This topic describes how to create a custom policy. Custom policies provide more precise control than system policies. For example, you can create a custom policy that restricts a RAM user to specific DTS instances or to specific operations.

Background information

A policy defines a set of permissions that are described according to the policy structure and grammar. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and grammar.

Step 1: Create a custom policy

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the Policies page, click Create Policy.
  4. Configure the parameters for the custom policy.
    • Policy Name: Enter an informative name for easy identification.
    • Note: Optional. Enter a description of the policy.
    • Configuration Mode: Select Script. Policies for DTS can only be configured in Script mode.
    • Policy Document: Select an existing system policy from the drop-down list. You do not need to configure this parameter when you create a custom policy as described in this topic.
    • Policy: Enter the permission policy. You can edit the sample policies that are listed in this topic based on your needs. Both resource-level authorization (which instances) and action-level authorization (which API operations) are supported. For more information, see Policy structure and grammar.

    Sample custom policies:

    Note
    • Replace DTS instance ID (and DTS instance ID 1, DTS instance ID 2) in the following policies with the actual IDs of your DTS instances. To cover several instances, list one ARN per instance in the Resource array.
    • A RAM user with read-only permissions on DTS instances can query task details and configurations but cannot change them. A RAM user with read/write permissions can configure and manage the instances.

    demo1: Read-only permission for a single DTS instance
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:Describe*",
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    demo2: Read/write permissions for multiple DTS instances
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:*",
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID 1",
                    "acs:dts:*:*:instance/DTS instance ID 2"
                ]
            }
        ],
        "Version": "1"
    }

    demo3: View the configurations of a single data synchronization instance
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSynchronizationJobStatus",
                    "dts:DescribeSynchronizationJobs"
                ],
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    demo4: Start or pause multiple data synchronization instances
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSynchronizationJobs",
                    "dts:StartSynchronizationJob",
                    "dts:SuspendSynchronizationJob"
                ],
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID 1",
                    "acs:dts:*:*:instance/DTS instance ID 2"
                ]
            }
        ],
        "Version": "1"
    }
  5. Click OK.
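The most common mistake with the samples above is pasting them with the placeholder still in place, or widening Resource to "*" while debugging and forgetting to narrow it again. The following helper, an added example that is not part of the original page or of Alibaba Cloud's tooling, takes the demo1 template, expands its placeholder to a list of instance ARNs, and lints the result against the shape the samples use (Version "1", dts: actions, acs:dts:*:*:instance/<ID> resources). The instance IDs in it are constructed placeholders, not real instances.

```python
"""Scope and lint a DTS custom policy before pasting it into the RAM console.

Added example, not code from the original page. The checks follow the sample
policies on this page: Version "1", dts: actions, and Resource values of the
form acs:dts:*:*:instance/<DTS instance ID>. Instance IDs used below are
constructed placeholders.
"""
import json
import re

PLACEHOLDER = "DTS instance ID"  # literal placeholder used in the samples
INSTANCE_ARN = re.compile(
    r"^acs:dts:(\*|[a-z0-9-]+):(\*|\d+):instance/(?P<id>[A-Za-z0-9_-]+)$"
)

# demo1 from the page, with the placeholder still in place.
READ_ONLY_TEMPLATE = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Action": "dts:Describe*",
        "Resource": "acs:dts:*:*:instance/DTS instance ID",
    }],
    "Version": "1",
})


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def scope_to_instances(template: str, instance_ids: list[str]) -> str:
    """Replace each placeholder resource with one ARN per instance ID.

    Non-placeholder resources are kept; duplicates are dropped so a template
    that repeats the placeholder does not produce repeated ARNs.
    """
    policy = json.loads(template)
    for stmt in policy["Statement"]:
        resources = []
        for r in _as_list(stmt.get("Resource")):
            if PLACEHOLDER in r:
                prefix = r[: r.index(PLACEHOLDER)]  # "acs:dts:*:*:instance/"
                resources.extend(prefix + i for i in instance_ids)
            else:
                resources.append(r)
        stmt["Resource"] = list(dict.fromkeys(resources))  # order-preserving dedupe
    return json.dumps(policy, indent=4)


def list_resources(document: str) -> list[str]:
    """All Resource ARNs in the document, in statement order."""
    out = []
    for stmt in json.loads(document).get("Statement", []):
        out.extend(_as_list(stmt.get("Resource")))
    return out


def lint_policy(document: str) -> list[str]:
    """Return findings for a policy document; an empty list means it passed."""
    findings: list[str] = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        # e.g. a Resource array missing its closing bracket
        return [f"invalid JSON: {exc}"]
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        for a in _as_list(stmt.get("Action")):
            if not a.startswith("dts:"):
                findings.append(f"statement {i}: action {a!r} is outside the dts service")
        for r in _as_list(stmt.get("Resource")):
            if PLACEHOLDER in r:
                findings.append(f"statement {i}: placeholder {PLACEHOLDER!r} was not replaced")
            elif r == "*" or not INSTANCE_ARN.match(r):
                findings.append(f"statement {i}: Resource {r!r} is not scoped to a DTS instance")
    return findings


if __name__ == "__main__":
    scoped = scope_to_instances(READ_ONLY_TEMPLATE, ["dtsexample001", "dtsexample002"])
    print(scoped)
    print("findings:", lint_policy(scoped) or "none")
```

Run the linter on the exact text you are about to paste into the Policy field; the broken-JSON branch catches an unbalanced Resource array, and the placeholder check catches an unedited sample.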

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. Create a RAM user if one does not exist yet.
  3. In the left-side navigation pane, click Users under Identities.
  4. In the User Logon Name/Display Name column, find the target RAM user.
  5. Click Add Permissions in the Actions column.
  6. In the Add Permissions dialog box, select the required permission policies.
    1. Select Custom Policy.
    2. Click the name of a custom policy to add the policy to the Selected section.
  7. Click OK.
  8. Click Finished.

Common scenarios of operation-level authorization

Note
  • In the following list, the DescribeMigrationJobs, DescribeSubscriptionInstances and DescribeSynchronizationJobs permissions are required to retrieve the instance list. A RAM user may have permissions on only some instances, so the console must be able to list those instances before any operation on them can be performed. Grant the listing permission of a feature together with every other permission for that feature.
  • If you need to grant a RAM user permission to configure data migration, synchronization, or subscription tasks, you must also configure the corresponding custom policy for the user. For more information about the policy, see Permission policy.
The following list maps each feature and console action to the permission policy (API actions) that the RAM user needs.

Data migration
  • Create a data migration task: CreateMigrationJob
  • View the list of data migration tasks: DescribeMigrationJobs
  • View the details of a data migration task: DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus
  • Modify a data migration task name: DescribeMigrationJobs, ModifyMigrationObject
  • Configure a data migration task: DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
  • View the details of a precheck: DescribeMigrationJobs, DescribeMigrationJobStatus
  • Duplicate a task: DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
  • Configure monitoring and alerting: DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert
  • Modify the database password: DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject
  • Start a data migration task: DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail
  • Suspend a data migration task: DescribeMigrationJobs, SuspendMigrationJob
  • View the details of schema migration: DescribeMigrationJobs, DescribeMigrationJobStatus
  • View the details of full data migration: DescribeMigrationJobs, DescribeMigrationJobStatus
  • View the details of incremental data migration: DescribeMigrationJobs, DescribeMigrationJobStatus
  • View the performance of full or incremental migration: DescribeMigrationJobs, DescribeMigrationJobDetail
  • View task logs: DescribeMigrationJobs, DescribeMigrationJobDetail

Data subscription
  • Create a data subscription task: CreateSubscriptionInstance
  • View the list of data subscription tasks: DescribeSubscriptionInstances
  • View the details of a data subscription task: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
  • Modify a data subscription task name: DescribeSubscriptionInstances, ModifySubscriptionObject
  • Modify the objects of a data subscription task: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
  • Create consumer groups: DescribeSubscriptionInstances, CreateConsumerGroup
  • View consumer groups: DescribeSubscriptionInstances, DescribeConsumerGroup
  • Modify the password of a consumer group: DescribeSubscriptionInstances, ModifyConsumerGroupPassword
  • Delete a consumer group: DescribeSubscriptionInstances, DeleteConsumerGroup
  • Modify the database password: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
  • Release a data subscription task: DescribeSubscriptionInstances, DeleteSubscriptionInstance
  • Configure monitoring and alerting: DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert
  • Configure a data subscription task: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
  • View task logs: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus

Data synchronization
  • Create a data synchronization task: CreateSynchronizationJob
  • View the list of data synchronization tasks: DescribeSynchronizationJobs
  • View the details of a data synchronization task: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • Modify a data synchronization task name: DescribeSynchronizationJobs, ModifySynchronizationObject
  • View the configurations of a data synchronization task: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the objects to be synchronized: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • Check the status of initial schema synchronization and initial full data synchronization: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the performance of full or incremental synchronization: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the modification records of the objects to be synchronized: DescribeSynchronizationJobs
  • View task logs: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • Configure a data synchronization task: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
  • Start a data synchronization task: DescribeSynchronizationJobs, StartSynchronizationJob
  • Pause a data synchronization task: DescribeSynchronizationJobs, SuspendSynchronizationJob
  • Modify the objects to be synchronized: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
  • Release a data synchronization task: DescribeSynchronizationJobs, DeleteSynchronizationJob
  • Stop a data synchronization task: DescribeSynchronizationJobs, DeleteSynchronizationJob
  • Configure monitoring and alerting: DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert
  • Modify the database password: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
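In practice you grant a RAM user a handful of console actions, not whole features, so the useful step is to union the API actions of exactly those rows and emit one instance-scoped policy. The following script is an added example, not code from the original page or from Alibaba Cloud; SCENARIOS transcribes a subset of the mapping above (extend it row by row from the list as you need), and the instance IDs in the usage at the bottom are constructed placeholders. It always includes the feature's listing action, for the reason given in the Note above.

```python
"""Compose a least-privilege DTS policy from the console actions a RAM user needs.

Added example, not code from the original page. SCENARIOS transcribes a subset
of the feature -> console action -> API action mapping above. Instance IDs in
the usage example are constructed placeholders.
"""
import json

# The listing action every row of a feature depends on (see the Note above).
LIST_ACTION = {
    "Data migration": "DescribeMigrationJobs",
    "Data subscription": "DescribeSubscriptionInstances",
    "Data synchronization": "DescribeSynchronizationJobs",
}

# Subset of the mapping above; keys are the console action names as written there.
SCENARIOS = {
    "Data migration": {
        "Create a data migration task": ["CreateMigrationJob"],
        "Start a data migration task": ["DescribeMigrationJobs", "StartMigrationJob",
                                        "DescribeMigrationJobDetail"],
        "Suspend a data migration task": ["DescribeMigrationJobs", "SuspendMigrationJob"],
        "Modify the database password": ["DescribeMigrationJobs", "DescribeMigrationJobDetail",
                                         "ModifyMigrationObject"],
    },
    "Data subscription": {
        "Create consumer groups": ["DescribeSubscriptionInstances", "CreateConsumerGroup"],
        "Modify the password of a consumer group": ["DescribeSubscriptionInstances",
                                                    "ModifyConsumerGroupPassword"],
        "Release a data subscription task": ["DescribeSubscriptionInstances",
                                             "DeleteSubscriptionInstance"],
    },
    "Data synchronization": {
        "View the details of a data synchronization task": ["DescribeSynchronizationJobs",
                                                            "DescribeSynchronizationJobStatus"],
        "Start a data synchronization task": ["DescribeSynchronizationJobs",
                                              "StartSynchronizationJob"],
        "Pause a data synchronization task": ["DescribeSynchronizationJobs",
                                              "SuspendSynchronizationJob"],
        "Release a data synchronization task": ["DescribeSynchronizationJobs",
                                                "DeleteSynchronizationJob"],
    },
}


def required_actions(selection: dict[str, list[str]]) -> list[str]:
    """Union the API actions for the chosen console actions, per feature.

    selection maps a feature name to the console actions the user performs.
    The feature's listing action is always added, because the console cannot
    show the user's instances without it. Unknown features or rows raise
    KeyError rather than silently granting nothing.
    """
    actions: set[str] = set()
    for feature, console_actions in selection.items():
        rows = SCENARIOS[feature]
        actions.add(LIST_ACTION[feature])
        for name in console_actions:
            actions.update(rows[name])
    return sorted(f"dts:{a}" for a in actions)


def compose_policy(selection: dict[str, list[str]], instance_ids: list[str]) -> dict:
    """Build the policy document: one Allow statement scoped to the given instances."""
    if not instance_ids:
        raise ValueError("scope the policy to at least one DTS instance ID")
    return {
        "Statement": [{
            "Effect": "Allow",
            "Action": required_actions(selection),
            # dict.fromkeys de-duplicates while keeping the caller's order
            "Resource": [f"acs:dts:*:*:instance/{i}" for i in dict.fromkeys(instance_ids)],
        }],
        "Version": "1",
    }


if __name__ == "__main__":
    # Constructed example: an operator who only starts and pauses two sync jobs.
    policy = compose_policy(
        {"Data synchronization": ["Start a data synchronization task",
                                  "Pause a data synchronization task"]},
        ["dtsexample001", "dtsexample002"],
    )
    print(json.dumps(policy, indent=4))
```

The output for the example selection is the demo4 policy above with real IDs filled in; paste it into the Policy field in Script mode. Refusing an empty instance list is deliberate: a policy with no Resource scope is the kind of thing that later gets "fixed" with "*".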

Related operations

Log on to the RAM console as a RAM user.

FAQ

Q: Why does the DTS console not show the instance list and display an error message when I log on as a RAM user?
A: The RAM user may have no permissions or may have permissions on only some instances. In this case, the DTS console does not show the instance list. Contact the RAM administrator to obtain the ID of a DTS instance on which the RAM user has permissions, and then search for that instance by ID in the DTS console.