All Products
Search

This Product

    Resource Access Management:Control access based on time of day

    Document Center

    Resource Access Management:Control access based on time of day

    Last Updated:Mar 31, 2026

    You can enhance the security of your Alibaba Cloud resources by creating Resource Access Management (RAM) policies that allow access only during specific time periods, such as your organization's business hours. This helps prevent unauthorized access and reduces security risks.

    How it works

    You can control access by time of day by using the acs:CurrentTime global condition key in the Condition block of a RAM policy. This key represents the time at which a request is received by Alibaba Cloud.

    You can use date and time condition operators like DateLessThan, DateGreaterThan, DateEquals, and their "IfExists" variants to compare the request time against a specific date and time that you define in the policy. The time must be specified in ISO 8601 format (such as YYYY-MM-DDThh:mm:ssZ or YYYY-MM-DDThh:mm:ss+hh:mm).

    This tutorial demonstrates how to create a custom policy that allows a RAM user to perform any action on Elastic Compute Service (ECS) instances, but only if the request is made before 17:00 on August 12, 2019 (UTC+8).

    Prerequisites

    You have permissions to create and manage RAM users and policies in the RAM console.

    Procedure

    Step 1: Create the time-based policy

    First, create a custom RAM policy that includes the time-based condition.

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. On the Create Policy page, click the JSON Editor tab.

    5. Copy and paste the following policy document into the editor. You can modify the date and time to match your business requirements.

    {
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
          "DateLessThan": {
              "acs:CurrentTime": "2019-08-12T17:00:00+08:00"
          }
      }
    }
  ],
  "Version": "1"
}

    This policy grants full access (ecs:*) to all ECS resources (Resource: *), but only if the request time (acs:CurrentTime) is earlier than (DateLessThan) the specified timestamp.

    1. Click OK.

    2. Enter a Name for your policy (such as Allow-ECS-Access-Before-Cutoff) and click OK.

    For more information, see Create a custom policy.

    Step 2: Create a RAM user

    Next, create a RAM user who will be subject to this time restriction.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Click Create User.

    3. Enter a username and select an access mode (such as Console Access). Follow the prompts to complete user creation. For more information, see Create a RAM user.

    Step 3: Attach the policy and verify access

    Finally, attach the policy to the RAM user and test that the restriction works as expected.

    1. On the Users page, find the user you just created and click Attach Policy in the Actions column.

    2. On the Attach Policy panel, find and select the IP-based policy you created in Step 1 (such as Allow-ECS-Access-Before-Cutoff).

    3. Click OK, then click Close.

    4. Verify the policy:

      • Log on to the Alibaba Cloud Management Console as the new RAM user and attempt to access an ECS resource. If the current time is before the cutoff time specified in the policy, the request should succeed.

      • If the current time is after the cutoff time, the request should be denied with a "permission denied" error.

    For more information, see Grant permissions to a RAM user.