访问控制(RAM)是阿里云提供的管理用户身份与资源访问权限的服务。使用RAM可以让您避免与其他用户共享阿里云账号密钥,并可按需为用户授予最小权限。RAM中使用权限策略描述授权的具体内容。
本文为您介绍系统运维管理(oos)为RAM权限策略定义的操作(Action)、资源(Resource)和条件(Condition)。系统运维管理(oos)的RAM代码(RamCode)为[{"popCode":"oos","ramCodes":["oos"]}],支持的授权粒度为RESOURCE。
权限策略通用结构
权限策略支持JSON格式,其通用结构如下:
{
"Version": "1",
"Statement": [
{
"Effect": "<Effect>",
"Action": "<Action>",
"Resource": "<Resource>",
"Condition": {
"<Condition_operator>": {
"<Condition_key>": [
"<Condition_value>"
]
}
}
}
]
}
- Effect:权限策略效果。取值:Allow(允许)、Deny(拒绝)。
- Action:授予允许或拒绝权限的具体操作。具体信息,请参见操作(Action)。
- Resource:受操作影响的具体对象,您可以使用资源ARN来描述指定资源。具体信息,请参见资源(Resource)。
- Condition:指授权生效的条件。可选字段。具体信息,请参见条件(Condition)。
- Condition_operator:条件运算符,不同类型的条件对应不同的条件运算符。具体信息,请参见权限策略基本元素。
- Condition_key:条件关键字。
- Condition_value:条件关键字对应的值。
操作(Action)
下表是系统运维管理(oos)定义的操作,这些操作可以在RAM权限策略语句的Action
元素中使用,用来授予执行该操作的权限。下面对表中的具体项提供说明:- 操作:是指具体的权限点。
- API:是指操作对应的API接口。
- 访问级别:是指每个操作的访问级别,取值为写入(Write)、读取(Read)或列出(List)。
- 资源类型:是指操作中支持授权的资源类型。具体说明如下:
- 对于必选的资源类型,用背景高亮的方式表示。
- 对于不支持资源级授权的操作,用
全部资源
表示。
- 条件关键字:是指云产品自身定义的条件关键字。该列不体现适用于任何操作的通用条件关键字。
- 关联操作:是指成功执行操作所需要的其他权限。操作者必须同时具备关联操作的权限,操作才能成功。
操作 | API | 访问级别 | 资源类型 | 条件关键字 | 关联操作 |
---|---|---|---|---|---|
oos:ListExecutions | ListExecutions | list | Execution acs:oos:{#regionId}:{#accountId}:execution/*Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:ListTemplateVersions | ListTemplateVersions | list | Template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | 无 | 无 |
oos:ListApplicationGroups | ListApplicationGroups | list | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/* | 无 | 无 |
oos:UpdateApplicationGroup | UpdateApplicationGroup | update | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} | 无 | 无 |
oos:DeleteApplicationGroup | DeleteApplicationGroup | Write | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} | 无 | 无 |
oos:DeleteStateConfigurations | DeleteStateConfigurations | delete | stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId} | 无 | 无 |
oos:ListResourceExecutionStatus | ListResourceExecutionStatus | get | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:TriggerExecution | TriggerExecution | update | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | 无 | 无 |
oos:ListStateConfigurations | ListStateConfigurations | get | StateConfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/*StateConfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId} | 无 | 无 |
oos:ListParameters | ListParameters | list | Parameter acs:oos:{#regionId}:{#accountId}:parameter/* | 无 | 无 |
oos:SetServiceSettings | SetServiceSettings | update | ServiceSetting acs:oos:{#regionId}:{#accountId}:ServiceSetting | 无 | 无 |
oos:ListTagValues | ListTagValues | get | 全部资源 * | 无 | 无 |
oos:DescribeApplicationGroupBill | DescribeApplicationGroupBill | get | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#ApplicationName}/applicationgroup/{#ApplicationGroupName} | 无 | 无 |
oos:DeletePatchBaseline | DeletePatchBaseline | delete | PatchBaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#Name} | 无 | 无 |
oos:GetApplication | GetApplication | get | Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName} | 无 | 无 |
oos:ListTemplates | ListTemplates | get | Template acs:oos:{#regionId}:{#accountId}:template/*Template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:CreateApplication | CreateApplication | create | Application acs:oos:{#regionId}:{#accountId}:application/* | 无 | 无 |
oos:UpdateStateConfiguration | UpdateStateConfiguration | update | stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId} | 无 | 无 |
oos:NotifyExecution | NotifyExecution | update | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:CreateSecretParameter | CreateSecretParameter | create | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:GenerateExecutionPolicy | GenerateExecutionPolicy | get | Template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | 无 | 无 |
oos:CancelExecution | CancelExecution | update | Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:UpdateApplication | UpdateApplication | Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName} | 无 | 无 | |
oos:CreatePatchBaseline | CreatePatchBaseline | create | patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName} | 无 | 无 |
oos:GetPatchBaseline | GetPatchBaseline | get | patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName} | 无 | 无 |
oos:ContinueDeployApplicationGroup | ContinueDeployApplicationGroup | update | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} | 无 | 无 |
oos:ListPatchBaselines | ListPatchBaselines | list | PatchBaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName} | 无 | 无 |
oos:UpdateParameter | UpdateParameter | update | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:CreateApplicationGroup | CreateApplicationGroup | Write | ApplicationGroup acs:oos:{#regionId}:{#accountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} | 无 | 无 |
