Help Center/ Document Database Service/ User Guide/ Permissions Management/ Creating a Custom Policy
Updated on 2025-09-09 GMT+08:00
View PDF
Share

Creating a Custom Policy

Scenarios

Custom policies can be created to supplement the system-defined policies of DDS. For the actions that can be added to custom policies, see DDS Actions.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following provides examples of common DDS custom policies.

Example Custom Policies

  • Example 1: Allowing users to create DDS DB instances 
    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dds:instance:create"
            ]
        }
    ]
}
  • Example 2: Denying DDS DB instance deletion

    A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    The following method can be used if you need to assign permissions of the DDS FullAccess policy to a user but you want to prevent the user from deleting DDS instances. Create a custom policy for denying DDS instance deletion, and attach both policies to the group which the user belongs to. Then, the user can perform all operations on DDS instances except deleting DDS instances. The following is an example of a deny policy:

    {
    "Version": "1.1",
    "Statement": [
        {
          "Effect": "Deny"
          "Action": [
                "dds:instance:deleteInstance"
            ],
          }
    ]
}
  • Example 3: Creating a custom policy containing multiple actions

    A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is an example policy containing actions of multiple services:

    {  
        "Version": "1.1",  
        "Statement": [  
                {  
                        "Action": [  
                                "dds:instance:create",  
                                "dds:instance:modify",  
                                "dds:instance:deleteInstance",  
                 "vpc:publicIps:list",  
                 "vpc:publicIps:update"  
                        ],  
                        "Effect": "Allow"  
                }  
        ]  
}
  • Example 4: Authorizing a resource policy
    A custom policy can be configured with resources, indicating the current action can have the operation permissions on which resources. Currently, the instance name can be configured. The asterisk (*) can be used as a wildcard. The following is an example of authorizing a resource policy: 
    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dds:instance:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dds:instance:modify"
            ],
            "Resource": [
                "DDS:*:*:instanceName:dds-*"
            ]
        }
    ]
}
Parent topic: Permissions Management