RAM authorization-ApsaraDB for OceanBase (Deprecated)(OceanBase)-阿里云帮助中心

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by ApsaraDB for OceanBase for RAM permission policies. The RAM code (RamCode) for ApsaraDB for OceanBase is oceanbase , and the supported authorization granularity is OPERATION .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by ApsaraDB for OceanBase. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
oceanbase:ModifyTenantUserPassword	ModifyTenantUserPassword	update	All Resource ``	None	None
oceanbase:DescribeBackupSetDownloadLink	DescribeBackupSetDownloadLink	none	All Resource ``	None	None
oceanbase:DescribeProxyService	DescribeProxyService	get	All Resource ``	None	None
oceanbase:CreateSecurityIpGroup	CreateSecurityIpGroup	create	All Resource ``	None	None
oceanbase:DescribeTagValues	DescribeTagValues	get	All Resource ``	None	None
oceanbase:CreateTenant	CreateTenant	create	All Resource ``	None	None
oceanbase:DescribeInstanceTags	DescribeInstanceTags	get	All Resource ``	None	None
oceanbase:DeleteInstances	DeleteInstances	delete	Instance `acs:oceanbase:{#regionId}:{#accountId}:instance/{#instanceId}/`	None	None
oceanbase:CreateOmsMysqlDataSource	CreateOmsMysqlDataSource	create	All Resource ``	None	None
oceanbase:ModifySecurityIps	ModifySecurityIps	update	All Resource ``	None	None
oceanbase:ModifyTagName	ModifyTagName	update	All Resource ``	None	None
oceanbase:DescribeTenantTags	DescribeTenantTags	get	All Resource ``	None	None
oceanbase:DescribeAvailableSpec	DescribeAvailableSpec	none	All Resource ``	None	None
oceanbase:DescribeTenantSecurityIpGroups	DescribeTenantSecurityIpGroups	get	All Resource ``	None	None
oceanbase:DescribeOasTopSQLList	DescribeOasTopSQLList	get	All Resource ``	None	None
oceanbase:DescribeSqlAuditStat	DescribeSqlAuditStat	none	All Resource ``	None	None
oceanbase:ModifyParameters	ModifyParameters	update	All Resource ``	None	None
oceanbase:DescribeTenantSecurityConfigs	DescribeTenantSecurityConfigs		All Resource ``	None	None
oceanbase:DescribeInstanceSummary	DescribeInstanceSummary	get	All Resource ``	None	None
oceanbase:DescribeRecommendIndex	DescribeRecommendIndex	get	All Resource ``	None	None
oceanbase:ModifyTagValueName	ModifyTagValueName	update	All Resource ``	None	None
oceanbase:ModifyTenantUserDescription	ModifyTenantUserDescription	update	All Resource ``	None	None
oceanbase:DescribeSQLDetails	DescribeSQLDetails	get	All Resource ``	None	None
oceanbase:DescribeParametersHistory	DescribeParametersHistory	get	All Resource ``	None	None
oceanbase:DescribeRestorableTenants	DescribeRestorableTenants	get	All Resource ``	None	None
oceanbase:ModifyInstanceSSL	ModifyInstanceSSL	update	All Resource ``	None	None
oceanbase:DeleteProject	DeleteProject	delete	All Resource ``	None	None
oceanbase:DescribeOasSQLHistoryList	DescribeOasSQLHistoryList	get	All Resource ``	None	None
oceanbase:DescribeProcessStatsComposition	DescribeProcessStatsComposition	get	*Instance `acs:oceanbase:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
oceanbase:ModifyInstanceSpec	ModifyInstanceSpec	update	All Resource ``	None	None
oceanbase:DescribeInstanceCreatableZone	DescribeInstanceCreatableZone	get	All Resource ``	None	None
oceanbase:CreateTenantReadOnlyConnection	CreateTenantReadOnlyConnection	create	All Resource ``	None	None
oceanbase:ModifyTenantTags	ModifyTenantTags	update	All Resource ``	None	None
oceanbase:ModifyTenantSecurityIpGroup	ModifyTenantSecurityIpGroup	update	All Resource ``	None	None
