```yaml

		// Check if claim name is the non-default value and role policy is set.
		if p.ClaimName != policy.PolicyName && p.RolePolicy != "" {
			// In the unlikely event that the user specifies
			// `policy.PolicyName` as the claim name explicitly and sets
			// a role policy, this check is thwarted, but we will be using
			// the role policy anyway.

				return ErrNone
			}
		}

		return ErrAccessDenied
	}
	if action == policy.DeleteObjectAction && versionID != "" {
		if !globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.Action(policy.DeleteObjectVersionAction),
			BucketName:      bucket,
			ConditionValues: getConditionValues(r, "", cred),

func (store *IAMStoreSys) GetPolicy(name string) (policy.Policy, error) {
	if name == "" {
		return policy.Policy{}, errInvalidArgument
	}

	cache := store.rlock()
	defer store.runlock()

	policies := newMappedPolicy(name).toSlice()
	var toMerge []policy.Policy
	for _, policy := range policies {
		if policy == "" {
			continue
		}
		v, ok := cache.iamPolicyDocsMap[policy]

	Compression compress.Config `json:"compress"`

	// OpenID configuration
	OpenID openid.Config `json:"openid"`

	// External policy enforcements.
	Policy struct {
		// OPA configuration.
		OPA opa.Args `json:"opa"`

		// Add new external policy enforcements here.
	} `json:"policy"`

	LDAPServerConfig xldap.LegacyConfig `json:"ldapserverconfig"`

			asRoot: false,

			policy: `{"Effect": "Allow",
				"Action": ["kms:CreateKey"] }`,

			wantStatusCode: http.StatusOK,
		},
		{
			name:   "create key as user set policy to allow want success",
			method: http.MethodPost,
			path:   kmsKeyCreatePath,
			query:  map[string]string{"key-id": "second-new-test-key"},
			asRoot: false,

			policy: `{"Effect": "Allow",

	"encoding/xml"
	"io"
	"net/http"

	xhttp "github.com/minio/minio/internal/http"
	"github.com/minio/minio/internal/logger"
	"github.com/minio/mux"
	"github.com/minio/pkg/v3/policy"
)

// Data types used for returning dummy access control
// policy XML, these variables shouldn't be used elsewhere
// they are only defined to be used in this file alone.
type grantee struct {
	XMLNS       string `xml:"xmlns:xsi,attr"`

  rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP

  # set policy for user
  if [ ! -z $POLICY -a $POLICY != " " ] ; then
      echo "Adding policy '$POLICY' for '$USER'"
      set +e ; # policy already attach errors out, allow it.
      ${MC} admin policy attach myminio $POLICY --user=$USER
      set -e
  else
      echo "User '$USER' has no policy attached."
  fi
}

# Try connecting to MinIO instance

### 2. Create a new admin user with CreateUser, DeleteUser and ConfigUpdate permissions

Use [`mc admin policy`](https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-policy.html#command-mc.admin.policy) to create custom admin policies.

Create new canned policy file `adminManageUser.json`. This policy enables admin user to
manage other users.

```json
cat > adminManageUser.json << EOF
{
  "Version": "2012-10-17",

  return 0
}

# checkPolicyExists ($policy)
# Check if the policy exists, by using the exit code of `mc admin policy info`
checkPolicyExists() {
  POLICY=$1
  CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
  return $?
}

# createPolicy($name, $filename)
createPolicy () {
  NAME=$1
  FILENAME=$2

  # Create the name if it does not exist
  echo "Checking policy: $NAME (in /config/$FILENAME.json)"