This topic describes how to create a custom policy. Custom policies provide more fine-grained permission control than system policies. You can use a custom policy to control the permissions on specific instances or actions.
Prerequisites
A RAM user is authorized to access the cloud resources (such as RDS instances and ECS instances) of the current Alibaba Cloud account. When you configure a DTS task as the RAM user, DTS is allowed to call the relevant cloud resource information. For more information, see Authorize DTS to access Alibaba Cloud resources.
Background information
A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.
Precautions
- If you need to synchronize data to MaxCompute, you cannot configure the data synchronization task as a RAM user. You must use an Alibaba Cloud account to configure the task.
- If you configure a DTS task as a RAM user and the database is connected over Database Gateway, you must grant the AliyunDGFullAccess permission to the RAM user. If you configure a DTS task as a RAM user and the database is connected over Cloud Enterprise Network (CEN), you must grant the AliyunCENFullAccess permission to the RAM user.
Step 1: Create a custom policy
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
On the JSON tab, enter the content of the custom policy in the code editor.
Sample custom policies:
Note: A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.
You can grant permissions on specific resources and actions.
You must replace the DTS instance ID field in the following code with the actual ID of your Data Transmission Service (DTS) instance. If the read-only permissions on a DTS instance are granted to a Resource Access Management (RAM) user, the RAM user can query task details and configurations but cannot modify the configurations. If the read and write permissions on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.
Example 1: Read-only permissions on a single DTS instance
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:Describe*",
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}
Example 2: Read and write permissions on multiple DTS instances
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:*",
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
Example 3: Permissions to view the configurations of a data synchronization task
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSynchronizationJobStatus",
        "dts:DescribeSynchronizationJobs"
      ],
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}
Example 4: Permissions to start or pause multiple data synchronization tasks
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSubscriptionInstances",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob"
      ],
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
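As an added example (not code from this page or from Alibaba Cloud), the following Python script builds policy documents in the shape of Examples 1 and 2 and evaluates whether a given dts: action on a given instance would be permitted, so the scope of a custom policy can be checked before it is attached to a RAM user. The instance IDs, region and account ID are constructed placeholders, and the evaluation is deliberately simplified: an explicit Deny overrides Allow, and Condition elements are not modelled.

```python
import fnmatch

# Constructed placeholder IDs and request context; substitute real values.
READ_ONLY_ID = "dts-example-readonly"
JOB_IDS = ["dts-example-job-a", "dts-example-job-b"]
REGION, ACCOUNT = "cn-hangzhou", "1234567890123456"

def dts_resource(instance_id, region="*", account="*"):
    """Resource string in the form the page's examples use."""
    return f"acs:dts:{region}:{account}:instance/{instance_id}"

def build_policy(statements):
    """Turn (effect, actions, instance_ids) tuples into a RAM policy document."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": effect, "Action": list(actions),
             "Resource": [dts_resource(i) for i in ids]}
            for effect, actions, ids in statements
        ],
    }

def _matches(patterns, value):
    """Case-sensitive wildcard match; a statement field may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, instance_id):
    """Simplified RAM evaluation (assumption: Conditions are not modelled): an
    explicit Deny wins, any matching Allow grants, and no match means denied."""
    resource = dts_resource(instance_id, REGION, ACCOUNT)
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Read-only on one instance (as in Example 1), full control on two (as in
# Example 2), plus a Deny that stops the RAM user from releasing those two jobs.
EXAMPLE_POLICY = build_policy([
    ("Allow", ["dts:Describe*"], [READ_ONLY_ID]),
    ("Allow", ["dts:*"], JOB_IDS),
    ("Deny", ["dts:DeleteSynchronizationJob"], JOB_IDS),
])
```

Because the Resource pattern uses wildcards for region and account, the same policy matches an instance in any region; narrow those fields if the RAM user should only work in one.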
Click Next to edit policy information.
Specify the Name and Description fields.
Check and optimize the document of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Step 2: Attach the custom policy to a RAM user
Log on to the RAM console with an Alibaba Cloud account.
Create a RAM user. For more information, see Create a RAM user.
In the left-side navigation pane, choose .
In the User Logon Name/Display Name column, find the RAM user.
Click Add Permissions in the Actions column.
In the Add Permissions panel, configure the required parameters to attach the custom policy to the RAM user.
Select the authorization scope.
Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
Specific Resource Group: The permissions take effect in a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.
Select Custom Policy for the Select Policy parameter.
In the search box, enter the name of the custom policy that you created in Step 1.
Click the name of the custom policy to add the policy to the Selected section.
Click OK.
Click Complete.
Scenarios of action-level authorization
The DescribeDTSIP, DescribeSubscriptionInstances, and DescribeSynchronizationJobs policies authorize a RAM user to query available DTS instances. If a RAM user has the permissions only on some instances, the user must query available DTS instances before the user can perform related actions.
To authorize a RAM user to configure a data migration, data synchronization, or change tracking task, you must create a custom policy and attach the policy to the RAM user. For more information, see Authorize DTS to access Alibaba Cloud resources.
API operations (new version)
| Feature | Action in the DTS console | Policy |
| --- | --- | --- |
| Purchase an instance | Purchase a DTS instance | CreateDtsInstance |
| Migrate or synchronize data | Configure a data migration or synchronization task | ConfigureDtsJob |
| Track data changes | Configure a change tracking task | ConfigureSubscription |
| Start a task | Start a DTS task | StartDtsJob |
| Start multiple tasks at a time | Start multiple DTS tasks at a time | StartDtsJobs |
| Manage consumer groups | Create a consumer group for a change tracking task | CreateConsumerChannel |
| Manage consumer groups | Query the consumer group of a change tracking task | DescribeConsumerChannel |
| Manage consumer groups | Modify the consumer group of a change tracking task | ModifyConsumerChannel |
| Manage consumer groups | Delete the consumer group of a change tracking task | DeleteConsumerChannel |
| Query tasks | Query the details of a DTS task | DescribeDtsJobDetail |
| Query tasks | Query DTS tasks and the details of each task | DescribeDtsJobs |
| Modify the configurations of a DTS task | Modify the configurations of a data synchronization task | ModifyDtsJob |
| Modify the configurations of a DTS task | Modify the configurations of a change tracking task | ModifySubscription |
| Modify the configurations of a DTS task | Rename a DTS task | ModifyDtsJobName |
| Reset a task | Reset a DTS task | ResetDtsJob |
| Pause a task | Pause a DTS task | SuspendDtsJob |
| Pause multiple tasks at a time | Pause multiple DTS tasks at a time | SuspendDtsJobs |
| Stop a task | Stop a DTS task | StopDtsJob |
| Stop multiple tasks at a time | Stop multiple DTS tasks at a time | StopDtsJobs |
| Release an instance | Release a DTS instance | DeleteDtsJob |
| Release multiple instances at a time | Release multiple DTS instances at a time | DeleteDtsJobs |
| Configure alerts for tasks | Create an alert rule for a DTS task or modify the alert rules of a DTS task | CreateJobMonitorRule |
| Configure alerts for tasks | Query the alert rules of a DTS task | DescribeJobMonitorRule |
| Query an extract, transform, and load (ETL) task | Query the details of an ETL task | DescribeDtsEtlJobVersionInfo |
| Query an extract, transform, and load (ETL) task | Query the logs of an ETL task | DescribeEtlJobLogs |
API operations (old version)
| Feature | Action in the DTS console | Policy |
| --- | --- | --- |
| Manage data migration tasks | Create a data migration task | CreateMigrationJob |
| Manage data migration tasks | Query data migration tasks | DescribeMigrationJobs |
| Manage data migration tasks | View the details of a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus |
| Manage data migration tasks | Rename a data migration task | DescribeMigrationJobs, ModifyMigrationObject |
| Manage data migration tasks | Configure a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob |
| Manage data migration tasks | View precheck details | DescribeMigrationJobs, DescribeMigrationJobStatus |
| Manage data migration tasks | Create a similar data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob |
| Manage data migration tasks | Monitor a data migration task and set an alert rule for the data migration task | DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert |
| Manage data migration tasks | Change the password that is used to log on to an instance | DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject |
| Manage data migration tasks | Start a data migration task | DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail |
| Manage data migration tasks | Pause a data migration task | DescribeMigrationJobs, SuspendMigrationJob |
| Manage data migration tasks | View the details of a schema migration task | DescribeMigrationJobs, DescribeMigrationJobStatus |
| Manage data migration tasks | View the details of a full data migration task | DescribeMigrationJobs, DescribeMigrationJobStatus |
| Manage data migration tasks | View the details of an incremental data migration task | DescribeMigrationJobs, DescribeMigrationJobStatus |
| Manage data migration tasks | View the performance of a full data migration task or an incremental data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail |
| Manage data migration tasks | View task logs | DescribeMigrationJobs, DescribeMigrationJobDetail |
| Manage change tracking tasks | Create a change tracking task | CreateSubscriptionInstance |
| Manage change tracking tasks | Query change tracking tasks | DescribeSubscriptionInstances |
| Manage change tracking tasks | View the details of a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus |
| Manage change tracking tasks | Rename a change tracking task | DescribeSubscriptionInstances, ModifySubscriptionObject |
| Manage change tracking tasks | Change the objects for change tracking | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
| Manage change tracking tasks | Create a consumer group | DescribeSubscriptionInstances, CreateConsumerGroup |
| Manage change tracking tasks | View the information about a consumer group | DescribeSubscriptionInstances, DescribeConsumerGroup |
| Manage change tracking tasks | Change the password of a consumer group | DescribeSubscriptionInstances, ModifyConsumerGroupPassword |
| Manage change tracking tasks | Delete a consumer group | DescribeSubscriptionInstances, DeleteConsumerGroup |
| Manage change tracking tasks | Change the password that is used to log on to an instance | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
| Manage change tracking tasks | Release a change tracking task | DescribeSubscriptionInstances, DeleteSubscriptionInstance |
| Manage change tracking tasks | Monitor a change tracking task and set an alert rule for the change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert |
| Manage change tracking tasks | Configure a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
| Manage change tracking tasks | View task logs | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus |
| Manage data synchronization tasks | Create a data synchronization task | CreateSynchronizationJob |
| Manage data synchronization tasks | Query data synchronization tasks | DescribeSynchronizationJobs |
| Manage data synchronization tasks | View the details of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Manage data synchronization tasks | Rename a data synchronization task | DescribeSynchronizationJobs, ModifySynchronizationObject |
| Manage data synchronization tasks | View the configurations of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Manage data synchronization tasks | View the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Manage data synchronization tasks | View the status of a schema synchronization or full data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Manage data synchronization tasks | View the performance of full data synchronization or incremental data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Manage data synchronization tasks | View the change records of the objects to be synchronized | DescribeSynchronizationJobs |
| Manage data synchronization tasks | View task logs | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Manage data synchronization tasks | Configure a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject |
| Manage data synchronization tasks | Start a data synchronization task | DescribeSynchronizationJobs, StartSynchronizationJob |
| Manage data synchronization tasks | Pause a data synchronization task | DescribeSynchronizationJobs, SuspendSynchronizationJob |
| Manage data synchronization tasks | Change the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject |
| Manage data synchronization tasks | Release a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob |
| Manage data synchronization tasks | Stop a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob |
| Manage data synchronization tasks | Monitor a data synchronization task and set an alert rule for the data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert |
| Manage data synchronization tasks | Change the password that is used to log on to an instance | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject |
| Manage network settings | Query the CIDR blocks of DTS servers | DescribeDTSIP |
What to do next
Log on to the Alibaba Cloud Management Console as a RAM user.
FAQ
Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?
A: The RAM user may have no permissions or may have permissions only on some instances. In this case, the DTS console does not display the instance list. You must contact the RAM administrator and obtain the IDs of the DTS instances that the RAM user has permissions to manage. Then, you can search for DTS instances by using their IDs in the DTS console.