Control application-level access for RAM users

Control which mPaaS applications a RAM user can access by granting console permissions and configuring resource isolation policies.

Prerequisites

  1. You have an Alibaba Cloud account. If you do not have one, register for an account.

  2. You have a RAM user. If you do not have one, see Create a RAM user.

    Note

    To configure permissions for a RAM user, see Configure permissions.

Procedure

  1. Grant the RAM user permissions to access the mPaaS console.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the navigation pane on the left, under the Identity Management menu, click Users.

    3. Find the target RAM user and click Add Permissions.

    4. On the Add Permissions page, search for and select the AliyunMPAASFullAccess permission, and then click OK. The RAM user can now access the mPaaS console and all applications created by the root account. To restrict access to specific applications, continue with the remaining steps.

  2. Add a resource isolation policy for the RAM user.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the navigation pane on the left, under the Permission Management menu, click Access Policies.

    3. Click Create Policy.

    4. For Configuration Mode, select Script Editor.

      Note

      mPaaS does not currently support policy configuration using the visual editor.

    5. Edit the policy content. Use one of the following example rules. In the rule for specific applications, the first statement denies the mpaas:FilterApp action whenever the request's mpaas:AppId is not in the listed values, and the second statement allows all other mPaaS actions. If you use that rule, replace the placeholder App ID with the actual App ID of the target application. To specify multiple applications, list each App ID as a separate comma-separated string in the mpaas:AppId array.

      • RAM rule to access specific applications:

        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "mpaas:FilterApp"
              ],
              "Resource": "*",
              "Effect": "Deny",
              "Condition": {
                "StringNotEquals": {
                  "mpaas:AppId": [
                    "ONEXCBAD96A290957",
                    "..."
                  ]
                }
              }
            },
            {
              "Action": [
                "mpaas:*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }

      • RAM rule to access all applications:

        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "mpaas:*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }

    6. Click Next: Edit Basic Information.

    7. Enter a policy name and a description, and then click OK.

    8. In the navigation pane on the left, under the Identity Management menu, click Users.

    9. Find the target RAM user and click Add Permissions.

    10. On the Add Permissions page, search for and select the custom policy that you created, and then click OK.
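The following is an added example, not code from the mPaaS documentation or from Alibaba Cloud: a simplified evaluator for the "specific applications" policy from step 5, useful for checking what a RAM user would be able to do before the custom policy is attached. It models only the explicit Deny-overrides-Allow rule and the two string condition operators; the App ID ONEXCBAD96A290957 is the page's example, EXAMPLE_APP_ID_2 is an assumed sample value, and the treatment of a missing mpaas:AppId key as "not equal" is an assumption of this model, not a statement about the cloud's evaluator.

```python
import fnmatch
import json

# Constructed copy of the page's "specific applications" policy. The first App ID
# is the page's own example; the second is an assumed sample value.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["mpaas:FilterApp"], "Resource": "*", "Effect": "Deny",
     "Condition": {"StringNotEquals": {"mpaas:AppId": ["ONEXCBAD96A290957", "EXAMPLE_APP_ID_2"]}}},
    {"Action": ["mpaas:*"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")

def _condition_matches(condition, context):
    """Simplified model of StringEquals / StringNotEquals. A key missing from the
    request context counts as 'not equal' (assumption), so the Deny still fires."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError("unsupported operator: " + operator)
            present = context.get(key) in values
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True

def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny wins over any Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def unresolved_placeholders(policy):
    """App IDs in a condition that were never replaced, e.g. the template's '...'."""
    found = []
    for stmt in policy["Statement"]:
        for keys in stmt.get("Condition", {}).values():
            for value in keys.get("mpaas:AppId", []):
                if not value.strip() or "..." in value or value.startswith("<"):
                    found.append(value)
    return found
```

Run unresolved_placeholders over the policy text before saving it in the Script Editor; a leftover "..." entry silently allows nothing extra but signals the App ID list was never filled in.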