Custom policies for OceanBase
If system policies cannot meet your requirements, you can create custom policies to achieve the principle of least privilege. Custom policies help implement fine-grained permission management and serve as an effective method to improve resource access security. This topic describes scenarios and examples of using custom policies in ApsaraDB for OceanBase.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Examples
Grant permissions on a specific ApsaraDB for OceanBase instance to a RAM user
Specify target resources for authorization. Create a permission policy and enable the policy to apply only to the target resources.
ApsaraDB for OceanBase provides dedicated security management policies to ensure data security and resource security. For more information, see Policy management.
Create a permission policy.
Log in to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
Click Create Policy.
Select an editing mode.
Click OK.
Specify Policy Name and Description, confirm the policy content, and click OK.
Apply a custom policy to a specified RAM user.
In the left-side navigation pane, choose Identities > Users.
Find the target user and click Add Permissions in the Actions column on the right.
Select Account for Resource Scope. In the Policy section, click Custom Policy. Search for the policy you just created and select it.
Click Complete.
Log in to the ApsaraDB for OceanBase console as the RAM user and view instances.
Select a region in the upper part.
Click the authorized instance. You can normally view and access the instance.
Authorization information
To use custom policies, you must understand the permission management requirements of the business and familiarize yourself with the authorization information of ApsaraDB for OceanBase. For more information, see RAM authorization.