For customers with complex organizational structures and a large number of cloud computers, it is often necessary to create sub-administrators to assist the main administrator with management tasks. However, following the principle of least privilege, a best practice in information security, you should not grant full feature and data permissions to every sub-administrator. This topic describes how to use the permission management module of Elastic Desktop Service (EDS) to implement feature-level and data-level permission isolation for sub-administrators.
Use cases
When you log on to the Elastic Desktop Service (EDS) console with your Alibaba Cloud account, you have full permissions to access all features and manage all resources. For large organizations with complex structures and numerous cloud computers, relying on a single administrator can create an excessive workload and may violate internal permission isolation policies. To address this, you can create one or more sub-administrators to share management tasks. This approach typically involves the following requirements:
Feature-level permission isolation: For example, sub-administrator A can only create and manage users, but not cloud computers, while sub-administrator B can only view all data.
Data-level permission isolation: For example, sub-administrator C can only manage cloud computers for the R&D department, while sub-administrator D can only manage cloud computers for the design department.
Solution
The permission management module of Elastic Desktop Service (EDS) is designed to meet these requirements.
The module addresses these challenges from the following dimensions:
Personnel dimension: You can create sub-administrators. A sub-administrator's assigned role defines their feature permissions, while the resource groups they are authorized to manage define their data permissions.
Feature dimension: You can use built-in roles or create custom roles. A role is a collection of permissions that defines which console modules a user can access and what actions they can perform. This implements feature-level permission isolation. The built-in roles include:
Super Administrator: Has full permissions to use all features and manage all cloud resources. Only the Super Administrator can create and manage other administrators.
System Administrator: Has permissions to manage cloud resources, authorize resource access, monitor system status, and perform O&M tasks. Does not have permission to create or manage users.
Security Audit Administrator: Has read-only permissions. Can view data in the console but cannot perform any create, modify, delete, or O&M operations.
Security Administrator: Has permissions to create and manage users and monitor security data processing status, but cannot manage cloud resources.
Data dimension: You can create resource groups. A resource group is a collection of cloud computer resources used to implement permission isolation.
Therefore, the permission management module allows you to easily address the use cases described above.
Requirement | Solution |
Feature-level permission isolation (for example, sub-administrator A manages users only, sub-administrator B views data only) | Assign a built-in or custom role to the sub-administrator. The role defines which console modules the sub-administrator can access and which actions they can perform. |
Data-level permission isolation (for example, sub-administrator C manages R&D cloud computers only, sub-administrator D manages design cloud computers only) | Create a resource group per department, transfer the department's cloud computers into it, and authorize each sub-administrator to manage only that resource group. |
Create a role
You can use built-in roles or create custom roles as needed. You can then assign roles to sub-administrators to implement feature-level permission isolation.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose . On the Administrator Permissions page, click the Role tab.
On the Role tab, click Create Role, configure the following parameters, and then click OK.
Name: Enter a name for the role.
Parent Role: Select a parent role from the built-in roles.
When you select a parent role, the system loads its permissions into the Configure Permission section for you to customize.
(Optional) Description: Enter a description for the role to distinguish it from others.
Create a resource group
You can create resource groups and add cloud computers to them as needed. You can then authorize sub-administrators to access specific resource groups to implement data-level permission isolation.
In the left-side navigation pane, choose .
On the Resource Group page, click Create Resource Group and enter a Name in the dialog box that appears.
Note: Name requirements: The name can be up to 30 characters long. It must start with an uppercase or lowercase letter or a Chinese character, and cannot start with http:// or https://. Supported characters include Chinese characters, English letters, digits, colons (:), underscores (_), periods (.), and hyphens (-).
In the Configure Resources and Authorize dialog box, click Go Now.
On the Resource Management tab, click Transfer In, select the cloud computers that you want to add to the resource group, and then click OK.
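The resource group name rule above is easy to get wrong when names are generated by a script (for example, a department name such as "R&D" contains an unsupported character). The following validator is an added example, not code from the EDS console or SDK; it encodes the rule exactly as stated in the note. The Unicode range used for "Chinese character" (the CJK Unified Ideographs block, U+4E00 to U+9FFF) and the assumption that "30 characters" means 30 code points are mine, not the page's.

```python
import re

# Assumption: "Chinese character" means the CJK Unified Ideographs block.
_CJK = "\u4e00-\u9fff"
# First character: letter or Chinese character; up to 29 more from the allowed set.
_NAME_RE = re.compile(rf"^[A-Za-z{_CJK}][A-Za-z0-9{_CJK}:_.\-]{{0,29}}$")
_ALLOWED_CHAR = re.compile(rf"[A-Za-z0-9{_CJK}:_.\-]")


def validate_resource_group_name(name: str) -> tuple[bool, str]:
    """Check a candidate EDS resource group name against the console's rule.

    Returns (ok, reason). The checks are ordered from coarse to fine so the
    reason names the most useful problem to fix first.
    """
    if not name:
        return False, "name is empty"
    if len(name) > 30:
        return False, "longer than 30 characters"
    if name.startswith(("http://", "https://")):
        return False, "must not start with http:// or https://"
    if not re.match(rf"[A-Za-z{_CJK}]", name[0]):
        return False, "must start with a letter or a Chinese character"
    if not _NAME_RE.match(name):
        # Report every offending character so a script can fix them in one pass.
        bad = sorted({c for c in name if not _ALLOWED_CHAR.match(c)})
        return False, f"unsupported characters: {bad}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, including the department-name pitfall.
    for candidate in ("rd-dept", "设计部_01", "R&D", "1rd", "http://rd", "a" * 31):
        print(repr(candidate), validate_resource_group_name(candidate))
```

Run the validator before calling any automation that creates resource groups, and map a department label such as "R&D" to an allowed form such as "rd-dept" rather than letting the console reject it mid-run.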
Next steps
The created resource group is displayed on the Resource Group page.
To add or remove authorized sub-administrators for a resource group, find the target resource group, click Actions in the Manage Authorization column, and then click Authorize Administrator. Configure the settings in the Authorize Administrator panel.
Note: If the sub-administrator you want to authorize is not listed, click Create Administrator.
To add or remove resources in a resource group, find the target resource group and click Actions in the Resource Management column.
Create and authorize a sub-administrator
When creating a sub-administrator, you assign a role for feature-level permission isolation and grant permissions based on resource types and resource groups for data-level permission isolation.
In the left-side navigation pane, choose .
On the Administrator Permissions page, click Create Administrator, configure the following parameters, and then click Create.
Associate with RAM User: Sub-administrators require a RAM user to log on to the console and perform management tasks. You can perform one of the following operations:
Select an existing RAM user under the current Alibaba Cloud account: Select Existing RAM Users and choose a user from the drop-down list.
Create a new RAM user: Select Create RAM User and click Confirm.
Note: The system sends the RAM user's username and initial password to the email address or mobile number you provide.
Nickname: Enter the display name for the sub-administrator.
Role: Select a built-in or a custom role for the sub-administrator. This determines the user's feature permissions.
Email: Enter the email address of the sub-administrator to receive notifications, such as RAM user logon credentials.
(Optional) Phone: Enter the mobile number of the sub-administrator to receive notifications, such as RAM user logon credentials.
On the Administrator Permissions page, find the sub-administrator that you created, and click Actions in the Manage Authorization column.
In the Manage Authorization panel, set the authorization scope for the sub-administrator and click OK. You can grant permissions by resource type and by resource group. The sub-administrator's final authorization scope is the union of the permissions granted by both methods, so a broad grant is never narrowed by a narrow one.
Resource Type: You can select Cloud Computer or User.
Important: If you select a resource type, the sub-administrator gains full management permissions for all existing and future resources of that type. For example, if you select Cloud Computer, the sub-administrator can manage all existing and future cloud computers under the current Alibaba Cloud account, including cloud computers in resource groups you did not authorize and cloud computers created later. To restrict a sub-administrator to one department's cloud computers, leave Resource Type unselected and authorize only the required resource groups.
Resource Group: In the Available Resource Group area, select the desired resource groups and click the icon to move them to the Authorized Resource Group area.
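The interaction between the role (feature scope) from the Solution section and the Manage Authorization scope (resource types unioned with resource groups) is where misconfigurations hide, in particular a resource-type grant silently widening a sub-administrator meant to be department-scoped. The following is an added model of that decision logic, written for this page; it is not EDS code, and the reduction of the built-in roles to three actions (view, manage cloud computers, manage users), the single-group membership of a cloud computer, and all names and resource IDs are constructed assumptions.

```python
"""Model of EDS sub-administrator authorization: role = feature scope,
resource types and resource groups = data scope, final scope = union."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    VIEW = "view"
    MANAGE_CLOUD_COMPUTERS = "manage_cloud_computers"
    MANAGE_USERS = "manage_users"


class ResourceType(Enum):
    CLOUD_COMPUTER = "Cloud Computer"
    USER = "User"


# Feature permissions of the built-in roles, reduced to three actions.
# The console is finer-grained; this coarse mapping is an assumption.
BUILT_IN_ROLES = {
    "Super Administrator": set(Action),
    "System Administrator": {Action.VIEW, Action.MANAGE_CLOUD_COMPUTERS},
    "Security Audit Administrator": {Action.VIEW},
    "Security Administrator": {Action.VIEW, Action.MANAGE_USERS},
}

# Resource type each management action applies to (VIEW applies to every type).
ACTION_TARGET = {
    Action.MANAGE_CLOUD_COMPUTERS: ResourceType.CLOUD_COMPUTER,
    Action.MANAGE_USERS: ResourceType.USER,
}


def create_role(roles, name, parent, add=(), remove=()):
    """Custom role: load a built-in parent's permissions, then customize them."""
    perms = (set(roles[parent]) | set(add)) - set(remove)
    roles[name] = perms
    return perms


@dataclass(frozen=True)
class Resource:
    kind: ResourceType
    name: str
    resource_group: Optional[str] = None  # assumption: a computer is in at most one group


@dataclass
class SubAdministrator:
    nickname: str
    role: str
    resource_types: set = field(default_factory=set)   # ALL existing and future of type
    resource_groups: set = field(default_factory=set)  # only the group's current members


def in_data_scope(admin, resource):
    """Data-level check: union of resource-type grants and resource-group grants."""
    if resource.kind in admin.resource_types:
        return True  # type grant covers resources created later, in any group
    if resource.kind is ResourceType.CLOUD_COMPUTER:
        return resource.resource_group in admin.resource_groups
    return False  # users can only be granted by resource type


def is_allowed(roles, admin, action, resource):
    """Feature-level check via the role first, then the data-level check."""
    if action not in roles.get(admin.role, set()):
        return False
    if action in ACTION_TARGET and resource.kind is not ACTION_TARGET[action]:
        return False
    return in_data_scope(admin, resource)


def manageable(roles, admin, inventory):
    """Names of inventory resources the admin can manage; handy for access reviews."""
    return {r.name for r in inventory
            if any(is_allowed(roles, admin, a, r) for a in ACTION_TARGET)}


# Constructed sample inventory and sub-administrators (not real IDs or accounts).
INVENTORY = [
    Resource(ResourceType.CLOUD_COMPUTER, "pc-rd-01", "rd-dept"),
    Resource(ResourceType.CLOUD_COMPUTER, "pc-design-01", "design-dept"),
    Resource(ResourceType.CLOUD_COMPUTER, "pc-new-01"),  # created later, not yet in a group
    Resource(ResourceType.USER, "alice"),
]
ROLES = dict(BUILT_IN_ROLES)
create_role(ROLES, "User Admin", "Super Administrator", remove={Action.MANAGE_CLOUD_COMPUTERS})

ADMIN_A = SubAdministrator("A", "User Admin", resource_types={ResourceType.USER})
ADMIN_B = SubAdministrator("B", "Security Audit Administrator", resource_types=set(ResourceType))
ADMIN_C = SubAdministrator("C", "System Administrator", resource_groups={"rd-dept"})
ADMIN_D = SubAdministrator("D", "System Administrator", resource_groups={"design-dept"})
# E was meant to be scoped to rd-dept, but Resource Type "Cloud Computer" was also selected.
ADMIN_E = SubAdministrator("E", "System Administrator",
                           resource_types={ResourceType.CLOUD_COMPUTER},
                           resource_groups={"rd-dept"})

if __name__ == "__main__":
    for admin in (ADMIN_A, ADMIN_B, ADMIN_C, ADMIN_D, ADMIN_E):
        print(admin.nickname, admin.role, sorted(manageable(ROLES, admin, INVENTORY)))
```

Sub-administrator E illustrates the union rule: the resource-group grant changes nothing once a resource-type grant is present, so E can manage the design department's cloud computer and the ungrouped new one as well. A periodic review that runs a `manageable`-style query against the real inventory, rather than reading the authorization panel, is the quickest way to catch that.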
EDS Enterprise and Cloud Phone share the same tiered access control module. Permissions granted in one product's console apply to the corresponding features in both products.