If system policies do not meet your business requirements, you can create custom policies based on the principle of least privilege. Custom policies help you manage permissions in a fine-grained manner and improve resource access security. This topic describes how to use custom policies for CloudOps Orchestration Service (OOS).
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can directly delete a RAM policy that is not attached to a principal. If a RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Scenarios and sample custom policies
Sample policy 1: grants a RAM user the permissions to execute templates but not modify templates.
{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*", "oos:StartExecution", "oos:CancelExecution", "oos:NotifyExecution" ], "Resource": "*", "Effect": "Allow" } ] }
Sample policy 2: grants a RAM user the permissions to create and modify templates but not execute templates.
{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*", "oos:CreateTemplate", "oos:UpdateTemplate", "oos:ValidateTemplateContent" ], "Resource": "*", "Effect": "Allow" } ] }Sample policy 3: grants a RAM user the CloudOps Orchestration Service administrator permissions.
{ "Version": "1", "Statement": [ { "Action": "oos:*", "Effect": "Allow", "Resource": "*" }, { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "oos.aliyuncs.com" } } } ] }
RAM authorization
We recommend that you understand the permission control requirements and detailed permissions on OOS before you create a custom policy. For more information, see RAM authorization.