DMS custom policies-Data Management-阿里云帮助中心

If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission control and improve the security of your resources. This topic describes the scenarios and examples of Data Management (DMS) custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Scenarios and examples of custom policies

The following examples demonstrate how to grant a RAM user the permissions to log on to one or more ApsaraDB RDS instances from DMS.

Grant a RAM user the permissions to log on to a specific ApsaraDB RDS instance.
Create a custom policy that contains the following content and attach the policy to the RAM user. For more information, see Create custom policies and Grant permissions to a RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dms:LoginDatabase"],
      "Resource": ["acs:rds:*:*:dbinstance/[$RDS_ID]"]
    }
  ]
}

Note

Replace [$RDS_ID] with the ID of your RDS instance.

Grant a RAM user the permissions to log on to all ApsaraDB RDS instances within your Alibaba Cloud account.
Grant the AliyunRDSFullAccess permission to the RAM user in the RAM console, or create a custom policy with the following content and attach it to the RAM user. For more information, see Grant permissions to a RAM user.
```
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dms:LoginDatabase"],
      "Resource": ["acs:rds:*:*:*"]
    }
  ]
}
```

FAQ

Q: If a user logs on to DMS using different SSO configurations, are their data asset permissions automatically synchronized?

A: No. Data asset permissions in DMS are independent of RAM permissions and are not automatically synchronized. If you log on with a different SSO configuration, you must grant permissions again. Data owner settings must also be reconfigured. Note that a data asset can have a maximum of three data owners.

RAM authorization

To use custom policies, you must understand the permission control requirements of your business and the authorization information of DMS. For more information, see RAM authorization.

上一篇: Data Disaster Recovery (DBS) system policy reference 下一篇: Custom policies for Database Backup Service (DBS)