Custom policy references for ApsaraDB RDS

When the built-in system policies of Resource Access Management (RAM) don't cover your access control requirements, create custom policies to apply the principle of least privilege. Custom policies give you fine-grained control over who can perform which actions on which RDS resources.

Tip: Start with RAM system policies for broad access patterns. Switch to custom policies only when system policies are too permissive or don't match your specific resource or condition requirements.

When to use custom policies

RAM provides two types of policies:

  • System policies — predefined policies managed by Alibaba Cloud. Use these for broad access patterns (for example, read-only access to all RDS instances).

  • Custom policies — policies you create, maintain, and version. Use these when system policies are too permissive or don't cover your specific resource combinations or conditions.
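As an added illustration (not part of the original page or of Alibaba Cloud's own tooling), the following script audits a RAM policy document for the "too permissive" patterns described above and contrasts a broad RDS grant with one scoped to a single instance. Both policies are constructed samples; the region, `<account-id>` and `<instance-id>` are placeholders, and `audit_policy` is a hypothetical helper name.

```python
import json

# Constructed sample: grants every RDS action on every resource.
BROAD_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
""")

# Constructed sample: two read-only actions on one instance (placeholder IDs).
SCOPED_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["rds:DescribeDBInstanceAttribute",
              "rds:DescribeDBInstancePerformance"],
   "Resource": "acs:rds:cn-hangzhou:<account-id>:dbinstance/<instance-id>"
 }]}
""")


def as_list(value):
    """RAM allows Action/Resource/Statement as a single value or a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them here
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")
            if action == "*" or (service == "rds" and name == "*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith("dbinstance/*"):
                findings.append((i, f"wildcard resource {resource!r}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, audit_policy(doc) or "no over-broad grants found")
```
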

How custom policies work

After you create a custom policy, attach it to a RAM user, a user group, or a RAM role. The permissions take effect immediately for that principal.

To delete a custom policy that is attached to a principal, detach it from the principal first, then delete it.

Custom policies support version control. Manage the versions of a custom policy through the version management mechanism provided by RAM.

For the full set of RAM actions and resources supported by ApsaraDB RDS, see RAM authorization.

Policy management

Use the following RAM guides to create and maintain custom policies:

Examples

The following examples show how to build custom policies for common RDS access control scenarios: