If system policies do not meet your requirements, you can create custom policies to achieve least privilege. Custom policies provide fine-grained permission control and are an effective way to improve resource access security. This topic describes scenarios and provides policy examples for using custom policies with Real-Time Communication.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Common custom policy scenarios and examples
Example 1: Grant a Resource Access Management (RAM) user permission to modify an application, such as the application with the ID
a123xokj7.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "rtc:ModifyApp",
"Resource": "acs:rtc:*:*:app/a123xokj7"
}
]
}Example 2: Grant a RAM user permission to delete an application, such as the application with the ID
a123xokj7.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "rtc:DeleteApp",
"Resource": "acs:rtc:*:*:app/a123xokj7"
}
]
}Example 3: Grant a RAM user permission to create a stream ingest template for an application, such as the application with the ID
a123xokj7.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "rtc:CreateAppStreamingOutTemplate",
"Resource": "acs:rtc:*:*:app/a123xokj7"
}
]
}