Creating a Custom Policy
Custom policies can be created and then attached to a user group as a supplement to system-defined policies to implement more refined access control.
Prerequisite: The fine-grained access control function has been enabled.
- Choose Policies from the navigation pane, and click Create Custom Policy.
- Enter a policy name.
- Select a scope in which the policy will take effect. For more information, see Permissions Policies.
- Global services: Select this option if the services to which the policy is related are available for all regions once deployed. Then the policy must be attached to a user group in the Global project.
- Project-level services: Select this option if the services to which the policy is related are deployed in specific regions. Then the policy must be attached to a user group in region-specific projects.
For example, when creating a custom policy for EVS (for example, with the action evs:volumes:create), specify the scope as project-level services.
NOTE:
A custom policy can contain actions of multiple services only if those services are all globally available or all deployed in specific projects. To define permissions required for accessing both globally available and project-specific services, create two custom policies and set their scopes to global services and project-level services, respectively.
- (Optional) Enter a description for the policy.
- In the Policy Information area, click Select Template, and select a template, such as VPC Admin.
- Click OK.
- Modify the statements in the template.
- Effect: Enter Allow or Deny.
- Action: Enter the actions provided in the API actions table (see Figure 1) of the EVS service, for example, evs:volumes:create.
- The version of a custom policy must be set to 1.1.
- For details about the API actions supported by each service, see Permissions Policies.
- Click Validate. If a message is displayed indicating validation failure, modify the policy content according to the syntax rules.
- Click OK.
- Attach the policy to a user group. Users in the group then obtain the permissions defined in the policy.
The method for attaching a custom policy to a user group is the same as that for attaching a system-defined policy. For details, see Creating a User Group and Assigning Permissions.
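The rules in this procedure (version 1.1, an Effect of Allow or Deny, and a single scope per policy) can be checked before the policy is pasted into the console. The following is an added example, not part of the original documentation or the console's own validator. It assumes the policy is a JSON document with Version, Statement, Effect and Action keys and that each action has three colon-separated parts like evs:volumes:create; the `lint_policy` function and the `globalsvc` service are hypothetical names.

```python
import json

# Scope per service prefix. Only the EVS entry comes from the page; "globalsvc"
# is a hypothetical placeholder. Fill in real entries from Permissions Policies.
SERVICE_SCOPE = {"evs": "project", "globalsvc": "global"}


def lint_policy(text, service_scope=SERVICE_SCOPE):
    """Return (scope, problems) for a policy document given as JSON text."""
    try:
        policy = json.loads(text)
        version, statements = policy.get("Version"), policy.get("Statement")
    except (json.JSONDecodeError, AttributeError):
        return None, ["policy must be a JSON object"]
    problems, scopes = [], set()
    if version != "1.1":
        problems.append('Version must be "1.1" for a custom policy')
    if not isinstance(statements, list) or not statements:
        return None, problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}]: must be an object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be Allow or Deny")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"Statement[{i}]: Action must be a non-empty list")
            continue
        for action in actions:
            parts = action.split(":") if isinstance(action, str) else []
            if len(parts) != 3 or not all(parts):
                problems.append(f"Statement[{i}]: malformed action {action!r}")
                continue
            scope = service_scope.get(parts[0].lower())
            if scope is None:
                problems.append(f"Statement[{i}]: no scope known for {parts[0]!r}")
            else:
                scopes.add(scope)
    if len(scopes) > 1:
        problems.append("mixes global and project-level actions; split into two policies")
    return (scopes.pop() if len(scopes) == 1 else None), problems


# Constructed sample: the EVS action named on the page, as a 1.1 policy.
SAMPLE = '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["evs:volumes:create"]}]}'

if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```

The returned scope tells you whether the policy belongs on a user group in the Global project or in region-specific projects.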