This topic describes how to manage the two types of policies: system policies and custom policies. System policies can only be viewed and cannot be modified. You can create custom policies to grant exactly the permissions that your business requires.

Prerequisites of creating a custom policy

To create a custom policy, you must understand the basic structure and syntax of the policy language. For more information, see Policy structure and grammar.

Create a custom policy

  1. Log on to the RAM console.
  2. Choose Policies > Custom Policy > Create Authorization Policy.
  3. Select a policy template, for example, AliyunOSSReadOnlyAccess.
    Note Edit the policy based on the template. You can modify the policy name, description, and content. In the policy script you can restrict permissions to specific actions, resources, and request conditions rather than granting whole services.


    The following example policy script allows only OSS read (oss:Get*) and list (oss:List*) operations, only on objects under the bob/ prefix of samplebucket, and only when the request originates from the 10.0.0.0/8 range. Requests for other actions, other resources, or from other source IP addresses are not matched by this policy and are therefore not allowed by it:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:Get*",
                    "oss:List*"
                ],
                "Effect": "Allow",
                "Resource": "acs:oss:*:*:samplebucket/bob/*",
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": "10.0.0.0/8"
                    }
                }
            }
        ]
    }
  4. Click Create Authorization Policy.
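Before a policy script like the one above is created and attached, it is worth checking it offline: that it parses, that it does not quietly grant a whole service, and that it actually decides sample requests the way you intend. The following Python module is an added example, not code from the RAM console or the Alibaba Cloud SDK. The function names (load_policy, lint, evaluate) are hypothetical, the policy documents are constructed copies, and the evaluation semantics it models are assumptions: an explicit Deny overrides any Allow, anything not allowed is denied, "*" and "?" are the only wildcards in Action and Resource, and only the IpAddress and NotIpAddress condition operators on acs:SourceIp are evaluated (any other operator raises rather than being silently ignored).

```python
"""Offline sanity checks for a RAM custom policy document (added example)."""
import ipaddress
import json
import re

# Constructed copy of the policy script shown in this topic.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": ["oss:Get*", "oss:List*"],
        "Effect": "Allow",
        "Resource": "acs:oss:*:*:samplebucket/bob/*",
        "Condition": {"IpAddress": {"acs:SourceIp": "10.0.0.0/8"}},
    }],
})

# Constructed over-broad policy, used to show what the linter flags.
WEAK_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}],
})

# Constructed policy showing that an explicit Deny wins over a broad Allow.
DENY_OVERRIDE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "oss:*", "Effect": "Allow", "Resource": "acs:oss:*:*:samplebucket/*"},
        {"Action": "oss:DeleteObject", "Effect": "Deny", "Resource": "acs:oss:*:*:samplebucket/*"},
    ],
}


def as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def load_policy(text):
    """Parse a policy document and reject anything structurally invalid."""
    doc = json.loads(text)
    if doc.get("Version") != "1":
        raise ValueError('Version must be "1"')
    for i, st in enumerate(doc.get("Statement", [])):
        missing = [k for k in ("Action", "Effect", "Resource") if k not in st]
        if missing:
            raise ValueError(f"statement {i} lacks {missing}")
        if st["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"statement {i}: bad Effect {st['Effect']!r}")
    return doc


def lint(doc):
    """Return findings for Allow statements that are broader than they look."""
    findings = []
    for i, st in enumerate(doc["Statement"]):
        if st["Effect"] != "Allow":
            continue
        cond = st.get("Condition", {})
        for cidr in as_list(cond.get("IpAddress", {}).get("acs:SourceIp", [])):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"statement {i}: invalid CIDR {cidr!r}")
                continue
            if net.prefixlen == 0:
                findings.append(f"statement {i}: {cidr} does not restrict the source IP")
        if any(a == "*" or a.endswith(":*") for a in as_list(st["Action"])):
            findings.append(f"statement {i}: Action is a service-wide or global wildcard")
        if any(r == "*" or r.endswith(":*") for r in as_list(st["Resource"])):
            findings.append(f"statement {i}: Resource is a service-wide or global wildcard")
    return findings


def _wild(pattern, value):
    """Match a RAM pattern where '*' is any run of characters and '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(cond, source_ip):
    """All condition operators must hold; only the two source-IP operators are modelled."""
    ip = ipaddress.ip_address(source_ip)
    for op, kv in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {op} is not modelled here")
        nets = [ipaddress.ip_network(c, strict=False) for c in as_list(kv.get("acs:SourceIp", []))]
        inside = any(ip in n for n in nets)
        if (op == "IpAddress") != inside:
            return False
    return True


def evaluate(doc, action, resource, source_ip):
    """Decide one request: explicit Deny wins, then any matching Allow, else implicit Deny."""
    allowed = False
    for st in doc["Statement"]:
        if not any(_wild(a, action) for a in as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), source_ip):
            continue
        if st["Effect"] == "Deny":
            return "Deny (explicit)"
        allowed = True
    return "Allow" if allowed else "Deny (implicit)"


if __name__ == "__main__":
    doc = load_policy(SAMPLE_POLICY)
    obj = "acs:oss:cn-hangzhou:1234567890:samplebucket/bob/report.pdf"
    print("sample policy findings:", lint(doc))
    print("GetObject from 10.1.2.3:", evaluate(doc, "oss:GetObject", obj, "10.1.2.3"))
    print("GetObject from 203.0.113.5:", evaluate(doc, "oss:GetObject", obj, "203.0.113.5"))
    print("PutObject from 10.1.2.3:", evaluate(doc, "oss:PutObject", obj, "10.1.2.3"))
    print("weak policy findings:", lint(load_policy(WEAK_POLICY)))
```

The evaluator deliberately refuses to decide a request whose Condition uses an operator it does not model; a linter that silently treated unknown conditions as satisfied would report Allow for requests the real service would reject, and the reverse mistake is worse. Run it against each candidate script with a handful of requests you expect to be allowed and a handful you expect to be denied before you click Create Authorization Policy.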

Modify a custom policy

Background information

If the permissions of a RAM user change (permissions are added or removed), you must modify the policy attached to the user accordingly. When you modify a policy, you may also have the following requirements:

  • You want to revert to the original policy after a period of time.
  • After modifying a policy, you find mistakes in the new content and need to restore a previous version.

To meet these requirements, RAM provides policy version management.

  • A policy can retain multiple versions. If the maximum number of versions is reached, you must manually delete the versions that you no longer need before you can add another.
  • For a policy with multiple versions, only one version is in effect at a time: the default version. Setting a different version as the default immediately changes the permissions of every RAM user, user group, and role to which the policy is attached.

Procedure

  1. Log on to the RAM console, and choose Policies > Custom Policy.
  2. In the Authorization Policy Name column, click the target policy name.
    Note You can enter a keyword to search for a specific policy.
  3. In the left-side navigation pane, click Versions. Then, you can perform the following operations:
    • Click View to view all earlier versions of the policy.
    • Click Set to Current to set the target version to become the default version.
    • Click Delete to delete the target version.
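Because Set to Current changes the permissions of every principal the policy is attached to at once, review what a version actually adds or removes before you make it the default. The following Python module is an added example, not part of this topic or of any Alibaba Cloud tool; diff_versions() and widening_changes() are hypothetical names, and the two version documents are constructed (version 1 is the policy script from this topic, version 2 widens it by adding oss:Put* and dropping the source-IP condition). Statements are normalised so that reordering actions or resources, or writing a single value as a string instead of a list, is not reported as a change.

```python
"""Compare two versions of a RAM custom policy before setting one as default (added example)."""
import json

# Constructed: version 1 is the policy script shown in this topic.
V1 = {
    "Version": "1",
    "Statement": [{
        "Action": ["oss:Get*", "oss:List*"],
        "Effect": "Allow",
        "Resource": "acs:oss:*:*:samplebucket/bob/*",
        "Condition": {"IpAddress": {"acs:SourceIp": "10.0.0.0/8"}},
    }],
}

# Constructed: version 2 adds write access and drops the source-IP restriction.
V2 = {
    "Version": "1",
    "Statement": [{
        "Action": ["oss:Get*", "oss:List*", "oss:Put*"],
        "Effect": "Allow",
        "Resource": "acs:oss:*:*:samplebucket/bob/*",
    }],
}

# Constructed: the same permissions as V1, written differently.
V1_REORDERED = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Resource": ["acs:oss:*:*:samplebucket/bob/*"],
        "Action": ["oss:List*", "oss:Get*"],
        "Condition": {"IpAddress": {"acs:SourceIp": "10.0.0.0/8"}},
    }],
}


def _normalise(statement):
    """Canonical JSON form of one statement: lists sorted, scalars wrapped in lists."""
    out = {}
    for key, value in statement.items():
        if key in ("Action", "Resource"):
            value = sorted([value] if isinstance(value, str) else value)
        out[key] = value
    return json.dumps(out, sort_keys=True)


def diff_versions(old_doc, new_doc):
    """Statements that stop applying and statements that start applying."""
    old = {_normalise(s) for s in old_doc["Statement"]}
    new = {_normalise(s) for s in new_doc["Statement"]}
    return {"removed": sorted(old - new), "added": sorted(new - old)}


def widening_changes(diff):
    """Changes that can only grant more: new unconditional Allows and dropped Denies."""
    risky = []
    for text in diff["added"]:
        st = json.loads(text)
        if st["Effect"] == "Allow" and "Condition" not in st:
            risky.append("added unconditional Allow: " + text)
    for text in diff["removed"]:
        st = json.loads(text)
        if st["Effect"] == "Deny":
            risky.append("removed Deny: " + text)
    return risky


if __name__ == "__main__":
    d = diff_versions(V1, V2)
    print("removed:", d["removed"])
    print("added:", d["added"])
    print("widening:", widening_changes(d))
    print("cosmetic rewrite:", diff_versions(V1, V1_REORDERED))
```

A non-empty result from widening_changes() is the cue to look at the new version in the console before clicking Set to Current; an empty diff for a cosmetic rewrite shows that the comparison is on meaning, not on text layout.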

Delete a custom policy

You can create multiple policies and maintain multiple versions for each policy. If custom policies are no longer needed, we recommend that you delete them so that unused permissions do not accumulate.

Prerequisites

Before deleting a policy, you must ensure that:
  • The policy has only one version, which is the default version. If multiple versions exist, you must delete all versions except the default one.
  • The policy is not referenced, that is, it is not attached to any RAM user, RAM user group, or RAM role. If the policy is currently referenced, click the policy name, click References, and then click Revoke Authorization for each reference.

Procedure

  1. Log on to the RAM console, and choose Policies > Custom Policy.
  2. In the Authorization Policy Name column, select the target policy and click Delete.
    Note You can enter a keyword to search for a specific policy.
  3. In the dialog box that appears, click OK.
    Note If the policy is still referenced, select Unlink Dependent Objects. The policy is then detached from every RAM user, user group, and role that references it before it is deleted, and those principals lose the permissions it granted.