You can create a custom policy to implement fine-grained permission management.

Creation methods

- Visual editor: RAM provides a WYSIWYG visual editor. You can generate a custom policy by selecting an effect, service, action, resource, and condition. A built-in intelligent validation feature helps ensure that your policy is valid and effective. This method is straightforward.
- Script editor: RAM provides a JSON script editor. You must write the custom policy according to the policy syntax and structure. This method offers greater flexibility and is a good choice if you are familiar with policy syntax.
- Import a policy:
  - Import a policy template: RAM provides policy templates for common scenarios, such as for system administrators, finance staff, and network administrators. You can import a suitable policy template and make minor modifications to quickly create a custom policy.
  - Import a system policy: You can import a system policy and modify it to fit your business needs. This is a convenient and fast way to create a custom policy from a standardized template.
Using the visual editor

1. Log on to the RAM console as a RAM administrator.
2. In the left-side navigation pane, choose .
3. On the Policies page, click Create Policy.
4. On the Create Policy page, click the Visual Editor tab.
   The visual editor displays a statement form that includes the following fields: Effect (required; Allow or Deny, default Allow), Service (required), Action (required), Resource (required), and Condition (optional). You must select a service before you can configure Action, Resource, and Condition. At the bottom of the page, you can click Add Statement to add more statements.
5. Configure the policy.
   To learn more about the basic elements of a policy, see Basic elements of a policy.
   - In the Effect section, select Allow or Deny.
   - In the Service section, select a service.
     Note: Only the services that support the visual editor are displayed.
   - In the Action section, select All action(s) or Select action(s).
     The system automatically lists the available actions based on the service that you selected in the previous step. If you select Select action(s), you must then select the specific actions.
   - In the Resources section, select All Resources or Specified resource(s).
     The system automatically lists the available resource types based on the actions that you selected. If you select Specified resource(s), you must click Add Resource to specify the ARNs. You can use the Match All feature to quickly select all resources for a configuration item.
     Note: The UI marks the ARNs for associated actions as Required. Specify these ARNs to ensure that the policy works correctly.
   - In the Condition section, click Add Condition to configure conditions.
     Conditions include Alibaba Cloud common conditions and service-specific conditions. The system automatically lists the available conditions based on the service and actions that you configured. Select a condition key and configure its value.
   - Click Add Statement and repeat the preceding steps to configure multiple statements.
6. At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.
   The advanced policy optimization feature performs the following tasks:
   - Splits resources or conditions for incompatible actions.
   - Narrows the scope of resources.
   - Removes duplicate statements or merges statements.
7. On the Create Policy page, click OK.
8. In the Create Policy dialog box, enter a policy name and Description, and then click OK.
Using the script editor

1. Log on to the RAM console as a RAM administrator.
2. In the left-side navigation pane, choose .
3. On the Policies page, click Create Policy.
4. On the Create Policy page, click the JSON Editor tab.
   The page displays a JSON editor. The default policy template includes a Version element (set to "1") and a Statement array. Each statement includes Effect (defaults to "Allow"), Action, Resource, and Condition elements. You must populate the Action and Resource elements.
5. Enter the policy content.
   To learn more about the policy syntax and structure, see Policy syntax and structure.
6. At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.
   The advanced policy optimization feature performs the following tasks:
   - Splits resources or conditions for incompatible actions.
   - Narrows the scope of resources.
   - Removes duplicate statements or merges statements.
7. On the Create Policy page, click OK.
8. In the Create Policy dialog box, enter a policy name and Description, and then click OK.
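The policy structure the JSON editor expects (a Version of "1", a Statement array, Effect defaulting to Allow, Action and Resource required, Condition optional) can be checked before pasting a document into the editor. The following validator is an added example, not Alibaba Cloud code; the action name, ARN and condition key in the sample policy are assumed values, not taken from this page.

```python
import json

VALID_EFFECTS = {"Allow", "Deny"}

def _is_star(value) -> bool:
    """True if the Action/Resource element (string or list) contains a bare wildcard."""
    values = value if isinstance(value, list) else [value]
    return any(v == "*" for v in values)

def validate_policy(doc: str) -> list[str]:
    """Return the problems found in a policy document; an empty list means it is acceptable."""
    problems = []
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty array"]
    for i, stmt in enumerate(statements):
        effect = stmt.get("Effect", "Allow")  # the editor's default when Effect is omitted
        if effect not in VALID_EFFECTS:
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):  # the two elements that must be populated
            if not stmt.get(key):
                problems.append(f"statement {i}: {key} is required")
        if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
            problems.append(f"statement {i}: Condition must be an object")
        # Least-privilege check: Allow on every action of every resource grants everything
        if effect == "Allow" and _is_star(stmt.get("Action")) and _is_star(stmt.get("Resource")):
            problems.append(f"statement {i}: Allow on Action * and Resource * is over-broad")
    return problems

# Constructed sample policy (action, ARN and condition key names are assumed, not from the page):
# read-only ECS instance access, allowed only from an internal address range.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:Describe*"],
        "Resource": "acs:ecs:*:*:instance/*",
        "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
    }],
})

if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY))  # []
```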
By importing a policy

1. Log on to the RAM console as a RAM administrator.
2. In the left-side navigation pane, choose .
3. On the Policies page, click Create Policy.
4. On the Create Policy page, click Import Policy.
5. In the upper-right corner of the Import Policy dialog box, select Policy Template or System Policy from the drop-down list.
6. Select a policy template or a system policy.
   For some policy templates, you must configure parameters based on your business requirements.
7. Select an overwrite rule for the imported policy.
   By default, the imported policy content fully overwrites the existing content. You can also select Do not overwrite, append new statements to the end.
8. Click Import.
9. In the visual editor or script editor, view and modify the imported policy content.
10. At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.
    The advanced policy optimization feature performs the following tasks:
    - Splits resources or conditions for incompatible actions.
    - Narrows the scope of resources.
    - Removes duplicate statements or merges statements.
11. On the Create Policy page, click OK.
12. In the Create Policy dialog box, enter a policy name and Description, and then click OK.