Updated on 2025-12-17 GMT+08:00

EdgeSec Custom Policies

Custom policies can be created to supplement the system-defined policies of EdgeSec. For the actions that can be added to custom policies, see EdgeSec Permissions and Supported Actions.

You can create custom policies in either of the following ways:
  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following section contains examples of common EdgeSec custom policies.

Example EdgeSec Custom Policies

  • Example 1: Allowing users to query the domain list protected against DDoS attacks
    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Allow",
                            "Action": [
                                    "edgesec:ddosDomainNames:list"
                            ]
                    }
            ]
    }
  • Example 2: Denying requests to delete web tamper protection rules

    A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    If you grant the EdgeSec FullAccess system policy to a user but do not want the user to be able to delete web tamper protection rules (the edgesec:EdgeSecAntiTamper:delete action defined in EdgeSec FullAccess), create a custom policy with the same action and set Effect to Deny. Then grant both the EdgeSec FullAccess policy and the deny policy to the user. With both policies in effect, the user can perform all operations on EdgeSec except deleting web tamper protection rules. The following is an example policy for denying web tamper protection rule deletion.

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Deny",
                            "Action": [
                                    "edgesec:EdgeSecAntiTamper:delete"
                            ]
                    }
            ]
    }
  • Multi-action policies

    A custom policy can contain the actions of multiple project-level services. The following is an example policy containing multiple actions:

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Allow",
                            "Action": [
                                    "edgesec:EdgeSecCustom:get",
                                    "edgesec:EdgeSecGeoIp:get"
                            ]
                    },
                    {
                            "Effect": "Allow",
                            "Action": [
                                    "hss:hosts:switchVersion",
                                    "hss:hosts:manualDetect",
                                    "hss:manualDetectStatus:get"
                            ]
                    }
            ]
    }
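
The precedence rule described in Example 2 can be checked offline before policies are attached. The following is an added example, not part of the original documentation or EdgeSec's own code: it evaluates a set of attached policies with deny-overrides semantics. The FULL_ACCESS document is a constructed stand-in (the contents of the real system policy are not shown on this page), and the wildcard matching and implicit-deny default are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for the EdgeSec FullAccess system policy; its real
# contents are not shown on this page, so a service-wide wildcard is assumed.
FULL_ACCESS = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow", "Action": ["edgesec:*:*"]}]}
""")

# The deny policy from Example 2.
DENY_TAMPER_DELETE = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Deny",
                "Action": ["edgesec:EdgeSecAntiTamper:delete"]}]}
""")


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            # Assumption: '*' in an action pattern matches any characters.
            if any(fnmatchcase(action, pat) for pat in stmt.get("Action", [])):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny wins, whatever the order
                if stmt["Effect"] == "Allow":
                    allowed = True
    # Assumption: an action matched by no statement is not permitted.
    return "Allow" if allowed else "ImplicitDeny"


def audit(policies, actions):
    """Map each action to its decision so a reviewer can compare policy sets."""
    return {a: evaluate(policies, a) for a in actions}


if __name__ == "__main__":
    requested = ["edgesec:EdgeSecAntiTamper:delete",
                 "edgesec:EdgeSecCustom:get",
                 "hss:hosts:manualDetect"]
    for name, attached in [("FullAccess only", [FULL_ACCESS]),
                           ("FullAccess + deny", [FULL_ACCESS, DENY_TAMPER_DELETE])]:
        print(name)
        for action, decision in audit(attached, requested).items():
            print(f"  {action:36} {decision}")
```

Evaluating the deny policy on its own returns ImplicitDeny for every other action, which is why it has to be combined with an allow policy.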