By default, your Alibaba Cloud account has full access to all EDS Enterprise resources. However, RAM users have no permissions by default. To allow a RAM user to manage EDS Enterprise resources, you must grant the necessary permissions to the user. This topic describes how to grant permissions to a RAM user.
Background
Resource Access Management (RAM) is an Alibaba Cloud service that allows you to manage user identities and resource access permissions. You can create multiple identities, such as RAM users, under a single Alibaba Cloud account and assign different permissions to individual identities or groups of identities. This allows different RAM users to have different permissions to access your resources. For more information, see What is Resource Access Management?.
By default, RAM users have no permissions. You can grant policies to RAM users based on your business requirements. Policies are categorized as system policies and custom policies. For more information, see Overview of policies. EDS Enterprise provides the following system policies:
| Policy name | Description | Details |
| --- | --- | --- |
| AliyunECDFullAccess | Grants permissions to manage EDS Enterprise. | Allows a user to fully manage cloud computer resources. |
| AliyunECDReadOnlyAccess | Grants read-only access to EDS Enterprise. | Allows a user to view all cloud computer resources. |
| AliyunECDRamUserAccess | Grants permissions to use cloud computers from the client. | Allows a user to query, connect to, restart, start, and stop cloud computers. Note: Client login by using RAM users is supported only for legacy RAM directories. If your office network uses a RAM directory, you must grant permissions to the RAM users. For simple scenarios that do not require AD integration, the new version supports convenience accounts, which do not require authorization. |
| AliyunECDTagFullAccess | Grants permissions to manage cloud computer tags. | Allows a user to create, delete, and query tags for cloud computers. |
| AliyunECDOfficeSiteFullAccess | Grants permissions to manage office networks. | Allows a user to create, view, modify, destroy, and migrate an office network. |
| AliyunECDDesktopFullAccess | Grants permissions to manage cloud computers. | Allows a user to modify and release cloud computers, and change their billing method. |
| AliyunECDUserFullAccess | Grants permissions to manage users in EDS Enterprise. | Allows a user to create, synchronize, view, lock, and delete users; assign cloud computers; reset passwords; and manage user groups and MFA devices. |
| AliyunECDPolicyGroupFullAccess | Grants permissions to manage global security configurations and policies for EDS Enterprise. | Allows a user to manage security audits and policies, including creating, viewing, modifying, and deleting global policies and configuration items. |
| AliyunECDTechnicalSupportFullAccess | Grants technical support permissions for EDS Enterprise. | Allows a user to manage or view user cloud computers and applications. |
You can also create a custom policy to meet specific business requirements. For more information, see Create a custom policy.
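As an added example (not from the Alibaba Cloud documentation), the block below builds a custom policy document scoped to the same operations that AliyunECDRamUserAccess grants, and audits a policy for wildcard actions before it is attached to a RAM user. The "ecd:" action names are assumed from the EDS API naming and should be checked against the RAM action list for EDS Enterprise; `audit_policy` and `policy_document` are helper names chosen here.

```python
import json

# Least-privilege custom policy (constructed for this example). It mirrors the
# scope of AliyunECDRamUserAccess: query, restart, start and stop cloud
# computers. The "ecd:" action names are assumed from the EDS API naming.
LEAST_PRIVILEGE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecd:DescribeDesktops",
                "ecd:RebootDesktops",
                "ecd:StartDesktops",
                "ecd:StopDesktops",
            ],
            # Cloud computers only support account-level scope, so the
            # action list is where a custom EDS policy is narrowed.
            "Resource": "*",
        }
    ],
}

# Deliberately over-broad policy (constructed) to show what the audit flags.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ecd:*", "Resource": "*"}],
}


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per Allow statement action that uses a wildcard."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        # RAM accepts either a single action string or a list of actions.
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
    return findings


def policy_document(policy: dict) -> str:
    """Serialize a policy as the JSON text pasted into the RAM console."""
    return json.dumps(policy, indent=2)
```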
Prerequisites
A RAM user must exist. For more information, see Create a RAM user.
Procedure
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose .
Find the desired RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, configure the parameters.
| Parameter | Description |
| --- | --- |
| Authorized scope | Select Alibaba Cloud Account. This grants permissions at the account level. The resource group option is not yet supported for cloud computers. |
| Principal | The RAM user that you are authorizing is automatically selected. You can also select other RAM users. |
| Select policy | Select one or more policies. |
Click OK.
Result
After you grant the policies, the RAM user has the specified permissions to view or manage resources.
For example, a RAM user with the AliyunECDReadOnlyAccess policy can log on to the EDS Enterprise console and view cloud computer resources. If this user then clicks Create Office Network on the Office Network page, a message appears indicating that the user does not have sufficient permissions.