Applications hosted on Enterprise Distributed Application Service (EDAS) may consist of multiple services or subsystems, which may be developed and managed by different teams or engineers. EDAS supports enterprise-class access control based on accounts and permissions. This lets you control, or isolate, access to applications, resources, and data, and thereby reinforces the protection of your resources and data.

EDAS-defined permissions and permission policies of Resource Access Management (RAM)

EDAS has its own permission management system and is also integrated with RAM.

To manage permissions on Alibaba Cloud services including EDAS in the same system, we recommend that you use RAM. EDAS also allows you to replace EDAS-defined permissions with RAM permission policies. For more information, see Replace EDAS-defined permissions with RAM permission policies.

Note: If you want to manage the EDAS-defined permissions granted to a sub-account, you must log on to the EDAS console and specify the resources that the sub-account is allowed or not allowed to access. After you replace EDAS-defined permissions with RAM permission policies, you can no longer grant EDAS-defined permissions to sub-accounts. Sub-accounts are switched to RAM users, and you must grant RAM users permissions on EDAS in the RAM console.

EDAS supports both EDAS-defined permissions and RAM permission policies. Rules for managing sub-accounts and RAM users:

  • Access of RAM users is controlled by RAM permission policies, instead of EDAS-defined permissions.
  • For sub-accounts:
    • Access of sub-accounts to which the AliyunEDASFullAccess RAM permission policy is attached is controlled by RAM, instead of EDAS-defined permissions.
    • We recommend that you switch sub-accounts that are regulated by EDAS-defined permissions to RAM users. For more information, see Replace EDAS-defined permissions with RAM permission policies. If you do not switch sub-accounts to RAM users, you can continue using EDAS-defined permissions to control access of the sub-accounts.

Benefits of RAM

RAM is a resource access control service that is provided by Alibaba Cloud. You can use permission policies to control access of RAM users, such as employees, systems, or applications, and grant a RAM user specific permissions on a resource. For example, you can grant a RAM user read-only permissions on an EDAS application. For more information, see Policy.

More precise access control

EDAS-defined permission: after an Alibaba Cloud account grants a sub-account permissions on a set of resources, every granted operation applies to every granted resource. For example, if you grant a sub-account permissions on APP1 and APP2 and permissions to deploy and stop applications, the sub-account can deploy and stop both APP1 and APP2. Compared with RAM permission policies, EDAS-defined permissions are less precise.

RAM permission policy: each statement binds specific actions to specific resources, so RAM permission policies are more precise. For example, you can grant a RAM user permissions to deploy and stop applications, but specify APP1 and APP2 as the resources the RAM user may deploy and APP2 and APP3 as the resources the RAM user may stop. The RAM user can then deploy APP1 and APP2 but not APP3, and stop APP2 and APP3 but not APP1.

More types of syntax

Compared with EDAS-defined permissions, RAM permission policies support more types of syntax. For example, you can use wildcard characters in permission statements, and attach multiple permission policies to a RAM user to precisely regulate access control.

The following example shows the syntax of a RAM permission policy:

{
    "Statement": [
      {
        "Action": [
          "edas:ReadApplication"
        ],
        "Effect": "Allow",
        "Resource": ["acs:edas:*:*:namespace/*/application/*"]
      },
      {
        "Action": [
          "edas:ReadApplication"
        ],
        "Effect": "Deny",
        "Resource": ["acs:edas:cn-beijing:*:namespace/*/application/12345678"]
      }
    ],
    "Version": "1"
}

The preceding permission policy contains two statements:

  • In the first statement, the effect is set to Allow and the action is set to edas:ReadApplication, which allows the RAM user to query applications. The resource is set to acs:edas:*:*:namespace/*/application/*, in which the asterisk (*) wildcard stands for any region, account, namespace, and application ID. This statement allows the RAM user to query all EDAS applications.
  • In the second statement, the effect is set to Deny for the same action, and the resource is set to acs:edas:cn-beijing:*:namespace/*/application/12345678, which specifies the application whose ID is 12345678 in the cn-beijing region. This statement forbids the RAM user to query that application.

When a request matches both an Allow statement and a Deny statement, RAM applies the Deny. Therefore, the permission policy that contains the preceding statements allows the RAM user to query all applications other than the application whose ID is 12345678 in the cn-beijing region. Note that the Deny statement is scoped to cn-beijing by its region segment; to deny access to that application in every region, use an asterisk (*) in the region segment of the Deny resource as well.

You can also use conditional expressions to define a permission policy. For more information, see Policy overview.
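The following evaluator is an added example, not code from the EDAS page or from Alibaba Cloud. It replays the two-statement policy above and the per-resource precision described under "More precise access control" against concrete requests, so you can see which decisions the wildcard resources and the Deny statement actually produce. It assumes the documented RAM evaluation order (an explicit Deny overrides any Allow, and a request that matches no statement is implicitly denied), treats the asterisk (*) as the only wildcard and lets it span the colon (:) and slash (/) separators, and ignores Condition blocks. The account ID, the namespace name ns1, and the policy named PRECISION_POLICY are constructed for illustration.

```python
"""Toy evaluator for RAM-style permission policies.

Added example, not code from the EDAS page or from Alibaba Cloud. Assumed:
explicit Deny beats Allow and an unmatched request is implicitly denied
(the documented RAM evaluation order); '*' is the only wildcard and may
span ':' and '/'; Condition blocks are ignored; the account ID, namespace
and PRECISION_POLICY below are constructed for illustration.
"""
import json

# The two-statement policy shown on the page, verbatim.
PAGE_POLICY = json.loads("""{
  "Statement": [
    {"Action": ["edas:ReadApplication"], "Effect": "Allow",
     "Resource": ["acs:edas:*:*:namespace/*/application/*"]},
    {"Action": ["edas:ReadApplication"], "Effect": "Deny",
     "Resource": ["acs:edas:cn-beijing:*:namespace/*/application/12345678"]}
  ],
  "Version": "1"
}""")

# Constructed policy: manage applications 1001 and 1002, read only 1002 and 1003.
PRECISION_POLICY = {
    "Statement": [
        {"Action": ["edas:ManageApplication"], "Effect": "Allow",
         "Resource": ["acs:edas:*:*:namespace/*/application/1001",
                      "acs:edas:*:*:namespace/*/application/1002"]},
        {"Action": ["edas:ReadApplication"], "Effect": "Allow",
         "Resource": ["acs:edas:*:*:namespace/*/application/1002",
                      "acs:edas:*:*:namespace/*/application/1003"]},
    ],
    "Version": "1",
}

ACCOUNT = "1234567890"  # constructed Alibaba Cloud account ID


def glob_match(pattern, value):
    """True if value matches pattern, where each '*' matches any run of characters."""
    p = v = 0
    star, resume = -1, 0  # last '*' seen in pattern, and where to retry in value
    while v < len(value):
        if p < len(pattern) and pattern[p] == "*":
            star, resume, p = p, v, p + 1
        elif p < len(pattern) and pattern[p] == value[v]:
            p, v = p + 1, v + 1
        elif star != -1:
            resume += 1
            p, v = star + 1, resume
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def _as_list(field):
    return field if isinstance(field, list) else [field]


def evaluate(policies, action, resource):
    """Decide one request against every attached policy: a matching Deny wins
    immediately, otherwise Allow if some statement matches, else implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(glob_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(glob_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def app_resource(region, app_id, namespace="ns1"):
    """Concrete EDAS application resource name under the constructed account."""
    return f"acs:edas:{region}:{ACCOUNT}:namespace/{namespace}/application/{app_id}"


READ, MANAGE = "edas:ReadApplication", "edas:ManageApplication"


def page_policy_decisions():
    """The page's policy: the Deny covers app 12345678 in cn-beijing only."""
    pol = [PAGE_POLICY]
    return {
        "read 12345678 cn-beijing": evaluate(pol, READ, app_resource("cn-beijing", "12345678")),
        "read 12345678 cn-hangzhou": evaluate(pol, READ, app_resource("cn-hangzhou", "12345678")),
        "read 87654321 cn-beijing": evaluate(pol, READ, app_resource("cn-beijing", "87654321")),
        "manage 87654321 cn-beijing": evaluate(pol, MANAGE, app_resource("cn-beijing", "87654321")),
    }


def precision_policy_decisions():
    """PRECISION_POLICY alone scopes actions per resource; with PAGE_POLICY also
    attached the Allows are unioned, but the page's Deny still wins."""
    pol, both = [PRECISION_POLICY], [PAGE_POLICY, PRECISION_POLICY]
    return {
        "manage 1001": evaluate(pol, MANAGE, app_resource("cn-beijing", "1001")),
        "manage 1003": evaluate(pol, MANAGE, app_resource("cn-beijing", "1003")),
        "read 1001": evaluate(pol, READ, app_resource("cn-beijing", "1001")),
        "read 1003": evaluate(pol, READ, app_resource("cn-beijing", "1003")),
        "read 1001 (both)": evaluate(both, READ, app_resource("cn-beijing", "1001")),
        "read 12345678 cn-beijing (both)": evaluate(both, READ, app_resource("cn-beijing", "12345678")),
    }
```

Calling page_policy_decisions() shows the region caveat directly: querying application 12345678 is denied in cn-beijing but allowed in cn-hangzhou, because the Deny resource names cn-beijing while the Allow resource uses a wildcard region. precision_policy_decisions() shows that a RAM user may manage application 1001 without being able to read it, and read 1003 without being able to manage it, and that attaching a second policy adds Allows but never overrides an existing Deny.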

Relationship between EDAS-defined permissions and RAM permission policies

EDAS-defined permissions are not equivalent to RAM permissions. Therefore, you cannot directly change an EDAS-defined permission into a RAM permission policy. EDAS allows you to replace EDAS-defined permissions with RAM permission policies, which can inherit the EDAS-defined permissions in most cases. By default, the permissions that define whether a sub-account can perform a specific operation on EDAS resources such as applications and clusters are inherited by the RAM user to which the sub-account is switched.

Table 1. How EDAS-defined permissions and RAM permission policies are defined

EDAS-defined permission | RAM permission policy (actions) | Resource defined in a RAM permission policy
--- | --- | ---
Super Admin (all privileges) | edas:* | acs:edas:*:*:*
Acting Alibaba Cloud account | edas:ManageSystem | acs:edas:*:*:*
System management - view operation logs | edas:ReadOperationLog | acs:edas:*:*:*
Application management - modify namespaces | edas:ManageNamespace | acs:edas:*:*:namespace/${namespaceId}
Application management - query namespaces | edas:ReadNamespace | acs:edas:*:*:namespace/${namespaceId}
Resource management - create clusters | edas:CreateCluster | acs:edas:*:*:namespace/*
Resource management - query clusters | edas:ReadCluster | acs:edas:*:*:namespace/${namespaceId}
Resource management - manage and delete clusters | edas:ReadCluster, edas:ManageCluster | acs:edas:*:*:namespace/*/cluster/${clusterId}
Application management - create applications | edas:CreateApplication | acs:edas:*:*:namespace/*
Application management - deploy, start, scale up, and delete applications | edas:ManageApplication, edas:ReadApplication | acs:edas:*:*:namespace/*/application/${applicationId}
Application management - query application information | edas:ReadApplication | acs:edas:*:*:namespace/*/application/${applicationId}
Application management - configure containers and set Java virtual machine (JVM) parameters for applications | edas:ConfigApplication, edas:ReadApplication | acs:edas:*:*:namespace/*/application/${applicationId}
Application management - set log directories | edas:ManageAppLog, edas:ReadApplication | acs:edas:*:*:namespace/*/application/${applicationId}

Where a row lists two actions, the RAM permission policy must allow both actions on the listed resource for the RAM user to hold the equivalent of that EDAS-defined permission.