IAM identity and access management, together with the enterprise organization can divided the policy type into 2 categories.

Identity-based Policy
It is to append the policies that contain permission description into IAM identity, such as the policies granted to the IAM users, groups or the roles, and such type of policy can be further divided into the following 2 types:

• System policy
  The system policy presets policies for Baidu AI Cloud and is the set of user's common permission, such as the feature permission like system administrator, financial staff, and product-level read-only, Operations permissions of the resource type, etc. Generally, the granularity of the system policy permission is coarse, and cannot be edited or deleted by any user.
• Custom Policy
  The policy created by the administrator is called Custom Policy. The user can configure the operation permission of specific product service and resources. For example, a policy can be set for an instance of the Baidu AI Cloud Compute?BCC), and the policy can be associated with the IAM user, so that the IAM user can have the operation permission of an instance of BCC. Compared with the system policy, the granularity of the controllable permission of the Custom Policy is finer and more flexible.
  The Custom Policy already supports to configure multiple service permissions within a same policy and cross-region resource instance, and supports the operation permission without resource instances, such as creation/addition, page/button, etc.

Service Control Policy
The service control policy (SCP) belongs to the expansion product of IAM Organization, and it does not directly control the user's permission, but is used to control the maximum permission boundary of the additional organizational unit or the sub-account. For detailed introduction to relevant enterprise organization and SCP, please refer to Organization.