This document describes how to create a custom policy in different ways. A custom policy allows granular permission division and can flexibly meet your differentiated permission management needs.
Directions
Creating by policy generator
With a policy created by the policy generator, you can create policy syntax automatically by selecting services and actions (operations) and defining resources. This method is highly recommended for its simplicity and flexibility.
1. On the Policy page in the CAM console, click Create Custom Policy in the top-left corner.
2. In the selection window that pops up, click Create by Policy Generator to enter the Edit Policy page.
3. Select the service in the Visual Policy Generator, enter the following information, and edit an authorization statement. (You can also choose JSON to use the policy syntax method to edit the policy, and the authorization effect is the same as the Visual Policy Generator).
Effect (required): select Allow or Deny.
Service (required): select the service you want to authorize.
Action (required): select the operations you want to authorize.
Resource (required): select all resources or specific resources you want to authorize.
Tencent Cloud products with operation-level or service-level authorization granularity do not support six-segment resource descriptions. For such products, simply select all resources.
For Tencent Cloud products with resource-level authorization granularity, you can select specific resources. For more information on the resource description method, please see the corresponding CAM Guide in CAM-Enabled Products. For more information on the authorization granularities of Tencent Cloud products, please see the Authorization Granularity section in CAM-Enabled Products.
Condition (optional): set the conditions that must be met for the authorization to take effect. For more information, please see Condition.
Note:
If you want to authorize multiple services, you can click Add Permission to add multiple authorization statements and configure authorization policies for other services.
Multiple statements can be added in one policy.
4. After editing the policy authorization statement, click Next to enter the Associate with User/User Group page.
5. On the Associate with User/User Group page, add the policy name and description, and you can associate users or user groups for quick authorization at the same time.
Note:
The policy name is automatically generated by the console and is policygen suffixed with the creation time by default, which is customizable.
6. Click Done to complete the custom policy creation.
