When system policies don't provide the granular control you need, create a custom policy to enforce the principle of least privilege. Custom policies let you define exactly which Security Center actions a RAM user, RAM user group, or RAM role can perform.
What is a custom policy?
Resource Access Management (RAM) policies come in two types: system policies (managed by Alibaba Cloud) and custom policies (managed by you). Custom policies give you full control over permission scope.
Key rules for custom policies:
Attach before they take effect. After creating a custom policy, attach it to a RAM user, RAM user group, or RAM role. The policy has no effect until it is attached to a principal.
Detach before deleting. To delete a policy that is attached to a principal, detach it first.
Version management is built in. Custom policies support version management through RAM, so you can update a policy and roll back if needed.
Common scenarios and sample policies
For scenario-based examples, see Best practices to manage permissions of RAM users.
Authorization information
To use a custom policy, you must understand your business's permission management requirements and the authorization information for Security Center. For more information, see RAM authorization.
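One way to check a custom policy against those requirements before attaching it is to flag every Allow grant that is broader than an approved action list. This is an added example, not Alibaba Cloud code; the `yundun-sas:` prefix, the action names, the approved list, and the function names are assumptions to confirm against RAM authorization.

```python
import json

# Constructed sample policy. The "yundun-sas:" prefix and the action names are
# assumptions for illustration; confirm them against "RAM authorization".
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["yundun-sas:DescribeVulList"], "Resource": "*"},
    {"Effect": "Allow", "Action": "yundun-sas:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "yundun-sas:Modify*", "Resource": "*"}
  ]
}
"""

def as_list(value):
    """Action and Statement may be a single item or a list; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy_text, approved_actions):
    """Return (statement_index, action, reason) for every over-broad Allow grant."""
    findings = []
    policy = json.loads(policy_text)
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are skipped
        for action in as_list(stmt.get("Action")):
            if action in ("*", "*:*"):
                reason = "grants every action in every service"
            elif "*" in action:
                reason = "wildcard grants more than the listed need"
            elif action not in approved_actions:
                reason = "action is not on the approved list"
            else:
                continue
            findings.append((index, action, reason))
    return findings

if __name__ == "__main__":
    # Hypothetical approved list for a read-only vulnerability reviewer.
    for finding in audit_policy(SAMPLE_POLICY, {"yundun-sas:DescribeVulList"}):
        print(finding)
```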