Configure RAM user provisioning


You can create a Resource Access Management (RAM) user provisioning for a member in your resource directory. The provisioning creates, within that member, a RAM user that has the same username as a specified CloudSSO user, so that the CloudSSO user can access the resources of the member as that RAM user.

Background information

This topic provides an example on how to create a RAM user provisioning that allows a CloudSSO user to access, as a RAM user, the MaxCompute resources that belong to a member (RD account) in a resource directory. In this example, you create the RAM user user1@xxx.onaliyun.com, which has the same username as the CloudSSO user user1, within the member Sandbox_Account, attach the AliyunMaxComputeFullAccess policy to the RAM user so that it can manage MaxCompute resources, and then use the CloudSSO user user1 to access the MaxCompute resources of the member Sandbox_Account as that RAM user.

Step 1: Create a RAM user provisioning

Create a RAM user provisioning by using the management account of a resource directory in the CloudSSO console.

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Multi-account Permission Configuration.

  3. On the Multi-account Permission Configuration page, find the target RD account and click RAM User Provisioning Configuration.

    In this example, the member Sandbox_Account is selected.

  4. In the RAM User Provisioning Configuration panel, select the target CloudSSO user or user group, and then click Next Step.

    In this example, the CloudSSO user user1 is selected. If you select a CloudSSO user group, all CloudSSO users in the group are synchronized.

  5. Set the following basic information and click Next Step.

    1. Enter a description for the RAM user provisioning.

    2. In the Handling Mode section, select Single Handling or Batch Handling.

      • Single Handling: Configure the conflict and deletion policies for each RD account individually.

      • Batch Handling: Apply the same conflict and deletion policies to all selected RD accounts at once.

    3. Configure the Conflict Policy and Deletion Policy.

      • Conflict Policy: Defines what happens if a RAM user with the same name already exists in the target RD account.

        • Replace: The newly created RAM user takes over the existing one. The permissions, basic information, and ID of the existing RAM user do not change; only the logon method changes. After the takeover, the provisioned RAM user can log on only through CloudSSO, not with a username and password.

        • Retain Both: The system renames the newly created RAM user and retains both the new and existing RAM users.

      • Deletion Policy: Defines what happens to provisioned RAM users when you delete the RAM user provisioning configuration.

        • Retain: When you delete the RAM user provisioning configuration, CloudSSO retains the provisioned RAM users.

        • Delete: When you delete the RAM user provisioning configuration, CloudSSO also deletes the provisioned RAM users.

  6. Click Submit.

  7. Click Done.

After the configuration is complete, the RAM user that has the same username as your CloudSSO user is created within the selected member in the resource directory. In this example, the RAM user user1@xxx.onaliyun.com is created within the member Sandbox_Account. The RAM user has the same username as the CloudSSO user user1.

Step 2: Grant permissions to the RAM user

You can access the member Sandbox_Account and attach the AliyunMaxComputeFullAccess policy to the RAM user user1@xxx.onaliyun.com to manage MaxCompute resources.

  1. Access the member Sandbox_Account.

  2. Grant permissions to the RAM user user1@xxx.onaliyun.com.

    In this example, the AliyunMaxComputeFullAccess policy is attached to the RAM user user1@xxx.onaliyun.com. The policy grants management permissions on MaxCompute resources. For more information, see Grant permissions to a RAM user.

Note

For your convenience, we recommend that you specify a CloudSSO user as the permission administrator to grant permissions to the RAM users that are provisioned within a member in a resource directory. For example, you can create an access configuration that contains the AliyunRAMFullAccess policy in CloudSSO. Then, select multiple members that you want to manage and the permission administrator to provision the access configuration. This way, the permission administrator can grant permissions to the RAM users that are provisioned within the members. For more information, see Create an access configuration and Assign access permissions on the accounts in a resource directory.

Step 3: Use the CloudSSO user to access Alibaba Cloud resources

The CloudSSO user user1 can access the MaxCompute resources that belong to the member Sandbox_Account as the RAM user user1@xxx.onaliyun.com.

  1. Log on to the CloudSSO user portal as user1.

    For more information, see Step 1: Obtain the URL of the CloudSSO user portal and Step 2: Log on to the user portal.

    On the CloudSSO user logon page, enter the Username (for example, user1) and Password, and then click Log on.

  2. Access MaxCompute resources that belong to the member Sandbox_Account as the RAM user user1@xxx.onaliyun.com.

    For more information, see the RAM user-based logon part in Step 3: Access the resources of an account in your resource directory.

    In the CloudSSO user portal, click the RAM user logon tab. Find the target cloud account in the list and click Log on in the Actions column.