To manage permissions on services including Enterprise Distributed Application Service (EDAS) in the same access control system, you can replace EDAS-defined permissions with permission policies of Resource Access Management (RAM). This topic describes how to replace EDAS-defined permissions with RAM permission policies.

Background information

You have read and understood the structure and syntax of permission policies. For more information, see Policy structure and syntax.
The following parameters make up a permission policy:
  • Effect: Specifies whether the statement results in an explicit allow or an explicit deny. Valid values: Allow and Deny.
  • Action: Describes one or more operations that are allowed or not allowed to be performed on a resource. You can specify one or more operations. Set the value to the name of the operation for the resource. Format: <service-name>:<action-name>.
    • service-name: the name of an Alibaba Cloud service.
    • action-name: one or more operation names.
  • Resource: Specifies the object or objects that the statement covers. Syntax: acs:<service-name>:<region>:<account-id>:<relative-id>. The syntax is the same as the format of an Alibaba Cloud Resource Name (ARN).
  • Condition (optional): Specifies the conditions that are required for a permission policy to take effect. A condition block consists of one or more condition clauses. A condition clause consists of a key, an operator, and a value.
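The policy structure above, checked by a small Python validator that you can run on a policy document before pasting it into the RAM console; this is an added example, not Alibaba Cloud's or EDAS's own code. The regular expressions encode the <service-name>:<action-name> and ARN syntax from the table, and the validator also flags an Allow statement on every action of every resource; SAMPLE_POLICY is constructed, its account ID is a placeholder, and the acs:SourceIp condition key is an assumption.

```python
import json
import re

# <service-name>:<action-name>; "*" is accepted as a wildcard
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$|^\*$")
# acs:<service-name>:<region>:<account-id>:<relative-id>
ARN_RE = re.compile(r"^acs:[a-z0-9-]+:[a-z0-9*-]*:[0-9*]*:.+$|^\*$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_policy(doc: str) -> list:
    """Return the problems found; an empty list means the document is usable."""
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if not isinstance(a, str) or not ACTION_RE.match(a):
                problems.append(f"statement {i}: bad Action {a!r}")
        for r in resources:
            if not isinstance(r, str) or not ARN_RE.match(r):
                problems.append(f"statement {i}: bad Resource {r!r}")
        cond = st.get("Condition")  # optional: {operator: {key: value}}
        if cond is not None and not (isinstance(cond, dict)
                                     and all(isinstance(v, dict) for v in cond.values())):
            problems.append(f"statement {i}: Condition must map operator to {{key: value}}")
        # least-privilege check: an Allow on every action of every resource
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            problems.append(f"statement {i}: Allow * on * grants full account access")
    return problems


# Constructed sample: placeholder account ID, actions limited to the edas service,
# and an assumed acs:SourceIp condition restricting the caller's network
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["edas:*"],
    "Resource": "acs:edas:*:123456789012:*",
    "Condition": {"IpAddress": {"acs:SourceIp": "10.0.0.0/8"}}}]})
```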

Step 1: Create a permission policy for EDAS

You can use one of the following methods to create or query a permission policy for EDAS:

Method 1: Query the library of sample permission policies

You can query RAM permission policies and EDAS-defined permissions in the library. For more information, see Permission policies.

Method 2: Use the permission assistant to create a permission policy

The scenario in the following example involves only basic operations. For scenarios that involve more complicated operations, see Use the EDAS permission assistant to create permission policies.

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > Permission Assistant.
  3. On the Permission Assistant page, click New Permission Strategy.
  4. In the New Permission Strategy panel, set the parameters.
    1. On the Create a new custom permission policy tab, set the parameters and click next step.
      Set the following parameters:
      • Name of strategy: Enter a name for the permission policy.
      • note: Enter remarks for the permission policy.
      • New permission statement:
        1. Click New permission statement to add one or more statements.
        2. In the Add authorization statement panel, set the Effect, Action, and Resource parameters. Click OK.
          Notice: When you create a permission policy, you can select only one of the following effects: Allow or Deny.
        3. On the Create a new custom permission policy tab, you can copy, modify, or delete a statement in the Actions column.
    2. On the Strategy to preview tab, you can preview the permission policy. Click Copy in the upper-right corner and click OK in the lower-right corner.
      The following message appears: The permission policy is created. You can click Go to Policy List to view and manage the permission policy.
  5. In the Permission Policy list, copy the permission policy that you have created.

Method 3: Replace an EDAS-defined permission with a RAM permission policy

If you have specified the Alibaba Cloud accounts or sub-accounts that are allowed to manage EDAS resources in the EDAS console, you can replace the EDAS-defined permissions with RAM permission policies in the EDAS console.

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > RAM User.
  3. On the RAM User page, select the sub-account that is granted EDAS-defined permissions and click Create RAM Permission Policy in the RAM Authorization column.
  4. In the RAM Permission Policy message, copy the permission policy and click OK.

Step 2: Create a permission policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. Navigate to the Policies page and click Create Policy.
  4. On the Create Custom Policy page, set the parameters and click OK.
    (Figure: Create a permission policy)
    Set the following parameters:
    • Policy Name: Enter a name for the permission policy. The name can contain letters, digits, and hyphens (-).
    • Note (optional): Enter remarks for the permission policy.
    • Configuration Mode: Script is selected in this example. In the Policy Document field, paste the permission policy content that you copied in Step 1: Create a permission policy for EDAS.

Step 3: Create a RAM user and attach the permission policy to the RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, set the parameters and click OK.
    (Figure: Create a RAM user)
    Set the following parameters:
    • Logon Name: Enter a name used by the RAM user to log on to the Alibaba Cloud Management Console. The name can be up to 64 characters in length, and can contain periods (.), hyphens (-), letters, and digits.
      Note: You can click Add User to create multiple RAM users at a time.
    • Display Name: The display name of the RAM user. The name can be up to 24 characters in length.
    • Access Mode: Select Console Access or Programmatic Access. Keep the password or AccessKey pair strictly confidential. To ensure security, you can select only one mode.
  5. On the Users page, find the RAM user that you have created and click Add Permissions in the Actions column.
  6. In the Add Permissions panel, grant permissions to the RAM user and click OK.
    (Figure: Grant permissions to the RAM user)
    Set the following parameters:
    • Authorized Scope: You can select Alibaba Cloud Account or Specified Resource Group. Select an option based on your business requirements.
    • Principal: The current RAM user is selected by default.
    • Select Policy: Custom Policy is selected in this example. Enter the policy name in the search box to search for the policy. Then, click the policy name in the Authorization Policy Name column.

Step 4: Replace the EDAS-defined permission with the RAM permission policy for the RAM user in the EDAS console

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > RAM User.
  3. On the RAM User page, find the sub-account that you want to manage and click Switch to RAM User in the RAM Authorization column.
    Note
    • After the sub-account is switched to the RAM user, the Switch to RAM User button in the Actions column is dimmed.
    • After a sub-account is switched to a RAM user, you cannot switch the RAM user back to the sub-account. The RAM user cannot use EDAS-defined permissions.

    When you switch a sub-account to a RAM user, EDAS checks whether the RAM user is granted permissions on EDAS.

    • If the RAM user is granted permissions on EDAS, click OK in the message that appears to switch the sub-account to the RAM user.
    • If the RAM user is not granted permissions on EDAS, you must first authorize the RAM user in the RAM console.