This topic describes how to create a custom policy. Custom policies provide more precise control than system policies. For example, you can create a custom policy to control the permissions on specific instances or operations.

Background information

A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.

Step 1: Create a custom policy

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the Policies page, click Create Policy.
  4. Configure parameters for the custom policy.
    Policy Name: Enter an informative name for easy identification.
    Note (optional): Enter the description of the policy.
    Configuration Mode: Select Script. To configure policies for DTS, you must select Script.
    Policy Document: Select an existing system policy from the drop-down list. This parameter is not needed when you create a custom policy as described in this topic, so you can leave it unconfigured.
    Policy: Enter the permission policy. You can edit the sample policies that are listed in this topic based on your needs. Resource-level and operation-level authorization are supported. For more information about the policy structure and syntax, see Policy structure and syntax.

    Sample custom policies:

    Note
    • You must replace each DTS instance ID placeholder in the following code with the actual ID of your DTS instance.
    • If the read-only permission on a DTS instance is granted to a RAM user, the RAM user can query task details and configurations but cannot change configurations. If the read/write permissions on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.

    Demo 1: Read-only permission on a single DTS instance.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:Describe*",
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    Demo 2: Read/write permissions on multiple DTS instances.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:*",
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID 1",
                    "acs:dts:*:*:instance/DTS instance ID 2"
                ]
            }
        ],
        "Version": "1"
    }

    Demo 3: View the configurations of a data synchronization task.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSynchronizationJobStatus",
                    "dts:DescribeSynchronizationJobs"
                ],
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    Demo 4: Start or pause a data synchronization task.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSubscriptionInstances",
                    "dts:StartSynchronizationJob",
                    "dts:SuspendSynchronizationJob"
                ],
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID 1",
                    "acs:dts:*:*:instance/DTS instance ID 2"
                ]
            }
        ],
        "Version": "1"
    }
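    The following added example (not part of this topic or of the RAM product code) shows how a policy like Demo 1 is evaluated: the Action and Resource patterns are matched with "*" as the wildcard, an explicit Deny overrides any Allow, and a request that matches no statement is denied. The instance ID "dtsxxxxxx", the region "cn-hangzhou", and the account ID "1234567890" are constructed placeholders, and Condition elements are not evaluated.

```python
import fnmatch
import json

# Constructed sample based on Demo 1 above (read-only on one instance).
# "dtsxxxxxx" is a placeholder DTS instance ID, not a real one.
READ_ONLY_POLICY = json.loads("""
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dts:Describe*",
            "Resource": "acs:dts:*:*:instance/dtsxxxxxx"
        }
    ],
    "Version": "1"
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # The policies on this page use only "*" as a wildcard; fnmatchcase keeps
    # matching case-sensitive, as RAM action and resource names are.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True if the policy grants `action` on `resource`.

    Evaluation order (assumed, simplified): a matching Deny statement wins
    over any Allow; if no statement matches, the request is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    arn = "acs:dts:cn-hangzhou:1234567890:instance/dtsxxxxxx"  # constructed ARN
    print(is_allowed(READ_ONLY_POLICY, "dts:DescribeSynchronizationJobs", arn))  # True
    print(is_allowed(READ_ONLY_POLICY, "dts:StartSynchronizationJob", arn))      # False
```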
  5. Click OK.

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a RAM user.
  3. In the left-side navigation pane, click Users under Identities.
  4. In the User Logon Name/Display Name column, find the target RAM user.
  5. Click Add Permissions in the Actions column.
  6. In the Add Permissions pane, select the required permission policies.
    1. Select Custom Policy.
    2. Click the name of a custom policy to add the policy to the Selected section.
  7. Click OK.
  8. Click Finished.

Scenarios of operation-level authorization

Note
  • The DescribeMigrationJobs, DescribeSubscriptionInstances, and DescribeSynchronizationJobs policies authorize a RAM user to query available DTS instances. If a RAM user has the permissions only on some instances, the user must query available DTS instances before the user can perform related operations.
  • To authorize a RAM user to configure data migration, data synchronization, or change tracking, you must create a custom policy and attach the policy to the user. For more information, see Permission policy.
The following list maps each feature and operation in the DTS console to the permission policies (actions) that a RAM user needs to perform it.

Data migration
  • Create a data migration task: CreateMigrationJob
  • Query data migration tasks: DescribeMigrationJobs
  • View the details of a data migration task: DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus
  • Modify the name of a data migration task: DescribeMigrationJobs, ModifyMigrationObject
  • Configure a data migration task: DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
  • View precheck details: DescribeMigrationJobs, DescribeMigrationJobStatus
  • Create a similar data migration task: DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
  • Monitor a data migration task and set alerts: DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert
  • Change the password that is used to log on to an instance: DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject
  • Start a data migration task: DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail
  • Pause a data migration task: DescribeMigrationJobs, SuspendMigrationJob
  • View the details of schema migration: DescribeMigrationJobs, DescribeMigrationJobStatus
  • View the details of full data migration: DescribeMigrationJobs, DescribeMigrationJobStatus
  • View the details of incremental data migration: DescribeMigrationJobs, DescribeMigrationJobStatus
  • View the performance of full data migration or incremental data migration: DescribeMigrationJobs, DescribeMigrationJobDetail
  • View task logs: DescribeMigrationJobs, DescribeMigrationJobDetail

Change tracking
  • Create a change tracking task: CreateSubscriptionInstance
  • Query change tracking tasks: DescribeSubscriptionInstances
  • View the details of a change tracking task: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
  • Modify the name of a change tracking task: DescribeSubscriptionInstances, ModifySubscriptionObject
  • Modify the objects for change tracking: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
  • Create consumer groups: DescribeSubscriptionInstances, CreateConsumerGroup
  • View the information about a consumer group: DescribeSubscriptionInstances, DescribeConsumerGroup
  • Modify the password of a consumer group: DescribeSubscriptionInstances, ModifyConsumerGroupPassword
  • Delete a consumer group: DescribeSubscriptionInstances, DeleteConsumerGroup
  • Change the password that is used to log on to an instance: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
  • Delete a change tracking task: DescribeSubscriptionInstances, DeleteSubscriptionInstance
  • Monitor a change tracking task and set alerts: DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert
  • Configure a change tracking task: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
  • View task logs: DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus

Data synchronization
  • Create a data synchronization task: CreateSynchronizationJob
  • Query data synchronization tasks: DescribeSynchronizationJobs
  • View the details of a data synchronization task: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • Modify the name of a data synchronization task: DescribeSynchronizationJobs, ModifySynchronizationObject
  • View the configurations of a data synchronization task: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the objects to be synchronized: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the status of initial schema synchronization and initial full data synchronization: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the performance of full data synchronization or incremental data synchronization: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • View the modification records of the objects to be synchronized: DescribeSynchronizationJobs
  • View task logs: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
  • Configure a data synchronization task: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
  • Start a data synchronization task: DescribeSynchronizationJobs, StartSynchronizationJob
  • Pause a data synchronization task: DescribeSynchronizationJobs, SuspendSynchronizationJob
  • Modify the objects to be synchronized: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
  • Delete a data synchronization task: DescribeSynchronizationJobs, DeleteSynchronizationJob
  • Stop a data synchronization task: DescribeSynchronizationJobs, DeleteSynchronizationJob
  • Monitor a data synchronization task and set alerts: DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert
  • Change the password that is used to log on to an instance: DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject
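The following added example (not part of this topic or of the RAM product code) turns the operation-level mapping above into a least-privilege policy document: you name the console operations a RAM user must perform and the DTS instances involved, and it emits one Allow statement containing exactly the required actions, scoped to those instances. The mapping is a transcribed subset of the data synchronization rows; "dtsaaaa" and "dtsbbbb" are constructed placeholder instance IDs.

```python
import json

# Subset of the data synchronization rows above, transcribed for this example:
# console operation -> RAM actions it requires (without the "dts:" prefix).
OPERATION_ACTIONS = {
    "Query data synchronization tasks": ["DescribeSynchronizationJobs"],
    "View the details of a data synchronization task": [
        "DescribeSynchronizationJobs", "DescribeSynchronizationJobStatus"],
    "Start a data synchronization task": [
        "DescribeSynchronizationJobs", "StartSynchronizationJob"],
    "Pause a data synchronization task": [
        "DescribeSynchronizationJobs", "SuspendSynchronizationJob"],
    "Delete a data synchronization task": [
        "DescribeSynchronizationJobs", "DeleteSynchronizationJob"],
}


def build_policy(operations, instance_ids):
    """Return a RAM policy dict allowing only the actions the listed console
    operations need, on the listed DTS instances (never on "*")."""
    unknown = [op for op in operations if op not in OPERATION_ACTIONS]
    if unknown:
        raise ValueError(f"operations not in the mapping: {unknown}")
    if not instance_ids:
        raise ValueError("at least one DTS instance ID is required")
    # Union of the required actions, sorted so the output is stable for review.
    actions = sorted({f"dts:{a}" for op in operations for a in OPERATION_ACTIONS[op]})
    # Resource format as used by the sample policies on this page.
    resources = [f"acs:dts:*:*:instance/{iid}" for iid in instance_ids]
    return {
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}],
        "Version": "1",
    }


def policy_json(operations, instance_ids):
    """Serialize the policy in the form that is pasted into the Policy field."""
    return json.dumps(build_policy(operations, instance_ids), indent=4)


if __name__ == "__main__":
    # Reproduces the intent of Demo 4 (start or pause a synchronization task)
    # on two constructed placeholder instances.
    print(policy_json(["Start a data synchronization task",
                       "Pause a data synchronization task"], ["dtsaaaa", "dtsbbbb"]))
```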

What to do next

Log on to the RAM console as a RAM user.

FAQ

Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?
A: The RAM user may have no permissions or may have permissions only on some instances. In this case, the DTS console does not show the instance list. You must contact the RAM administrator and obtain the IDs of the DTS instances on which the RAM user has administrative permissions. Then, you can search for DTS instances by using their IDs in the DTS console.