Custom policies for OceanBase

更新时间:
复制 MD 格式

If system policies cannot meet your requirements, you can create custom policies to achieve the principle of least privilege. Custom policies help implement fine-grained permission management and serve as an effective method to improve resource access security. This topic describes scenarios and examples of using custom policies in ApsaraDB for OceanBase.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Examples

Grant permissions on a specific ApsaraDB for OceanBase instance to a RAM user

Specify target resources for authorization. Create a permission policy and enable the policy to apply only to the target resources.

ApsaraDB for OceanBase provides dedicated security management policies to ensure data security and resource security. For more information, see Policy management.

  1. Create a permission policy.

    1. Log in to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Select an editing mode.

        Visual editing

        1. Select Allow for Effect.

        2. Select ApsaraDB for OceanBase for Service.

        3. In the Action section, select permissions related to Describe under Read actions.

        4. Note

          You can search for Describe and select all permissions found.

        5. Select target resources for Resource.

        6. Retain the settings in the Condition section.

        Script editing

        Copy the following content into the script editing window:

        Note

        To specify a target instance, enter its ARN information in the acs:oceanbase:{#regionId}:{#accountId}:* format in the Resource section.

        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "oceanbase:Describe*"
              ],
              "Resource": [
                "*"
              ]
            }
          ]
        }
    5. Click OK.

    6. Specify Policy Name and Description, confirm the policy content, and click OK.

  2. Apply a custom policy to a specified RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the target user and click Add Permissions in the Actions column on the right.

    3. Select Account for Resource Scope. In the Policy section, click Custom Policy. Search for the policy you just created and select it.

    4. Click Complete.

  3. Log in to the ApsaraDB for OceanBase console as the RAM user and view instances.

    1. Select a region in the upper part.

    2. Click the authorized instance. You can normally view and access the instance.

Authorization information

To use custom policies, you must understand the permission management requirements of the business and familiarize yourself with the authorization information of ApsaraDB for OceanBase. For more information, see RAM authorization.