions in the Action element. Each IoT Platform action must start with iot:. Multiple actions must be separated by commas (,). You can set the value of the Action element to an asterisk (*), which indicates a wildcard. For information about the API operations of IoT Platform, see Mapping of IoT Platform operations and RAM policies.
The following examples show how to define actions.
Specify a single API operation to define an action.
"Action": "iot:CreateProduct"Specify multiple API operations to define actions.
"Action": [ "iot:UpdateProduct", "iot:QueryProduct" ]Specify all read-only API operations to define actions, including the actions that are performed when the rules engine forwards the data of a product.
{ "Version": "1", "Statement": [ { "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] }Specify all read/write API operations to define actions, including the actions that are performed when the rules engine forwards data of a product.
{ "Version": "1", "Statement": [ { "Action": "iot:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] }
After a policy is created, you can attach the policy to RAM users. Then, the RAM users can perform the operations that are defined in the policy. For more information about how to create and authorize RAM users, see Access IoT Platform as a RAM user.