oceanbase:DescribeMetricsData	DescribeMetricsData	get	All Resource ``	None	None
oceanbase:DescribeTenants	DescribeTenants	get	All Resource ``	None	None
oceanbase:DescribeTenantEncryption	DescribeTenantEncryption	get	All Resource ``	None	None
oceanbase:StopProjectModifyRecords	StopProjectModifyRecords	update	All Resource ``	None	None
oceanbase:DeleteTagValue	DeleteTagValue	delete	All Resource ``	None	None
oceanbase:DescribeAvailableMemResource	DescribeAvailableMemResource	get	All Resource ``	None	None
oceanbase:ModifyDatabaseUserRoles	ModifyDatabaseUserRoles	update	All Resource ``	None	None
oceanbase:ModifyInstanceTags	ModifyInstanceTags	update	All Resource ``	None	None
oceanbase:CreateTag	CreateTag	create	All Resource ``	None	None
oceanbase:DescribeSlowSQLList	DescribeSlowSQLList	get	All Resource ``	None	None
oceanbase:DescribeSecurityIpGroups	DescribeSecurityIpGroups	get	All Resource ``	None	None
oceanbase:DescribeTopSQLList	DescribeTopSQLList	list	All Resource ``	None	None
oceanbase:ModifyTenantEncryption	ModifyTenantEncryption	update	All Resource ``	None	None
oceanbase:DeleteTenantSecurityIpGroup	DeleteTenantSecurityIpGroup	delete	All Resource ``	None	None
oceanbase:CreateDatabase	CreateDatabase	create	All Resource ``	None	None
oceanbase:ModifyInstanceNodeNum	ModifyInstanceNodeNum	update	All Resource ``	None	None
oceanbase:DeleteDatabases	DeleteDatabases	delete	All Resource ``	None	None
oceanbase:DescribeTenantUsers	DescribeTenantUsers	get	All Resource ``	None	None
oceanbase:StopProjectsByLabel	StopProjectsByLabel	update	All Resource ``	None	None
oceanbase:CancelProjectModifyRecord	CancelProjectModifyRecord	update	All Resource ``	None	None
oceanbase:DescribeNodeMetrics	DescribeNodeMetrics	get	All Resource ``	None	None
oceanbase:CreateTenantSecurityIpGroup	CreateTenantSecurityIpGroup	create	All Resource ``	None	None
oceanbase:DescribeParameters	DescribeParameters	get	All Resource ``	None	None
oceanbase:DescribeSampleSqlRawTexts	DescribeSampleSqlRawTexts	none	All Resource ``	None	None
oceanbase:DescribeInstanceSSL	DescribeInstanceSSL	none	All Resource ``	None	None
oceanbase:DescribeInstanceTenantModes	DescribeInstanceTenantModes	get	All Resource ``	None	None
oceanbase:DeleteTenantUsers	DeleteTenantUsers	delete	All Resource ``	None	None
oceanbase:DeleteTenants	DeleteTenants	delete	All Resource ``	None	None
oceanbase:DescribeSQLTuningAdvices	DescribeSQLTuningAdvices	get	All Resource ``	None	None
oceanbase:ModifyDatabaseDescription	ModifyDatabaseDescription	update	All Resource ``	None	None
oceanbase:DescribeDataBackupSet	DescribeDataBackupSet	none	All Resource ``	None	None
oceanbase:ModifyTenantResource	ModifyTenantResource	update	All Resource ``	None	None
oceanbase:DeleteTag	DeleteTag	delete	All Resource ``	None	None
oceanbase:DescribeSessionList	DescribeSessionList	none	All Resource ``	None	None
oceanbase:DescribeTenantUserRoles	DescribeTenantUserRoles	get	All Resource ``	None	None
oceanbase:ListProjectModifyRecords	ListProjectModifyRecords	list	All Resource ``	None	None
oceanbase:DescribeProjectSteps	DescribeProjectSteps	get	All Resource ``	None	None
oceanbase:DescribeOasSQLDetails	DescribeOasSQLDetails	none	All Resource ``	None	None
oceanbase:DescribeSlowSQLHistoryList	DescribeSlowSQLHistoryList	get	All Resource ``	None	None
oceanbase:DescribeInstanceAvailableZones	DescribeInstanceAvailableZones	none	All Resource ``	None	None