oos:DeleteTemplates | DeleteTemplates | delete | Template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | 无 | 无 |
oos:TagResources | TagResources | update | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:ListApplications | ListApplications | list | Application acs:oos:{#regionId}:{#accountId}:application/* | 无 | 无 |
oos:GetParameter | GetParameter | get | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:GetApplicationGroup | GetApplicationGroup | get | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} | 无 | 无 |
oos:DescribeRegions | DescribeRegions | get | 全部资源 * | 无 | 无 |
oos:ListExecutionLogs | ListExecutionLogs | get | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:ListExecutionRiskyTasks | ListExecutionRiskyTasks | get | template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:DeployApplicationGroup | DeployApplicationGroup | update | ApplicationGroup acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} | 无 | 无 |
oos:ListTagResources | ListTagResources | get | Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}Template acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}StateConfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId}Parameter acs:oos:{#regionId}:{#accountId}:parameter/{#ParameterName}SecretParameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#SecretParameterName}OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}PatchBaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName}Execution acs:oos:{#regionId}:{#accountId}:execution/*Template acs:oos:{#regionId}:{#accountId}:template/*OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/*SecretParameter acs:oos:{#regionId}:{#accountId}:secretparameter/*PatchBaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/*StateConfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/*Parameter acs:oos:{#regionId}:{#accountId}:parameter/* | oos:tag | 无 |
oos:DeleteApplication | DeleteApplication | delete | Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName} | 无 | 无 |
oos:ListOpsItems | ListOpsItems | list | OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/* | 无 | 无 |
oos:ChangeResourceGroup | ChangeResourceGroup | update | Template acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}StateConfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId}Parameter acs:oos:{#regionId}:{#accountId}:parameter/{#ParameterName}SecretParameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#SecretParameterName}OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}PatchBaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName}Execution acs:oos:{#regionId}:{#accountId}:execution/{#ExecutionId} | 无 | 无 |
oos:ValidateTemplateContent | ValidateTemplateContent | get | 全部资源 * | 无 | 无 |
oos:StartExecution | StartExecution | update | Execution acs:oos:{#regionId}:{#accountId}:execution/* | oos:tag oos:IsOOSAssumeRole | 无 |
oos:UpdateOpsItem | UpdateOpsItem | update | OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId} | 无 | 无 |
oos:ListParameterVersions | ListParameterVersions | list | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:UpdateInstancePackageState | UpdateInstancePackageState | update | Template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:ListTaskExecutions | ListTaskExecutions | get | Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:DeleteParameter | DeleteParameter | delete | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:ListInstancePackageStates | ListInstancePackageStates | list | Template acs:oos:{#regionId}:{#accountId}:template/{#templateNames} | oos:tag | 无 |
oos:GetServiceSettings | GetServiceSettings | get | ServiceSetting acs:oos:{#regionId}:{#accountId}:ServiceSetting | 无 | 无 |
oos:DeleteSecretParameter | DeleteSecretParameter | delete | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:ListSecretParameterVersions | ListSecretParameterVersions | list | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:UpdateExecution | UpdateExecution | update | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | 无 | 无 |
oos:GetOpsItem | GetOpsItem | get | OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId} | 无 | 无 |
oos:UpdateSecretParameter | UpdateSecretParameter | update | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:GetParametersByPath | GetParametersByPath | get | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:UntagResources | UntagResources | update | execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:DeleteExecutions | DeleteExecutions | delete | Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:UpdateTemplate | UpdateTemplate | update | template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:CreateOpsItem | CreateOpsItem | create | OpsItem acs:oos:{#regionId}:{#accountId}:opsitem/* | 无 | 无 |
oos:GetInventorySchema | GetInventorySchema | get | 全部资源 * | 无 | 无 |
