This topic describes how to allow a RAM user to log on to DataWorks only from a specific local IP address.

Prerequisites

A RAM user is created and granted the required permission. For more information, see Prepare a RAM user. The AliyunDataWorksFullAccess permission is the system default permission and cannot be modified. You must create a custom permission policy.

Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. Click Create Policy.
  4. On the Create Custom Policy page, set the Policy Name parameter to dataworksIPlimit1 and the Configuration Mode parameter to Script to configure a custom policy.
    The following information is the complete content of the custom permission. The acs:SourceIP parameter specifies the IP address that is allowed to access DataWorks. You can specify multiple IP addresses. For more information about the parameters of the custom permission, see Policy elements.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "dataworks:*"
                ],
                "Resource": [
                    "acs:dataworks:*:*:*"
                ],
                "Condition": {
                    "NotIpAddress": {
                        "acs:SourceIp": [
                            "10.0.0.0",
                            "192.168.0.0"
                        ]
                    }
                }
            }
        ]
    }
  5. Click OK.

Attach the custom policy to the RAM user

  1. In the left-side navigation pane, click Users under Identities.
  2. In the User Logon Name/Display Name column, click the username of the RAM user.
  3. Click the Permissions tab, and click Add Permissions. Then, the Principal field is automatically set.
  4. Click the Custom Policy tab.
  5. In the Authorization Policy Name column on the left, click the permission policy that you want to attach to the RAM user.
    Note In the box on the right, you can click the cross sign ( ×) next to a policy to delete the policy.
  6. Click OK.
  7. Click Complete.