Access policies


SOFAStack uses Resource Access Management (RAM) for permission management. You can use RAM to avoid sharing your Alibaba Cloud account AccessKeys, which consist of an AccessKey ID and an AccessKey secret. This lets you assign the least privilege to users. This topic describes the access policies for SOFAStack in RAM.

In RAM, an access policy is a collection of permissions described using policy syntax and structure. A policy can precisely define the authorized resources, actions, and conditions.

Note
  • SOFAStack does not yet support fine-grained access policies at the resource level. Policies for specific resource dimensions will be available in the future.

  • For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

System policies

SOFAStack provides the following default system policies.

Note

The content of the system policies changes as product features evolve. For the current version of a policy, see the policy as it is displayed in the console.

  • AliyunSOFAFullAccess: Grants administrative permissions for SOFAStack. A RAM user with this permission can perform all operations on all SOFAStack resources.

    The policy is as follows:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "sofa:*",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
  • AliyunSOFAReadOnlyAccess: Grants read-only permissions for SOFAStack. A RAM user with this permission can read all SOFAStack resources through the console or the management APIs, but cannot modify them.

    The policy is as follows:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "sofa:Get*",
                    "sofa:List*",
                    "sofa:Query*",
                    "sofa:Find*",
                    "sofa:Exist*",
                    "sofa:Count*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • AliyunSOFAMiddlewareObserverAccess: Grants observer permissions for middleware. A RAM user with this permission can only view SOFAStack middleware products, such as microservice configurations, scheduling tasks, and message topics. This role does not grant permissions to perform configuration operations, deletions, or other modifications. For more information about the policy, see AliyunSOFAMiddlewareObserverAccess.
  • AliyunSOFAMiddlewareDeveloperAccess: Grants developer permissions for middleware. A RAM user with this permission can perform operations on SOFAStack middleware products, such as modifying traffic-limiting configurations and triggering tasks. This role does not grant permissions for high-risk operations, such as deleting configurations. For more information about the policy, see AliyunSOFAMiddlewareDeveloperAccess.
  • AliyunSOFAMiddlewareAdministratorAccess: Grants administrative permissions for middleware. A RAM user with this permission has all permissions for SOFAStack middleware products, such as adding and deleting configurations. For more information about the policy, see AliyunSOFAMiddlewareAdministratorAccess.
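As an added example (not part of the Alibaba Cloud documentation or of SOFAStack itself), the following Python script evaluates an action name against the two system policies shown above, so that you can see exactly which operations a wildcard such as `sofa:Get*` covers before attaching the policy to a RAM user. The action names used (`sofa:ListApplications`, `sofa:DeleteApplication`, and so on) and the extra Deny policy are constructed for illustration only, and the evaluation order (an explicit Deny on a matching statement wins, otherwise a matching Allow grants access, otherwise the request is denied) is an assumption modeled on the usual RAM policy semantics rather than something this page states.

```python
import fnmatch
import json

# Constructed copies of the two system policies shown on this page
# (same content as the page, written as valid JSON).
FULL_ACCESS = json.loads('''{
  "Version": "1",
  "Statement": [
    {"Action": "sofa:*", "Effect": "Allow", "Resource": "*"}
  ]
}''')

READ_ONLY = json.loads('''{
  "Version": "1",
  "Statement": [
    {
      "Action": ["sofa:Get*", "sofa:List*", "sofa:Query*",
                 "sofa:Find*", "sofa:Exist*", "sofa:Count*"],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}''')

# Constructed custom policy (hypothetical action pattern, not a policy from
# the page): explicitly denies any delete-style action on SOFAStack.
DENY_DELETE = json.loads('''{
  "Version": "1",
  "Statement": [
    {"Action": "sofa:Delete*", "Effect": "Deny", "Resource": "*"}
  ]
}''')


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    """Case-sensitive glob match; '*' matches any run of characters."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource="*"):
    """Decide whether `action` on `resource` is permitted by `policies`.

    Assumed evaluation order: an explicit Deny on a matching statement
    wins immediately, otherwise any matching Allow grants access, and with
    no matching statement at all the default is deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


def least_privilege_report(policies, actions):
    """Map each action to its decision, to audit what a grant really covers."""
    return {a: is_allowed(policies, a) for a in actions}


if __name__ == "__main__":
    # Hypothetical action names, constructed for illustration.
    probe = ["sofa:ListApplications", "sofa:GetApplication",
             "sofa:DeleteApplication", "ecs:DescribeInstances"]
    for name, bundle in [("ReadOnly", [READ_ONLY]),
                         ("FullAccess", [FULL_ACCESS]),
                         ("FullAccess + DenyDelete", [FULL_ACCESS, DENY_DELETE])]:
        print(name, least_privilege_report(bundle, probe))
```

The report shows the two points that matter when you assign these policies: the read-only policy only matches actions whose name starts with one of the listed verbs, so anything else on the `sofa:` service falls through to the default deny, and `sofa:*` is scoped to SOFAStack only, so it grants nothing on other services such as ECS. Stacking a Deny policy on top of AliyunSOFAFullAccess is one way to carve a narrower grant out of the broad one.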

System role

When you activate SOFAStack, the system role AliyunSofaCafeCasDefaultRole is added by default. The default access policy for this role, AliyunSofaCafeCasRolePolicy, defines the permissions required by SOFAStack to access basic Alibaba Cloud resources, such as ECS, VPC, SLB, OSS, and RAM. These permissions are granted with your consent when you activate SOFAStack. For more information about the policy, see AliyunSofaCafeCasRolePolicy.