Creating Custom Policies
You can create custom policies to supplement the system-defined policies of Organizations. For the actions that can be added to custom policies, see Policies and Supported Actions.
To create a custom policy, use either the visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. There is no need to know much about policy syntax.
- JSON: Edit policies from scratch or based on an existing policy in JSON format.
For details, see Creating a Custom Policy. The following are examples of common custom policies for Organizations.
Example Custom Policies
- Example 1: Grant permission to invite member accounts to join an organization or to remove member accounts from an organization.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:accounts:invite",
        "organizations:accounts:remove"
      ]
    }
  ]
}
- Example 2: Grant permission to deny the deletion of OUs or removal of member accounts.
A policy that contains only Deny statements has no effect on its own and must be used together with other policies. If no policy grants permission to perform an action, the action is denied by default. If the permissions granted to an IAM user contain both Allow and Deny statements, the Deny statements take precedence over the Allow statements.
Assume that you want to grant the permissions of the OrganizationsFullAccess policy to a user but want to prevent them from deleting OUs or removing member accounts. You can create a custom policy that denies those two actions, and attach it together with the OrganizationsFullAccess policy to the user. Because an explicit Deny in any policy overrides any Allow, the user can perform all operations on a given organization except deleting its OUs or removing member accounts. The following is an example of a deny policy:
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "organizations:ous:delete",
        "organizations:accounts:remove"
      ]
    }
  ]
}
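The evaluation rules described above (implicit deny by default, explicit Deny taking precedence over any Allow) can be modelled and tested offline before a policy is attached. The following Python script is an added example and is not part of the Organizations documentation or the platform's own evaluation engine: it is a simplified model of those two rules only, and it ignores resources and request conditions. The stand-in for OrganizationsFullAccess is constructed here with a `*` wildcard that the script matches with simple glob rules, because the real system policy's action list is not on this page; the two custom policies are the ones shown in Example 1 and Example 2.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for OrganizationsFullAccess. The real system policy's
# action list is not shown on the page; the wildcard is an assumption that
# this example's glob matching understands.
FULL_ACCESS_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    { "Effect": "Allow", "Action": ["organizations:*:*"] }
  ]
}
""")

# Example 1 from the page: Allow-only custom policy.
INVITE_REMOVE_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["organizations:accounts:invite", "organizations:accounts:remove"] }
  ]
}
""")

# Example 2 from the page: Deny-only custom policy.
DENY_DELETE_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    { "Effect": "Deny",
      "Action": ["organizations:ous:delete", "organizations:accounts:remove"] }
  ]
}
""")


def validate_policy(policy):
    """Return a list of structural problems (empty list means the policy is well-formed).

    Catches the mistakes that silently change meaning: a misspelled Effect is
    neither Allow nor Deny and would never match either rule below.
    """
    problems = []
    if policy.get("Version") != "5.0":
        problems.append("Version must be \"5.0\"")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be Allow or Deny")
        actions = stmt.get("Action")
        if isinstance(actions, str):
            actions = [actions]
        if not isinstance(actions, list) or not actions:
            problems.append(f"Statement[{i}]: Action must be a non-empty list")
    return problems


def evaluate(policies, action):
    """Decide 'Allow' or 'Deny' for one action across all attached policies.

    Modelled rules: an explicit Deny anywhere wins immediately; otherwise the
    action is allowed only if some statement allows it; otherwise denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(fnmatchcase(action, pattern) for pattern in actions):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides any Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    attached = [FULL_ACCESS_POLICY, DENY_DELETE_POLICY]
    for action in ("organizations:ous:delete", "organizations:accounts:remove",
                   "organizations:accounts:invite"):
        print(f"{action:40s} -> {evaluate(attached, action)}")
```

Running the script shows the combination the page describes: with OrganizationsFullAccess and the deny policy both attached, `organizations:ous:delete` and `organizations:accounts:remove` are denied while every other matching action stays allowed, and the deny policy attached on its own grants nothing.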