Built-in Resource Access Management (RAM) system policies grant broad access that may not meet your security requirements. Custom policies let you define precise, least-privilege permissions for ApsaraDB RDS — specifying exactly which actions each RAM user, user group, or RAM role can perform on which resources.
Custom policy basics
RAM policies fall into two categories: system policies (built-in, read-only) and custom policies (created and maintained by you). Custom policies give you full control over the policy lifecycle:
Create: Define the exact actions and resources to allow or deny.
Attach: Attach the policy to a RAM user, user group, or RAM role to grant its permissions.
Update: Modify the policy document or description as your access requirements change.
Detach: Detach the policy from all principals before deleting it. You cannot delete a policy that is still attached to a principal.
Delete: Delete the policy after detaching it from all principals.
Manage versions: Custom policies are versioned. A policy can keep several versions, exactly one of which is the default version that RAM enforces; you can switch the default to an earlier version to roll back a change, using the version management mechanism provided by RAM.
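Before a policy enters this lifecycle it is worth checking that the document really is least-privilege. The following added example (not part of the original page, and not Alibaba Cloud's own code) builds a read-only policy scoped to a single RDS instance and a deliberately over-broad one, then runs a small lint over them. The RAM policy `Version` value `"1"`, the `rds:DescribeDBInstances` and `rds:DescribeDBInstanceAttribute` actions, and the `acs:rds:*:*:dbinstance/<instance-id>` resource format are documented RAM conventions; the instance ID `rm-bp1example` and the `lint_policy` / `policy_document` helpers are placeholders chosen for this example.

```python
import json

# Constructed example: read-only access to ONE RDS instance.
# rm-bp1example is a placeholder instance ID, not a real instance.
READ_ONLY_ONE_INSTANCE = {
    "Version": "1",  # RAM policy documents use Version "1"
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
            ],
            "Resource": "acs:rds:*:*:dbinstance/rm-bp1example",
        }
    ],
}

# Constructed example of the shape the page warns against:
# every RDS action on every resource.
OVERLY_BROAD = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}


def _as_list(value):
    """RAM accepts a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def _is_full_wildcard(action):
    """True for '*' or '<service>:*' (e.g. 'rds:*'); 'rds:Describe*' is narrower."""
    return action == "*" or action.endswith(":*")


def lint_policy(policy):
    """Return a list of findings; an empty list means the document passed.

    Only Allow statements are examined: an explicit Deny with wildcards is a
    legitimate guard rail, not an over-grant.
    """
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1" for RAM policies')
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(_is_full_wildcard(a) for a in actions)
        broad_resource = any(r == "*" for r in resources)
        if broad_action and broad_resource:
            findings.append(f"Statement {i}: wildcard Action on wildcard Resource")
        elif broad_action:
            findings.append(f"Statement {i}: wildcard Action")
        elif broad_resource:
            findings.append(f"Statement {i}: Allow on all resources")
        # An RDS policy that also grants other services is a scope creep signal.
        for action in actions:
            if action != "*" and not action.startswith("rds:"):
                findings.append(f"Statement {i}: non-RDS action {action!r}")
    return findings


def policy_document(policy):
    """Serialise the document as compact JSON, the form passed to RAM as PolicyDocument."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_ONE_INSTANCE), ("broad", OVERLY_BROAD)):
        print(name, lint_policy(doc) or "ok")
    print(policy_document(READ_ONLY_ONE_INSTANCE))
```

Run the lint as a pre-commit or CI step on every policy document before the Create or Update step above; a finding on an Allow statement is the signal that the document needs a narrower `Action` list or an instance-scoped `Resource` rather than being attached as-is.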
Related operations
| Operation | Description |
|---|---|
| Create a custom policy | Define a new custom policy document |
| Modify the document and description of a custom policy | Update an existing policy's permissions or description |
| Delete a custom policy | Remove a policy that is no longer needed |
| Manage policy references | View which principals a policy is attached to |
| Manage custom policy versions | Roll back or switch between policy versions |
Scenario examples
The following topics provide complete custom policy examples for common RDS access control scenarios:
| Scenario | Description |
|---|---|
| Authorize a RAM user to manage ApsaraDB RDS instances | Grant full management permissions on RDS instances to a RAM user |
| Grant a RAM user the read-only permissions on an ApsaraDB RDS instance | Restrict a RAM user to read-only access on a specific instance |
| Use RAM policies to manage the permissions of RAM users | Combine several policies (for example, a broad Allow with a narrower Deny) to control what RAM users can do across multiple RDS instances |
RAM authorization reference
To write a correct custom policy, look up the exact action names, resource type ARN formats, and condition keys that ApsaraDB RDS supports in the RAM authorization reference; an action or ARN that is misspelled or does not exist silently grants nothing, so verify each one against that list rather than guessing.