<p class="shortdesc">用户访问控制的细粒度权限策略的创建，通过创建自定义策略，可以控制到资源粒度的访问。</p> <section class="section context"><div class="tasklabel"><h2 class="doc-tairway">背景信息</h2></div> <p class="p">访问控制RAM提供了多种系统授权策略供您使用，例如：ECSFullAccess、ECSReadOnly等，但系统策略控制力度较粗，只能达到云服务访问控制的级别。自定义策略可以满足您对子用户资源访问细粒度的授权需求。</p> <ul class="ul" id="createpolicy__ul_kqn_cnt_mtb"> <li class="li"><strong class="ph b">通过可视化策略生成器创建自定义策略</strong>：借助可视化方式生成策略语法，适用于对权限细化划分有较高要求的用户。</li> <li class="li"><strong class="ph b">通过策略语法创建自定义策略</strong>：通过策略语法创建自定义策略需要编写策略语法，生成对应的策略，适用于对语法逻辑有一定了解、对权限精细划分有较高要求的用户。</li> <li class="li"><strong class="ph b">通过标签关联授权自定义策略</strong>：通过配置将具有指定标签属性的资源快速授权给用户和群组，适用于对资源分组授权的场景。</li> </ul> <div class="note important note_important"><span class="note__title">重要：</span> <p class="p">主账号下最多创建50个自定义策略，每个自定义策略最多可保留5个历史版本。</p> </div> </section> <section><div class="tasklabel"><h2 class="doc-tairway">操作步骤</h2></div><ol class="ol steps"><li class="li step stepexpand"> <span class="ph cmd">使用主账号或者具有相关权限的子账号登录<a class="xref" href="/console/ram/overview" target="_blank" rel="external noopener">访问控制RAM控制台</a>。</span> </li><li class="li step stepexpand" id="createpolicy__step_xny_fgj_flb"> <span class="ph cmd">在左侧导航栏中，单击<span class="ph uicontrol">策略管理</span>。</span> </li><li class="li step stepexpand"> <span class="ph cmd">在<span class="keyword wintitle">策略管理</span>页面，单击右上角<span class="ph uicontrol">创建自定义策略</span>。</span> </li><li class="li step stepexpand"> <span class="ph cmd">选择通过<span class="ph uicontrol">可视化策略生成器</span>、<span class="ph uicontrol">策略语法</span>或<span class="ph uicontrol">标签关联授权</span>创建自定义策略。</span> <div class="itemgroup info"> <ul class="ul" id="createpolicy__ul_d1k_4nt_mtb"> <li class="li"><strong class="ph b">通过可视化策略生成器创建</strong><p class="p">在<span class="keyword wintitle">通过可视化策略生成器创建</span>页面完成如下配置：</p><p class="p"><img class="image" id="createpolicy__image_lxy_4cs_45b" src="https://obs-cn-shanghai.fincloud.pinganyun.com/pacloud/20232402143307-1cb6942c9c64.png" width="600"></p><ol class="ol" type="a" id="createpolicy__ol_h2b_npn_p5b"> <li class="li"><strong class="ph b">策略名称</strong>：填写自定义策略的名称，不超过45字符。</li> <li class="li"><strong class="ph b">备注</strong>：填写自定义策略的相关描述。</li> <li class="li"><strong class="ph b">策略内容</strong><ol class="ol" type="i" id="createpolicy__ol_qqs_mwn_p5b"> <li class="li"><strong class="ph b">效果</strong>：选择策略效果为<span class="ph uicontrol">允许</span>或者<span class="ph uicontrol">拒绝</span>；</li> <li class="li"><strong class="ph b">操作</strong>：单击<span class="ph uicontrol">选择服务与操作</span>，选择策略作用的云服务，选择开启<strong class="ph b">全部操作</strong>或勾选指定操作。</li> <li class="li"><strong class="ph b">资源</strong>：选择<span class="ph uicontrol">全部资源</span>或<span class="ph uicontrol">指定资源</span>。<p class="p">选择<span class="ph uicontrol">指定资源</span>时，在<span class="ph uicontrol">添加资源</span>弹窗中，用户可以选择地域、资源类型，填写资源标识，生成对应语法的资源六段式表达。</p></li> <li class="li"><strong class="ph b">条件</strong>：添加对应的条件内容，详情请参见<a class="xref" href="https://www.ocftcloud.com/ssr/help/manage/ram/index.function.Authorizationmgt.Grammatical_logic" target="_blank" rel="external noopener">语法逻辑</a>。</li> </ol><div class="note note note_note" id="createpolicy__note_urr_pwn_p5b"><span class="note__title">说明：</span> 您可以单击<span class="ph uicontrol">添加</span>，设置多条权限。</div></li> </ol><div class="p">完成后，单击<span class="ph uicontrol">下一步</span>，检查<strong class="ph b">策略内容</strong>，并<strong class="ph b">关联用户/群组</strong>。<div class="note note note_note" id="createpolicy__note_tyj_5xn_p5b"><span class="note__title">说明：</span> <ul class="ul" id="createpolicy__ul_ddv_mdr_q5b"> <li class="li">策略内容中的语句通过上一步配置的标签、服务与操作等自动生成。</li> <li class="li">您可以创建策略时授权用户/群组，也可以在策略创建后再进行授权，参见<a class="xref" href="/ssr/help/manage/ram/manual.policymgt.custom.AssociatedUser" target="_blank" rel="external noopener">关联用户/群组</a>。</li> </ul> </div></div><p class="p">单击<span class="ph uicontrol">完成</span>，策略创建成功。