Managing IAM Policies

Updated at: 2025-10-27

View system policies

Sign in to the Cloud Console, hover the cursor over the profile icon, and navigate to Identity and Access Management > Policy Management. The default view shows system policies, including functional policies (e.g., system administrator with full permissions, financial management) and product-specific policy collections. For details, refer to the product-specific permission documentation. Users can click the View button to check the ACL of a system policy.

Manage custom policy

Under Policy Management > Custom Policy, users can define business-related custom policies for their account to achieve granular permission control. Users can also quickly build a custom policy based on tags for resources of the same type (resources with identical tags), which is often used to solve authorization issues involving large combinations of different products or services.

Create custom policy

IAM currently provides two methods to create custom policies: through a visual editor or using tags. To create via the visual editor, select services, permissions, and instances under regions to generate policies. To create via tags, filter resources based on the tags assigned to service instances to generate policies.

Prerequisites
The account must have Baidu AI Cloud system administrator permissions.

Procedure: Create by policy generator

  1. Sign in to the Cloud Console, hover over the avatar in the upper-right corner, and navigate to Identity and Access Management > Policy Management;
  2. Click Create Policy, and then select Create by Policy Generator in the pop-up window;
  3. Fill in the policy name and description in the basic information section;
  4. Configure permissions: Click the Add Permission button to append a permission to the current policy, then complete the fields in the pop-up window:

    • Select service: i.e., product name to be selected.
    • Policy generation method: Depending on the service type selected, it supports generating the final policy using either the policy generator or editing the policy file. Grayed-out options default to the policy generator method. The policy generator, as a visual policy generation tool, generates policies by step-by-step configuration of operations and resource instances. By editing policy files, users can edit JSON-format policy documents according to specific policy syntax to generate policies. For details, refer to Policy Syntax. Policies generated by both methods are stored in the system in ACL format.
    • Permission effect: Allow or deny, with allow typically selected. Note that deny overrides allow, so proceed with care;
    • Permission options: Service-specific permissions defined by the service type selected (multiple selections supported)
    • Select resources: Available resources under the service type selected, down to specific resource instances.

      • Select All Resources, representing any resource across all regions supported by Baidu AI Cloud, including future additions, denoted as "*" in the policy ACL description
      • Select Specific Resource, so as to filter by different regions to select specific resource instances.
    • Restrictions: Select the restrictions required to configure for the current policy. Once configured, only accesses that satisfy both these conditions and the permission policy will be permitted.
  5. Click Complete to return to the policy creation page, where users can continue adding permissions following Step 4 or click Complete to save the custom policy.
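
The effect, resource and restriction settings from Step 4, as an added example (not Baidu AI Cloud's code or policy syntax): a simplified model that evaluates requests with deny overriding allow and flags over-broad statements before a policy is saved. The field names, sample statements, wildcard matching and the implicit-deny default are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed statements in a simplified model of the fields the policy
# generator asks for. Field names and values are assumptions for this
# example, not Baidu AI Cloud's policy syntax.
POLICY = [
    {"service": "bos", "effect": "Allow", "permissions": ["READ", "WRITE"],
     "resources": ["*"], "restrictions": {}},
    {"service": "bos", "effect": "Deny", "permissions": ["WRITE"],
     "resources": ["audit-logs/*"], "restrictions": {}},
    {"service": "bcc", "effect": "Allow", "permissions": ["OPERATE"],
     "resources": ["instance/i-example"],
     "restrictions": {"source_ip": "203.0.113.10"}},
]

def matches(stmt, service, permission, resource, context):
    """A statement applies only if service, permission, resource and every
    restriction all match the request."""
    return (stmt["service"] == service
            and permission in stmt["permissions"]
            and any(fnmatchcase(resource, pat) for pat in stmt["resources"])
            and all(context.get(k) == v
                    for k, v in stmt["restrictions"].items()))

def evaluate(policy, service, permission, resource, context=None):
    """Deny overrides allow. With no matching statement the request is
    refused (implicit deny is an assumption of this model)."""
    context = context or {}
    effects = {s["effect"] for s in policy
               if matches(s, service, permission, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def review(policy):
    """Flag statements worth a second look before the policy is saved."""
    findings = []
    for i, s in enumerate(policy):
        everything = "*" in s["resources"]
        if s["effect"] == "Allow" and everything and not s["restrictions"]:
            findings.append((i, "Allow on all resources with no restrictions"))
        if s["effect"] == "Deny" and everything:
            findings.append((i, "Deny on all resources overrides every Allow"))
    return findings
```

Running `review(POLICY)` flags the first statement, and `evaluate` shows that a write under `audit-logs/` is denied even though that statement allows writes on all resources.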

Procedure: Create by tag

  1. Sign in to the Cloud Console, hover over the avatar in the upper-right corner, and navigate to Identity and Access Management > Policy Management;
  2. Click Create Policy, and then select Create by Tag in the pop-up window;
  3. Fill in the policy name and description in the basic information section;
  4. Configure permissions:

    • Select tags: Select the required tag key-value pairs. If no tags are available, click the "No tags yet? Click Create Tag" link to go to the tag management page;
    • Select service: Select service types supporting tags to view product lines enabling tag-based authorization. Refer to [IAM-enabled Products](IAM/Product Description/Currently Supported Product Lines.md) for details;
    • Select operation: Permission operations for selected services are standardized as read-only, O&M, and administrative permissions;
    • Resource scope: Display the resource list of selected services. If no actual resources are matched, it represents all global resources. If the current tag is associated with actual resource instances in the future, those instances will be governed by the current custom policy.
  5. Click Complete to save the configured policy.

Edit custom policy

When an existing custom policy cannot satisfy the user's requirements, users can either create a brand-new custom policy or edit the existing one. Sign in to the Cloud Console, hover the cursor over the avatar in the upper-right corner, navigate to Identity and Access Management > Policy Management, locate the custom policy to edit, and click the Edit button to enter the policy editing page. For policy editing operations, refer to Create custom policy.

Delete custom policy

For custom policies that are no longer required, users can locate the target policy, click the Delete button, and confirm to complete the policy deletion.

Important notice:
Deleting an online policy may cause the IAM users or services to lose corresponding operation permissions, thereby affecting service operations. Therefore, before deleting a policy, ensure it has been removed from all identities.
