Custom policies of ApsaraDB for ClickHouse

更新时间:
复制 MD 格式

When the built-in system policies for ApsaraDB for ClickHouse don't cover your access control requirements, create custom policies to enforce least privilege and enable fine-grained permission management.

Custom policies

Resource Access Management (RAM) policies fall into two categories: system policies and custom policies. Custom policies give you full control over the permissions you define and can be adjusted as your business requirements evolve.

Before you start, note the following behaviors:

  • Attach before use. A custom policy has no effect until you attach it to a RAM user, RAM user group, or RAM role. Attaching the policy grants the specified permissions to that principal.

  • Detach before deletion. You can delete a custom policy that is not attached to a principal. To delete a policy that is attached to a principal, first detach it from all principals, then delete it.

  • Version control. Custom policies support versioning through RAM's version management mechanism, so you can track and manage changes to a policy document.

RAM authorization

Before creating a custom policy, review the authorization information for ApsaraDB for ClickHouse in RAM authorization.

Scenarios and sample policies

For policy examples organized by access scenario, see Grant permissions.

What's next

Use the following resources to create, manage, and reference custom policies: