Creating Custom Policies
If the default policies cannot meet the requirements on fine-grained access control, you can create custom policies and assign the policies to the user group.
- Choose .
- In the navigation pane, choose Policies.
- On the Policies page, click Create Custom Policy.
- Enter Policy Name.
- Set Scope.
- Project-level service: This policy takes effect only for projects. When granting permissions to a user group, you can select this policy for projects. The policy is not displayed for Global.
- Global-level service: This policy takes effect for Global. When granting permissions to a user group, you can select this policy for Global. The policy is not displayed for projects.
Global and projects are regions. Cloud services are deployed in different regions. For example, IAM is deployed in the global zone while EVS is deployed in other regions. Global is a regional concept. A global-level policy takes effect only in the global zone.
Example: Create a fine-grained policy ("evs:volumes:create") for Elastic Volume Service (EVS). EVS is a project-level service, so its Scope must be set to Project-level service. If the policy is required to take effect for multiple projects, it must be granted for each project separately. The policy takes effect only after a user logs in to the system and switches to the authorized region for cloud resource management.
- (Optional) Enter Description.
- In the Policy Information area, click Select Template. For example, select VPC Admin as the template.
- Click OK.
- Modify Effect and Action values in the Statement field in the template. For details, see section Policy Language.
- The Version value of a custom policy must be 1.1.
- A custom policy can contain multiple statements.
- Effect: The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, Deny is evaluated first and takes precedence.
- Action: Fill the Action field with permissions listed in the API permissions table of the specific service, for example, vpc:vpcs:create. IAM then enforces fine-grained authorization when the corresponding APIs in the table are called.
- Click OK.
If a message is displayed indicating that the syntax is incorrect, modify policy information according to the policy syntax.
The custom policy is created successfully. You can select a custom policy from the user group to implement fine-grained authorization.
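The following is an added example, not part of this documentation or the IAM service itself: a small checker that applies the rules above (Version must be 1.1, Effect must be Allow or Deny, actions in service:resource:operation form, Deny evaluated before Allow) to a policy document before it is uploaded. The sample policy is constructed for illustration, and the rule that an action matched by no statement is not granted is an assumption.

```python
import json

ACTION_PARTS = 3  # service:resource:operation, e.g. evs:volumes:create


def validate_policy(policy: dict) -> list:
    """Return a list of syntax problems; an empty list means the policy is well-formed."""
    problems = []
    if policy.get("Version") != "1.1":
        problems.append("Version must be 1.1")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = st.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"statement {i}: Action must be a non-empty list")
            continue
        for a in actions:
            if not isinstance(a, str) or len(a.split(":")) != ACTION_PARTS:
                problems.append(f"statement {i}: malformed action {a!r}")
    return problems


def evaluate(policy: dict, action: str) -> str:
    """Deny is checked first and wins over Allow for the same action."""
    effects = {st["Effect"] for st in policy["Statement"] if action in st.get("Action", [])}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"  # assumption: an action matched by no statement is not granted


# Constructed sample: Allow creating and deleting EVS volumes, but a second
# statement explicitly denies deletion, so only creation is granted.
SAMPLE_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["evs:volumes:create", "evs:volumes:delete"]},
    {"Effect": "Deny",  "Action": ["evs:volumes:delete"]}
  ]
}""")

# Constructed sample with three syntax errors: wrong Version, bad Effect, malformed action.
BAD_POLICY = {"Version": "1.0", "Statement": [{"Effect": "Permit", "Action": ["evs:volumes"]}]}

if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY))              # []
    print(evaluate(SAMPLE_POLICY, "evs:volumes:create"))  # Allow
    print(evaluate(SAMPLE_POLICY, "evs:volumes:delete"))  # Deny
    print(validate_policy(BAD_POLICY))
```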
- Modifying custom policies
You can modify custom policies if user permissions have changed.
On the Policies page, click Modify in the Operation column of the target policy, and modify the name, description, and policy information.
- Deleting custom policies
You can delete custom policies if they are no longer needed.
On the Policies page, click Delete in the Operation column of the target policy to delete it.
- Attaching a custom policy to a user group (The users in the group have all the permissions defined by the policy.)
- Click Modify in the Operation column of the row that contains the target user group.
- In the User Group Permissions area, click Modify in the Operation column of the row that contains the target project.
- In the Available Policies area on the Modify Policy page, select a newly created custom policy.