This topic describes how to group services and authorize different roles to manage services in different groups by using the tagging feature.

Sample scenario

You have created 10 services in the Function Compute console. You want to authorize the dev team to manage five services and the ops team to manage the other five services. The dev and ops teams can view only the services that they are authorized to manage.

You can use the tagging feature to group the services and grant each team permissions on a different group. In this scenario, you can attach the team:dev tag to five services and the team:ops tag to the other five services.

Procedure

  1. Attach the team:dev tag to the five services that you will authorize the dev team to manage, and attach the team:ops tag to the five services that you will authorize the ops team to manage. For more information, see Create tags.
  2. Create a RAM user.
  3. Create a RAM user group.
    Create two user groups named dev and ops.
  4. Add a RAM user to a RAM user group.
    Create RAM users and add them to the corresponding user groups.
  5. Grant different permissions to these two user groups.
    Function Compute supports system policies and custom policies. Select the policy type that fits your requirements.
    • Grant permissions to different user groups by using system policies.

      For more information, see Grant permissions to a RAM user group.

    • Grant permissions to different user groups by using custom policies.
      1. Create a custom policy.
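        In this example, the custom policy named policyForDevTeam is used to grant permissions to the dev team. The policy allows fc:* only when the fc:tag/team condition key of the service equals dev. Do not add an unconditional Allow for fc:* on Resource * to this policy: RAM grants a request if any Allow statement matches, so such a statement would let the dev team manage every service regardless of its tag. If the team needs an action that cannot be checked against a service tag, grant that specific action in a separate statement. The following section shows the policy content:
        {
            "Statement": [
                {
                    "Action": "fc:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "fc:tag/team": "dev"
                        }
                    }
                }
            ],
            "Version": "1"
        }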
        In this example, the custom policy named policyForOpsTeam is used to grant permissions to the ops team. The policy allows fc:* only when the fc:tag/team condition key of the service equals ops. It contains no unconditional Allow for fc:*, because such a statement would grant access to every service regardless of its tag. The following section shows the policy content:
        {
            "Statement": [
                {
                    "Action": "fc:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "fc:tag/team": "ops"
                        }
                    }
                }
            ],
            "Version": "1"
        }
      2. Grant permissions to a RAM user group.

        Select the created custom policies when you grant permissions to user groups.

    After authorization is completed, the RAM users in the dev user group can manage only the services tagged with team:dev and the RAM users in the ops user group can manage only the services tagged with team:ops.
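
The following check is an added example, not part of the original topic or of Function Compute: a simplified Python model of policy evaluation that shows whether a custom policy really limits a team to services carrying its tag, and flags Allow statements that are not scoped by the tag condition. The function names, the BROAD policy, and the fc:UpdateService sample action are assumptions chosen for illustration; only StringEquals on fc:tag/ keys is modelled, and Resource is ignored.

```python
from fnmatch import fnmatchcase

# Constructed sample policies. SCOPED holds the tag-conditioned statement used for
# the dev team; BROAD adds a constructed unconditional Allow for comparison.
SCOPED = {"Version": "1", "Statement": [
    {"Action": "fc:*", "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"fc:tag/team": "dev"}}},
]}
BROAD = {"Version": "1", "Statement": SCOPED["Statement"] + [
    {"Action": "fc:*", "Effect": "Allow", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, tags):
    """True if the statement applies to this action on a service with these tags."""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
        return False
    cond = stmt.get("Condition", {})
    if set(cond) - {"StringEquals"}:
        return False  # operators this model does not implement count as unmet
    for key, values in cond.get("StringEquals", {}).items():
        name = key[len("fc:tag/"):] if key.startswith("fc:tag/") else None
        if name is None or tags.get(name) not in _as_list(values):
            return False
    return True


def is_allowed(policy, action, tags):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    hits = [s["Effect"] for s in _as_list(policy["Statement"])
            if _matches(s, action, tags)]
    return "Deny" not in hits and "Allow" in hits


def unscoped_allows(policy, tag_key="fc:tag/team"):
    """Indexes of Allow statements that lack a StringEquals condition on tag_key."""
    return [i for i, s in enumerate(_as_list(policy["Statement"]))
            if s.get("Effect") == "Allow"
            and tag_key not in s.get("Condition", {}).get("StringEquals", {})]
```

Run unscoped_allows over each custom policy before attaching it to a user group; any returned index is a statement that applies to services outside the team's tag.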