During data development, some users with strict permission control requirements need a RAM user to be able to log on only from a specific IP address within the company. This article describes how to restrict a RAM user so that it can log on to DataWorks only from a specific local IP address.

Prerequisites

First, create a RAM user and grant it permissions as described in Create a RAM user. The permission AliyunDataworksFullAccess is a default system permission and cannot be modified, so you need to create an additional custom authorization policy.

Configure a custom permission policy

Log on to the RAM console and click Create Policy in the Policies column to open the edit page. In this case, the policy name is dataworksIPlimit1.

Select Script as the configuration mode and enter your custom policy.

The complete content of the custom policy is shown below. "acs:SourceIp" is the IP address that is allowed to access DataWorks. In this example, it is 100.1.1.1/32. After entering the information, click OK to create the authorization.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["dataworks:*"],
      "Resource": ["acs:dataworks:*:*:*"],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": "100.1.1.1/32"
        }
      }
    }
  ]
}

Add custom permissions

On the RAM console, click Identities > Users, choose the RAM user you want to control, and click Add Permissions.

Select Custom Policy, add the custom policy you just created to the Selected list, and click OK.

Verification

Log on to the DataWorks console from an IP address outside 100.1.1.1/32. The login fails.
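
The result above can be reasoned about offline with the following added example (not Alibaba Cloud code), a simplified model of how the Deny statement in dataworksIPlimit1 combines with the Allow from AliyunDataworksFullAccess. `FULL_ACCESS`, the action name and the resource string are constructed stand-ins, and only the IpAddress and NotIpAddress operators are modelled.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the Allow in AliyunDataworksFullAccess (not its real body).
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["dataworks:*"], "Resource": ["*"]}]}
# The custom policy from this page (dataworksIPlimit1).
IP_LIMIT = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["dataworks:*"],
    "Resource": ["acs:dataworks:*:*:*"],
    "Condition": {"NotIpAddress": {"acs:SourceIp": "100.1.1.1/32"}}}]}


def in_any(source_ip, cidrs):
    """True if source_ip is inside at least one CIDR (a string or a list)."""
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_holds(cond, source_ip):
    """Model only IpAddress / NotIpAddress on acs:SourceIp."""
    for op, body in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not modelled: {op}")
        inside = in_any(source_ip, body["acs:SourceIp"])
        if inside != (op == "IpAddress"):
            return False
    return True


def evaluate(policies, action, resource, source_ip):
    """Explicit Deny wins; with no matching Allow the result is an implicit Deny."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            matches = (any(fnmatchcase(action, a) for a in st["Action"])
                       and any(fnmatchcase(resource, r) for r in st["Resource"])
                       and condition_holds(st.get("Condition", {}), source_ip))
            if matches and st["Effect"] == "Deny":
                return "Deny"
            allowed = allowed or matches
    return "Allow" if allowed else "Deny"


# Constructed request values (hypothetical action and resource names).
ACTION, RESOURCE = "dataworks:ExampleAction", "acs:dataworks:cn-hangzhou:1234567890123456:example"
if __name__ == "__main__":
    for ip in ("100.1.1.1", "100.1.1.2"):
        print(ip, evaluate([FULL_ACCESS, IP_LIMIT], ACTION, RESOURCE, ip))
```

Because dataworksIPlimit1 contains only a Deny statement, it grants nothing by itself: the RAM user still needs AliyunDataworksFullAccess (or another Allow) attached for logins from 100.1.1.1 to succeed.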