Custom policies can be created to supplement the predefined policies provided by TMS. For the actions supported by custom policies, see Permissions.
You can create a custom policy in either of the following ways:
For details, see Creating a Custom Policy. Examples of common TMS custom policies are as follows:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"tms:predefineTags:list"
]
}
]
}
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Assume that you want to grant the permissions of the TMS FullAccess to a user but want to prevent them from deleting predefined tags. You can create a custom policy for denying predefined tag deletion, and attach this policy together with the TMS FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on these tags excepting deleting them. Example policy denying predefined tag deletion:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"tms:predefineTags:delete"
]
}
]
}
A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).
Example policy containing multiple actions:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"tms:predefineTags:create",
"tms:predefineTags:delete"
]
},
{
"Effect": "Allow",
"Action": [
"obs:bucket:ListAllMyBuckets",
"obs:bucket:ListBucket"
]
}
]
}