Identity and Access Management (Class II Node)

Creating a Custom Policy

2025-11-03 08:54:51

When system policies cannot meet authorization requirements, administrators can create custom policies and grant them to user groups for fine-grained access control. Custom policies serve as extensions and supplements to system policies.

Currently, IAM supports the following two methods for creating custom policies:

• Visual Editor: Create custom policies through the visualization view without needing to understand JSON syntax. Use the view's toolbar to select policy components such as cloud services, actions, resources, and conditions, and the policy is generated automatically.

• JSON View: In the JSON view, create a custom policy by selecting a policy template and editing its content to match your requirements, or write the policy content in JSON format directly in the editing box.

Configuring Custom Policies via the Visual Editor

Step 1: Log in to the IAM console.

Step 2: Under IAM, navigate to the left-side panel, select the IAM > Policy Management tab, and click Create Custom Policy in the upper-right corner.

Step 3: Enter a policy name.

Step 4: Under Set policy content, select Visual View.

Step 5: Set the policy in the Policy content section.

1. Select Allow or Deny.

2. Select a cloud service.

Description:

• Only one cloud service can be selected here. To configure a custom policy for multiple cloud services, click Add Permission after completing this configuration to create authorization statements for the other services. Alternatively, use the JSON view to configure the custom policy.

• Currently, a single custom policy cannot include both global and project-level cloud services. To configure custom policies for both global and project-level services, create two separate custom policies. This makes it easier to set the minimum required authorization scope when assigning permissions.

3. Select Operation, then check the product permissions as needed.

4. (Optional) Select the resource type. If you choose Specific resources, click Specify through the resource path to specify the resources to be authorized.

Description:

Currently, the only cloud services that support authorization for specific resources are OBS and Distributed Message Service (DMS).

Table: Resource Types

| Type | Description |
| --- | --- |
| Specific Resource | Grant the IAM user the corresponding permissions on specific resources only. For example, to grant permissions on buckets whose names start with TestBucket, choose Specify through the resource path and add the resource path obs:::bucket:TestBucket*. |
| All Resources | Grant the IAM user the corresponding permissions on all resources. |

Description:

• Bucket resources. Format: obs:::bucket:BucketName. IAM automatically generates the resource path prefix "obs:::bucket:"; specify the exact bucket name after it, with the * wildcard supported. For example, obs:::bucket:* indicates any OBS bucket.

• Object resources. Format: obs:::object:bucket-name/object-name. IAM automatically generates the resource path prefix "obs:::object:"; specify bucket-name/object-name after it, with wildcards supported. For example, obs:::object:my-bucket/my-object/* indicates any object under the my-object directory of the my-bucket bucket.

5. (Optional) Add conditions: Click Add conditions, select a Condition key, choose an operator, and enter the corresponding value according to the operator type.

Table: Condition Parameters

| Name | Description |
| --- | --- |
| Condition Key | A key in the Condition element of a statement. There are global condition keys and service-specific condition keys. Global condition keys (prefixed with g:) are available for the operations of all services, whereas service-specific condition keys (prefixed with a service abbreviation, such as obs:) are available only for the corresponding service. For details, see the user guide of the respective cloud service. |
| Operator | Used together with a condition key and a condition value to form a complete condition statement. |
| Value | Used together with a condition key and an operator that requires a keyword to form a complete condition statement. |

Table: Global Request Conditions

| Global Condition Key | Type | Description |
| --- | --- | --- |
| g:CurrentTime | Time | The time at which the authorization request is received, in ISO 8601 format, for example 2012-11-11T23:59:59Z. |
| g:DomainName | String | Account name |
| g:MFAPresent | Bool | Whether the token was obtained through MFA authentication. |
| g:MFAAge | Numerical value | Validity period of the obtained token. This condition must be used together with g:MFAPresent. |
| g:ProjectName | String | Project name |
| g:ServiceName | String | Service name |
| g:UserId | String | IAM user ID |
| g:UserName | String | IAM user name |

Step 6: (Optional) Under Policy Configuration Method, select the JSON view to convert the policy content configured in the Visual View into JSON statements. You can modify the policy content in the JSON view.

Description:

If the modified JSON statement contains syntax errors, the policy cannot be created. You can manually review and correct the content or click Reset in the pop-up window to restore the JSON file to its unmodified state.


Step 7: (Optional) To add authorization statements for further cloud services to this policy, click Add Permission, or click the plus (+) icon on the far right of an existing statement to clone its permissions.

Step 8: Enter a policy description (optional).

Step 9: Click Confirm to complete the creation of the custom policy.

Step 10: Assign the newly created custom policy to a user group, granting the permissions defined in the policy to all users within the group.

Description:

The process of granting a custom policy to a user group is the same as assigning a system policy. For details, see "User Groups and Permissions".

Configuring a Custom Policy in JSON View

Step 1: Log in to the IAM console.

Step 2: Under IAM, select the IAM > Policy Management tab from the left navigation pane, then click Create Custom Policy in the upper-right corner.

Step 3: Enter a policy name.

Step 4: Under Set policy content, select JSON View.

Step 5: (Optional) In the Policy content section, click Copy from existing policy and select a template, for example EVS FullAccess.

Description:

Here, you can select policies for multiple services at once. However, these policies must have the same scope of effect, that is, they must all be for global services or all for project-level services. If you need custom policies for both global and project-level services, create two separate custom policies; this makes it easier to set the minimum authorization scope when assigning permissions.

Step 6: Click Confirm.

Step 7: Modify the policy statement in the template:

• Effect: Specify Allow or Deny.

• Action: Enter the API permission items (for example, "evs:volumes:create") from the Permissions list of each service to implement fine-grained authorization.

Description:

The version number (Version) of a custom policy is fixed as 1.1 and cannot be modified.

Step 8: (Optional) Enter a policy description.

Step 9: After clicking Confirm, the system will automatically validate the syntax. If the page redirects to the policy list, the custom policy has been successfully created. If a Policy Syntax Error prompt appears, please revise the content according to syntax specifications.

Step 10: Assign the newly created custom policy to a user group to grant the permissions defined in the policy to all users within that group.

Description:

Assigning custom policies to user groups follows the same procedure as assigning system policies. For details, refer to Creating User Groups and Assigning Permissions.
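As an added illustration that is not part of this page or the cloud provider's code, the following Python evaluator shows how a custom policy in the shape described above (Version fixed at 1.1, Allow/Deny statements, wildcarded OBS resource paths, a g:MFAPresent condition) is checked and applied to a request, with an explicit Deny overriding an Allow. The action names, the Bool operator name and the exact statement layout are assumptions for the illustration; the console's own syntax check is authoritative.

```python
import json
import re

# Constructed sample in the shape this page describes: Version fixed at 1.1, fine-grained
# Action items, an OBS resource path with a trailing wildcard and a global condition key.
# The action names and the "Bool" operator name are assumptions, not values from the page.
POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["obs:object:GetObject", "obs:object:PutObject"],
     "Resource": ["obs:::object:TestBucket*/*"],
     "Condition": {"Bool": {"g:MFAPresent": "true"}}},
    {"Effect": "Deny", "Action": ["obs:object:PutObject"],
     "Resource": ["obs:::object:TestBucket*/audit/*"]}
  ]
}""")

def match(pattern: str, value: str) -> bool:
    """Policy-style match in which '*' is the only wildcard (as on OBS resource paths)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def conditions_hold(condition: dict, ctx: dict) -> bool:
    """Evaluate the Condition element; only the assumed Bool operator is modelled."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported operator {operator!r}")
        if any(str(ctx.get(k, False)).lower() != v.lower() for k, v in pairs.items()):
            return False
    return True

def validate(policy: dict) -> None:
    """Reject what the console's syntax check rejects: Version 1.1, Effect Allow/Deny."""
    if policy.get("Version") != "1.1":
        raise ValueError("custom policy Version must be 1.1")
    if any(st.get("Effect") not in ("Allow", "Deny") for st in policy["Statement"]):
        raise ValueError("Effect must be Allow or Deny")

def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny': an explicit Deny wins, no matching statement means Deny."""
    validate(policy)
    decision = "Deny"
    for st in policy["Statement"]:
        if (any(match(a, action) for a in st["Action"])
                and any(match(r, resource) for r in st.get("Resource", ["*"]))
                and conditions_hold(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Without g:MFAPresent in the request context the Allow statement never applies, so the request falls through to the default Deny.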

