You can create a custom access control policy to restrict specific operations on specific resources.
A custom access control policy only defines a permission boundary for the folders and members
in a resource directory.
Creation methods
- Create a custom access control policy on the Visual Editor Beta tab
When you create a custom access control policy on the Visual Editor Beta tab, you
select configuration items in the Effect, Service, Action, Resource, and Condition
sections, and the system validates your configuration before the policy is created. This
method requires only a few simple operations.
- Create a custom access control policy on the JSON tab
When you create a custom access control policy on the JSON tab, you write the policy
document yourself, following the syntax and structure of access control policies.
This method is more flexible and is suitable for users who are already familiar with the
syntax and structure of access control policies.
Create a custom access control policy on the Visual Editor Beta tab
- Log on to the Resource Management console.
- In the left-side navigation pane, choose .
- On the Policies tab of the page that appears, click Create Policy.
- On the Create Policy page, click the Visual Editor Beta tab.
- Configure the policy and click Next: Edit Basic Information.
- In the Effect section, select Allow or Deny.
- In the Service section, select an Alibaba Cloud service.
Note All supported Alibaba Cloud services are displayed in the Service section.
- In the Action section, select All Actions or Specified Actions.
The system displays the actions that can be configured based on the Alibaba Cloud
service that you select in the Service section. If you select Specified Actions, you must select specific actions.
- In the Resource section, select All Resources or Specified Resources.
The system displays the resources that can be configured based on the actions that
you select in the Action section. If you select
Specified Resources, you must click
Add Resource to configure the Alibaba Cloud Resource Names (ARNs) of resources. You can also select
Match All to specify all resources for each selected action.
Note The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with
Required. Otherwise, the policy may not take effect as expected.
- Optional: In the Condition section, click Add Condition to configure conditions.
Conditions include Alibaba Cloud common conditions and service-specific conditions.
The system displays the conditions that can be configured based on the Alibaba Cloud
service and the actions that you select. You need only to select condition keys and
configure the Operator and Value parameters for each condition key.
- Click Add Statement and repeat the preceding steps to configure multiple statements for the policy.
- Configure the Name and Note parameters.
- Check and optimize the policy document.
- Basic optimization
The system performs the following operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional: Advanced Optimize and click Perform. The system then performs the following operations during advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.
Create a custom access control policy on the JSON tab
- Log on to the Resource Management console.
- In the left-side navigation pane, choose .
- On the Policies tab of the page that appears, click Create Policy.
- On the Create Policy page, click the JSON tab.
- Enter the policy document and click Next: Edit Basic Information.
- Configure the Name and Note parameters.
- Check and optimize the policy document.
- Basic optimization
The system performs the following operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional: Advanced Optimize and click Perform. The system then performs the following operations during advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
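The following Python script is an added example and is not code from the Resource Management console. It builds a policy document with the Effect, Action, Resource, and Condition sections described in both creation methods, runs the structural checks a practitioner would want before pasting the document into the JSON tab, and applies the basic optimization described above (dropping empty Condition sections and collapsing single-element arrays). It assumes the RAM policy document syntax (`"Version": "1"`, a `Statement` list, and `Condition` written as `{Operator: {key: value}}`); the action name, resource ARN, condition operator, condition key, and CIDR block in the sample are illustrative, and the interpretation of "unnecessary conditions" as empty Condition sections is an assumption.

```python
"""Compose, validate, and optimize a custom access control policy document.

Added example; not the console's own code. Assumes RAM policy document
syntax. The sample action, ARN, operator, key, and CIDR are illustrative.
"""
import ipaddress
import json

ALLOWED_EFFECTS = {"Allow", "Deny"}
REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}
OPTIONAL_STATEMENT_KEYS = {"Condition"}


def deny_statement(actions, resources, condition=None):
    """Build one Deny statement. Values are kept as lists so that the
    document is uniform before optimization."""
    stmt = {"Effect": "Deny", "Action": list(actions), "Resource": list(resources)}
    if condition is not None:          # an empty dict is kept on purpose
        stmt["Condition"] = condition  # so that basic_optimize() can drop it
    return stmt


def build_policy(statements):
    return {"Version": "1", "Statement": list(statements)}


def _as_list(value):
    return [value] if isinstance(value, str) else value


def validate_policy(policy):
    """Return a list of problems; an empty list means the document is
    structurally valid (Version, statement keys, Effect, Action/Resource
    values, and Condition shape, plus CIDR syntax for IP operators)."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        keys = set(stmt)
        missing = REQUIRED_STATEMENT_KEYS - keys
        unknown = keys - REQUIRED_STATEMENT_KEYS - OPTIONAL_STATEMENT_KEYS
        if missing:
            problems.append(f"statement {i}: missing {sorted(missing)}")
        if unknown:
            problems.append(f"statement {i}: unknown keys {sorted(unknown)}")
        if stmt.get("Effect") not in ALLOWED_EFFECTS:
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for field in ("Action", "Resource"):
            values = _as_list(stmt.get(field))
            if not isinstance(values, list) or not values or not all(
                isinstance(v, str) and v for v in values
            ):
                problems.append(f"statement {i}: {field} must be a non-empty string or list of strings")
        cond = stmt.get("Condition")
        if cond is None:
            continue
        if not isinstance(cond, dict):
            problems.append(f"statement {i}: Condition must be an object")
            continue
        for operator, keyed in cond.items():
            if not isinstance(keyed, dict) or not keyed:
                problems.append(f"statement {i}: operator {operator} needs {{key: value}}")
                continue
            if operator.endswith("IpAddress"):  # IpAddress / NotIpAddress take CIDR blocks
                for key, value in keyed.items():
                    for cidr in _as_list(value):
                        try:
                            ipaddress.ip_network(cidr, strict=False)
                        except ValueError:
                            problems.append(f"statement {i}: {key} value {cidr!r} is not a CIDR block")
    return problems


def basic_optimize(policy):
    """Basic optimization: drop empty Condition sections and collapse
    single-element arrays in Action, Resource, and Condition into strings."""
    def collapse(value):
        if isinstance(value, list) and len(value) == 1:
            return value[0]
        if isinstance(value, dict):
            return {k: collapse(v) for k, v in value.items()}
        return value

    optimized = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        new_stmt = {}
        for key, value in stmt.items():
            if key == "Condition" and not value:
                continue  # unnecessary (empty) condition
            new_stmt[key] = value if key == "Effect" else collapse(value)
        optimized["Statement"].append(new_stmt)
    return optimized


# Constructed sample: deny ECS instance deletion from outside an office CIDR,
# and deny RAM role deletion everywhere (with an empty Condition to optimize away).
SAMPLE_POLICY = build_policy([
    deny_statement(["ecs:DeleteInstance"], ["acs:ecs:*:*:instance/*"],
                   {"NotIpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}),
    deny_statement(["ram:DeleteRole"], ["*"], {}),
])

if __name__ == "__main__":
    print("problems:", validate_policy(SAMPLE_POLICY))
    print(json.dumps(basic_optimize(SAMPLE_POLICY), indent=2))
```

Run the script to see the optimized document that the JSON tab would accept; `validate_policy()` is the check to run on any hand-written document before you paste it in, and it reports every problem rather than stopping at the first one.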
What to do next
After a custom access control policy is created, you must attach it to folders or
members for it to take effect. For more information, see Attach a custom access control policy.