This topic describes how to authorize Resource Access Management (RAM) users to manage PolarDB by using custom policies. If the system policies that are provided by RAM cannot meet your business requirements, you can create custom policies to manage PolarDB permissions. For example, you can create custom policies to grant permissions on specific resources and operations.

Prerequisites

Make sure that an Alibaba Cloud account is created before you use RAM to manage permissions. If you do not have an Alibaba Cloud account, create your Alibaba Cloud account.

Background information

  • A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.
  • Before you use custom policies for fine-grained PolarDB permission management, familiarize yourself with how to specify PolarDB resources for RAM users in policies. For more information, see Use RAM for resource authorization.
Note To customize permissions or grant the specific permissions on tables, you can use the permission management feature of Database Management Service (DMS). For more information, see Manage user permissions on MySQL databases.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, specify the parameters.
     • Policy Name: Enter an informative name for easy identification.
     • Note: Optional. Enter a description of the policy.
     • Configuration Mode: Select Script. PolarDB supports only the Script configuration mode.
     • Policy Document: Select an existing system policy from the drop-down list to import the policy.
       Note This example demonstrates how to create a custom policy. You do not need to specify this parameter.
     • Code Editor: Enter the content of the policy in the code editor. Sample custom policies are provided for your reference.
       Note
       • For more information about policy structure and syntax, see Policy structure and syntax.
       • You can grant permissions on specific resources and actions.

    Sample custom policies:

    • Example 1: Authorize a RAM user to manage the two specified PolarDB clusters.

      Assume that you have multiple PolarDB clusters within your Alibaba Cloud account. You want to authorize a RAM user to use only two clusters whose IDs are i-001 and i-002. In this case, you can create the following policy:

      {
        "Statement": [
          {
            "Action": "polardb:*",
            "Effect": "Allow",
            "Resource": [
              "acs:polardb:*:*:dbinstance/i-001",
              "acs:polardb:*:*:dbinstance/i-002"
            ]
          },
          {
            "Action": "polardb:Describe*",
            "Effect": "Allow",
            "Resource": "*"
          }
        ],
        "Version": "1"
      }
      Note
      • The authorized RAM user can view all the clusters and resources, but can manage only the two clusters whose IDs are i-001 and i-002. You can still manage the two clusters by using API operations, command-line interfaces (CLIs), or software development kits (SDKs).
      • The policy must include Describe*. Otherwise, the authorized RAM user cannot view clusters in the PolarDB console.
    • Example 2: Authorize a RAM user to use only specific features of PolarDB.

      If you want to authorize a RAM user to use only some features of PolarDB, you can create the following policy:

      {
          "Statement": [
              {
                  "Action": [
                    "polardb:Describe*",
                    "polardb:CreateBackup",
                    "polardb:DeleteBackup",
                    "polardb:ModifyDBClusterAccessWhitelist"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }
      Note
      • The authorized RAM user can only query cluster information and backups, create and delete backups, and modify whitelists for all the PolarDB clusters within your account.
      • PolarDB allows you to specify whether RAM users can perform specific operations on PolarDB resources. You can specify API operations in policies for fine-grained PolarDB permission management. For more information, see Alibaba Cloud services that support RAM and API overview.
  5. Click OK.
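    As an added example (not code from the original page or from Alibaba Cloud), the following Python script evaluates requests against the two sample policies above using a simplified model of the RAM policy language: "*" wildcards in Action and Resource, an explicit Deny overriding any Allow, and default deny when no statement matches. Ignoring Condition blocks and treating matching as case-sensitive are assumptions of this model; the region, account ID and cluster ID i-003 in the sample requests are constructed, and polardb:DescribeDBClusters and polardb:DeleteDBCluster are PolarDB operation names that this page does not list. The script is meant as a pre-attachment check that a policy grants no more than intended, and it shows why the Describe* statement in Example 1 matters for console visibility.

```python
import json
import re

# Constructed copies of the two sample policies from this page (RAM policy
# language, Version "1"). Cluster IDs i-001 and i-002 are the page's placeholders.
EXAMPLE_1 = json.loads("""
{
  "Statement": [
    {
      "Action": "polardb:*",
      "Effect": "Allow",
      "Resource": [
        "acs:polardb:*:*:dbinstance/i-001",
        "acs:polardb:*:*:dbinstance/i-002"
      ]
    },
    {
      "Action": "polardb:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
""")

EXAMPLE_2 = json.loads("""
{
  "Statement": [
    {
      "Action": [
        "polardb:Describe*",
        "polardb:CreateBackup",
        "polardb:DeleteBackup",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
""")


def cluster_arn(cluster_id, region="cn-hangzhou", account="1234567890123456"):
    """Build a concrete PolarDB cluster ARN. Region and account ID are constructed sample values."""
    return f"acs:polardb:{region}:{account}:dbinstance/{cluster_id}"


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """Match a policy string against a request value; only '*' is a wildcard.
    Assumption: matching is case-sensitive and no Condition block is evaluated."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Return True if the request is allowed under the simplified model:
    an explicit Deny wins over any Allow, and a request that matches no
    statement is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def access_matrix(policy, actions, cluster_ids):
    """Evaluate every action against every cluster; returns {(action, cluster_id): bool}."""
    return {(a, c): evaluate(policy, a, cluster_arn(c)) for a in actions for c in cluster_ids}


if __name__ == "__main__":
    # DescribeDBClusters and DeleteDBCluster are PolarDB operation names not shown on this page.
    actions = ["polardb:DescribeDBClusters", "polardb:CreateBackup", "polardb:DeleteDBCluster"]
    for name, policy in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name)
        for (action, cluster), ok in access_matrix(policy, actions, ["i-001", "i-003"]).items():
            print(f"  {action:40} {cluster:6} {'allow' if ok else 'deny'}")
```

    Running the matrix for Example 1 shows that management actions succeed on i-001 but fail on i-003, while DescribeDBClusters succeeds on both; dropping the second statement from Example 1 makes the Describe request on i-003 fail as well, which is the console-visibility problem the note above warns about.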

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, find the custom policy that you want to attach to the RAM user, and click the name of the custom policy.
  4. On the Basic Information page of the custom policy, click the References tab.
  5. Click Grant Permission. In the Add Permissions panel, specify the following parameters.
     • Authorization: Select Alibaba Cloud account all resources or Specified Resource Group.
     • Principal: Enter the name of the RAM user, user group, or RAM role to perform a fuzzy match. Then, select the RAM user to whom you want to attach the custom policy.
     • Select Policy: By default, the current custom policy appears in the Selected section on the right side of the panel. If you want to grant other permissions to the RAM user, select the policies in the Authorization Policy Name column on the left side of the panel. The selected policies then appear in the Selected section on the right side of the panel.
       Note You can attach up to five policies at a time. To attach more policies to the RAM user, repeat the preceding operations.
  6. Click OK.
    Note For more information about how to grant permissions to RAM users and RAM user groups, see Grant permissions to a RAM user and Grant permissions to a RAM user group.