Creating Custom Policies

Last updated: 2020-05-25 11:39:51

    Introduction

    This document describes how to create a custom policy in different ways. A custom policy allows granular permission division and can flexibly meet your differentiated permission management needs.

    Prerequisites

    Log in to the CAM Console and enter the Policies page.

    Directions

    Creating by policy generator

    The policy generator creates the policy syntax automatically from the service and actions you select and the resources you define. This method is highly recommended for its simplicity and flexibility.

    1. On the policy management page, click Create Custom Policy in the top-left corner.
    2. In the selection window that pops up, click Create by Policy Generator.
    3. In the Service and Action selection page, enter the following information:
      • Service (required): select the product to be added.
      • Action (required): select the actions you want to authorize.
      • Resource (required): enter the six-piece description of the resource to be authorized. Tencent Cloud products with operation-level or service-level authorization granularity do not support six-piece resource descriptions. For such products, simply enter *. For more information on the resource description method for Tencent Cloud products with resource-level authorization granularity, please see the corresponding CAM Guide in CAM-Enabled Products. For more information on the authorization granularities of Tencent Cloud products, please see the Authorization Granularity section in CAM-Enabled Products.
      • Condition (optional): set the condition that must be met for the created authorization to take effect for the sub-account. For more information, please see Condition.
      • Multiple statements can be added in one policy.
    4. Click Add Statement > Next to enter the policy editing page.
    5. On the policy editing page, you can set the policy name, add a description, and confirm the policy content. The policy name and content are automatically generated by the console.
      • The policy name is policygen suffixed with the creation time by default, which is customizable.
      • The policy content corresponds to the service and actions selected in step 3. You can modify them as needed.
    6. Click Create Policy to finish creating the custom policy with the policy generator.

    Creating by policy syntax

    Creating a policy by policy syntax lets you set the permission granularity more flexibly, which helps when you need fine-grained division of permissions.

    1. On the policy management page, click Create Custom Policy in the top-left corner.
    2. In the selection window that pops up, click Create by Policy Syntax to go to the policy template page.
    3. You can search for templates on this page. For example, set the template type to "All Templates" and enter "a" as a keyword. The AdministratorAccess template will appear as one of the search results. Select this template.
    4. Click Next to enter the policy editing page.
    5. On the policy editing page, confirm the policy name and content and click Create Policy to finish creating the custom policy by policy syntax. The default policy name and content are automatically generated by the console. The policy name is policygen suffixed with the creation time by default.
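
A check to run on the policy content before confirming it in step 5, relevant when starting from a broad template such as AdministratorAccess. This is an added example, not part of the original page and not Tencent Cloud's code: it flags allow statements with full access, service-wide actions, unconditioned `*` resources, and resources that are not six-segment descriptions. The JSON field names and the `qcs::service:region:account:resource` layout are assumptions about CAM policy syntax, and the sample policy is constructed.

```python
import json

# Constructed sample policy (not from the original page); the uin is a placeholder.
SAMPLE_POLICY = """
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "action": "*", "resource": "*"},
    {"effect": "allow", "action": ["cos:GetObject"], "resource": "*"},
    {"effect": "allow", "action": ["cvm:*"],
     "resource": ["qcs::cvm:ap-guangzhou:uin/100000000001:instance/*"],
     "condition": {"ip_equal": {"qcs:ip": ["10.0.0.0/24"]}}},
    {"effect": "deny", "action": ["cam:*"], "resource": "*"}
  ]
}
"""


def _as_list(value):
    """Action and resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def review_policy(policy_text):
    """Return (statement index, finding) pairs for allow statements to re-check."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_text).get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # deny statements do not grant anything
        actions = _as_list(stmt.get("action"))
        resources = _as_list(stmt.get("resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "full access: action * on resource *"))
            continue
        wide = [a for a in actions if a.endswith(":*")]
        if wide:
            findings.append((i, "service-wide actions: " + ", ".join(wide)))
        if "*" in resources and not stmt.get("condition"):
            # Valid for products without resource-level granularity, but confirm.
            findings.append((i, "resource * with no condition"))
        for res in resources:
            if res != "*" and len(res.split(":", 5)) != 6:
                findings.append((i, "not a six-segment resource: " + res))
    return findings


if __name__ == "__main__":
    for index, finding in review_policy(SAMPLE_POLICY):
        print(f"statement {index}: {finding}")
```

A finding is a prompt to re-read the statement, not an error: `*` is the expected resource for products that only support operation-level or service-level authorization.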

    Authorizing by tag

    Authorization by tag enables you to quickly authorize resources under the same tag to a user or user group.

    1. On the policy management page, click Create Custom Policy in the top-left corner.
    2. In the selection window that pops up, click Authorize by Tag.
    3. On the authorization by tag page, select the following information and click Next to enter the check page.
      • Authorize User/User Group: check the user/user group to be authorized (choose one).
      • Tag Key: select the tag key to be authorized (required).
      • Tag Value: select the tag value to be authorized (required).
      • Resources: the management permission is granted by default.
    4. Confirm the policy name and content and click Complete to finish creating the custom policy by tag authorization. The default policy name and content are automatically generated by the console. The policy name is policygen suffixed with the creation time by default.
