You can control the access of Resource Access Management (RAM) users to the mPaaS console at the component level. There are four types of component-level access control, described in the four sections below, from the broadest grant (all components, all applications) to the narrowest (selected components on explicitly listed workspaces and applications). Pick the narrowest type that covers what the RAM user actually needs to do.
Prerequisites
- You have an Alibaba Cloud account. If you do not have one, create an account.
- You have created a RAM user. If you have not, see Create a RAM user.
Note: For more information about configuring a RAM user, see Configure permissions.
Grant permissions for all components
- Log on to the RAM console.
- In the navigation pane on the left, under the Identity Management menu, click Users.
- Select the RAM user who requires access to the mPaaS console and click Add Permissions.
- On the Add Permissions page, search for and select the AliyunMPAASFullAccess policy, then click OK. The RAM user can then access all applications created by the Alibaba Cloud account (the root account) and use all components in the mPaaS console. This is the broadest grant of the four; use one of the custom policies in the following sections when the user only needs some applications or components.
Grant permissions for all components but specify allowed applications
- Log on to the RAM console.
- In the navigation pane on the left, under the Permission Management menu, click Access Policies.
- Click Create Policy.
- Set Configuration Mode to Script.
- Edit the policy content. You can use the following script as an example. In the script, replace the sample App ID with the App ID of the target application. To specify multiple applications, list each App ID as a separate string in the mpaas:AppId array, separated by commas (,). The "..." entry in the example stands for further App IDs; StringEquals compares literally, so replace it with real App IDs or remove it. The first statement grants mpaas:GetOnexMethod unconditionally; the second grants every mpaas action, but only for requests whose mpaas:AppId matches one of the listed App IDs.

  {
    "Version": "1",
    "Statement": [
      {
        "Action": ["mpaas:GetOnexMethod"],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": ["mpaas:*"],
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "mpaas:AppId": ["ONEXCBAD96A290957", "..."]
          }
        }
      }
    ]
  }

- Click Next: Edit Basic Information. Enter a policy name and description, and then click OK.
- In the navigation pane on the left, under the Identity Management menu, click Users.
- Select the RAM user who requires access to the mPaaS console and click Add Permissions.
- On the Add Permissions page, search for and select the custom policy that you created. Click OK.
Note: The visualization configuration mode is not supported for mPaaS policies. Use Script mode, as in the steps above.
Grant permissions for a specific component, including permissions to create workspaces, create applications, and delete applications
- Log on to the RAM console.
- In the navigation pane on the left, under the Permission Management menu, click Access Policies.
- Click Create Policy.
- Set Configuration Mode to Script.
- Edit the policy content. You can use the following script as an example. Replace the sample App IDs with the App IDs of the target applications, and list the components to grant in mpaas:ComponentId. Compared with the next procedure, this policy keeps "Resource": "*" on the mpaas:* statement, which is what leaves workspace and application management (creating workspaces, creating and deleting applications) inside the grant.

  {
    "Version": "1",
    "Statement": [
      {
        "Action": ["mpaas:GetOnexMethod"],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": ["mpaas:*"],
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "mpaas:ComponentId": ["mAppCenter", "mds"],
            "mpaas:AppId": ["ONEXCBAD96A290957", "13FF079171113", "..."]
          }
        }
      }
    ]
  }

  Note: In mpaas:ComponentId, mAppCenter is a required value. The other values specify the components for which you want to grant permissions. The following table lists the mappings between the values of mpaas:ComponentId and the corresponding components.

  | mpaas:ComponentId | Corresponding component |
  | --- | --- |
  | mas | Mobile Analysis |
  | mcdp | Intelligent Delivery |
  | mds | Real-time Release |
  | mgs | Mobile Gateway |
  | mps | Message Push |
  | mss | Data Synchronization |
  | msa | Application Security Hardening |
  | mrtc | Audio/Video Calling |

- Click Next: Edit Basic Information. Enter a policy name and description, and then click OK.
- In the navigation pane on the left, under the Identity Management menu, click Users.
- Select the RAM user who requires access to the mPaaS console and click Add Permissions.
- On the Add Permissions page, search for and select the custom policy that you created. Click OK. You have now added a resource isolation policy for the RAM user.
Because this policy filters applications by the mpaas:AppId condition key, an application that the RAM user creates is not automatically visible to that user: its new App ID is not in the policy's mpaas:AppId list. The application stays hidden from the user until it is assigned to the user, that is, until the policy is updated to include the new App ID.
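The two condition-key policies above (all components for listed applications, and listed components for listed applications) share one shape, and the caveat about newly created applications follows directly from how StringEquals is evaluated. The following is an added example, not code from the mPaaS documentation or from the RAM service: it builds that policy document from a list of App IDs and component IDs, enforces the required mAppCenter entry, and runs a deliberately simplified model of RAM evaluation (default deny; an Allow applies only when the action pattern matches and every StringEquals key matches a listed value) over a few requests. The action name mpaas:ExampleComponentAction and the App ID ONEXNEWLYCREATED are hypothetical; the only action names taken from the page are mpaas:GetOnexMethod and mpaas:*.

```python
"""Added example (not part of the mPaaS documentation or the RAM service).

Builds the condition-key-scoped mPaaS policy and simulates its StringEquals
conditions. The evaluator is an assumed, simplified model of RAM policy
evaluation, not the RAM engine: default deny, explicit Deny wins, and an
Allow statement applies only when its action pattern matches and every
StringEquals key in its Condition matches one of the listed values.
"""
import json

# Component IDs from the table on the page. mAppCenter is the required one.
COMPONENTS = {"mAppCenter", "mas", "mcdp", "mds", "mgs", "mps", "mss", "msa", "mrtc"}


def build_policy(app_ids, component_ids=None):
    """Return the policy document as a dict.

    app_ids: App IDs the RAM user may work with (mpaas:AppId condition).
    component_ids: components to grant; None means every component, which is
    the "all components but specify allowed applications" policy.
    """
    if not app_ids:
        raise ValueError("at least one App ID is required")
    condition = {"mpaas:AppId": list(app_ids)}
    if component_ids is not None:
        comps = set(component_ids) | {"mAppCenter"}  # mAppCenter is required
        unknown = comps - COMPONENTS
        if unknown:
            raise ValueError(f"unknown mpaas:ComponentId values: {sorted(unknown)}")
        condition["mpaas:ComponentId"] = sorted(comps)
    return {
        "Version": "1",
        "Statement": [
            {"Action": ["mpaas:GetOnexMethod"], "Resource": "*", "Effect": "Allow"},
            {
                "Action": ["mpaas:*"],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {"StringEquals": condition},
            },
        ],
    }


def _action_matches(patterns, action):
    """An action pattern is an exact name or a prefix ending in '*'."""
    return any(
        p == action or (p.endswith("*") and action.startswith(p[:-1]))
        for p in patterns
    )


def is_allowed(policy, action, request_keys):
    """Simplified decision for one request (assumed model, see module docstring).

    request_keys carries the condition-key values of the request, e.g.
    {"mpaas:AppId": "ONEX...", "mpaas:ComponentId": "mds"}. A key missing
    from the request never satisfies a StringEquals condition on that key.
    """
    decision = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, values in cond.items():
            if isinstance(values, str):
                values = [values]
            if request_keys.get(key) not in values:
                matched = False
                break
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins over any Allow
        decision = True
    return decision


if __name__ == "__main__":
    policy = build_policy(["ONEXCBAD96A290957"], ["mds"])
    print(json.dumps(policy, indent=2))  # paste this into Script mode
    # Hypothetical action name and a constructed App ID for a newly created app.
    app = {"mpaas:AppId": "ONEXCBAD96A290957", "mpaas:ComponentId": "mds"}
    new_app = {"mpaas:AppId": "ONEXNEWLYCREATED", "mpaas:ComponentId": "mds"}
    print(is_allowed(policy, "mpaas:ExampleComponentAction", app))      # True
    print(is_allowed(policy, "mpaas:ExampleComponentAction", new_app))  # False
```

The second print is the caveat from the paragraph above in executable form: the newly created application's ID is not in the mpaas:AppId list, so every mpaas:* request for it is denied until the policy is updated. The same function also shows that a request for a component outside mpaas:ComponentId, or for a non-mpaas action, is denied by default.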
Grant permissions for a specific component, excluding permissions to create workspaces, create applications, and delete applications
If the permission policy excludes workspace and application management permissions, the RAM user cannot create workspaces or applications, so you must manually assign the workspaces and applications to the RAM user by listing them in the policy's Resource entries, as described in the note below the script.
- Log on to the RAM console.
- In the navigation pane on the left, under the Permission Management menu, click Access Policies.
- Click Create Policy.
- Set Configuration Mode to Script.
- Edit the policy content. You can use the following script as an example. Unlike the previous procedure, the mpaas:* statement here names explicit workspace/application resources instead of "Resource": "*", which is what keeps workspace and application management out of the grant.

  {
    "Version": "1",
    "Statement": [
      {
        "Action": ["mpaas:GetOnexMethod"],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": ["mpaas:*"],
        "Resource": [
          "acs:mpaas:*:*:component/workspace/test/app/ONEXPRE40DB571051148",
          "acs:mpaas:*:*:component/workspace/default/app/ONEXPRE40DB571051148"
        ],
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "mpaas:ComponentId": ["mAppCenter", "mds"]
          }
        }
      }
    ]
  }

  Note:
  - For the FilterWorkspace action, the format of the Resource parameter is acs:mpaas:*:*:component/workspace/${workspaceId}. ${workspaceId} is the ID of the workspace to assign to the RAM user. The sample script above contains no separate FilterWorkspace statement; if you add one, use this format.
  - For the mpaas:* action, the format of the Resource parameter is acs:mpaas:*:*:component/workspace/${workspaceId}/app/${appId}. ${workspaceId} is the ID of the workspace to assign to the RAM user, and ${appId} is the ID of the application to assign to the RAM user. To apply the permission to all applications in that workspace, replace ${appId} with an asterisk (*). Applications in other workspaces remain outside the grant unless you add a Resource entry for them.

- Click Next: Edit Basic Information. Enter a policy name and description, and then click OK.
- In the navigation pane on the left, under the Identity Management menu, click Users.
- Select the RAM user who requires access to the mPaaS console and click Add Permissions.
- On the Add Permissions page, search for and select the custom policy that you created. Click OK. You have now added a resource isolation policy for the RAM user.
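The resource-scoped policy above binds the grant to workspace/application Resource strings rather than to the mpaas:AppId condition key, and the asterisk rule in the note decides how far each entry reaches. The following is an added example, not code from the mPaaS documentation or from the RAM service: it assembles the Resource entries in the two formats given in the note, builds the policy, and checks which resources a statement reaches. The resource matcher is an assumed, simplified model in which "*" matches any run of characters (including "/"); it is not the RAM engine. The workspace name prod and the App IDs ANYAPP and OTHERAPP are constructed for the demonstration.

```python
"""Added example (not part of the mPaaS documentation or the RAM service).

Builds the resource-scoped mPaaS policy and checks which workspace/app
resources it reaches. resource_matches() is an assumed, simplified model of
RAM resource matching ('*' matches any run of characters), not the RAM
engine. The two Resource formats are the ones given in the note on the page.
"""
import json
import re


def workspace_resource(workspace_id):
    """Resource string for the FilterWorkspace action: one workspace."""
    return f"acs:mpaas:*:*:component/workspace/{workspace_id}"


def app_resource(workspace_id, app_id="*"):
    """Resource string for mpaas:* statements: one app, or every app ('*') in a workspace."""
    return f"acs:mpaas:*:*:component/workspace/{workspace_id}/app/{app_id}"


def build_resource_scoped_policy(workspace_ids, app_ids, component_ids):
    """Allow mpaas:* only on the listed apps in the listed workspaces, for the
    listed components. mAppCenter is added because it is a required value."""
    resources = [app_resource(ws, app) for ws in workspace_ids for app in app_ids]
    components = sorted(set(component_ids) | {"mAppCenter"})
    return {
        "Version": "1",
        "Statement": [
            {"Action": ["mpaas:GetOnexMethod"], "Resource": "*", "Effect": "Allow"},
            {
                "Action": ["mpaas:*"],
                "Resource": resources,
                "Effect": "Allow",
                "Condition": {"StringEquals": {"mpaas:ComponentId": components}},
            },
        ],
    }


def resource_matches(pattern, resource):
    """Simplified model: each '*' in a policy Resource matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def covered(policy, resource, component_id):
    """True if an Allow statement for mpaas:* lists a Resource pattern that
    matches `resource` and names `component_id` in its ComponentId condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "mpaas:*" not in stmt["Action"]:
            continue
        patterns = stmt["Resource"]
        if isinstance(patterns, str):
            patterns = [patterns]
        comps = stmt.get("Condition", {}).get("StringEquals", {}).get("mpaas:ComponentId")
        if comps is not None and component_id not in comps:
            continue
        if any(resource_matches(p, resource) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    # Same workspaces, App ID and component as the sample script on the page.
    policy = build_resource_scoped_policy(
        ["test", "default"], ["ONEXPRE40DB571051148"], ["mds"]
    )
    print(json.dumps(policy, indent=2))  # paste this into Script mode
    # "prod" is a constructed workspace name that the policy does not list.
    print(covered(policy, app_resource("test", "ONEXPRE40DB571051148"), "mds"))  # True
    print(covered(policy, app_resource("prod", "ONEXPRE40DB571051148"), "mds"))  # False
    print(covered(policy, app_resource("test", "ONEXPRE40DB571051148"), "mgs"))  # False
```

Passing app_ids=["*"] to build_resource_scoped_policy produces the all-applications form from the note (an asterisk in the ${appId} position); covered() then accepts any app in the listed workspace and still rejects the same App ID in a workspace that is not listed, which is the isolation boundary this policy type is meant to draw. Because the model lets "*" cross "/", a trailing asterisk is broader than a single path segment; keep explicit App IDs where that matters.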