This topic describes how to create a custom policy. Custom policies provide more fine-grained access control than system policies.

Methods to create a custom policy

  • Create a custom policy on the Visual Editor Beta tab

    When you create a custom policy on the Visual Editor Beta tab, you need to select configuration items in the Effect, Service, Action, Resource, and Condition sections. Then, the system checks your configurations. This ensures the validity of the custom policy. On this tab, you can perform simple operations to create a custom policy.

  • Create a custom policy on the JSON tab

    When you create a custom policy on the JSON tab, you must compile a policy document based on the syntax and structure of Resource Access Management (RAM) policies. On this tab, you can create a custom policy in a flexible manner. This method is suitable for users who are familiar with the syntax and structure of RAM policies.

  • Create a custom policy by importing a policy template

    RAM provides policy templates that are created based on years of business practices and are suitable for common scenarios. For example, RAM provides policy templates that are applicable to system administrators, financial personnel, and network administrators. You need to only import an appropriate policy template and modify the template based on your business requirements. This way, you can create a custom policy in a convenient manner.

  • Create a custom policy by importing a system policy template

    You can import a system policy template and modify the policy template based on your business requirements. This way, you can create a custom policy in a convenient and efficient manner.

Create a custom policy on the Visual Editor Beta tab

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the Visual editor tab.
  5. Configure the policy and click Next to edit policy information.
    1. In the Effect section, select Allow or Deny.
    2. In the Service section, select an Alibaba Cloud service.
      Note The Alibaba Cloud services that you can select are displayed in the Service section.
    3. In the Action section, select All action(s) or Select action(s).
      The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select actions.
    4. In the Resource section, select All resource(s) or Specified resource(s).
      The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.
      Note The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.
    5. Optional:In the Condition section, click Add condition to configure a condition.
      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You need to only select a condition key and configure the Operator and Value parameters.
    6. Click Add statement and repeat the preceding steps to configure multiple custom policy statements.
  6. Specify the Name and Description fields.
  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional:Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.

Create a custom policy on the JSON tab

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information.
    For more information about the syntax and structure of policies, see Policy structure and syntax.
  6. Specify the Name and Description fields.
  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional:Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.

Create a custom policy by importing a policy template

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click Import policy template in the upper-right corner.
  5. In the Import Policy Template dialog box, import the policy template that you want to use.
    1. Select a policy template.
      Note The policy templates that are displayed in the RAM console prevail.
    2. Optional:Configure the parameters for the selected policy template.
    3. Specify whether the policy document of the selected policy template overwrites the original policy document.
      • Overwrite: The policy document of the selected policy template overwrites the original policy document. This is the default value.
      • Append: The policy document of the selected policy template is appended to the end of the original policy document.
    4. Click Import.
  6. On the Visual editor tab or the JSON tab, view and modify the imported policy document and click Next to edit policy information.
    By default, the imported policy template is displayed on the Visual editor tab. This way, you can view and modify the template in a visualized manner. You can also modify the template on the JSON tab.
  7. Specify the Name and Description fields.
  8. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional:Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  9. Click OK.

Create a custom policy by importing a system policy template

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click Import system policy in the upper-right corner.
  5. In the Import system policy dialog box, import a system policy template.
    1. Select a system policy template.
    2. Specify whether the policy document of the selected system policy template overwrites the original policy document.
      • Overwrite: The policy document of the selected system policy template overwrites the original policy document.
      • Append: The policy document of the selected system policy template is appended to the end of the original policy document. This is the default value.
    3. Click Import.
  6. On the Visual editor tab or the JSON tab, view and modify the policy document of the imported system policy template and click Next to edit policy information.
    By default, the imported system policy template is displayed on the Visual editor tab. This way, you can view and modify the system policy template in a visualized manner. You can also modify the system policy on the JSON tab.
  7. Specify the Name and Description fields.
  8. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional:Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  9. Click OK.