</p></li> <li class="li"><strong class="ph b">通过策略语法创建</strong><ol class="ol" type="a" id="createpolicy__ol_wmw_kjv_mtb"> <li class="li">在<span class="keyword wintitle">通过策略语法创建</span>页面完成如下配置：<img class="image" id="createpolicy__image_ev1_mgj_flb" src="https://obs-cn-shanghai.fincloud.pinganyun.com/pacloud/20232402143307-158c1af598e1.png" width="750"><table class="table frame-all" id="createpolicy__table_yyp_f4t_mtb"><caption></caption><colgroup><col style="width:29.585798816568047%"><col style="width:70.41420118343196%"></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="createpolicy__table_yyp_f4t_mtb__entry__1"> <p class="p">配置项</p> </th> <th class="entry" id="createpolicy__table_yyp_f4t_mtb__entry__2"> <p class="p">说明</p> </th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__1 "> <p class="p">模板</p> </td> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__2 "> <p class="p">选择授权策略模板。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__1 "> <p class="p">策略名称</p> </td> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__2 "> <p class="p">填写自定义策略的名称，不超过45字符。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__1 "> <p class="p">备注</p> </td> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__2 "> <p class="p">填写自定义策略的相关描述，不超过100个字符。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__1 "> <p class="p">策略内容</p> </td> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__2 "> <p class="p">按照提示选择模板，输入策略内容。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__1 "> <p class="p">关联用户/关联群组</p> </td> <td class="entry" headers="createpolicy__table_yyp_f4t_mtb__entry__2 "> <p class="p">选择策略授权的用户/群组。</p> <div class="p"> <div class="note note note_note" id="createpolicy__note_lpk_n4t_mtb"><span class="note__title">说明：</span> 您可以创建策略时授权用户/群组，也可以在策略创建后再进行授权，参见<a class="xref" href="/ssr/help/manage/ram/manual.policymgt.custom.AssociatedUser" target="_blank" rel="external noopener">关联用户/群组</a>。</div> </div> </td> </tr> </tbody></table></li> <li class="li">完成后，单击<span class="ph uicontrol">提交</span>。</li> </ol></li> <li class="li"><strong class="ph b">通过标签关联授权</strong><ol class="ol" type="a" id="createpolicy__ol_yvs_cjv_mtb"> <li class="li">在<span class="keyword wintitle">通过标签关联授权</span>页面完成如下配置：<img class="image" id="createpolicy__image_iwl_43v_mtb" src="https://obs-cn-shanghai.fincloud.pinganyun.com/pacloud/20232402143307-19d11be89adc.png" width="800"><table class="table frame-all" id="createpolicy__table_hml_r3v_mtb"><caption></caption><colgroup><col style="width:27.10027100271003%"><col style="width:72.89972899728997%"></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="createpolicy__table_hml_r3v_mtb__entry__1"> <p class="p">配置项</p> </th> <th class="entry" id="createpolicy__table_hml_r3v_mtb__entry__2"> <p class="p">说明</p> </th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__1 "> <p class="p">策略名称</p> </td> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__2 "> <p class="p">填写自定义策略的名称，不超过45字符。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__1 "> <p class="p">备注</p> </td> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__2 "> <p class="p">填写关于自定义策略的相关描述。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__1 "> <p class="p">绑定标签</p> </td> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__2 "> <p class="p">搜索并选择标签键及标签值，支持绑定多个标签。绑定标签可快捷圈定一组资源，多个标签将组成并集，资源与其中任一标签关联则被包含。如需新建标签，可前往各产品控制台及标签管理页面创建。</p> </td> </tr> <tr class="row"> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__1 "> <p class="p">选择服务与操作</p> </td> <td class="entry" headers="createpolicy__table_hml_r3v_mtb__entry__2 "> <p class="p">单击<span class="ph uicontrol">添加</span>，选择需要授权的服务及操作。</p> </td> </tr> </tbody></table></li> <li class="li">单击<span class="ph uicontrol">下一步</span>，检查<strong class="ph b">策略内容</strong>，并<strong class="ph b">关联用户/群组</strong></li> <li class="li">完成后，单击<span class="ph uicontrol">完成</span>。</li> </ol></li> </ul> </div> </li></ol></section>