**Scenario: **If the main account or account administrator does not give the user the expense center permission, the user will not be able to access the expense center. In some scenarios, the master account or account administrator may need to grant the user permissions for the full range of products and services, but exclude the permissions of the expense center. For example, after granting the policy AdministratorAccess (including administrative privileges for all IAM-enabled products and services) or ReadOnlyAccess (including read-only privileges for all IAM-enabled products and services), the user will also have administrative privileges or read-only privileges for the expense center. If you want to deny the user access to all modules of the expense center, you also need to create a custom policy and authorize the user.
How to operate:

• Step 1: Create a new custom policy

The policy name can be customized on demand, and the policy content can be copied with the following JSON code, which describes the permission to deny access to all services of the expense center:

{ 
  "Statement": [ 
    { 
      "Effect": "Deny", 
      "Action": [ 
        "bill:*", 
				"bill_volcano_engine:*", 
				"billing:*", 
				"volc_contract_process:*" 
      ], 
      "Resource": [ 
        "*" 
      ] 
    } 
  ] 
}

• Step 2: Grant the user the policy
  After the authorization is completed, the user will no longer be able to access all the expense center modules.