Understand permission policies in Vultr IAM. Policies define allow and deny rules for actions on resources and can be Vultr-managed or custom-created by you.
A permission policy is a named bundle of one or more IAM permissions that can be attached to a user, group, or role to explicitly allow or deny specific actions on Vultr resources. The individual IAM permission, which maps to a single action on a specific service, is the smallest unit of access control. A policy groups one or more of these permissions together into a reusable, assignable construct.
Every access decision in IAM, whether a user can deploy a server, view an invoice, or manage a Kubernetes cluster, traces back to a permission policy attached somewhere in the system. Policies use an allow/deny model, meaning permissions can be explicitly granted or denied. A user's effective permissions are evaluated across all policies attached to them directly or via a group, and all policies bundled within any roles assigned to them.
Each policy operates at the service, resource, and action level. It specifies which service is targeted (for example compute, object-storage, vke) and which actions apply (for example create, update, delete, list, read), using the format {service}.{resource}.{action} with wildcard support. A policy can optionally be scoped to specific resources by UUID rather than applying broadly across an entire service. Policies are defined in JSON, and the Vultr Console provides a JSON preview alongside a visual builder, so you can inspect the exact definition of any policy before assigning it.
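The following is an added example, not Vultr's code or its actual policy schema: a small model for reasoning about allow/deny evaluation over {service}.{resource}.{action} patterns with wildcards and UUID scoping when reviewing policies for least privilege. The field names (effect, actions, resources), the resource names in the action strings, segment-wise wildcard matching, default deny, and deny-overrides-allow are all assumptions made for illustration; the JSON preview in the Vultr Console shows the real definition.

```python
from fnmatch import fnmatchcase

# Constructed sample policies. Field names are hypothetical, not Vultr's schema.
POLICIES = [
    {"name": "compute-operators", "effect": "allow",
     "actions": ["compute.instance.*"], "resources": []},  # empty = whole service
    {"name": "no-deletes", "effect": "deny",
     "actions": ["compute.*.delete"], "resources": []},
    {"name": "one-bucket-read", "effect": "allow",
     "actions": ["object-storage.bucket.read"],
     "resources": ["11111111-2222-3333-4444-555555555555"]},  # constructed UUID
]

def matches(statement, action, resource_id):
    """True if the statement's action patterns and resource scope cover the request."""
    # Assumption: '*' matches within one segment and never spans a '.' boundary.
    want = action.split(".")
    action_ok = any(
        len(p.split(".")) == len(want)
        and all(fnmatchcase(w, seg) for w, seg in zip(want, p.split(".")))
        for p in statement["actions"]
    )
    scope = statement["resources"]
    return action_ok and (not scope or resource_id in scope)

def evaluate(policies, action, resource_id=None):
    """Assumed semantics: explicit deny wins, then allow, otherwise default deny."""
    hits = [p for p in policies if matches(p, action, resource_id)]
    if any(p["effect"] == "deny" for p in hits):
        return "deny"
    return "allow" if any(p["effect"] == "allow" for p in hits) else "deny"

def broad_grants(policies):
    """Audit helper: allow statements with a wildcard action and no UUID scope."""
    return [p["name"] for p in policies
            if p["effect"] == "allow" and not p["resources"]
            and any("*" in a for a in p["actions"])]

if __name__ == "__main__":
    print(evaluate(POLICIES, "compute.instance.create"))
    print(evaluate(POLICIES, "compute.instance.delete"))
    print(broad_grants(POLICIES))
```

Running broad_grants over the policies attached to a user, their groups, and their roles gives a quick list of grants worth narrowing to specific actions or UUIDs.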