This topic describes how to create a custom policy. Custom policies provide finer-grained access control than system policies.

Methods to create a custom policy

You can create a custom policy on one of the following two tabs. The elements that you configure for a custom policy on one tab are synchronized to the other tab. Therefore, you can switch between the two tabs when you create a custom policy.

  • Visual Editor Beta: We recommend that you create a custom policy on this tab. This tab provides a GUI in which you only need to select configuration items in the Effect, Service, Action, Resource, and Condition sections. When you create a custom policy on this tab, the system checks your configurations, which ensures the validity of the custom policy. This method requires only simple operations.
  • JSON: This tab provides a JSON script editor. You must write the policy statements based on the syntax and structure of RAM policies. This method is flexible and is suitable for users who are familiar with the syntax and structure of RAM policies.

Before you create a custom policy, you must understand the basic elements, syntax, and structure of RAM policies. For more information, see Policy elements and Policy structure and syntax.

Create a custom policy on the Visual Editor Beta tab

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the Visual Editor Beta tab.
  5. Configure the parameters for a custom policy and click Next Step.
    1. In the Effect section, select Allow or Deny.
    2. In the Service section, select an Alibaba Cloud service.
      Note: The Alibaba Cloud services that you can select are displayed in the Service section.
    3. In the Action section, select All Actions or Specified Actions.
      The system displays the actions that can be configured based on the Alibaba Cloud service that you selected in the previous step. If you select Specified Actions, you must select the actions.
    4. In the Resource section, select All Resources or Specified Resources.
      The system displays the resources that can be configured based on the actions that you selected in the previous step. If you select Specified Resources, you must click Add Resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match All to select all resources for each action that you select.
      Note: The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.
    5. Optional: In the Condition section, click Add Condition to configure a condition.
      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You only need to select a condition key and configure the Operator and Value parameters.
    6. Click Add Statement and repeat the preceding steps to configure multiple custom policy statements.
  6. Configure the Name and Note parameters.
  7. Check and optimize the content of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Delete unnecessary conditions.
      • Delete unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during advanced optimization:

      • Split resources or conditions that are incompatible with actions.
      • Narrow down resources.
      • Deduplicate or merge policy statements.
  8. Click OK.

Create a custom policy on the JSON tab

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next Step.
    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
  6. Configure the Name and Note parameters.
  7. Check and optimize the content of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Delete unnecessary conditions.
      • Delete unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during advanced optimization:

      • Split resources or conditions that are incompatible with actions.
      • Narrow down resources.
      • Deduplicate or merge policy statements.
  8. Click OK.
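
The following is an added example, not part of the original documentation or of any Alibaba Cloud tooling: a small pre-submission check for a policy document that you intend to paste on the JSON tab. It flags Allow statements that correspond to the All Actions or All Resources choices described above. The sample policy, bucket name, CIDR block, and finding codes are constructed for illustration.

```python
import json

# Constructed sample policy (not from the page); bucket name and CIDR are placeholders.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}
  ]
}
"""

def as_list(value):
    """Action and Resource may each be a single string or an array of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_policy(document):
    """Return (statement_index, code) findings for over-broad Allow statements."""
    policy = json.loads(document)
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a broad Deny removes access, so it is not flagged here
        broad = False
        for action in as_list(stmt.get("Action")):
            # "*" or "<service>:*" is the JSON form of selecting All Actions
            if action == "*" or action.endswith(":*"):
                findings.append((index, "WILDCARD_ACTION:" + action))
                broad = True
        # A bare "*" is the JSON form of selecting All Resources
        if "*" in as_list(stmt.get("Resource")):
            findings.append((index, "ALL_RESOURCES"))
            broad = True
        # A broad grant with no Condition has nothing narrowing it
        if broad and not stmt.get("Condition"):
            findings.append((index, "NO_CONDITION"))
    return findings

if __name__ == "__main__":
    for index, code in lint_policy(SAMPLE_POLICY):
        print(f"Statement[{index}]: {code}")
```

A statement that produces findings is a candidate for Specified Actions, Specified Resources, or an added condition before you click OK.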