Perform access control based on RAM policies - Click Advanced Settings| Alibaba Cloud Documentation Center

This topic describes how to use Resource Access Management (RAM) policies to control access from RAM users to Alibaba Cloud resources. You can create and manage multiple RAM users of an Alibaba Cloud account. To grant different permissions to the RAM users, you can attach different policies to the RAM users. This allows the RAM users to access different Alibaba Cloud resources. You can use the AccessKey pair of a RAM user to prevent the leakage of the AccessKey pair of the Alibaba Cloud account. You can also grant the least permissions to each RAM user to reduce security risks.

Prerequisites

A RAM user or group is created. For more information, see Create a RAM user and Create a RAM user group.

Background information

Permission policies consist of system policies and custom policies.

System policies: the default permission policies that are provided by Alibaba Cloud. The following system policies are commonly used in Apsara File Storage NAS. You can attach the policies to the RAM users based on your business requirements.
- AliyunNASFullAccess: authorizes a RAM user to manage NAS file systems
- AliyunNASReadOnlyAccess: authorizes a RAM user to view NAS file systems
Custom policies: the permission policies that are customized. The custom policies allow you to perform more fine-grained and flexible access control. For more information about how to create custom policies, see Create a custom policy.

Attach a custom policy to a RAM user

By default, a RAM user or group has no permissions. You must grant permissions to the RAM user or group before the RAM user or group can be used to perform operations in the console or call API operations.

Create a custom policy based on the scenarios in the following sections. For more information about how to create a custom policy, see Create a custom policy.
In the left-side navigation pane, choose Identities > Users.
Find the RAM user in the User Logon Name/Display Name column and click Add Permissions in the Actions column.
In the Add Permissions panel, the Principal field is automatically filled.
In the Select Policy section, click the policy name that you want to attach to the RAM user in the Authorization Policy Name column.

Note In the Selected section, you can click the cross sign (×) next to the policy name to remove the policy.
Click OK.
Click Complete.

Note For more information about how to grant permissions to a RAM user or group, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

Example 1: Grant the permissions on a file system to the RAM user

The following sample code shows how to authorize the RAM user to modify a file system:

{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:DescribeFileSystems",
            "nas:ModifyFileSystem"
        ],
        "Resource": "acs:nas:*:*:filesystem/07d0b4****"
    }],
    "Version": "1"
}

The following sample code shows how to authorize the RAM user to view all the file systems:

{
    "Statement": [{
        "Effect": "Allow",
        "Action": "nas:DescribeFileSystems",
        "Resource": "*"
    }],
    "Version": "1"
}

The following sample code shows how to grant the RAM user full access to a file system:

{
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:*"
            ],
            "Resource": [
                "acs:nas:*:*:filesystem/07d0b4****"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "nas:CreateMountTarget",
            "Resource": [
                "acs:vpc:*:*:vswitch/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cms:Describe*",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Example 2: Grant the permissions on the mount targets of a file system to the RAM user

The following sample code shows how to grant the RAM user full access to the mount targets of a file system:

{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateMountTarget",
            "nas:DescribeMountTargets",
            "nas:ModifyMountTarget",
            "nas:DeleteMountTarget"
        ],
        "Resource": [
            "acs:nas:*:*:filesystem/07d0b4****",
            "acs:vpc:*:*:vswitch/*"
        ]
    }],
    "Version": "1"
}

Example 3: Grant the permissions on the permission groups of a file system to the RAM user

The following sample code shows how to grant the RAM user full access to the permission groups of a file system:

{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateAccessGroup",
            "nas:DescribeAccessGroups",
            "nas:ModifyAccessGroup",
            "nas:DeleteAccessGroup",
            "nas:CreateAccessRule",
            "nas:DescribeAccessRules",
            "nas:ModifyAccessRule",
            "nas:DeleteAccessRule"
        ],
        "Resource": "acs:nas:*:*:accessgroup/*"
    }],
    "Version": "1"
}

Example 4: Grant the permissions to view the metrics of a file system to the RAM user

The following sample code shows how to authorize the RAM user to view the metrics of a file system:

{
    "Statement": [{
        "Effect": "Allow",
        "Action": "cms:Describe*",
        "Resource": "*"
    }],
    "Version": "1"
}

Authentication list

You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you select Script for Configuration Mode, you must set the parameters in the PolicyDocument section based on the JSON template. The following table lists the values of the Action and Resource parameters in different API operations. The format of the Resource parameter is the same as that of an Alibaba Cloud Resource Name (ARN). For more information, see Policy elements.


