Use a custom policy to authorize a RAM user to manage DTS instances - Access control| Alibaba Cloud Documentation Center

This topic describes how to create a custom policy. Custom policies provide more precise control than system policies. For example, you can create a custom policy to control the access to instances or operation.

Background information

A policy defines a set of permissions that are described according to the policy structure and grammar. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and grammar.

Step 1: Create a custom policy

Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, click Policies under Permissions.
On the Policies page, click Create Policy.

Configure parameters for the custom policy.


Parameter	Description
Policy Name	Enter an informative name for easy identification.
Note	Optional. Enter the description of the policy.
Configuration Mode	Select Script. To configure policies for DTS, you can only select Script.
Policy Document	Select an existing system policy from the drop-down list. Note This topic describes how to create a custom policy. You do not need to configure this parameter.
Policy	Enter the permission policy. You can edit the sample policies that are listed in this topic based on your needs. Note A policy defines a set of permissions that are described according to the policy structure and grammar. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and grammar. Resource-and Action-level authorization is currently supported.

Sample custom policies:

Note

You must replace the DTS instance ID in the following code with the actual ID of your DTS instance.
If a RAM user has the read-only permission for DTS instances, the RAM user can query task details and configurations but cannot change configurations. If a RAM user has the read/write permissions for DTS instances, the RAM user can configure and manage the DTS instances.

demo1 demo2 demo3 demo4

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dts:Describe*",
            "Resource": "acs:dts:*:*:instance/DTS instance ID"
        }
    ],
    "Version": "1"
}

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dts:*",
            "Resource": [
                "acs:dts:*:*:instance/DTS instance ID",
                "acs:dts:*:*:instance/DTS instance ID"
            ]
        }
    ],
    "Version": "1"
}

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dts:DescribeSynchronizationJobStatus",
                "dts:DescribeSynchronizationJobs"
            ],
            "Resource": "acs:dts:*:*:instance/DTS instance ID"
        }
    ],
    "Version": "1"
}

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dts:DescribeSubscriptionInstances",
                "dts:StartSynchronizationJob",
                "dts:SuspendSynchronizationJob"
            ],
            "Resource": [
                "acs:dts:*:*:instance/DTS instance ID",
                "acs:dts:*:*:instance/DTS instance ID",
        }
    ],
    "Version": "1"
}

demo1: Read-only permission for a single DTS instance
demo2: Read/write permissions for DTS instances.
demo3: View the configurations for a single data synchronization instance.
demo4: Start or pause data synchronization instances.

Click OK.

Step 2: Attach the custom policy to a RAM user

Log on to the RAM console with an Alibaba Cloud account.
Create a RAM user.
In the left-side navigation pane, click Users under Identities.
In the User Logon Name/Display Name column, find the target RAM user.
Click Add Permissions in the Actions column.
In the Add Permissions dialog box, select the required permission policies.
1. Select Custom Policy.
2. Click the name of a custom policy to add the policy to the Selected section.
Click OK.
Click Finished.

Common scenarios of operation-level authorization

Note

In the following table, DescribeMigrationJobs, DescribeSubscriptionInstances and DescribeSynchronizationJobs permissions are used to obtain the instances list. RAM users may only have permissions on some instances. Therefore, you must obtain the instances list before you perform related operations.
If you need to grant RAM users permission to configure data migration, synchronization, or subscription task, you also need to configure the custom policy for the user. For more information about the policy, see Permission policy.


