
Hologres: Grant permissions to a RAM user

Last Updated: Feb 20, 2024

This topic describes how to use your Alibaba Cloud account to authorize a RAM user to connect to and use Hologres.

Prerequisites

Grant Hologres permissions to a RAM user

After you grant relevant Hologres permissions to a RAM user in the Resource Access Management (RAM) console by using your Alibaba Cloud account, you can log on to the Hologres console and view, purchase, or delete instances as the RAM user. To grant permissions to a RAM user, you can log on to the RAM console, find the RAM user, and then attach policies to the RAM user. If you need to grant the RAM user all permissions to view instance information in the Hologres console, you can attach the AliyunHologresFullAccess and AliyunRAMReadOnlyAccess policies to the RAM user.

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. Grant permissions to the RAM user.

    In the Add Permissions panel, configure the parameters that are described in the following table.

    Note

    You cannot log on to and use HoloWeb by using a specified resource group.

    Add Permissions

    Parameter

    Description

    Authorized Scope

    Valid values:

    • Alibaba Cloud Account: The permissions granted to the RAM user take effect within the current Alibaba Cloud account.

    • Specific Resource Group: The permissions granted to the RAM user take effect in a specific resource group.

    Note

    If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    Principal

    The RAM user to which you want to grant permissions.

    Select Policy

    Valid values:

    • System Policy

    • Custom Policy

    Note
    • You can create custom policies based on your business requirements.

    • You can attach a maximum of five policies at a time. To attach more policies, perform the operation multiple times.

    You can select System Policy or Custom Policy based on the following descriptions:

    • System Policy

      The following table describes the system policies that you can use to grant permissions on Hologres. If you attach one of the system policies to the RAM user, the RAM user is granted all the permissions defined in the system policy.

      Policy

      Description

      AliyunHologresFullAccess

      Grants full access permissions on Hologres.

      Note

      This policy does not include the permissions to use Hologres instances. If you want to use a Hologres instance, you must create a user in the Hologres instance as the superuser and log on to and use the Hologres instance as the created user. For more information, see FAQ about RAM user permissions on instances.

      Take note of the following items about the permissions of a RAM user to which this policy is attached:

      • The RAM user is authorized to view information about all instances in the Hologres console. The information includes the instance list, instance details, and metrics.

      • The RAM user is authorized to perform operations that involve billing. For example, you can purchase instances, upgrade or downgrade instance specifications, renew instances, stop instances, or delete instances as the RAM user.

      • The RAM user is authorized to log on to and use the HoloWeb console.

      • The RAM user is authorized to perform all operations on instances after you purchase the instances as the RAM user. In this case, both the RAM user and the Alibaba Cloud account are superusers of the instances.

      • By default, the RAM user is not authorized to perform operations on the instances that are created by using the Alibaba Cloud account. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Grant the development permissions on a Hologres instance to RAM users.

      • The RAM user is not authorized to query all user permissions on the User Management page in the HoloWeb console. You can attach the AliyunRAMReadOnlyAccess policy to the RAM user. This way, the RAM user is granted the ListUser permission and can query all user permissions on the User Management page.

      AliyunBSSOrderAccess

      Grants permissions to view, pay for, and cancel orders in the Billing Management console.

      If you attach this policy to a RAM user, the RAM user can upgrade or downgrade instance specifications and renew instances in the Hologres console.

      AliyunRAMReadOnlyAccess

      Grants read-only permissions on RAM.

      If you attach this policy to a RAM user, the RAM user can view the information about all the RAM users and RAM roles of the Alibaba Cloud account to which the RAM user belongs on the User Management page in the HoloWeb console.

      AliyunHologresReadOnlyAccess

      Grants read-only permissions on Hologres.

      Take note of the following items about the permissions of a RAM user to which this policy is attached:

      • The RAM user is authorized to view information about all instances in the Hologres console. The information includes the instance details and metrics.

      • The RAM user is authorized to log on to and use the HoloWeb console.

      • The RAM user is not authorized to perform operations that involve billing. For example, you cannot purchase instances, or upgrade or downgrade instance specifications as the RAM user.

      • The RAM user is not authorized to perform operations on instances. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions on the instances to the RAM user.

      • The list of all RAM users in the Alibaba Cloud account is not displayed in the Hologres console or HoloWeb console if you log on to the console as the RAM user. To view the list of all RAM users, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user.

      Note
      • If you purchase an instance as a RAM user, both the RAM user and the Alibaba Cloud account are superusers by default.

      • If you use an Alibaba Cloud account to purchase an instance, you can use the instance by using the Alibaba Cloud account by default. You can use the instance as a RAM user only after you use the Alibaba Cloud account to grant related permissions to the RAM user.

    • Custom Policy

      You can click Create Policy to create a custom policy based on your business requirements.

      Important

      When you configure policies for a RAM user, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user to ensure that the RAM user can access the Hologres console.

      Create

      On the Create Policy page, click the JSON tab. Then, configure the custom policy in the code editor.

      For example, you can enter the following policy configurations:

      Important

      Delete the comments from the following sample code before you run the code. Otherwise, the code cannot be run.

      {
          "Statement": [
              {  // Grant a RAM user the permissions to perform all operations. If you enter this configuration, you do not need to enter the following configurations.
                  "Effect": "Allow",
                  "Action": "hologram:*",// The permissions to perform all operations.
                  "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*"// The permissions apply to all instances in all regions. <The asterisk (*) cannot be replaced with an instance ID.>
              },
              {   // Grant a RAM user the permissions to purchase or renew instances.
                  "Effect": "Allow",
                  "Action": "hologram:*",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permission to delete instances.
                  "Effect": "Allow",
                  "Action": "hologram:DeleteInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"// <The RAM user must be granted this permission before it can be used to delete instances. Otherwise, when the RAM user deletes an instance, a success message is returned but the instance is not deleted.>
              },
              {   // Grant a RAM user the permission to purchase instances. The RAM user must be granted this permission before it can be used to purchase instances.
                  "Effect": "Allow",
                  "Action": "bss:PayOrder",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"// <Test failed.>
              },
              {   // Grant a RAM user the permission to view instance details.
                  "Effect": "Allow",
                  "Action": "hologram:GetInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*" // <The asterisk (*) can be replaced with an instance ID.>
              },
              { // Grant a RAM user the permission to view the instance list.
                  "Effect": "Allow",
                  "Action": "hologram:ListInstances",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"// <The asterisk (*) cannot be replaced with an instance ID.>
              },
              {  // Grant a RAM user the permission to suspend instances.
                  "Effect": "Allow",
                  "Action": "hologram:StopInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to resume instances.
                  "Effect": "Allow",
                  "Action": "hologram:ResumeInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to view the metrics of instances.
                  "Effect": "Allow",
                  "Action": "hologram:GetInstanceMetrics",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"// <The asterisk (*) can be replaced with an instance ID.>
              },
              {  // Grant a RAM user the permission to change the network types of instances.
                  "Effect": "Allow",
                  "Action": "hologram:UpdateInstanceNetworkType",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to access HoloWeb.
                  "Effect": "Allow",
                  "Action": "hologram:HoloWebAccess",
                  "Resource": "*"
              }      
          ],
          "Version": "1"
      }

      The following table describes the parameters in the syntax.

      Parameter

      Description

      <region>

      The region in which the Hologres instance resides. Example: beijing.

      <Alibaba Cloud account ID>

      The ID of your Alibaba Cloud account.

      *

      The IDs of all Hologres instances within your Alibaba Cloud account. You can also replace the asterisk (*) with the ID of a specific Hologres instance.

      Sample statement:

      acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx

      Important

      The asterisk (*) in instance/* in the following configurations cannot be replaced with a specific instance ID:

      {
          "Statement": [
              {  // Grant a RAM user the permissions to perform all operations. If you enter this configuration, you do not need to enter the following configurations.
                  "Effect": "Allow",
                  "Action": "hologram:*",// The permissions to perform all operations.
                  "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*"// The permissions apply to all instances in all regions.
              },
              {   // Grant a RAM user the permissions to purchase or renew instances.
                  "Effect": "Allow",
                  "Action": "hologram:*",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permission to delete instances.
                  "Effect": "Allow",
                  "Action": "hologram:DeleteInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permission to purchase instances. This permission must be granted if you want to purchase instances by using the RAM user.
                  "Effect": "Allow",
                  "Action": "bss:PayOrder",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              { // Grant a RAM user the permission to view the instance list.
                  "Effect": "Allow",
                  "Action": "hologram:ListInstances",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to suspend instances.
                  "Effect": "Allow",
                  "Action": "hologram:StopInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to resume instances.
                  "Effect": "Allow",
                  "Action": "hologram:ResumeInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to view the metrics of instances.
                  "Effect": "Allow",
                  "Action": ["cms:DescribeMetricList", "cms:QueryMetricList"],
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to change the network types of instances.
                  "Effect": "Allow",
                  "Action": "hologram:UpdateInstanceNetworkType",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              }
          ],
          "Version": "1"
      }

    Click Next to edit policy information. In the dialog box that appears, configure the Name and Description parameters.

  5. Click OK.

  6. Click Complete.
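The custom policy in step 4 has two rules that are easy to miss: the `//` comments must be removed before the JSON is accepted, and only some actions accept an instance ID in place of the asterisk in `instance/*`. The following Python check is an added example, not part of the Hologres documentation; the list of wildcard-only actions is taken from the sample policies above, and the account ID and instance ID in the sample are constructed placeholders.

```python
import json
import re

# Actions the page lists as requiring "instance/*" (its second sample policy).
WILDCARD_ONLY = {
    "hologram:*", "hologram:DeleteInstance", "bss:PayOrder",
    "hologram:ListInstances", "hologram:StopInstance", "hologram:ResumeInstance",
    "cms:DescribeMetricList", "cms:QueryMetricList",
    "hologram:UpdateInstanceNetworkType",
}
# A JSON string literal, or a // comment running to the end of the line.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_comments(text):
    """Remove // comments, leaving any // inside string values untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_policy(text):
    """Return (statement index, action, problem) for each issue found."""
    findings = []
    policy = json.loads(strip_comments(text))
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action.endswith(":*"):
                findings.append((i, action, "wildcard action grants every operation"))
            for res in _as_list(stmt["Resource"]):
                instance = res.rpartition("instance/")[2] if "instance/" in res else "*"
                if action in WILDCARD_ONLY and instance != "*":
                    findings.append((i, action, "instance ID not supported, use instance/*"))
    return findings

# Constructed sample: placeholder account and instance IDs, comments left in.
SAMPLE = """{
    "Statement": [
        {   // Scoping to one instance ID is allowed for these two actions.
            "Effect": "Allow",
            "Action": ["hologram:GetInstance", "hologram:GetInstanceMetrics"],
            "Resource": "acs:hologram:cn-beijing:1234567890:instance/hgexample-01"
        },
        {   // Misconfigured: this action must keep instance/*.
            "Effect": "Allow",
            "Action": "hologram:StopInstance",
            "Resource": "acs:hologram:cn-beijing:1234567890:instance/hgexample-01"
        }
    ],
    "Version": "1"
}"""

if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```

The output of `strip_comments` is the text to paste into the JSON tab once `lint_policy` returns an empty list or only findings you accept.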

Grant the development permissions on a Hologres instance to a RAM user

Before you can perform data analytics operations on a Hologres instance as a RAM user, you must use your Alibaba Cloud account to grant the development permissions on the Hologres instance to the RAM user. You can log on to the Hologres console, go to the HoloWeb console, add a user on the User Management page, and then grant permissions to the user. This section describes how to use the simple permission model (SPM) to grant the development permissions on a Hologres instance to a RAM user.

Note

You can execute SQL statements to grant permissions to a RAM user by using different permission models. For more information, see the following topics:

  1. Log on to the Alibaba Cloud official website.

  2. Go to the Hologres console. Click the name of the instance that you want to manage. The instance details page appears.

  3. In the left-side navigation pane of the instance details page, click Users.

  4. On the User Management page, click Add New User.

  5. In the Add New User dialog box, configure the parameters that are described in the following table.

    Parameter

    Description

    Select Organization Members

    The RAM user that you want to add to the instance.

    User types

    The role to be assigned to the RAM user. Valid values:

    • Super Administrator (SuperUser): A superuser has all permissions on the instance.

    • Ordinary User: By default, a regular user has no permissions on the instance.

      A regular user can log on to a Hologres instance and perform allowed data analytics operations only after the regular user is granted the required development permissions.

  6. Optional. If the RAM user is assigned the regular user role, perform the following steps to grant the required permissions to the RAM user:

    1. In the left-side pane of the instance details page, click Databases.

    2. On the Database Authorization page, find the database that you want to manage and click Authorize User in the Operation column.

      Note

      If no database is created in the Hologres instance, click Create Database in the upper-right corner to create a database.

    3. On the Database Authorization page, find the database that you want to manage and click Authorize User in the Operation column.

    4. In the Grant Permissions dialog box, configure the parameters that are described in the following table.

      Grant Permissions dialog box

      Parameter

      Description

      User Account

      The RAM user to which you want to grant permissions.

      User Group

      • Admin: Users in this group are the owners of the current database and are authorized to manage the database and users in the four user groups.

      • Developer: Users in this group are authorized to read and write data in the current database, and create, delete, or modify objects in the database by executing DDL statements.

      • Writer: Users in this group are authorized to read and write data in the current database.

      • Viewer: Users in this group are authorized to read data in the current database.

  7. Click OK.

What to do next

After you grant the RAM user the required permissions, you can connect to the Hologres instance that you want to manage and perform data analytics operations on the instance as the RAM user. You can use HoloWeb to perform data analytics operations in the Hologres console. For more information, see Connect to HoloWeb.