ALIYUN::CloudSSO::UserProvision

The ALIYUN::CloudSSO::UserProvision type is used to create a RAM user provisioning, which synchronizes a CloudSSO user or group to RAM users in a target account.

Syntax

{
  "Type": "ALIYUN::CloudSSO::UserProvision",
  "Properties": {
    "Description": String,
    "DirectoryId": String,
    "PrincipalId": String,
    "TargetType": String,
    "DuplicationStrategy": String,
    "DeletionStrategy": String,
    "PrincipalType": String,
    "TargetId": String
  }
}

Properties

DeletionStrategy
Type: String
Required: Yes
Description: Deletion strategy. How the RAM users that have already been synchronized are handled when the RAM user provisioning is deleted. Valid values:

  • Delete: delete. When the RAM user provisioning is deleted, the RAM users that were synchronized from CloudSSO to RAM are deleted.

  • Keep: keep. When the RAM user provisioning is deleted, the RAM users that were synchronized from CloudSSO to RAM are retained.

DirectoryId
Type: String
Required: Yes
Description: The ID of the directory.

DuplicationStrategy
Type: String
Required: Yes
Description: Conflict strategy. How to proceed when a CloudSSO user is synchronized to RAM and a RAM user with the same name already exists. Valid values:

  • KeepBoth: keep both. If a RAM user with the same name already exists, the suffix _sso is appended to the CloudSSO user's username and a RAM user with that name is created.

  • TakeOver: take over. If a RAM user with the same name already exists, the existing RAM user is replaced by the synchronized CloudSSO user.

PrincipalId
Type: String
Required: Yes
Description: The ID of the principal of the RAM user provisioning. Valid values:

  • When PrincipalType is Group, the ID of the CloudSSO group (g-********).

  • When PrincipalType is User, the ID of the CloudSSO user (u-********).

PrincipalType
Type: String
Required: Yes
Description: The type of the principal of the RAM user provisioning. Valid values:

  • User: the principal of the RAM user provisioning is a CloudSSO user.

  • Group: the principal of the RAM user provisioning is a CloudSSO group.

TargetId
Type: String
Required: Yes
Description: The ID of the target of the RAM user provisioning. Currently, this is the ID of the RD account.

TargetType
Type: String
Required: Yes
Description: The type of the target of the RAM user provisioning. Currently, the only value is RD-Account.

Description
Type: String
Required: No
Description: The description.

Return values

Fn::GetAtt

UserProvisionId: the ID of the RAM user provisioning.
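As an added example that is not part of the original page, the following Python pre-deployment check validates the Properties of every ALIYUN::CloudSSO::UserProvision resource in an ROS template against the constraints documented above (required properties, allowed values, and the g-/u- prefix that PrincipalId must carry for each PrincipalType), and flags the two settings that change or remove existing RAM users (TakeOver and Delete) for explicit review. It assumes property values are literals rather than Ref/Fn:: intrinsics, and all IDs in the sample are constructed placeholders.

```python
# Allowed values documented for ALIYUN::CloudSSO::UserProvision.
ALLOWED = {
    "DeletionStrategy": {"Delete", "Keep"},
    "DuplicationStrategy": {"KeepBoth", "TakeOver"},
    "PrincipalType": {"User", "Group"},
    "TargetType": {"RD-Account"},
}
# PrincipalId prefix documented for each PrincipalType.
ID_PREFIX = {"User": "u-", "Group": "g-"}
REQUIRED = ("DirectoryId", "PrincipalId", "PrincipalType", "TargetId",
            "TargetType", "DuplicationStrategy", "DeletionStrategy")

def check_user_provision(props):
    """Return a list of findings for one Properties block (literal values, Refs unresolved)."""
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append(f"missing required property {key}")
    for key, allowed in ALLOWED.items():
        if key in props and props[key] not in allowed:
            findings.append(f"{key}={props[key]!r} not in {sorted(allowed)}")
    ptype, pid = props.get("PrincipalType"), props.get("PrincipalId", "")
    if ptype in ID_PREFIX and not pid.startswith(ID_PREFIX[ptype]):
        findings.append(f"PrincipalId {pid!r} should start with {ID_PREFIX[ptype]!r} for {ptype}")
    # Strategies that overwrite or remove existing RAM users deserve an explicit review.
    if props.get("DuplicationStrategy") == "TakeOver":
        findings.append("review: TakeOver replaces an existing RAM user of the same name")
    if props.get("DeletionStrategy") == "Delete":
        findings.append("review: Delete removes synchronized RAM users when the provisioning is deleted")
    return findings

def check_template(template):
    """Run the checks over every UserProvision resource in a template (parsed JSON/YAML dict)."""
    return {
        name: check_user_provision(res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "ALIYUN::CloudSSO::UserProvision"
    }

# Constructed sample Properties blocks; all IDs are placeholders, not real identifiers.
GOOD = {"DirectoryId": "d-00example", "PrincipalType": "Group", "PrincipalId": "g-00example",
        "TargetType": "RD-Account", "TargetId": "123456789012****",
        "DuplicationStrategy": "KeepBoth", "DeletionStrategy": "Keep"}
# Same block with a mismatched prefix and the two strategies that should be reviewed.
BAD = dict(GOOD, PrincipalType="User", DuplicationStrategy="TakeOver", DeletionStrategy="Delete")
SAMPLE = {"Resources": {
    "GroupSync": {"Type": "ALIYUN::CloudSSO::UserProvision", "Properties": GOOD},
    "UserSync": {"Type": "ALIYUN::CloudSSO::UserProvision", "Properties": BAD},
}}
```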

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  DeletionStrategy:
    AllowedValues:
    - Delete
    - Keep
    Description:
      en: 'Delete policy. The treatment strategy for the synchronized RAM users when
        the RAM user synchronization is removed. Valid values:

        - Delete: Delete When the RAM user synchronization is removed, the RAM users
        that have been synchronized to the RAM from the cloud SSO are deleted.

        - Keep: When the RAM user synchronization is removed, the RAM users that have
        been synchronized to the RAM from the cloud SSO are retained.'
    Required: true
    Type: String
  Description:
    AssociationProperty: TextArea
    Description:
      en: The description of the user.
    Required: false
    Type: String
  DirectoryId:
    Description:
      en: The ID of the directory.
    Required: true
    Type: String
  DuplicationStrategy:
    AllowedValues:
    - KeepBoth
    - TakeOver
    Description:
      en: 'Conflict policy. When the cloud SSO user is synchronized to the RAM, the
        processing strategy if there is a user with the same name in the RAM. Valid
        values:

        - KeepBoth: Keep both of them. When the cloud SSO user is synchronized to
        RAM, if the RAM already has a user with the same name, it will try to create
        a RAM user with the user name after adding the suffix _sso to the user name
        of the cloud SSO user.

        - TakeOver: Take over. When the cloud SSO user is synchronized to the RAM,
        if the RAM already has a user with the same name, the existing RAM user is
        directly replaced by the cloud SSO synchronization user.'
    Required: true
    Type: String
  PrincipalId:
    Description:
      en: 'The ID of the principal. Valid values:

        - When the PrincipalType value is Group, the value is the cloud SSO user group
        ID (g-********).

        - When PrincipalType takes the value User, this value is the cloud SSO user
        ID (u-********).'
    Required: true
    Type: String
  PrincipalType:
    AllowedValues:
    - User
    - Group
    Description:
      en: 'The type of the principal. Valid values:

        - User: The principal is a cloud SSO user.

        - Group: The principal is a cloud SSO group.'
    Required: true
    Type: String
  TargetId:
    Description:
      en: Target ID for RAM user synchronization. Currently, it is the RD account
        ID.
    Required: true
    Type: String
  TargetType:
    AllowedValues:
    - RD-Account
    Description:
      en: Target type for RAM user synchronization. Currently, it is RD-Account.
    Required: true
    Type: String
Resources:
  UserProvision:
    Properties:
      DeletionStrategy:
        Ref: DeletionStrategy
      Description:
        Ref: Description
      DirectoryId:
        Ref: DirectoryId
      DuplicationStrategy:
        Ref: DuplicationStrategy
      PrincipalId:
        Ref: PrincipalId
      PrincipalType:
        Ref: PrincipalType
      TargetId:
        Ref: TargetId
      TargetType:
        Ref: TargetType
    Type: ALIYUN::CloudSSO::UserProvision
Outputs:
  UserProvisionId:
    Description: The ID of the user provisioning.
    Value:
      Fn::GetAtt:
      - UserProvision
      - UserProvisionId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Description": {
      "AssociationProperty": "TextArea",
      "Type": "String",
      "Description": {
        "en": "The description of the user."
      },
      "Required": false
    },
    "DirectoryId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the directory."
      },
      "Required": true
    },
    "PrincipalId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the principal. Valid values:\n- When the PrincipalType value is Group, the value is the cloud SSO user group ID (g-********).\n- When PrincipalType takes the value User, this value is the cloud SSO user ID (u-********)."
      },
      "Required": true
    },
    "TargetType": {
      "Type": "String",
      "Description": {
        "en": "Target type for RAM user synchronization. Currently, it is RD-Account."
      },
      "AllowedValues": [
        "RD-Account"
      ],
      "Required": true
    },
    "DuplicationStrategy": {
      "Type": "String",
      "Description": {
        "en": "Conflict policy. When the cloud SSO user is synchronized to the RAM, the processing strategy if there is a user with the same name in the RAM. Valid values:\n- KeepBoth: Keep both of them. When the cloud SSO user is synchronized to RAM, if the RAM already has a user with the same name, it will try to create a RAM user with the user name after adding the suffix _sso to the user name of the cloud SSO user.\n- TakeOver: Take over. When the cloud SSO user is synchronized to the RAM, if the RAM already has a user with the same name, the existing RAM user is directly replaced by the cloud SSO synchronization user."
      },
      "AllowedValues": [
        "KeepBoth",
        "TakeOver"
      ],
      "Required": true
    },
    "DeletionStrategy": {
      "Type": "String",
      "Description": {
        "en": "Delete policy. The treatment strategy for the synchronized RAM users when the RAM user synchronization is removed. Valid values:\n- Delete: Delete When the RAM user synchronization is removed, the RAM users that have been synchronized to the RAM from the cloud SSO are deleted.\n- Keep: When the RAM user synchronization is removed, the RAM users that have been synchronized to the RAM from the cloud SSO are retained."
      },
      "AllowedValues": [
        "Delete",
        "Keep"
      ],
      "Required": true
    },
    "PrincipalType": {
      "Type": "String",
      "Description": {
        "en": "The type of the principal. Valid values:\n- User: The principal is a cloud SSO user.\n- Group: The principal is a cloud SSO group."
      },
      "AllowedValues": [
        "User",
        "Group"
      ],
      "Required": true
    },
    "TargetId": {
      "Type": "String",
      "Description": {
        "en": "Target ID for RAM user synchronization. Currently, it is the RD account ID."
      },
      "Required": true
    }
  },
  "Resources": {
    "UserProvision": {
      "Type": "ALIYUN::CloudSSO::UserProvision",
      "Properties": {
        "Description": {
          "Ref": "Description"
        },
        "DirectoryId": {
          "Ref": "DirectoryId"
        },
        "PrincipalId": {
          "Ref": "PrincipalId"
        },
        "TargetType": {
          "Ref": "TargetType"
        },
        "DuplicationStrategy": {
          "Ref": "DuplicationStrategy"
        },
        "DeletionStrategy": {
          "Ref": "DeletionStrategy"
        },
        "PrincipalType": {
          "Ref": "PrincipalType"
        },
        "TargetId": {
          "Ref": "TargetId"
        }
      }
    }
  },
  "Outputs": {
    "UserProvisionId": {
      "Description": "The ID of the user provisioning.",
      "Value": {
        "Fn::GetAtt": [
          "UserProvision",
          "UserProvisionId"
        ]
      }
    }
  }
}