oos:GetTemplate | GetTemplate | get | template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:UpdatePatchBaseline | UpdatePatchBaseline | update | patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName} | 无 | 无 |
oos:ListInventoryEntries | ListInventoryEntries | get | 全部资源 * | 无 | 无 |
oos:ListInstancePatches | ListInstancePatches | list | 全部资源 * | 无 | 无 |
oos:GetSecretParametersByPath | GetSecretParametersByPath | get | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:ListTagKeys | ListTagKeys | get | 全部资源 * | 无 | 无 |
oos:CreateStateConfiguration | CreateStateConfiguration | create | StateConfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/* | 无 | 无 |
oos:GetSecretParameter | GetSecretParameter | get | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:GetExecutionTemplate | GetExecutionTemplate | get | Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} | oos:tag | 无 |
oos:ListSecretParameters | ListSecretParameters | list | SecretParameter acs:oos:{#regionId}:{#accountId}:secretparameter/* | 无 | 无 |
oos:DeleteTemplate | DeleteTemplate | delete | Template acs:oos:{#regionId}:{#accountId}:template/{#templateName} | oos:tag | 无 |
oos:RegisterDefaultPatchBaseline | RegisterDefaultPatchBaseline | update | patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName} | 无 | 无 |
oos:SearchInventory | SearchInventory | get | 全部资源 * | 无 | 无 |
oos:CreateParameter | CreateParameter | create | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:ListInstancePatchStates | ListInstancePatchStates | list | 全部资源 * | 无 | 无 |
oos:GetSecretParameters | GetSecretParameters | get | secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} | 无 | 无 |
oos:GetParameters | GetParameters | get | parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} | 无 | 无 |
oos:CreateTemplate | CreateTemplate | create | Template acs:oos:{#regionId}:{#accountId}:template/* | oos:tag | 无 |
资源(Resource)
下表是系统运维管理(oos)定义的资源,这些资源可以在RAM权限策略语句的Resource
元素中使用,用来授予对该资源执行具体操作的权限。 其中,资源ARN是资源在阿里云上的唯一标识。具体说明如下:{#}
为变量标识,需要您替换为实际值。例如:{#ramcode}
需要您替换为实际的云服务RAM代码。-
*
表示全部。例如:{#resourceType}
为*
时:表示全部资源。{#regionId}
为*
时:表示全部地域。{#accountId}
为*
时:表示全部阿里云账号。
资源类型 | 资源ARN |
---|---|
Execution | acs:oos:{#regionId}:{#accountId}:execution/* |
Execution | acs:oos:{#regionId}:{#accountId}:execution/{#executionId} |
Template | acs:oos:{#regionId}:{#accountId}:template/{#templateName} |
ApplicationGroup | acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/* |
ApplicationGroup | acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} |
stateconfiguration | acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId} |
execution | acs:oos:{#regionId}:{#accountId}:execution/{#executionId} |
StateConfiguration | acs:oos:{#regionId}:{#accountId}:stateconfiguration/* |
StateConfiguration | acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId} |
Parameter | acs:oos:{#regionId}:{#accountId}:parameter/* |
ServiceSetting | acs:oos:{#regionId}:{#accountId}:ServiceSetting |
tags | acs:oos:{#regionId}:{#accountId}:tags/* |
PatchBaseline | acs:oos:{#regionId}:{#accountId}:patchbaseline/{#Name} |
Application | acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName} |
Template | acs:oos:{#regionId}:{#accountId}:template/* |
Application | acs:oos:{#regionId}:{#accountId}:application/* |
OpsItem | acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId} |
template | acs:oos:{#regionId}:{#accountId}:template/{#templateName} |
secretparameter | acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName} |
patchbaseline | acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName} |
PatchBaseline | acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName} |
parameter | acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName} |
Parameter | acs:oos:{#regionId}:{#accountId}:parameter/{#ParameterName} |
SecretParameter | acs:oos:{#regionId}:{#accountId}:secretparameter/{#SecretParameterName} |
OpsItem | acs:oos:{#regionId}:{#accountId}:opsitem/* |
SecretParameter | acs:oos:{#regionId}:{#accountId}:secretparameter/* |
PatchBaseline | acs:oos:{#regionId}:{#accountId}:patchbaseline/* |
OpsItemConfiguration | acs:oos:{#regionId}:{#accountId}:opsitemconfiguration/{#ConfigurationId} |
Template | acs:oos:{#regionId}:{#accountId}:template/{#templateNames} |
OpsItemConfiguration | acs:oos:{#regionId}:{#accountId}:OpsItemConfiguration/* |
条件(Condition)
下表是系统运维管理(oos)定义的产品级条件关键字,这些条件关键字可以在RAM权限策略语句的
Condition
元素中使用,用来描述授予权限的条件。以下仅列举产品级的条件关键字,阿里云定义的通用条件关键字也同样适用系统运维管理(oos)。其中,数据类型决定了您可以使用哪些条件运算符将请求中的值与权限策略语句中的值进行比较。您必须使用与数据类型匹配的条件运算符,否则无法匹配策略语句,授权行为无效。数据类型与条件运算符的对应关系,请参见条件操作类型。
条件关键字 | 描述 | 类型 |
---|---|---|
oos:tag | OOS的标签信息,与标签键组成条件关键字oos:tag/<tag-key>。示例值:假设标签为team:dev, 则此处条件关键字和值的写法 "oos:tag/team": "dev" | String |
oos:IsOOSAssumeRole | OOS StartExecution 是否通过AssumeRole方式调用 | Boolean |