If you purchase an Alibaba Cloud Elasticsearch cluster and other personnel in your organization (such as O&M, development, or data analytics personnel) need to access the cluster as RAM users, you can attach policies to the RAM users based on the features that each person requires. This improves system security and availability. You can also create multiple user groups and attach different policies to each group, so that you manage user permissions by group instead of by individual user.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM?

Policy description

Policies are categorized into system policies and custom policies.
  • System policies
    System policy and description:
    • AliyunElasticsearchReadOnlyAccess: The read-only permissions on Elasticsearch or Logstash clusters. You can attach this policy to users to whom you want to grant only read-only permissions.
    • AliyunElasticsearchFullAccess: The management permissions on Elasticsearch clusters, Logstash clusters, or Beats shippers. After you attach this policy to a user, the user becomes an administrator.
  • Custom policies

    If system policies do not meet your business requirements, you can create custom policies. For more information, see Create a custom policy.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, configure the following parameters based on your business requirements.
    Grant permissions to a RAM user (parameters and descriptions):
    • Authorized Scope
      • Alibaba Cloud Account: Permissions take effect on resources within the current Alibaba Cloud account.
      • Specific Resource Group: Permissions take effect on resources in the resource group you select.
    • Principal: The RAM user to which you want to grant permissions. You can enter the name of a RAM user, RAM user group, or RAM role to which you want to grant permissions. Fuzzy searches are supported.
    • Select Policy
      • System Policy: Enter Elasticsearch to search for Elasticsearch system policies and click the name of the policy that you want to attach to the RAM user. For more information about Elasticsearch system policies, see Policy description.
      • Custom Policy: If the system policies do not meet your business requirements, select an existing custom policy. Fuzzy searches are supported. For more information about Elasticsearch custom policies, see Create a custom policy.
  5. Click OK.
  6. Click Complete.
    The granted permissions then take effect. You can use the RAM user to log on to the Elasticsearch console and perform authorized operations.
    Note: If the RAM user no longer requires the permissions, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.
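
Because a policy can reach a RAM user either directly or through a user group, it helps to review who effectively holds AliyunElasticsearchFullAccess after permissions are granted. The following is an added example, not part of the original documentation: the inventory structure, user names, and group names are constructed for illustration and are not the output format of any Alibaba Cloud API.

```python
# Added example: audit which RAM users effectively hold Elasticsearch policies.
# The inventory structure is an assumption made for this example; it is not
# the response format of any Alibaba Cloud API.
FULL = "AliyunElasticsearchFullAccess"
READ_ONLY = "AliyunElasticsearchReadOnlyAccess"

# Constructed sample inventory (hypothetical user and group names).
INVENTORY = {
    "groups": {
        "es-admins": {"policies": [FULL], "members": ["ops-alice"]},
        "analytics": {"policies": [READ_ONLY], "members": ["data-bob", "dev-carol"]},
    },
    "users": {
        "ops-alice": {"policies": []},
        "data-bob": {"policies": []},
        "dev-carol": {"policies": [FULL]},  # direct grant on top of group grant
        "tmp-dave": {"policies": [READ_ONLY]},
    },
}


def effective_policies(inventory):
    """Map each user to {policy: [sources]} across direct and group attachments."""
    result = {name: {} for name in inventory["users"]}
    for name, user in inventory["users"].items():
        for policy in user["policies"]:
            result[name].setdefault(policy, []).append("direct")
    for group_name, group in inventory["groups"].items():
        for member in group["members"]:
            # A group may list a member missing from the user list; keep it visible.
            grants = result.setdefault(member, {})
            for policy in group["policies"]:
                grants.setdefault(policy, []).append(f"group:{group_name}")
    return result


def unexpected_admins(inventory, approved_admins):
    """Return (user, sources) for full-access holders who are not approved administrators."""
    findings = []
    for name, grants in sorted(effective_policies(inventory).items()):
        if FULL in grants and name not in approved_admins:
            findings.append((name, grants[FULL]))
    return findings


if __name__ == "__main__":
    for user, sources in unexpected_admins(INVENTORY, approved_admins={"ops-alice"}):
        print(f"{user}: {FULL} via {', '.join(sources)}")
```

In the sample data, dev-carol is reported because the full-access policy is attached directly even though the analytics group grants only read-only access.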