Updated on 2022-04-28 GMT+08:00

Creating a Custom Policy

Custom policies can be created as a supplement to the system policies of APM. For the actions that can be added to custom policies, see Permissions Policies and Supported Actions.

You can create custom policies in either of the following two ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details about how to create a custom policy, see Creating a Custom Policy. The following section contains examples of common APM custom policies.

Example Custom Policies

  • Example 1: Allowing a user to install the ICAgent
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "apm:icmgr:create"
                ]
            }
        ]
    }
  • Example 2: Denying collection component uninstallation

    A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    To grant a user the APM FullAccess system policy but forbid the user to uninstall collection components, create a custom policy that denies the uninstallation of collection components and grant both the APM FullAccess and deny policies to the user. Because the Deny action takes precedence, the user can perform all operations except uninstalling collection components. The following is an example deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "apm:icmgr:delete"
                ]
            }
        ]
    }
  • Example 3: Defining permissions for multiple services in a policy

    A custom policy can contain actions of multiple services that are all of the project-level type. The following is an example policy containing actions of multiple services:

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Allow",
                            "Action": [
                                    "aom:*:list",
                                    "aom:*:get",
                                    "apm:*:list",
                                    "apm:*:get"
                            ]
                    },
                    {
                             "Effect": "Allow",
                             "Action": [
                                     "cce:cluster:get",
                                     "cce:cluster:list",
                                     "cce:node:get",
                                     "cce:node:list"
                            ]
                    }
            ]
    }