Scenario: If you want to exclude permissions for some services, you can create and bind a policy with the effect of "Denied" when you grant a larger global policy such as Identity AdministratorAccess (including administrative permissions for all IAM-enabled products and services) or ReadOnlyAccess (including read-only permissions for all IAM-enabled products and services). For example, the following policy denies access to all modules of the expense center.
Policy example:

{ 
  "Statement": [ 
    { 
      "Effect": "Deny", 
      "Action": [ 
        "bill:*", 
				"bill_volcano_engine:*", 
				"billing:*", 
				"volc_contract_process:*" 
      ], 
      "Resource": [ 
        "*" 
      ] 
    } 
  ] 
}

Interpretation: This policy uses "Deny" to deny access to all services of the expense center.

Rejection effect instructions can be found in the Effect instructions .