Updated on 2024-11-05 GMT+08:00

Custom Policy

Custom policies can be created to supplement the system-defined policies of Global Accelerator.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. You do not need to have knowledge of the policy syntax.
  • JSON: Create a policy in the JSON format from scratch or based on an existing policy template.

For details, see Creating a Custom Policy. The following are examples of custom policies created for Global Accelerator.

Example Custom Policies

  • Example 1: Allowing users to update a global accelerator
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ga:accelerator:update"
                ]
            }
        ]
    }
  • Example 2: Preventing users from deleting a global accelerator

    A deny policy must be used in conjunction with other policies to take effect. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    If you grant the system policy GA FullAccess to a user but do not want the user to have the permission to delete global accelerators, you can create a custom policy that denies the deletion of global accelerators. Then you can grant the GA FullAccess and deny policies to the user, so that the user can perform all operations on global accelerators except deleting them.

    The following is an example deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ga:accelerator:delete"
                ]
            }
        ]
    }
  • Example 3: Defining actions for multiple services in a policy

    A custom policy can contain the actions of multiple services that are of the global or project-level type.

    The following is an example policy containing actions of multiple services:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ga:listener:create",
                    "ga:healthcheck:create",
                    "ga:endpointgroup:create",
                    "ga:endpoint:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "eps:enterpriseProjects:enable",
                    "eps:enterpriseProjects:update",
                    "eps:enterpriseProjects:create"
                ]
            }
        ]
    }
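The deny-takes-precedence rule from Example 2 can be checked offline with a simplified evaluator. This is an added example, not Huawei Cloud code: it evaluates only Effect and Action, and the `ga:*:*` body used for GA FullAccess is a constructed stand-in because the page does not show that policy. The names `evaluate` and `audit` are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for the system policy GA FullAccess (assumption:
# the real policy body is not shown on this page).
GA_FULL_ACCESS = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow", "Action": ["ga:*:*"]}]}
""")

# The deny policy from Example 2.
DENY_DELETE = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Deny", "Action": ["ga:accelerator:delete"]}]}
""")


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'NoMatch' for one requested action.

    Simplified model: only Effect and Action are evaluated; resources and
    request conditions are ignored.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if any(fnmatchcase(action, pat) for pat in stmt.get("Action", [])):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny overrides any allow
                if stmt["Effect"] == "Allow":
                    allowed = True
    return "Allow" if allowed else "NoMatch"


def audit(policies, actions):
    """Map each action to its decision, for reviewing a policy set."""
    return {a: evaluate(policies, a) for a in actions}


if __name__ == "__main__":
    checks = ["ga:accelerator:update", "ga:accelerator:delete"]
    for name, pols in [("FullAccess only", [GA_FULL_ACCESS]),
                       ("FullAccess + deny", [GA_FULL_ACCESS, DENY_DELETE]),
                       ("deny only", [DENY_DELETE])]:
        print(name, audit(pols, checks))
```

The "deny only" case returns `NoMatch` for the update action, which is why a deny policy grants nothing on its own and must be attached alongside an allow policy.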