Updated on 2024-03-28 GMT+08:00

Managing Organization Policies

Organization policies define cloud resource permissions of all member accounts within an organization. For example, you can set an organization policy that allows certain member accounts to purchase the VPC service.

Precautions

  • If no policy is attached to an organization, all accounts of the organization and its sub-organizations have all permissions by default.
  • Policies attached to an organization will take effect for all accounts of the organization and its sub-organizations.
  • Policies will allow or forbid accounts to perform specified operations on relevant cloud services.
  • To avoid affecting services, you are advised to apply policies to a testing organization before using them for other organizations.

Creating an Organization Policy

  1. Go to the Organization Policies page.
  2. Click the By Policy tab.
  3. Click Create Policy.

  4. On the Create Policy page, set policy information.

    For details about the JSON syntax, see Policies.

    • Creating a Policy
      1. Enter the basic information such as the policy name and description.
      2. Set Effect.
        • The options for permission effect include:
          1. Deny: The specified operations are rejected and other operations are allowed.
          2. Allow: The specified operations are allowed and other operations are rejected.
        • Implementation of organization policies:
          1. By default, new member accounts associated with your master account have all the permissions required for all cloud services. To control the access of a member account to specific cloud services, you can attach policies to the organization to which the member account belongs. A deny policy refuses the specified operations and permits all the other operations, while an allow policy refuses all operations and permits only the specified operations.
          2. If a member account is associated with multiple deny policies, all of these policies take effect. However, if a member account is associated with multiple allow policies, only the first allow policy the system evaluates takes effect; the others are ignored. Therefore, to ensure that all allow permissions take effect for a member account, configure all of these allow permissions in the same policy and attach that policy to the organization to which the member account belongs.
      3. Set Service and Action.
      4. Click OK.
    • Copying an Existing Policy
      1. Enter the basic information such as the policy name and description.
      2. Click Copy Existing Policy.

        The Copy Existing Policy dialog box is displayed.

      3. Select the policy you will copy.
      4. Click OK. The actions of the selected policy are displayed in the Policy Content text box.
      5. Change the actions for the new policy.
      6. Click Check Syntax.

        If the syntax of the new policy is correct, the message "Policy content validated successfully." is displayed.

      7. Click OK.
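The Effect rules in step 4 (every deny policy applies, but only the first allow policy takes effect) as an added worked model in Python; this is not part of the product documentation. The policy shape, the action names, the merged-policy name and the rule that a deny wins over a conflicting allow are assumptions made for this example; the real JSON syntax is documented under Policies.

```python
"""Model of the organization-policy evaluation rules described in step 4.

Assumed policy shape (constructed for this example, not the service's
real JSON syntax):
    Policy(name, effect="Allow" | "Deny", actions=frozenset of action names)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str          # "Allow" or "Deny"
    actions: frozenset   # action names, e.g. "vpc:vpcs:create" (constructed)


def is_action_permitted(policies, action):
    """Apply the rules from the Effect step to one action:
    - no policies attached: everything is permitted;
    - deny policies: all take effect, so a listed action is refused;
    - allow policies: only the first one takes effect, and an action is
      permitted only if that first policy lists it.
    Assumption (not stated on the page): a deny wins over a conflicting allow."""
    denies = [p for p in policies if p.effect == "Deny"]
    allows = [p for p in policies if p.effect == "Allow"]
    if any(action in p.actions for p in denies):
        return False
    if allows:
        return action in allows[0].actions
    return True


def find_shadowed_allow_policies(policies):
    """Return allow policies after the first; their actions never take effect."""
    allows = [p for p in policies if p.effect == "Allow"]
    return allows[1:]


def merge_allow_policies(policies, name):
    """Build the single allow policy the page recommends instead of several."""
    allows = [p for p in policies if p.effect == "Allow"]
    return Policy(name, "Allow", frozenset().union(*(p.actions for p in allows)))


# Constructed sample: two allow policies and one deny policy attached to one organization.
SAMPLE = [
    Policy("allow-vpc", "Allow", frozenset({"vpc:vpcs:create", "vpc:vpcs:list"})),
    Policy("allow-ecs", "Allow", frozenset({"ecs:servers:create"})),
    Policy("deny-vpc-delete", "Deny", frozenset({"vpc:vpcs:delete"})),
]
```

Running `find_shadowed_allow_policies(SAMPLE)` flags `allow-ecs` as ineffective, and `merge_allow_policies(SAMPLE, "allow-merged")` produces the single policy that restores its actions.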

Adding a Policy to an Organization

  1. Go to the Organization Policies page.
  2. Click the By Organization tab.
  3. In the Organization tree on the left, select the organization to which a policy will be added.

    All policies of this organization, including the newly added and inherited policies, are displayed on the right of the page.

  4. Click Add Policy.
  5. Select the policies to be added.
  6. Click OK.

    • You can click the icon before the policy name to view the content of the selected policy.
    • You can click Cancel Policy in the Operation column to disassociate the policy from the organization.

Follow-up Operations

Modifying an Organization Policy

  1. Go to the Organization Policies page.
  2. Click the By Policy tab.
  3. Locate a policy to be modified, and click Edit in the Operation column.
  4. Modify Policy Name, Description, and Policy Content.
  5. Click OK.

Deleting an Organization Policy

  1. Go to the Organization Policies page.
  2. Click the By Policy tab.
  3. Locate the policy to be deleted, and click Delete in the Operation column.
  4. Click Yes.