Alibaba Cloud Document Center: Find the Documentation for Your Needs

This topic describes how to create a custom policy. Custom policies provide more precise control than system policies. For example, you can create a custom policy to control the permissions on specific instances or operations.

Background information

A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.

Step 1: Create a custom policy

Log on to the RAM console by using an Alibaba Cloud account.
In the left-side navigation pane, click Policies under Permissions.
On the Policies page, click Create Policy.

Configure parameters for the custom policy.


Parameter	Description
Policy Name	Enter an informative name for easy identification.
Note	Optional. Enter the description of the policy.
Configuration Mode	Select Script. To configure policies for DTS, you must select Script.
Policy Document	Select an existing system policy from the drop-down list. Note This topic describes how to create a custom policy. You do not need to configure this parameter.
Policy	Enter the permission policy. You can edit the sample policies that are listed in this topic based on your needs. Note A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax. Resource-level and operation-level authorization are supported.

Sample custom policies:

Note

You must replace the DTS instance ID in the following code with the actual ID of your DTS instance.
If the read-only permission on a DTS instance is granted to a RAM user, the RAM user can query task details and configurations but cannot change configurations. If the read/write permissions on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.

demo 1 demo 2 demo 3 demo 4

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dts:Describe*",
            "Resource": "acs:dts:*:*:instance/DTS instance ID"
        }
    ],
    "Version": "1"
}

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dts:*",
            "Resource": [
                "acs:dts:*:*:instance/DTS instance ID",
                "acs:dts:*:*:instance/DTS instance ID"
            ]
        }
    ],
    "Version": "1"
}

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dts:DescribeSynchronizationJobStatus",
                "dts:DescribeSynchronizationJobs"
            ],
            "Resource": "acs:dts:*:*:instance/DTS instance ID"
        }
    ],
    "Version": "1"
}

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dts:DescribeSubscriptionInstances",
                "dts:StartSynchronizationJob",
                "dts:SuspendSynchronizationJob"
            ],
            "Resource": [
                "acs:dts:*:*:instance/DTS instance ID",
                "acs:dts:*:*:instance/DTS instance ID",
        }
    ],
    "Version": "1"
}

demo 1: Read-only permission on a single DTS instance.
demo 2: Read/write permissions on multiple DTS instances.
demo 3: View the configurations of a data synchronization task.
demo 4: Start or pause a data synchronization task.

Click OK.

Step 2: Attach the custom policy to a RAM user

Log on to the RAM console by using an Alibaba Cloud account.
Create a RAM user.
In the left-side navigation pane, click Users under Identities.
In the User Logon Name/Display Name column, find the target RAM user.
Click Add Permissions in the Actions column.
In the Add Permissions pane, select the required permission policies.
1. Select Custom Policy.
2. Click the name of a custom policy to add the policy to the Selected section.
Click OK.
Click Finished.

Scenarios of operation-level authorization

Note

The DescribeMigrationJobs, DescribeSubscriptionInstances, and DescribeSynchronizationJobs policies authorize a RAM user to query available DTS instances. If a RAM user has the permissions only on some instances, the user must query available DTS instances before the user can perform related operations.
To authorize a RAM user to configure data migration, data synchronization, or change tracking, you must create a custom policy and attach the policy to the user. For more information, see Permission policy.