oceanbase:SwitchoverInstance	SwitchoverInstance	update	All Resource ``	None	None
oceanbase:DescribeInstanceTopology	DescribeInstanceTopology	get	All Resource ``	None	None
oceanbase:DeleteSecurityIpGroup	DeleteSecurityIpGroup	delete	All Resource ``	None	None
oceanbase:DescribeInstanceSecurityConfigs	DescribeInstanceSecurityConfigs	get	All Resource ``	None	None
oceanbase:StartProjectsByLabel	StartProjectsByLabel	update	All Resource ``	None	None
oceanbase:CreateInstance	CreateInstance	create	Instance `acs:oceanbase:{#regionId}:{#accountId}:instance/`	None	None
oceanbase:ModifyTenantUserRoles	ModifyTenantUserRoles	update	All Resource ``	None	None
oceanbase:ModifyInstanceName	ModifyInstanceName	update	Instance `acs:oceanbase:{#regionId}:{#accountId}:instance/{#InstanceId}/`	None	None
oceanbase:RemoveStandbyInstance	RemoveStandbyInstance	update	All Resource ``	None	None
oceanbase:CreateTagValue	CreateTagValue	create	All Resource ``	None	None
oceanbase:ListProjectFullVerifyResult	ListProjectFullVerifyResult	list	All Resource ``	None	None
oceanbase:DescribeDatabases	DescribeDatabases	get	All Resource ``	None	None
oceanbase:CreateRdsPostgreSQLDataSource	CreateRdsPostgreSQLDataSource	create	All Resource ``	None	None
oceanbase:DeleteDataSource	DeleteDataSource	delete	All Resource ``	None	None
oceanbase:DescribeInstances	DescribeInstances	list	All Resource ``	None	None
oceanbase:ReleaseWorkerInstance	ReleaseWorkerInstance	delete	All Resource ``	None	None
oceanbase:CreateBackupSetDownloadLink	CreateBackupSetDownloadLink	create	All Resource ``	None	None
oceanbase:CreateTenantUser	CreateTenantUser	create	All Resource ``	None	None
oceanbase:DescribeOasSlowSQLList	DescribeOasSlowSQLList	get	All Resource ``	None	None
oceanbase:DescribeAnomalySQLList	DescribeAnomalySQLList	list	All Resource ``	None	None
oceanbase:DescribeOutlineBinding	DescribeOutlineBinding	get	All Resource ``	None	None
oceanbase:ReleaseProject	ReleaseProject	delete	All Resource ``	None	None
oceanbase:GetUploadOssUrl	GetUploadOssUrl	get	All Resource ``	None	None
oceanbase:RetryProjectModifyRecords	RetryProjectModifyRecords	update	All Resource ``	None	None
oceanbase:DescribeSQLPlans	DescribeSQLPlans	get	All Resource ``	None	None
oceanbase:DescribeOasSQLPlans	DescribeOasSQLPlans	get	All Resource ``	None	None
oceanbase:DescribeTenant	DescribeTenant	get	All Resource ``	None	None
oceanbase:ModifyTenantUserStatus	ModifyTenantUserStatus	update	All Resource ``	None	None
oceanbase:DescribeProjectStepMetric	DescribeProjectStepMetric	get	All Resource ``	None	None
oceanbase:DescribeOasAnomalySQLList	DescribeOasAnomalySQLList	get	All Resource ``	None	None
oceanbase:ModifyTenantPrimaryZone	ModifyTenantPrimaryZone	update	All Resource ``	None	None
oceanbase:DescribeSQLSamples	DescribeSQLSamples	get	All Resource ``	None	None
oceanbase:DescribeInstance	DescribeInstance	get	*Instance `acs:oceanbase:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
oceanbase:DescribeTenantMetrics	DescribeTenantMetrics	get	All Resource ``	None	None

Resource

The following table lists the resources defined by ApsaraDB for OceanBase. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
Instance	acs:oceanbase:{#regionId}:{#accountId}:instance/{#instanceId}/* acs:oceanbase:{#regionId}:{#accountId}:instance/{#InstanceId} acs:oceanbase:{#regionId}:{#accountId}:instance/*

Condition

ApsaraDB for OceanBase does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: