
Access control

Last Updated: May 03, 2020

This topic describes how to use Resource Access Management (RAM) to control access to Operation Orchestration Service (OOS) resources at the account level. Specifically, this topic describes how to create a RAM user or a RAM user group and grant specific permissions to the RAM user or RAM user group.

Scenarios

RAM is the resource access control service provided by Alibaba Cloud. The following scenarios describe typical ways to use RAM to control access to OOS:

OOS administrator: You can create an OOS administrator group and grant the full access permission of OOS to the group so that an administrator can create, modify, and execute templates.

Template developer: The template developer group requires the permission for modifying templates. You can grant a permission policy to the template developer group, which grants user group members the permission to call API operations such as CreateTemplate and UpdateTemplate.

Template execution: You can limit the permissions of some users so that these users can only execute OOS templates and cannot create or modify OOS templates.

Template authentication: You can restrict a template so that only specified users or user groups can execute it.

Grant the PassRole policy to a RAM user

Make sure that an OOS-trusted RAM role has been created. For more information, see Grant RAM permissions for OOS. The fact that OOS is trusted to use this RAM role does not mean that the RAM user that executes OOS is allowed to use it. You must grant the PassRole permission to the RAM user so that the RAM user can pass the target RAM role to OOS.

To authorize a RAM user to use all RAM roles of OOS, create the following permission policy and grant the policy to the RAM user:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": "oos.aliyuncs.com"
            }
          }
        }
      ]
    }

For security reasons, you may want to restrict the RAM user to a single RAM role, such as the default role OOSServiceRole, for operation orchestration. In this case, create the following permission policy and grant it to the RAM user:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ram:PassRole",
          "Resource": "acs:ram::{parent_uid}:role/OOSServiceRole"
        }
      ]
    }

  • If a template hard-codes a RAM role, such as the default role OOSServiceRole, and the role is not taken from input parameters, the RAM user that executes the template does not need the PassRole policy. However, the RAM user that creates or modifies the template must be granted the PassRole policy.

  • If the template does not hard-code a RAM role and the role is instead supplied through input parameters at execution time, the RAM user that creates or modifies the template does not need the PassRole policy. However, the RAM user that executes the template and specifies the RAM role must be granted the PassRole permission.

  • In the preceding sample code, {parent_uid} is the ID of your Alibaba Cloud account; replace it with your own account ID.

Grant permissions to a RAM user

Step 1: Create a RAM user in the RAM console.

  1. Log on to the RAM console.
    In the left-side navigation pane, choose Identities > Users.
  2. Click Create User.
  3. On the page that appears, set the parameters, such as Logon Name and Display Name, and click OK.

Step 2: Create a custom permission policy in the RAM console.

  1. Log on to the RAM console.
    In the left-side navigation pane, choose Permissions > Policies.
  2. Click Create Policy.
  3. On the page that appears, set Policy Name and Note. For example, set Policy Name to OOSOperator and Note to Template execution permission. Set Configuration Mode to Script.

     Policy example 1: The RAM user is authorized to execute templates but not allowed to modify them.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oos:List*",
            "oos:Get*",
            "oos:StartExecution",
            "oos:CancelExecution",
            "oos:NotifyExecution"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Policy example 2: The RAM user is authorized to create and modify templates but not allowed to execute them.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oos:List*",
            "oos:Get*",
            "oos:CreateTemplate",
            "oos:UpdateTemplate",
            "oos:ValidateTemplateContent"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Policy example 3: The RAM user is granted the permissions of an OOS administrator, including passing any RAM role to OOS.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "oos:*",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": "oos.aliyuncs.com"
            }
          }
        }
      ]
    }
  4. Click OK.
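Before attaching one of these policies, it is worth checking what each actually permits: that the operator policy (example 1) cannot create templates, that the developer policy (example 2) cannot start executions, and that the scoped PassRole policy passes only OOSServiceRole while the conditional one passes any role but only to OOS. The script below is an added example written for this topic; it is not part of the topic and not Alibaba Cloud's RAM evaluation engine. It models only the policy features the examples use (Allow and Deny effects, "*" wildcards in Action and Resource, and the StringEquals condition with the acs:Service key), treats action names as case-insensitive (this simulator's choice), applies the usual default-deny and explicit-deny-wins rules, and substitutes a constructed account ID for {parent_uid}.

```python
"""Simplified, offline simulator of RAM policy evaluation for the OOS
policies in this topic. Illustrative only: it is not the RAM service."""
import fnmatch
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]

# Constructed account ID standing in for {parent_uid} in the topic.
ACCOUNT_ID = "1234567890123456"

# The four policies below mirror the ones shown in this topic.
PASSROLE_ANY_ROLE_TO_OOS: Policy = {
    "Version": "1",
    "Statement": [{
        "Action": "ram:PassRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}},
    }],
}

PASSROLE_SERVICE_ROLE_ONLY: Policy = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ram:PassRole",
        "Resource": f"acs:ram::{ACCOUNT_ID}:role/OOSServiceRole",
    }],
}

OOS_OPERATOR: Policy = {  # policy example 1: execute, never modify
    "Version": "1",
    "Statement": [{
        "Action": ["oos:List*", "oos:Get*", "oos:StartExecution",
                   "oos:CancelExecution", "oos:NotifyExecution"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

OOS_TEMPLATE_DEVELOPER: Policy = {  # policy example 2: modify, never execute
    "Version": "1",
    "Statement": [{
        "Action": ["oos:List*", "oos:Get*", "oos:CreateTemplate",
                   "oos:UpdateTemplate", "oos:ValidateTemplateContent"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, fold_case: bool = False) -> bool:
    """'*' matches any run of characters, including ':' and '/'.
    Actions are folded to lower case here (this simulator's assumption)."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition: Dict[str, Dict[str, Any]],
                     context: Dict[str, str]) -> bool:
    """Every StringEquals key must be present in the request context and equal
    one of the listed values; a key missing from the context fails closed."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in clauses.items():
            if key not in context or context[key] not in _as_list(wanted):
                return False
    return True


def evaluate(policies: List[Policy], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (nothing matched)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wildcard_match(a, action, fold_case=True)
                       for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource)
                       for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def permitted_actions(policies: List[Policy], candidates: List[str],
                      resource: str = "*",
                      context: Optional[Dict[str, str]] = None) -> List[str]:
    """Audit helper: the subset of candidate actions the policies allow."""
    return sorted(a for a in candidates
                  if evaluate(policies, a, resource, context) == "Allow")


if __name__ == "__main__":
    probe = ["oos:StartExecution", "oos:CreateTemplate", "oos:GetTemplate"]
    print("operator  :", permitted_actions([OOS_OPERATOR], probe))
    print("developer :", permitted_actions([OOS_TEMPLATE_DEVELOPER], probe))
    role = f"acs:ram::{ACCOUNT_ID}:role/OOSServiceRole"
    print("pass to OOS:", evaluate([PASSROLE_ANY_ROLE_TO_OOS], "ram:PassRole",
                                   role, {"acs:Service": "oos.aliyuncs.com"}))
```

Run it before granting a policy to see the effective permission set. The two points the simulator makes visible are that the PassRole condition on acs:Service is what keeps an OOS-wide PassRole from being usable with other services, and that the resource-scoped variant is the stricter choice when a single service role is enough; combining the operator and developer policies on one user would recreate the administrator's OOS permissions, so keep them on separate users or groups.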

Step 3: Grant the RAM user relevant permissions in the RAM console.

  1. In the left-side navigation pane, choose Identities > Users.
  2. Find the created RAM user and click Add Permissions in the Actions column. In the Select Policy section of the Add Permissions dialog box, select one or more system permission policies or custom permission policies.
  3. Click OK.