Use a custom policy to authorize a RAM user to manage DTS instances

Last Updated: Oct 18, 2023

This topic describes how to create a custom policy. Custom policies provide more fine-grained permission control than system policies. You can use a custom policy to control the permissions on specific instances or actions.

Prerequisites

A RAM user is authorized to access the cloud resources (such as RDS instances and ECS instances) of the current Alibaba Cloud account. When you configure a DTS task as the RAM user, DTS can then retrieve the information about the relevant cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.

Background information

A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.

Precautions

  • If you need to synchronize data to MaxCompute, you cannot configure the data synchronization task as a RAM user. You must use an Alibaba Cloud account to configure the task.
  • If you configure a DTS task as a RAM user and the database is connected over Database Gateway, you must grant the AliyunDGFullAccess permission to the RAM user. If you configure a DTS task as a RAM user and the database is connected over Cloud Enterprise Network (CEN), you must grant the AliyunCENFullAccess permission to the RAM user.

Step 1: Create a custom policy

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. On the JSON tab, enter the content of the custom policy in the code editor.

    Sample custom policies:

    Note
    • A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.

    • You can grant permissions on specific resources and actions.

    • You must replace the DTS instance ID field in the following code with the actual ID of your Data Transmission Service (DTS) instance.

    • If the read-only permissions on a DTS instance are granted to a Resource Access Management (RAM) user, the RAM user can query task details and configurations but cannot modify the configurations. If the read and write permissions on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.

    Example 1: Read-only permissions on a single DTS instance

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:Describe*",
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    Example 2: Read and write permissions on multiple DTS instances

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:*",
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID",
                    "acs:dts:*:*:instance/DTS instance ID"
                ]
            }
        ],
        "Version": "1"
    }

    Example 3: Permissions to view the configurations of a data synchronization task

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSynchronizationJobStatus",
                    "dts:DescribeSynchronizationJobs"
                ],
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    Example 4: Permissions to start or pause multiple data synchronization tasks

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSubscriptionInstances",
                    "dts:StartSynchronizationJob",
                    "dts:SuspendSynchronizationJob"
                ],
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID",
                    "acs:dts:*:*:instance/DTS instance ID",
                    "acs:dts:*:*:instance/DTS instance ID"
                ]
            }
        ],
        "Version": "1"
    }

  6. Click Next to edit policy information.

  7. Specify the Name and Description fields.

  8. Check and optimize the document of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  9. Click OK.
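Before attaching a custom policy, it is worth checking it offline for the points this procedure makes: the DTS instance ID placeholder must be replaced, the read-only (dts:Describe*) and read-write (dts:*) cases behave differently, and the console's basic optimization removes duplicate entries and single-element arrays. The following Python linter is an added example, not Alibaba Cloud code or a RAM API; it reproduces those checks on the policy JSON shown above and also applies the rule stated later under "Scenarios of action-level authorization" that a RAM user scoped to specific instances still needs a Describe action to list them. The instance ID dtsexample01 in the test is a constructed value.

```python
import json
import re
from fnmatch import fnmatchcase

PLACEHOLDER = "DTS instance ID"  # literal placeholder used in the sample policies
INSTANCE_ARN = re.compile(r"^acs:dts:[^:]*:[^:]*:instance/(?P<id>[^/]+)$")
# Actions named in the action-level authorization note as the ones that let a
# RAM user query the DTS instances it is allowed to manage.
LIST_ACTIONS = {"dts:DescribeDTSIP", "dts:DescribeSubscriptionInstances",
                "dts:DescribeSynchronizationJobs"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _collapse(items):
    """Deduplicate (order preserved) and drop the array when one element remains,
    mirroring the console's basic optimization step."""
    uniq = list(dict.fromkeys(items))
    return uniq[0] if len(uniq) == 1 else uniq


def lint_policy(doc: str):
    """Return (normalized_policy, findings, read_only) for a RAM policy document."""
    policy = json.loads(doc)
    findings, all_actions, instance_scoped = [], set(), False
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for res in resources:
            if PLACEHOLDER in res:
                findings.append(f"placeholder not replaced: {res}")
            match = INSTANCE_ARN.match(res)
            if match and match.group("id") != "*":
                instance_scoped = True  # permissions limited to named instances
        broad_action = any(a in ("dts:*", "*") for a in actions)
        broad_resource = any(r == "*" or r.endswith("instance/*") for r in resources)
        if st.get("Effect") == "Allow" and broad_action and broad_resource:
            findings.append("Allow dts:* on every instance is not instance-scoped")
        all_actions.update(actions)
        st["Action"], st["Resource"] = _collapse(actions), _collapse(resources)
    # A user with permissions only on some instances must still be able to list them.
    if instance_scoped and not any(fnmatchcase(l, a) for a in all_actions for l in LIST_ACTIONS):
        findings.append("instance-scoped user cannot list instances; add a Describe action")
    read_only = bool(all_actions) and all(fnmatchcase(a, "dts:Describe*") for a in all_actions)
    return policy, findings, read_only
```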

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. Create a RAM user. For more information, see Create a RAM user.

  3. In the left-side navigation pane, choose Identities > Users.

  4. In the User Logon Name/Display Name column, find the RAM user.

  5. Click Add Permissions in the Actions column.

  6. In the Add Permissions panel, configure the required parameters to attach the custom policy to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.

      • Specific Resource Group: The permissions take effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Select Custom Policy for the Select Policy parameter.

    3. In the search box, enter the name of the custom policy that you created in Step 1.

    4. Click the name of the custom policy to add the policy to the Selected section.

  7. Click OK.

  8. Click Complete.

Scenarios of action-level authorization

Note
  • The DescribeDTSIP, DescribeSubscriptionInstances, and DescribeSynchronizationJobs actions authorize a RAM user to query the available DTS instances. If a RAM user has permissions only on some instances, the user must be able to query the available DTS instances before the user can perform related actions on them.

  • To authorize a RAM user to configure a data migration, data synchronization, or change tracking task, you must create a custom policy and attach the policy to the RAM user. For more information, see Authorize DTS to access Alibaba Cloud resources.

  • API operations (new version)

    | Feature | Action in the DTS console | Policy |
    |---|---|---|
    | Purchase an instance | Purchase a DTS instance | CreateDtsInstance |
    | Migrate or synchronize data | Configure a data migration or synchronization task | ConfigureDtsJob |
    | Track data changes | Configure a change tracking task | ConfigureSubscription |
    | Start a task | Start a DTS task | StartDtsJob |
    | Start multiple tasks at a time | Start multiple DTS tasks at a time | StartDtsJobs |
    | Manage consumer groups | Create a consumer group for a change tracking task | CreateConsumerChannel |
    | Manage consumer groups | Query the consumer group of a change tracking task | DescribeConsumerChannel |
    | Manage consumer groups | Modify the consumer group of a change tracking task | ModifyConsumerChannel |
    | Manage consumer groups | Delete the consumer group of a change tracking task | DeleteConsumerChannel |
    | Query tasks | Query the details of a DTS task | DescribeDtsJobDetail |
    | Query tasks | Query DTS tasks and the details of each task | DescribeDtsJobs |
    | Modify the configurations of a DTS task | Modify the configurations of a data synchronization task | ModifyDtsJob |
    | Modify the configurations of a DTS task | Modify the configurations of a change tracking task | ModifySubscription |
    | Modify the configurations of a DTS task | Rename a DTS task | ModifyDtsJobName |
    | Reset a task | Reset a DTS task | ResetDtsJob |
    | Pause a task | Pause a DTS task | SuspendDtsJob |
    | Pause multiple tasks at a time | Pause multiple DTS tasks at a time | SuspendDtsJobs |
    | Stop a task | Stop a DTS task | StopDtsJob |
    | Stop multiple tasks at a time | Stop multiple DTS tasks at a time | StopDtsJobs |
    | Release an instance | Release a DTS instance | DeleteDtsJob |
    | Release multiple instances at a time | Release multiple DTS instances at a time | DeleteDtsJobs |
    | Configure alerts for tasks | Create an alert rule for a DTS task or modify the alert rules of a DTS task | CreateJobMonitorRule |
    | Configure alerts for tasks | Query the alert rules of a DTS task | DescribeJobMonitorRule |
    | Query an extract, transform, and load (ETL) task | Query the details of an ETL task | DescribeDtsEtlJobVersionInfo |
    | Query an extract, transform, and load (ETL) task | Query the logs of an ETL task | DescribeEtlJobLogs |

  • API operations (old version)

    | Feature | Action in the DTS console | Policy |
    |---|---|---|
    | Manage data migration tasks | Create a data migration task | CreateMigrationJob |
    | Manage data migration tasks | Query data migration tasks | DescribeMigrationJobs |
    | Manage data migration tasks | View the details of a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus |
    | Manage data migration tasks | Rename a data migration task | DescribeMigrationJobs, ModifyMigrationObject |
    | Manage data migration tasks | Configure a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob |
    | Manage data migration tasks | View precheck details | DescribeMigrationJobs, DescribeMigrationJobStatus |
    | Manage data migration tasks | Create a similar data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob |
    | Manage data migration tasks | Monitor a data migration task and set an alert rule for the data migration task | DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert |
    | Manage data migration tasks | Change the password that is used to log on to an instance | DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject |
    | Manage data migration tasks | Start a data migration task | DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail |
    | Manage data migration tasks | Pause a data migration task | DescribeMigrationJobs, SuspendMigrationJob |
    | Manage data migration tasks | View the details of a schema migration task | DescribeMigrationJobs, DescribeMigrationJobStatus |
    | Manage data migration tasks | View the details of a full data migration task | DescribeMigrationJobs, DescribeMigrationJobStatus |
    | Manage data migration tasks | View the details of an incremental data migration task | DescribeMigrationJobs, DescribeMigrationJobStatus |
    | Manage data migration tasks | View the performance of a full data migration task or an incremental data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail |
    | Manage data migration tasks | View task logs | DescribeMigrationJobs, DescribeMigrationJobDetail |
    | Manage change tracking tasks | Create a change tracking task | CreateSubscriptionInstance |
    | Manage change tracking tasks | Query change tracking tasks | DescribeSubscriptionInstances |
    | Manage change tracking tasks | View the details of a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus |
    | Manage change tracking tasks | Rename a change tracking task | DescribeSubscriptionInstances, ModifySubscriptionObject |
    | Manage change tracking tasks | Change the objects for change tracking | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
    | Manage change tracking tasks | Create a consumer group | DescribeSubscriptionInstances, CreateConsumerGroup |
    | Manage change tracking tasks | View the information about a consumer group | DescribeSubscriptionInstances, DescribeConsumerGroup |
    | Manage change tracking tasks | Change the password of a consumer group | DescribeSubscriptionInstances, ModifyConsumerGroupPassword |
    | Manage change tracking tasks | Delete a consumer group | DescribeSubscriptionInstances, DeleteConsumerGroup |
    | Manage change tracking tasks | Change the password that is used to log on to an instance | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
    | Manage change tracking tasks | Release a change tracking task | DescribeSubscriptionInstances, DeleteSubscriptionInstance |
    | Manage change tracking tasks | Monitor a change tracking task and set an alert rule for the change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert |
    | Manage change tracking tasks | Configure a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
    | Manage change tracking tasks | View task logs | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus |
    | Manage data synchronization tasks | Create a data synchronization task | CreateSynchronizationJob |
    | Manage data synchronization tasks | Query data synchronization tasks | DescribeSynchronizationJobs |
    | Manage data synchronization tasks | View the details of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
    | Manage data synchronization tasks | Rename a data synchronization task | DescribeSynchronizationJobs, ModifySynchronizationObject |
    | Manage data synchronization tasks | View the configurations of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
    | Manage data synchronization tasks | View the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
    | Manage data synchronization tasks | View the status of a schema synchronization or full data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
    | Manage data synchronization tasks | View the performance of full data synchronization or incremental data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
    | Manage data synchronization tasks | View the change records of the objects to be synchronized | DescribeSynchronizationJobs |
    | Manage data synchronization tasks | View task logs | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
    | Manage data synchronization tasks | Configure a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject |
    | Manage data synchronization tasks | Start a data synchronization task | DescribeSynchronizationJobs, StartSynchronizationJob |
    | Manage data synchronization tasks | Pause a data synchronization task | DescribeSynchronizationJobs, SuspendSynchronizationJob |
    | Manage data synchronization tasks | Change the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject |
    | Manage data synchronization tasks | Release a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob |
    | Manage data synchronization tasks | Stop a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob |
    | Manage data synchronization tasks | Monitor a data synchronization task and set an alert rule for the data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert |
    | Manage data synchronization tasks | Change the password that is used to log on to an instance | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject |
    | Manage network settings | Query the CIDR blocks of DTS servers | DescribeDTSIP |

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user.

FAQ

Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?

A: The RAM user may have no permissions or may have permissions only on some instances. In this case, the DTS console does not display the instance list. You must contact the RAM administrator and obtain the IDs of the DTS instances that the RAM user has permissions to manage. Then, you can search for DTS instances by using their IDs in the DTS console.