Create a custom control policy


You can create a custom control policy to restrict specific actions on certain resources and define permission boundaries for folders and members in your Resource Directory.

Creation methods

  • Use the visual editor

    The visual editor provides a WYSIWYG interface where you select an effect, cloud service, actions, resources, and conditions to generate a policy. Built-in validation checks the policy syntax and effectiveness.

  • Use the script editor

    The script (JSON) editor lets you write a control policy directly in JSON, using the control policy language and structure. This method offers more flexibility for users familiar with policy syntax.

Use the visual editor

  1. Log on to the Resource Management console with a management account.

  2. In the left-side navigation pane, choose Resource Directory > Control Policy.

  3. Click Create Policy.

  4. On the Create Policy page, click the Visual editor tab.

  5. Configure the control policy.

    1. In the Effect section, select Allow or Reject.

    2. In the Service section, select a cloud service.

      Note

      The console displays cloud services that support the visual editor.

    3. In the Actions section, select All Actions or Select action(s).

      The console lists available actions for the selected cloud service. If you select Select action(s), specify the actions you need.

    4. In the Resources section, select All Resources or Specified resource(s).

      The console lists available resource types for the selected actions. If you select Specified resource(s), click Add Resource to specify resource ARNs. Use Match all to select all resources for a configuration item.

      Note

      Resources essential for an action are marked Required. We strongly recommend that you specify the ARNs for these resources.

    5. Optional: In the Condition section, click Add Condition to configure a condition.

      Conditions include general Alibaba Cloud conditions and service-specific conditions. The console lists available conditions based on your selected cloud service and actions. Select a condition key and specify its value.

    6. Click Add statement to repeat the previous steps and add more statements to the policy.

  6. Optional: At the top of the page, click Optimize, and then click Perform to optimize the policy.

    This optimization:

    • Splits incompatible resources or conditions from actions.

    • Narrows the scope of resources.

    • Removes duplicate statements or merges statements.

  7. At the bottom of the page, click OK. Enter a Name and Description for the control policy, and then click OK.

Use the script editor

  1. Log on to the Resource Management console with a management account.

  2. In the left-side navigation pane, choose Resource Directory > Control Policy.

  3. Click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the control policy content.

    Use the syntax described in Control policy language.

  6. Optional: At the top of the page, click Optimize, and then click Perform to optimize the policy.

    This optimization:

    • Splits incompatible resources or conditions from actions.

    • Narrows the scope of resources.

    • Removes duplicate statements or merges statements.

  7. At the bottom of the page, click OK. Enter a Name and Description for the control policy, and then click OK.
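
A local pre-check you can run on a policy before pasting it into the JSON tab, added here as an example and not taken from Alibaba Cloud's documentation or console. It assumes the standard policy elements (Version "1", Statement, Effect of Allow or Deny, Action, Resource, Condition); the sample policy, its action names and the acs:PrincipalARN condition key are constructed for illustration, and the checks do not replace the console's built-in validation or the Optimize step.

```python
import json

# Constructed sample policy for illustration (not from the page). The action
# names and the acs:PrincipalARN condition key are assumptions of this example.
SAMPLE_POLICY = """{"Version": "1", "Statement": [
  {"Effect": "Deny", "Action": ["ram:UpdateRole", "ram:DeleteRole"], "Resource": "*",
   "Condition": {"StringNotLike": {"acs:PrincipalARN":
       "acs:ram:*:*:role/ResourceDirectoryAccountAccessRole"}}},
  {"Effect": "Deny", "Action": "*", "Resource": "*"},
  {"Effect": "Deny", "Action": "*", "Resource": "*"}
]}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_control_policy(text):
    """Return human-readable findings for a control policy JSON document."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version should be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    seen = set()
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            findings.append(f"statement {i}: must be a JSON object")
            continue
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        findings += [f"statement {i}: missing {k}" for k in ("Action", "Resource") if not st.get(k)]
        acts, res = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        # A Deny on everything with no Condition blocks every request in scope.
        if st.get("Effect") == "Deny" and "*" in acts and "*" in res and not st.get("Condition"):
            findings.append(f"statement {i}: unconditional Deny on all actions and resources")
        fingerprint = json.dumps(st, sort_keys=True)  # stable form for exact-duplicate detection
        if fingerprint in seen:
            findings.append(f"statement {i}: duplicate of an earlier statement")
        seen.add(fingerprint)
    return findings

if __name__ == "__main__":
    print("\n".join(lint_control_policy(SAMPLE_POLICY)) or "no findings")
```

The first statement in the sample passes cleanly; the second and third are flagged as unconditional deny-all statements, and the third also as a duplicate.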

What to do next

A custom control policy takes effect only after you attach it to a folder or member. For more information, see Attach a custom control policy.
