Authorize RAM users to access resources-阿里云帮助中心

Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users within the permissions of an Alibaba Cloud account. Different RAM users can be granted different permissions to allow or deny access to specific cloud resources.

Background information

By default, when you use an Alibaba Cloud account to create an ApsaraDB for ClickHouse cluster, the cluster becomes the resource that the account owns. An Alibaba Cloud account has full permissions on its resources.

RAM allows you to grant RAM users access and management permissions on ApsaraDB for ClickHouse clusters that are created within your Alibaba Cloud account.

Prerequisites

A RAM user is created. For more information about how to create a RAM user, see Create a RAM user.

Procedure

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
1. Configure the Resource Scope parameter.
  - Account: The authorization takes effect on the current Alibaba Cloud account.
  - Resource Group: The authorization takes effect on a specific resource group.
    Important
    If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Configure the Principal parameter.
  The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
3. Configure the Policy parameter.
  A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
  - System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
    Note
    The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
  - Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
4. Click OK.
Click Close.

References

For information about API operations supported by ApsaraDB for ClickHouse, see List of operations by function.
For information about the basic elements of a policy, see Policy elements.