Feature	Action in the console	The corresponding permission policy
Data migration	Create a data migration task	CreateMigrationJob
	View the list of data migration tasks	DescribeMigrationJobs
	View the data migration task details	DescribeMigrationJobs DescribeMigrationJobDetail DescribeMigrationJobStatus
	Modify a data migration task name	DescribeMigrationJobs ModifyMigrationObject
	Configure a data migration task	DescribeMigrationJobs DescribeMigrationJobDetail DescribeMigrationJobStatus CreateMigrationJob
	View the details of PreCheck	DescribeMigrationJobs DescribeMigrationJobStatus
	Duplicate Task	DescribeMigrationJobs DescribeMigrationJobDetail DescribeMigrationJobStatus CreateMigrationJob
	Configure monitoring and alerting	DescribeMigrationJobs DescribeMigrationJobAlert ConfigureMigrationJobAlert
	Modify the database password	DescribeMigrationJobs DescribeMigrationJobDetail ModifyMigrationObject
	Start a data migration task	DescribeMigrationJobs StartMigrationJob DescribeMigrationJobDetail
	Suspend a data migration task	DescribeMigrationJobs SuspendMigrationJob
	View the details of schema migration	DescribeMigrationJobs DescribeMigrationJobStatus
	View the details of full data migration	DescribeMigrationJobs DescribeMigrationJobStatus
	View the details of incremental data migration	DescribeMigrationJobs DescribeMigrationJobStatus
	View the performance of full or incremental migration	DescribeMigrationJobs DescribeMigrationJobDetail
	View task logs	DescribeMigrationJobs DescribeMigrationJobDetail
Data subscription	Create a data subscription task	CreateSubscriptionInstance
	View the list of data subscription task	DescribeSubscriptionInstances
	View the details of data subscription task	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus
	Modify a data subscription task name	DescribeSubscriptionInstances ModifySubscriptionObject
	Modify objects for data subscription task	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus ModifySubscriptionObject
	Create consumer groups	DescribeSubscriptionInstances CreateConsumerGroup
	View consumer groups	DescribeSubscriptionInstances DescribeConsumerGroup
	Modify the password of a consumer group	DescribeSubscriptionInstances ModifyConsumerGroupPassword
	Delete a consumer group	DescribeSubscriptionInstances DeleteConsumerGroup
	Modify the database password	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus ModifySubscriptionObject
	Release a data subscription task	DescribeSubscriptionInstances DeleteSubscriptionInstance
	Configure monitoring and alerting	DescribeSubscriptionInstances DescribeSubscriptionInstanceAlert ConfigureSubscriptionInstanceAlert
	Configure a data subscription task	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus ModifySubscriptionObject
	View task logs	DescribeSubscriptionInstances DescribeSubscriptionInstanceStatus
Data synchronization	Create a data synchronization task.	CreateSynchronizationJob
	View the list of data synchronization task	DescribeSynchronizationJobs
	View the details of data synchronization task	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	Modify a data synchronization task name	DescribeSynchronizationJobs ModifySynchronizationObject
	View the configurations of data synchronization task	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the objects to be synchronized	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	Check the status of initial schema synchronization and initial full data synchronization	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the performance of full or incremental synchronization	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	View the modification records of the objects to be synchronized	DescribeSynchronizationJobs
	View task logs	DescribeSynchronizationJobs DescribeSynchronizationJobStatus
	Configure a data synchronization task	DescribeSynchronizationJobs DescribeSynchronizationJobStatus ModifySynchronizationObject
	Start a data synchronization task	DescribeSynchronizationJobs StartSynchronizationJob
	Pause a data synchronization task	DescribeSynchronizationJobs SuspendSynchronizationJob
	Modify the objects to be synchronized	DescribeSynchronizationJobs DescribeSynchronizationJobStatus ModifySynchronizationObject
	Release a data synchronization task	DescribeSynchronizationJobs DeleteSynchronizationJob
	Stop a data synchronization task	DescribeSynchronizationJobs DeleteSynchronizationJob
	Configure monitoring and alerting	DescribeSynchronizationJobs DescribeSynchronizationJobAlert ConfigureSynchronizationJobAlert
	Modify the database password	DescribeSynchronizationJobs DescribeSynchronizationJobStatus ModifySubscriptionObject

Related operations

Log on to the RAM console as a RAM user.

FAQ

Q: Why does the DTS console not show the instance list when I log on to the DTS console as a RAM user and display an error message?

A: The RAM user may not have permissions or may have permissions only on some instances. In this case, the DTS console does not show the instance list. You must contact the RAM administrator and obtain the ID of the DTS instance that the RAM user has administrative permissions. Then, you can search for a DTS instance by using the instance ID in the DTS console.