Creating Custom Policy

Last updated: 2021-07-19 15:41:48

    Overview

    This document describes how to create a custom policy in different ways. A custom policy allows granular permission division and can flexibly meet your differentiated permission management needs.

    Directions

    Creating by policy generator

    With a policy created by the policy generator, you can create policy syntax automatically by selecting services and actions (operations) and defining resources. This method is highly recommended for its simplicity and flexibility.

    1. On the Policy page in the CAM console, click Create Custom Policy in the top-left corner.

    2. In the selection window that pops up, click Create by Policy Generator to enter the Edit Policy page.

    3. Select the service in the Visual Policy Generator, enter the following information, and edit an authorization statement. (You can also choose JSON to use the policy syntax method to edit the policy, and the authorization effect is the same as the Visual Policy Generator).

      • Effect (required): select Allow or Deny.
      • Service (required): select the service you want to authorize.
      • Action (required): select the operations you want to authorize.
      • Resource (required): select all resources or specific resources you want to authorize.
        Tencent Cloud products with operation-level or service-level authorization granularity do not support six-segment resource descriptions. For such products, simply select all resources.
        For Tencent Cloud products with resource-level authorization granularity, you can select specific resources. For more information on the resource description method, please see the corresponding CAM Guide in CAM-Enabled Products. For more information on the authorization granularities of Tencent Cloud products, please see the Authorization Granularity section in CAM-Enabled Products.
      • Condition (optional): set the conditions that must be met for the authorization to take effect. For more information, please see Condition.
      Note:

      • If you want to authorize multiple services, you can click Add Permission to add multiple authorization statements and configure authorization policies for other services.
      • Multiple statements can be added in one policy.
    4. After editing the policy authorization statement, click Next to enter the Associate with User/User Group page.

    5. On the Associate with User/User Group page, add the policy name and description, and you can associate users or user groups for quick authorization at the same time.

      Note:

      The policy name is automatically generated by the console and is policygen suffixed with the creation time by default, which is customizable.

    6. Click Done to complete the custom policy creation.

    Creating by policy syntax

    With a policy created by policy syntax, you can set the permission granularity in a more flexible manner, which helps meet high requirements for fine-grained division of permissions.

    1. On the policy management page, click Create Custom Policy in the top-left corner.
    2. In the selection window that pops up, click Create by Policy Syntax to enter the Select Policy Template page.
    3. On the Select Policy Template page, you can search for templates by keyword. For example, set the template type as "All Templates" and enter "a" as a keyword. The AdministratorAccess template will appear as one of the searched results. Select this template.
    4. Click Next to enter the Edit Policy page.
    5. On the Edit Policy page, confirm the policy name and content and click Create Policy to complete the creation of custom policy by policy syntax. The default policy name and content are automatically generated by the console. The policy name is policygen suffixed with the creation time by default.

    Authorizing by tag

    Authorization by tag means to quickly authorize resources under the same tag to a user or user group.

    1. On the policy management page, click Create Custom Policy in the top-left corner.
    2. In the creation method selection window that pops up, click Authorize by Tag to enter the Authorize by Tag page.
    3. On the Authorize by Tag page, select the following information and click Next to enter the check page.
      • Users: select one or more users to be authorized.
      • User Groups: select one or more user groups to be authorized.
      • Tags: select the tag key and tag value to be authorized (you can click Add to select multiple tag-key pairs, and you must select at least one pair).
      • The selected users and user groups will be authorized to perform corresponding operations of the services below if such services are associated with all selected tags: click Add Services and Operations to select services and operations and then click Confirm.
    4. Confirm the policy name and content and click Done to complete the custom policy creation. The default policy name and content are automatically generated by the console. The policy name is policygen suffixed with the creation time by default.