API		Action	Resource	Description
File system	CreateFileSystem	nas:CreateFileSystem	acs:nas:<region>:<account-id>:filesystem/*	Creates a file system.
	DeleteFileSystem	nas:DeleteFileSystem	acs:nas:<region>:<account-id>:filesystem/<filesystemid>	Deletes a file system.
	ModifyFileSystem	nas:ModifyFileSystem	acs:nas:<region>:<account-id>:filesystem/<filesystemid>	Modifies a file system.
	DescribeFileSystems	nas:DescribeFileSystems	acs:nas:<region>:<account-id>:filesystem/<filesystemid>	Queries file systems.
Mount target	CreateMountTarget	nas:CreateMountTarget	acs:nas:<region>:<account-id>:filesystem/<filesystemid> acs:vpc:::vswitch/*	Creates a mount target.
	DeleteMountTarget	nas:DeleteMountTarget	acs:nas:<region>:<account-id>:filesystem/<filesystemid>	Deletes a mount target
	ModifyMountTarget	nas:ModifyMountTarget	acs:nas:<region>:<account-id>:filesystem/<filesystemid>	Modifies a mount target.
	DescribeMountTargets	nas:DescribeMountTargets	acs:nas:<region>:<account-id>:filesystem/<filesystemid>	Queries the mount targets of a file system.
Permission group	CreateAccessGroup	nas:CreateAccessGroup	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Creates a permission group.
	DeleteAccessGroup	nas:DeleteAccessGroup	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Deletes a permission group.
	ModifyAccessGroup	nas:ModifyAccessGroup	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Modifies a permission group.
	DescribeAccessGroups	nas:DescribeAccessGroups	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Queries the permission groups of a file system.
	CreateAccessRule	nas:CreateAccessRule	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Creates a rule.
	DeleteAccessRule	nas:DeleteAccessRule	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Deletes a rule.
	ModifyAccessRule	nas:ModifyAccessRule	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Modifies a rule.
	DescribeAccessRule	nas:DescribeAccessRule	acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>	Queries the rules of a permission group.
Snapshots for Extreme NAS file systems	ApplyAutoSnapshotPolicy	nas:ApplyAutoSnapshotPolicy	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Applies an automatic snapshot policy to one or more file systems.
	CancelAutoSnapshotPolicy	nas:CancelAutoSnapshotPolicy	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Removes automatic snapshot policies from file systems.
	CreateAutoSnapshotPolicy	nas:CreateAutoSnapshotPolicy	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Creates an automatic snapshot policy.
	DeleteAutoSnapshotPolicy	nas:DeleteAutoSnapshotPolicy	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Deletes an automatic snapshot policy.
	ModifyAutoSnapshotPolicy	nas:ModifyAutoSnapshotPolicy	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Modifies an automatic snapshot policy.
	DescribeAutoSnapshotPolicies	nas:DescribeAutoSnapshotPolicies	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Queries the details of automatic snapshot policies.
	CreateSnapshot	nas:CreateSnapshot	acs:nas:<region>:<account-id>:snapshot/*	Creates a snapshot.
	DeleteSnapshot	nas:DeleteSnapshot	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Deletes a snapshot.
	DescribeAutoSnapshotTasks	nas:DescribeAutoSnapshotTasks	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Queries the details of automatic snapshot tasks.
	DescribeSnapshots	nas:DescribeSnapshots	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Queries all snapshots of a file system.
	ResetFileSystem	nas:ResetFileSystem	acs:nas:<region>:<account-id>:snapshot/<snapshotid>	Restores a file system from a snapshot.
Lifecycle management	CreateLifecyclePolicy	nas:CreateLifecyclePolicy	acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename>	Creates a lifecycle management policy.
	ModifyLifecyclePolicy	nas:ModifyLifecyclePolicy	acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename>	Modifies a lifecycle management policy.
	DeleteLifecyclePolicy	nas:DeleteLifecyclePolicy	acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename>	Deletes a lifecycle management policy.
	DescribeLifecyclePolicies	nas:DescribeLifecyclePolicies	acs:nas:<region>:<account-id>:lifecyclepolicy/*	Queries the lifecycle management policies.