This topic describes how to allow a RAM user to log on to DataWorks only from a specific local IP address.

Prerequisites

A RAM user is created and granted the required permissions. For more information, see Prepare a RAM user. The AliyunDataWorksFullAccess system policy cannot be modified, so you must create a custom policy to define the IP address restriction.

Create a custom policy

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Configure the custom policy in the code editor.
    The following code shows a sample policy document. In the policy, set the acs:SourceIp parameter to the IP address that you want to use to access DataWorks. You can specify multiple IP addresses. For more information about the parameters in the policy, see Policy elements.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "dataworks:*"
                ],
                "Resource": [
                    "acs:dataworks:*:*:*"
                ],
                "Condition": {
                    "NotIpAddress": {
                        "acs:SourceIp": [
                            "10.0.0.0",
                            "192.168.0.0"
                        ]
                    }
                }
            }
        ]
    }
  6. Enter the policy document and click Next to edit policy information.
    For more information about the syntax and structure of policies, see Policy structure and syntax.
  7. Specify the Name and Description fields.
  8. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  9. Click OK.
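
The following Python sketch is an added example, not part of the original topic or Alibaba Cloud code. It is a simplified model of how the Deny statement from step 5 treats a request's source IP address. It assumes that a bare address in acs:SourceIp matches a single host and that CIDR entries such as 10.0.0.0/8 are accepted; the action name dataworks:ExampleAction is hypothetical.

```python
import fnmatch
import ipaddress
import json

# Policy document from step 5 of this topic (sample addresses as given there).
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["dataworks:*"],
    "Resource": ["acs:dataworks:*:*:*"],
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0", "192.168.0.0"]}}
  }]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_denied(policy, action, source_ip):
    """True if a Deny statement applies (models Effect, Action, NotIpAddress only)."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        cond = stmt.get("Condition")
        if not cond:
            return True  # unconditional Deny
        entries = cond.get("NotIpAddress", {}).get("acs:SourceIp")
        if entries is None:
            raise ValueError("condition not covered by this simplified model")
        # Assumption: a bare address is one host (/32); CIDR entries cover a range.
        nets = [ipaddress.ip_network(e, strict=False) for e in _as_list(entries)]
        if not any(addr in n for n in nets):
            return True  # source IP is outside every listed entry, so Deny applies
    return False


if __name__ == "__main__":
    # Constructed sample requests; the action name is hypothetical.
    for ip in ("10.0.0.0", "10.0.0.5", "203.0.113.7"):
        print(ip, "denied" if is_denied(POLICY, "dataworks:ExampleAction", ip) else "not denied")
```

Because this statement only denies, the RAM user still needs a separate policy that allows the DataWorks actions. To admit a whole network under the stated assumption, list it with a prefix length instead of a bare address.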

Attach the custom policy to the RAM user

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  3. In the Add Permissions panel, click Custom Policy in the Select Policy section. In the Authorization Policy Name column, click the policy that you want to attach to the RAM user.
    Note
    • The system automatically sets the Principal parameter to the created RAM user.
    • To remove a policy, you can click the × icon for the policy in the Selected section on the right side of the page.
  4. Click OK.
  5. Click Complete.