Feature	Operation in the DTS console	Permission policy
Data migration	Create a data migration task	CreateMigrationJob
	Query data migration tasks	DescribeMigrationJobs
	View the details of a data migration task	DescribeMigrationJobs DescribeMigrationJobDetail DescribeMigrationJobStatus
	Modify the name of a data migration task	DescribeMigrationJobs ModifyMigrationObject
	Configure a data migration task	DescribeMigrationJobs DescribeMigrationJobDetail DescribeMigrationJobStatus CreateMigrationJob
	View precheck details	DescribeMigrationJobs DescribeMigrationJobStatus
	Create a similar data migration task	DescribeMigrationJobs DescribeMigrationJobDetail DescribeMigrationJobStatus CreateMigrationJob
	Monitor a data migration task and set alerts	DescribeMigrationJobs DescribeMigrationJobAlert ConfigureMigrationJobAlert
	Change the password that is used to log on to an instance	DescribeMigrationJobs DescribeMigrationJobDetail ModifyMigrationObject
	Start a data migration task	DescribeMigrationJobs StartMigrationJob DescribeMigrationJobDetail
	Pause a data migration task	DescribeMigrationJobs SuspendMigrationJob
	View the details of schema migration	DescribeMigrationJobs DescribeMigrationJobStatus
	View the details of full data migration	DescribeMigrationJobs DescribeMigrationJobStatus
	View the details of incremental data migration	DescribeMigrationJobs DescribeMigrationJobStatus
	View the performance of full data migration or incremental data migration	DescribeMigrationJobs DescribeMigrationJobDetail
	View task logs	DescribeMigrationJobs DescribeMigrationJobDetail
Change tracking	Create a change tracking task	CreateSubscriptionInstance
	Query change tracking tasks	DescribeSubscriptionInstances
	View the details of a change tracking task	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus
	Modify the name of a change tracking task	DescribeSubscriptionInstances ModifySubscriptionObject
	Modify the objects for change tracking	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus ModifySubscriptionObject
	Create consumer groups	DescribeSubscriptionInstances CreateConsumerGroup
	View the information about a consumer group	DescribeSubscriptionInstances DescribeConsumerGroup
	Modify the password of a consumer group	DescribeSubscriptionInstances ModifyConsumerGroupPassword
	Delete a consumer group	DescribeSubscriptionInstances DeleteConsumerGroup
	Change the password that is used to log on to an instance	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus ModifySubscriptionObject
	Delete a change tracking task	DescribeSubscriptionInstances DeleteSubscriptionInstance
	Monitor a change tracking task and set alerts	DescribeSubscriptionInstances DescribeSubscriptionInstanceAlert ConfigureSubscriptionInstanceAlert
	Configure a change tracking task	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus ModifySubscriptionObject
	View task logs	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus
Data synchronization	Create a data synchronization task	CreateSynchronizationJob
	Query data synchronization tasks	DescribeSynchronizationJobs
	View the details of a data synchronization task	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	Modify the name of a data synchronization task	DescribeSynchronizationJobs ModifySynchronizationObject
	View the configurations of a data synchronization task	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the objects to be synchronized	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the status of initial schema synchronization and initial full data synchronization	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the performance of full data synchronization or incremental data synchronization	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the modification records of the objects to be synchronized	DescribeSynchronizationJobs
	View task logs	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	Configure a data synchronization task	DescribeSynchronizationJobs DescribeSynchronizationJobStatus ModifySynchronizationObject
	Start a data synchronization task	DescribeSynchronizationJobs StartSynchronizationJob
	Pause a data synchronization task	DescribeSynchronizationJobs SuspendSynchronizationJob
	Modify the objects to be synchronized	DescribeSynchronizationJobs DescribeSynchronizationJobStatus ModifySynchronizationObject
	Delete a data synchronization task	DescribeSynchronizationJobs DeleteSynchronizationJob
	Stop a data synchronization task	DescribeSynchronizationJobs DeleteSynchronizationJob
	Monitor a data synchronization task and set alerts	DescribeSynchronizationJobs DescribeSynchronizationJobAlert ConfigureSynchronizationJobAlert
	Change the password that is used to log on to an instance	DescribeSynchronizationJobs DescribeSynchronizationJobStatus ModifySubscriptionObject

What to do next

Log on to the RAM console as a RAM user.

FAQ

Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?

A: The RAM user may have no permissions or may have permissions only on some instances. In this case, the DTS console does not show the instance list. You must contact the RAM administrator and obtain the IDs of the DTS instances on which the RAM user has administrative permissions. Then, you can search for DTS instances by using their IDs in the DTS console.