This topic describes authorization policies of Operation Orchestration Services (OOS). You can use the Resource Access Management (RAM) service to grant permissions to the specified groups, group members, and RAM users. You can also perform cross-service access control in the RAM console.

Background

When RAM users are trying to access OOS resources by using API operations, OOS sends requests to the RAM system to confirm that resource owners have granted the relevant permissions to the users. Required permissions vary with OOS resources and API operations. For more information about fine-grained authorization policies and access control, see the RAM documentation.
Note If authentication is not required, skip this topic.

API operations for authorization

The following table lists API operations and the corresponding Alibaba resource name (ARN). For more information about ARN, see Terms.
API operation OOS action ARN
CreateTemplate oos:CreateTemplate acs:oos:$regionid:$accountid:template/*
ListTemplates oos:ListTemplates acs:oos:$regionid:$accountid:template/${templateName}
UpdateTemplate oos:UpdateTemplate acs:oos:$regionid:$accountid:template/${templateName}
GetTemplate oos:GetTemplate acs:oos:$regionid:$accountid:template/${templateName}
DeleteTemplate oos:DeleteTemplate acs:oos:$regionid:$accountid:template/${templateName}
GenerateTemplatePolicy oos:GenerateTemplatePolicy acs:oos:$regionid:$accountid:template/${templateName}
StartExecution oos:StartExecution acs:oos:$regionid:$accountid:template/${templateName}execution/*
ListExecutions oos:ListExecutions acs:oos:$regionid:$accountid:acs:oos:$regionid:$accountid:execution/${executionId}
ListExecutionTasks oos:ListExecutionTasks acs:oos:$regionid:$accountid:execution/${executionId}
CancelExecution oos:CancelExecution acs:oos:$regionid:$accountid:execution/${executionId}
NotifyExecution oos:NotifyExecution acs:oos:$regionid:$accountid:execution/${executionId}
DeleteExecutions oos:DeleteExecutions acs:oos:$regionid:$accountid:execution/${executionId}
ListExecutionLogs oos:ListExecutionLogs acs:oos:$regionid:$accountid:execution/${executionId}
GetExecutionTemplate oos:GetExecutionTemplate acs:oos:$regionid:$accountid:execution/${executionId}