Quick start for granting permissions to RAM users - Hologres

This topic describes how an Alibaba Cloud account can grant permissions to a Resource Access Management (RAM) user so that the RAM user can connect to and use Hologres.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.
An AccessKey pair is created for the RAM user. For more information, see Create an AccessKey pair.

Grant RAM permissions to a RAM user

After an Alibaba Cloud account grants the required permissions to a RAM user, the RAM user can perform operations in the Hologres console, such as viewing, purchasing, or deleting instances. Log on to the RAM console, find the target RAM user, and add permissions to the user. To grant the RAM user full permissions to view instance information in the console, assign the AliyunHologresFullAccess and AliyunRAMReadOnlyAccess policies.

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
1. Configure the Resource Scope parameter.
  - Account: The authorization takes effect on the current Alibaba Cloud account.
  - Resource Group: The authorization takes effect on a specific resource group.
    Important
    If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to restrict a RAM user to managing only specific ECS instances.
2. Configure the Principal parameter.
  The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
3. Configure the Policy parameter.
  A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
  - System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
    Note
    The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
  - Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
4. Click OK.
Click Close.

Grant developer permissions for an instance to a RAM user

Before a RAM user can perform data development in a Hologres instance, an Alibaba Cloud account must grant the user developer permissions for that instance. Log on to the Hologres console, go to HoloWeb, and add the user and grant permissions on the User Management page. The following example shows how to grant developer permissions to a RAM user in the simple permission model.

Note

Different permission models support using SQL statements to grant permissions to a RAM user. For more information, see the following topics:

Log on to the Alibaba Cloud official website using your Alibaba Cloud account.
Log on to the Hologres console. On the Instances page, click the name of the target instance to go to the product page.
In the navigation pane on the left of the product page, click Account Management.
On the Users page, click Add User.

In the Add User dialog box that appears, configure the following parameters.

新增用户

Parameter	Description
Select Organization Member	Select the RAM user to whom you want to grant permissions and add the user to the instance.
Select Member Role	Superuser: Has all permissions on operations within the instance. Normal User: Has no operation permissions on the instance by default. Grant specific operation permissions to the RAM user to allow the user to connect to and use the Hologres instance.

Optional: If the new user is a regular user (Normal), grant additional permissions as follows:

In the navigation pane on the left of the product page, click Database Management.
On the DB Authorization page, find the target database and click Authorize User in the Actions column.

Note
If no database appears in the current list, click Create Database in the upper-right corner.
Go to the permission management page of the database and click Grant Permission.

In the Grant Permission dialog box that appears, configure the following parameters.

新增授权

Parameter	Description
User	The RAM user to whom you want to grant permissions.
User Group	Admin: Can access or operate on all objects in the database and manage user groups of the database. Developer: Can use DDL statements to create, delete, or modify database objects, and read and write data in database objects. Writer: Can read and write data in database objects. Viewer: Has read-only permissions on all database objects.

Click OK to complete the operation.

What to do next

After the permissions are granted, the RAM user can connect to the Hologres instance and perform development tasks. Use HoloWeb in the Hologres console for visualization development. For more information about HoloWeb operations, see Connect to HoloWeb and run a query.