This topic describes how to create a custom policy. Custom policies provide more fine-grained
access control than system policies.
Methods to create a custom policy
- Create a custom policy on the Visual Editor Beta tab
When you create a custom policy on the Visual Editor Beta tab, you select
configuration items in the Effect, Service, Action, Resource, and Condition sections.
The system then checks your configurations to ensure that the custom policy is valid.
This tab lets you create a custom policy with simple operations.
- Create a custom policy on the JSON tab
When you create a custom policy on the JSON tab, you must write a policy document
that follows the syntax and structure of Resource Access Management (RAM) policies.
This tab gives you more flexibility and is suitable for users who are familiar with
the syntax and structure of RAM policies.
- Create a custom policy by importing a policy template
RAM provides policy templates that are created based on years of business practices
and are suitable for common scenarios. For example, RAM provides policy templates
that are applicable to system administrators, financial personnel, and network administrators.
You only need to import an appropriate policy template and modify it based on your
business requirements, which makes it convenient to create a custom policy.
- Create a custom policy by importing a system policy template
You can import a system policy template and modify the policy template based on your
business requirements. This way, you can create a custom policy in a convenient and
efficient manner.
Create a custom policy on the Visual Editor Beta tab
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the Visual editor tab.
- Configure the policy and click Next to edit policy information.
- In the Effect section, select Allow or Deny.
- In the Service section, select an Alibaba Cloud service.
Note: The Alibaba Cloud services that you can select are displayed in the Service section.
- In the Action section, select All action(s) or Select action(s).
The system displays the actions that can be configured based on the Alibaba Cloud
service you select in the previous step. If you select Select action(s), you must select actions.
- In the Resource section, select All resource(s) or Specified resource(s).
The system displays the resources that can be configured based on the actions you
select in the previous step. If you select Specified resource(s), you must click
Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources.
You can also click Match all to select all resources for each action that you select.
Note: The resource ARNs that are required for an action are tagged with Required. We
strongly recommend that you configure the resource ARNs that are tagged with Required.
This ensures that the custom policy takes effect as expected.
- Optional: In the Condition section, click Add condition to configure a condition.
Conditions include Alibaba Cloud common conditions and service-specific conditions.
The system displays the conditions that can be configured based on the Alibaba Cloud
service and the actions that you select. You only need to select a condition key and
configure the Operator and Value parameters.
- Click Add statement and repeat the preceding steps to configure multiple custom policy statements.
- Specify the Name and Description fields.
- Check and optimize the document of the custom policy.
- Basic optimization
The system automatically optimizes the policy statement. The system performs the following
operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.
Create a custom policy on the JSON tab
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
- Enter the policy document and click Next to edit policy information.
- Specify the Name and Description fields.
- Check and optimize the document of the custom policy.
- Basic optimization
The system automatically optimizes the policy statement. The system performs the following
operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.
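A pre-submission check for a policy document written for the JSON tab, as an added example (not Alibaba Cloud's code). It assumes a permission policy that uses the Effect, Action, Resource, and Condition elements listed for the visual editor; the bucket name, CIDR range, and function names are constructed for illustration.

```python
import json

# Constructed sample policy document; bucket name and CIDR range are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
      "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}
    },
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """Policy elements may be a single string or an array of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy):
    """Return (statement_index, finding) tuples for structure and least-privilege issues."""
    findings = []
    if policy.get("Version") != "1":
        findings.append((None, 'Version must be "1"'))
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + [(None, "Statement must be a non-empty array")]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append((i, "Effect must be Allow or Deny"))
        actions, resources = as_list(st.get("Action")), as_list(st.get("Resource"))
        if st.get("Effect") != "Allow":
            continue  # a broad Deny does not widen access, so only Allow is reviewed
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"wildcard action {a}"))
        if "*" in resources and not st.get("Condition"):
            findings.append((i, "all resources allowed with no Condition"))
    return findings

if __name__ == "__main__":
    for idx, msg in review_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {msg}")
```

The first statement passes because it names specific actions, scopes the resource to one bucket, and restricts the source IP; the second is flagged on both counts.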
Create a custom policy by importing a policy template
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click Import policy template in the upper-right corner.
- In the Import Policy Template dialog box, import the policy template that you want to use.
- Select a policy template.
Note: The policy templates that are displayed in the RAM console prevail.
- Optional: Configure the parameters for the selected policy template.
- Specify whether the policy document of the selected policy template overwrites the
original policy document.
- Overwrite: The policy document of the selected policy template overwrites the original
policy document. This is the default value.
- Append: The policy document of the selected policy template is appended to the end
of the original policy document.
- Click Import.
- On the Visual editor tab or the JSON tab, view and modify the imported policy document
and click Next to edit policy information.
By default, the imported policy template is displayed on the Visual editor tab. This
way, you can view and modify the template in a visualized manner. You can also modify
the template on the JSON tab.
- Specify the Name and Description fields.
- Check and optimize the document of the custom policy.
- Basic optimization
The system automatically optimizes the policy statement. The system performs the following
operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.
Create a custom policy by importing a system policy template
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click Import system policy in the upper-right corner.
- In the Import system policy dialog box, import a system policy template.
- Select a system policy template.
- Specify whether the policy document of the selected system policy template overwrites
the original policy document.
- Overwrite: The policy document of the selected system policy template overwrites the
original policy document.
- Append: The policy document of the selected system policy template is appended to
the end of the original policy document. This is the default value.
- Click Import.
- On the Visual editor tab or the JSON tab, view and modify the policy document of the
imported system policy template and click Next to edit policy information.
By default, the imported system policy template is displayed on the Visual editor
tab. This way, you can view and modify the system policy template in a visualized
manner. You can also modify the system policy on the JSON tab.
- Specify the Name and Description fields.
- Check and optimize the document of the custom policy.
- Basic optimization
The system automatically optimizes the policy statement. The system performs the following
operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.