You can create a custom access control policy to restrict specific operations on specific resources. Custom access control policies only define permission boundaries for folders and members in a resource directory; they do not grant permissions by themselves. For an operation to succeed in a member, a RAM user or role in that member must still be granted the permission in RAM, and the operation must not be denied by a control policy attached to the member or to any of its parent folders.

Creation methods

  • Create a custom access control policy on the Visual Editor Beta tab

    When you create a custom access control policy on the Visual Editor Beta tab, you select configuration items in the Effect, Service, Action, Resource, and Condition sections. The system checks your configuration so that the generated policy document is valid. This tab lets you create a custom access control policy with a few simple operations.

  • Create a custom access control policy on the JSON tab

    When you create a custom access control policy on the JSON tab, you write the policy document yourself, following the syntax and structure of access control policies. This tab gives you the most flexibility and is suitable for users who are familiar with the syntax and structure of access control policies.

Create a custom access control policy on the Visual Editor Beta tab

  1. Log on to the Resource Management console.
  2. In the left-side navigation pane, choose Resource Directory > Control Policy.
  3. On the Policies tab of the page that appears, click Create Policy.
  4. On the Create Policy page, click the Visual Editor Beta tab.
  5. Configure the policy and click Next: Edit Basic Information.
    1. In the Effect section, select Allow or Deny.
    2. In the Service section, select an Alibaba Cloud service.
      Note: All supported Alibaba Cloud services are displayed in the Service section.
    3. In the Action section, select All Actions or Specified Actions.
      The system displays the actions that can be configured based on the Alibaba Cloud service that you select in the Service section. If you select Specified Actions, you must select specific actions.
    4. In the Resource section, select All Resources or Specified Resources.
      The system displays the resources that can be configured based on the actions that you select in the Action section. If you select Specified Resources, you must click Add Resource to configure the Alibaba Cloud Resource Names (ARNs) of resources. You can also select Match All to specify all resources for each selected action.
      Note: The resource ARNs that an action requires are tagged with Required. We strongly recommend that you configure every resource ARN tagged with Required; otherwise the policy may not take effect as expected.
    5. Optional: In the Condition section, click Add Condition to configure conditions.
      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you selected. You only need to select the condition keys and configure the Operator and Value parameters for each key.
    6. Click Add Statement and repeat the preceding steps to configure multiple statements for the policy.
  6. Configure the Name and Note parameters.
  7. Check and optimize the policy document.
    • Basic optimization

      The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. Then, the system performs the following operations during advanced optimization:

      • Splits statements whose resources or conditions are incompatible with some of their actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.

Create a custom access control policy on the JSON tab

  1. Log on to the Resource Management console.
  2. In the left-side navigation pane, choose Resource Directory > Control Policy.
  3. On the Policies tab of the page that appears, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next: Edit Basic Information.
    For more information about the syntax and structure of access control policies, see Languages of access control policies.
  6. Configure the Name and Note parameters.
  7. Check and optimize the policy document.
    • Basic optimization

      The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. Then, the system performs the following operations during advanced optimization:

      • Splits statements whose resources or conditions are incompatible with some of their actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
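The following is an added example, not code from the Alibaba Cloud console or documentation. It shows what a policy document written on the JSON tab looks like and what the "check and optimize" step does to it, for both the Visual Editor and the JSON procedures above. The sample policy is constructed for illustration: the actions, the role ARN, and the 10.0.0.0/8 source range are my choices, not values given on this page. The `validate`, `basic_optimize`, and `merge_statements` functions are my reading of the optimization steps described above (drop empty conditions, drop single-element arrays, merge statements that differ only in Action), not the console's actual implementation.

```python
import json

# Constructed sample control policy document (illustrative values, not from the page).
# Statements 1 and 2 differ only in Action; statement 3 carries an empty Condition.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Deny",
     "Action": ["ram:DeleteRole"],
     "Resource": ["acs:ram:*:*:role/ResourceDirectoryAccountAccessRole"],
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
    {"Effect": "Deny",
     "Action": ["ram:UpdateRole"],
     "Resource": ["acs:ram:*:*:role/ResourceDirectoryAccountAccessRole"],
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
    {"Effect": "Deny",
     "Action": ["ecs:DeleteInstance"],
     "Resource": ["*"],
     "Condition": {}}
  ]
}
""")

REQUIRED_KEYS = ("Effect", "Action", "Resource")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _collapse(value):
    """A single-element array carries no extra information; write it as a scalar."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def validate(policy):
    """Return a list of structural problems; an empty list means the document is well formed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        for key in REQUIRED_KEYS:
            if key not in st or st[key] in ("", []):
                problems.append(f"statement {i}: missing {key}")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(st.get("Action", [])):
            if action != "*" and ":" not in action:
                problems.append(f"statement {i}: action {action!r} is not service:Action")
        cond = st.get("Condition", {})
        if not isinstance(cond, dict) or any(not isinstance(v, dict) for v in cond.values()):
            problems.append(f"statement {i}: Condition must map operator -> {{key: value}}")
    return problems


def basic_optimize(policy):
    """Basic optimization as read from the page: drop empty Condition blocks
    and single-element arrays. Semantics are unchanged."""
    out = {"Version": policy["Version"], "Statement": []}
    for st in policy["Statement"]:
        new = {"Effect": st["Effect"],
               "Action": _collapse(st["Action"]),
               "Resource": _collapse(st["Resource"])}
        cond = {op: {k: _collapse(v) for k, v in kv.items()}
                for op, kv in st.get("Condition", {}).items() if kv}
        if cond:
            new["Condition"] = cond
        out["Statement"].append(new)
    return out


def merge_statements(policy):
    """One reading of 'deduplicates or merges': statements with the same Effect,
    Resource and Condition are folded into one statement with the union of Actions."""
    merged = {}
    for st in policy["Statement"]:
        key = json.dumps([st["Effect"], st["Resource"], st.get("Condition", {})], sort_keys=True)
        actions = merged.setdefault(key, (st, []))[1]
        for action in _as_list(st["Action"]):
            if action not in actions:
                actions.append(action)
    out = {"Version": policy["Version"], "Statement": []}
    for st, actions in merged.values():
        new = dict(st)
        new["Action"] = _collapse(actions)
        out["Statement"].append(new)
    return out


if __name__ == "__main__":
    assert validate(SAMPLE_POLICY) == []
    print(json.dumps(merge_statements(basic_optimize(SAMPLE_POLICY)), indent=2))
```

Run the optimizer only after `validate` returns no problems; merging statements that are already malformed hides the error rather than fixing it. Merging by Action is safe here because every statement is a Deny with identical Resource and Condition; statements with different conditions must stay separate, which is why the key includes the Condition block.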

What to do next

After a custom access control policy is created, you must attach it to folders or members for it to take effect. For more information, see Attach a custom access control policy.