Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM allows you to create and manage multiple RAM users within an Alibaba Cloud account. This topic describes how to use RAM policies to control access from RAM users to Alibaba Cloud resources. For example, you can authorize a RAM user to access only one Apsara File Storage NAS file system.

Warning: When you grant permissions to RAM users, follow the principle of least privilege and grant each RAM user only the permissions it needs. Granting more permissions than necessary creates security risks.

Procedure

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Select the permission policies that you want to grant to the RAM user.
    Permission policies consist of system policies and custom policies.
    • System policies: the default permission policies that are provided by Alibaba Cloud. The following system policies are commonly used in Apsara File Storage NAS:
      • AliyunNASFullAccess (not recommended): grants a RAM user full access to a NAS file system. Granting this permission to a RAM user is highly risky and is not recommended.
      • AliyunNASReadOnlyAccess: grants a RAM user the read-only permission on a NAS file system.
    • Custom policies: permission policies that you define yourself. Custom policies let you manage permissions in a more fine-grained and flexible manner.

      You can create custom policies in Script mode by writing a JSON policy document that matches your business requirements. The following examples are provided for reference. For more information, see Create a custom policy.

  3. Grant permissions to the RAM user.

    Attach the permission policies selected in Step 2. For more information, see Grant permissions to a RAM user.

Example 1: Grant a RAM user the permissions on a file system

  • The following sample code shows how to grant a RAM user full access to the file system whose ID is 07d****294.
    Note: You cannot grant a RAM user the permissions to view a single file system. If you want to grant a RAM user full access to a single file system, grant the RAM user the permissions to view all file systems. Then, grant the RAM user the permissions to delete and modify that single file system.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "nas:*"
                ],
                "Resource": [
                    "acs:nas:*:*:filesystem/07d****294"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "nas:CreateMountTarget",
                "Resource": [
                    "acs:vpc:*:*:vswitch/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "cms:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "nas:DescribeFileSystems",
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  • The following sample code shows how to grant a RAM user the permissions to modify the file system whose ID is 07d****294.
    {
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:DescribeFileSystems",
                "nas:ModifyFileSystem"
            ],
            "Resource": "acs:nas:*:*:filesystem/07d****294"
        }],
        "Version": "1"
    }
  • The following sample code shows how to grant the RAM user the permissions to view all the file systems:
    {
        "Statement": [{
            "Effect": "Allow",
            "Action": "nas:DescribeFileSystems",
            "Resource": "*"
        }],
        "Version": "1"
    }

Example 2: Grant a RAM user the permissions on the mount targets of a file system

The following sample code shows how to grant a RAM user full access to the mount targets of the file system whose ID is 07d****294.
{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateMountTarget",
            "nas:DescribeMountTargets",
            "nas:ModifyMountTarget",
            "nas:DeleteMountTarget"
        ],
        "Resource": [
            "acs:nas:*:*:filesystem/07d****294",
            "acs:vpc:*:*:vswitch/*"
        ]
    }],
    "Version": "1"
}

Example 3: Grant a RAM user the permissions on the permission groups of a file system

The following sample code shows how to grant a RAM user full access to the permission groups of a file system:
{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateAccessGroup",
            "nas:DescribeAccessGroups",
            "nas:ModifyAccessGroup",
            "nas:DeleteAccessGroup",
            "nas:CreateAccessRule",
            "nas:DescribeAccessRules",
            "nas:ModifyAccessRule",
            "nas:DeleteAccessRule"
        ],
        "Resource": "acs:nas:*:*:accessgroup/*"
    }],
    "Version": "1"
}

Example 4: Grant a RAM user the permissions to view the monitoring metrics of a file system

The following sample code shows how to grant a RAM user the permissions to view the monitoring metrics of a file system:
{
    "Statement": [{
        "Effect": "Allow",
        "Action": "cms:Describe*",
        "Resource": "*"
    }],
    "Version": "1"
}

Example 5: Grant a RAM user the permissions to manage the recycle bin of a file system

  • The following sample code shows how to grant a RAM user full access to the recycle bin of the file system whose ID is 07d****294.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "nas:EnableRecycleBin",
                    "nas:DisableAndCleanRecycleBin",
                    "nas:UpdateRecycleBinAttribute",
                    "nas:GetRecycleBinAttribute",
                    "nas:CreateRecycleBinRestoreJob",
                    "nas:CreateRecycleBinDeleteJob",
                    "nas:CancelRecycleBinJob",
                    "nas:ListRecycleBinJobs",
                    "nas:ListRecycledDirectoriesAndFiles",
                    "nas:ListRecentlyRecycledDirectories"
                ],
                "Resource": [
                    "acs:nas:*:*:filesystem/07d****294"
                ]
            }
        ],
        "Version": "1"
    }
  • The following sample code shows how to grant a RAM user the permissions to restore files temporarily stored in the recycle bin of the file system whose ID is 07d****294.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "nas:GetRecycleBinAttribute",
                    "nas:CreateRecycleBinRestoreJob",
                    "nas:CancelRecycleBinJob",
                    "nas:ListRecycleBinJobs",
                    "nas:ListRecycledDirectoriesAndFiles",
                    "nas:ListRecentlyRecycledDirectories"
                ],
                "Resource": [
                    "acs:nas:*:*:filesystem/07d****294"
                ]
            }
        ],
        "Version": "1"
    }
  • The following sample code shows how to grant a RAM user the permissions to permanently delete files from the recycle bin of the file system whose ID is 07d****294.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "nas:GetRecycleBinAttribute",
                    "nas:CreateRecycleBinDeleteJob",
                    "nas:CancelRecycleBinJob",
                    "nas:ListRecycleBinJobs",
                    "nas:ListRecycledDirectoriesAndFiles",
                    "nas:ListRecentlyRecycledDirectories"
                ],
                "Resource": [
                    "acs:nas:*:*:filesystem/07d****294"
                ]
            }
        ],
        "Version": "1"
    }
  • The following sample code shows how to grant a RAM user the permissions to modify the configurations for the recycle bin of the file system whose ID is 07d****294.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "nas:EnableRecycleBin",
                    "nas:UpdateRecycleBinAttribute",
                    "nas:DisableAndCleanRecycleBin",
                    "nas:GetRecycleBinAttribute"
                ],
                "Resource": [
                    "acs:nas:*:*:filesystem/07d****294"
                ]
            }
        ],
        "Version": "1"
    }
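
Before attaching one of the policies above, it helps to check what it actually grants. The following is an added example, not code from the Alibaba Cloud page: a simplified evaluator for RAM policy documents in which "*" in Action or Resource matches any run of characters, an explicit Deny always wins over an Allow, and a request that matches no statement is denied. The account ID, region, file system IDs and the CMS request used here are constructed placeholders; the policy shapes follow Example 1. It also shows why an action string with stray whitespace silently grants nothing, because action names are compared literally.

```python
"""Simplified RAM policy evaluator (added example, not from the Alibaba Cloud page)."""
import copy
import re

# Constructed sample identifiers; not real account or file system IDs.
ACCOUNT_ID = "1234567890123456"
FS_ID = "0abc12345d"
FS = f"acs:nas:cn-hangzhou:{ACCOUNT_ID}:filesystem/{FS_ID}"
OTHER_FS = f"acs:nas:cn-hangzhou:{ACCOUNT_ID}:filesystem/0xyz98765e"

# Same shape as Example 1 (full access to one file system, list all file systems),
# with the constructed FS_ID in place of the masked ID on the page.
FULL_ACCESS_ONE_FS = {
    "Statement": [
        {"Effect": "Allow", "Action": ["nas:*"],
         "Resource": [f"acs:nas:*:*:filesystem/{FS_ID}"]},
        {"Effect": "Allow", "Action": "nas:CreateMountTarget",
         "Resource": ["acs:vpc:*:*:vswitch/*"]},
        {"Effect": "Allow", "Action": "cms:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "nas:DescribeFileSystems", "Resource": "*"},
    ],
    "Version": "1",
}

# Constructed policy with a trailing space inside the action name (a copy-paste
# defect): the string is matched literally, so the intended API is never granted.
STRAY_SPACE_POLICY = {
    "Statement": [{"Effect": "Allow",
                   "Action": ["nas:DisableAndCleanRecycleBin "],
                   "Resource": [f"acs:nas:*:*:filesystem/{FS_ID}"]}],
    "Version": "1",
}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a RAM-style pattern into a regex: '*' is a wildcard, all else literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches(pattern: str, value: str) -> bool:
    return pattern_to_regex(pattern).match(value) is not None


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


def with_explicit_deny(policy: dict, action: str) -> dict:
    """Copy of the policy plus a Deny statement for one action on every resource."""
    guarded = copy.deepcopy(policy)
    guarded["Statement"].append({"Effect": "Deny", "Action": action, "Resource": "*"})
    return guarded


def example_decisions() -> dict:
    """Decisions a reviewer would want to see before attaching FULL_ACCESS_ONE_FS."""
    guarded = with_explicit_deny(FULL_ACCESS_ONE_FS, "nas:DeleteFileSystem")
    return {
        "delete_own_fs": evaluate(FULL_ACCESS_ONE_FS, "nas:DeleteFileSystem", FS),
        "delete_other_fs": evaluate(FULL_ACCESS_ONE_FS, "nas:DeleteFileSystem", OTHER_FS),
        "list_all_fs": evaluate(FULL_ACCESS_ONE_FS, "nas:DescribeFileSystems", OTHER_FS),
        "metrics": evaluate(FULL_ACCESS_ONE_FS, "cms:DescribeMetricList", "*"),
        "delete_with_deny": evaluate(guarded, "nas:DeleteFileSystem", FS),
        "stray_space": evaluate(STRAY_SPACE_POLICY, "nas:DisableAndCleanRecycleBin", FS),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name:>17}: {decision}")
```

Running the script shows that "nas:*" scoped to one file system allows DeleteFileSystem on that file system but not on any other, that the "Resource": "*" statement is what makes DescribeFileSystems work everywhere, and that appending a Deny statement blocks deletion even though an Allow statement still matches. The real RAM evaluator has more rules than this model (conditions, multiple attached policies), so treat it as a reviewing aid, not a substitute for testing with the RAM user itself.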

Authentication list of custom policies

You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you set Configuration Mode to Script, you must set the parameters in the Policy Document section based on the JSON template. For more information about the values of the Action and Resource parameters, see the following authentication list. For more information, see Policy elements.
Each entry lists API | Action | Resource | Description.

File system
  • CreateFileSystem | nas:CreateFileSystem | acs:nas:<region>:<account-id>:filesystem/* | Creates a file system.
  • DeleteFileSystem | nas:DeleteFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a file system.
  • ModifyFileSystem | nas:ModifyFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a file system.
  • DescribeFileSystems | nas:DescribeFileSystems | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries file systems.

Mount target
  • CreateMountTarget | nas:CreateMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> and acs:vpc:*:*:vswitch/* | Creates a mount target.
  • DeleteMountTarget | nas:DeleteMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a mount target.
  • ModifyMountTarget | nas:ModifyMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a mount target.
  • DescribeMountTargets | nas:DescribeMountTargets | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries the mount targets of a file system.

Permission group
  • CreateAccessGroup | nas:CreateAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a permission group.
  • DeleteAccessGroup | nas:DeleteAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a permission group.
  • ModifyAccessGroup | nas:ModifyAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a permission group.
  • DescribeAccessGroups | nas:DescribeAccessGroups | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the permission groups of a file system.
  • CreateAccessRule | nas:CreateAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a rule for a permission group.
  • DeleteAccessRule | nas:DeleteAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a rule from a permission group.
  • ModifyAccessRule | nas:ModifyAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a rule of a permission group.
  • DescribeAccessRules | nas:DescribeAccessRules | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the rules of a permission group.

Snapshots for Extreme NAS file systems
  • ApplyAutoSnapshotPolicy | nas:ApplyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Applies an automatic snapshot policy to one or more file systems.
  • CancelAutoSnapshotPolicy | nas:CancelAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Removes automatic snapshot policies from one or more file systems.
  • CreateAutoSnapshotPolicy | nas:CreateAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Creates an automatic snapshot policy.
  • DeleteAutoSnapshotPolicy | nas:DeleteAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes an automatic snapshot policy.
  • ModifyAutoSnapshotPolicy | nas:ModifyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Modifies an automatic snapshot policy.
  • DescribeAutoSnapshotPolicies | nas:DescribeAutoSnapshotPolicies | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot policies.
  • CreateSnapshot | nas:CreateSnapshot | acs:nas:<region>:<account-id>:snapshot/* | Creates a snapshot.
  • DeleteSnapshot | nas:DeleteSnapshot | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes a specified snapshot.
  • DescribeAutoSnapshotTasks | nas:DescribeAutoSnapshotTasks | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot tasks.
  • DescribeSnapshots | nas:DescribeSnapshots | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries all the snapshots of a file system.
  • ResetFileSystem | nas:ResetFileSystem | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Rolls back a file system from a snapshot.

Lifecycle management
  • CreateLifecyclePolicy | nas:CreateLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Creates a lifecycle management policy.
  • ModifyLifecyclePolicy | nas:ModifyLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Modifies a lifecycle management policy.
  • DeleteLifecyclePolicy | nas:DeleteLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Deletes a lifecycle management policy.
  • DescribeLifecyclePolicies | nas:DescribeLifecyclePolicies | acs:nas:<region>:<account-id>:lifecyclepolicy/* | Queries the lifecycle management policies.
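
A practitioner writing a custom policy in Script mode usually wants to check it against this list before calling CreatePolicy. The following is an added example, not code from the Alibaba Cloud page or the RAM service: a small linter whose ACTION_RESOURCE_TYPES table is transcribed from the authentication list above, and which flags actions with stray whitespace, wildcard or mutating actions granted on "Resource": "*", NAS actions that are not in the list, and actions paired with a resource type the list does not associate them with. The read-only prefixes, the finding texts and the sample policies (the mount-target one follows Example 2; the "sloppy" one is constructed to trigger findings) are this example's own.

```python
"""Lint a RAM custom policy against the NAS authentication list (added example)."""
import re

FS_ID = "0abc12345d"  # constructed placeholder file system ID


def _entries(names, *types):
    return {f"nas:{n}": set(types) for n in names}


FILESYSTEM = ("nas", "filesystem")
# Transcribed from the authentication list on this page: action -> accepted resource types.
ACTION_RESOURCE_TYPES = {
    **_entries(["CreateFileSystem", "DeleteFileSystem", "ModifyFileSystem",
                "DescribeFileSystems", "DeleteMountTarget", "ModifyMountTarget",
                "DescribeMountTargets"], FILESYSTEM),
    **_entries(["CreateMountTarget"], FILESYSTEM, ("vpc", "vswitch")),
    **_entries(["CreateAccessGroup", "DeleteAccessGroup", "ModifyAccessGroup",
                "DescribeAccessGroups", "CreateAccessRule", "DeleteAccessRule",
                "ModifyAccessRule", "DescribeAccessRules"], ("nas", "accessgroup")),
    **_entries(["ApplyAutoSnapshotPolicy", "CancelAutoSnapshotPolicy",
                "CreateAutoSnapshotPolicy", "DeleteAutoSnapshotPolicy",
                "ModifyAutoSnapshotPolicy", "DescribeAutoSnapshotPolicies",
                "CreateSnapshot", "DeleteSnapshot", "DescribeAutoSnapshotTasks",
                "DescribeSnapshots", "ResetFileSystem"], ("nas", "snapshot")),
    **_entries(["CreateLifecyclePolicy", "ModifyLifecyclePolicy",
                "DeleteLifecyclePolicy", "DescribeLifecyclePolicies"],
               ("nas", "lifecyclepolicy")),
}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")  # this example's convention
# acs:<service>:<region>:<account-id>:<resource-type>[/<resource-id>]
RESOURCE_RE = re.compile(r"^acs:([^:]+):[^:]*:[^:]*:([^/]+)(?:/.*)?$")


def resource_type(resource: str):
    """(service, type) for a resource string, or None when it is a wildcard."""
    if resource == "*":
        return None
    m = RESOURCE_RE.match(resource)
    if m is None:
        raise ValueError(f"unrecognised resource string: {resource!r}")
    service, rtype = m.groups()
    return None if rtype == "*" else (service, rtype)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        types = {resource_type(r) for r in _as_list(stmt["Resource"])}
        wildcard_resource = None in types
        named_types = types - {None}
        for action in _as_list(stmt["Action"]):
            if action != action.strip():
                findings.append(f"statement {i}: action {action!r} has stray whitespace "
                                "and will never match an API call")
                continue
            service, _, name = action.partition(":")
            read_only = name.startswith(READ_ONLY_PREFIXES)
            if "*" in name:
                if not read_only:
                    findings.append(f"statement {i}: wildcard action {action!r} grants "
                                    "every operation it matches, including destructive ones")
                continue
            if service != "nas":
                continue  # e.g. cms:Describe*, outside the NAS list
            expected = ACTION_RESOURCE_TYPES.get(action)
            if expected is None:
                findings.append(f"statement {i}: {action} is not in the NAS "
                                "authentication list on this page")
                continue
            if wildcard_resource and not read_only:
                findings.append(f"statement {i}: mutating action {action} is "
                                "granted on Resource '*'")
            elif not wildcard_resource and not expected & named_types:
                findings.append(f"statement {i}: {action} expects {sorted(expected)} "
                                f"but Resource names {sorted(named_types)}")
    return findings


MOUNT_TARGET_POLICY = {  # same shape as Example 2, with the constructed FS_ID
    "Statement": [{"Effect": "Allow",
                   "Action": ["nas:CreateMountTarget", "nas:DescribeMountTargets",
                              "nas:ModifyMountTarget", "nas:DeleteMountTarget"],
                   "Resource": [f"acs:nas:*:*:filesystem/{FS_ID}", "acs:vpc:*:*:vswitch/*"]}],
    "Version": "1",
}
SLOPPY_POLICY = {  # constructed to contain the mistakes the linter is meant to catch
    "Statement": [{"Effect": "Allow",
                   "Action": ["nas:DisableAndCleanRecycleBin ",  # stray trailing space
                              "nas:DeleteFileSystem",            # mutating, on "*"
                              "nas:DescribeFileSystems"],        # read-only on "*": fine
                   "Resource": "*"},
                  {"Effect": "Allow",
                   "Action": "nas:CreateAccessRule",              # an accessgroup action
                   "Resource": f"acs:nas:*:*:filesystem/{FS_ID}"}],  # on a filesystem
    "Version": "1",
}

if __name__ == "__main__":
    for label, policy in [("mount targets", MOUNT_TARGET_POLICY), ("sloppy", SLOPPY_POLICY)]:
        print(label, "->", lint_policy(policy) or "no findings")
```

The mount-target policy produces no findings, while the constructed sloppy policy yields three: the whitespace defect, a delete action granted on every resource, and an access-rule action pointed at a file system resource. Recycle-bin actions such as those in Example 5 are reported as "not in the NAS authentication list on this page" because the list above does not cover them; extend ACTION_RESOURCE_TYPES from the RAM documentation before relying on that finding.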

FAQ