This topic describes how to use the EDAS permission assistant to configure permissions for a Resource Access Management (RAM) role of EDAS. You can use the EDAS permission assistant to create RAM permission policies. The EDAS permission assistant allows you to replace EDAS-defined permissions with RAM permission policies.

System permission policies that EDAS provides

EDAS provides eight system permission policies on the Permission Assistant page in the EDAS console. You cannot modify the system permission policies. You can select and copy a system permission policy based on the purpose of a RAM user. Then, log on to the RAM console and attach the permission policy to the RAM user. For more information, see Replace EDAS-defined permissions with RAM permission policies.

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > Permission Assistant.
  3. In the Policy Type column, System Strategy indicates that the corresponding permission policy is a system permission policy that EDAS provides. You can perform the following operations based on your requirements:
    • To create a permission policy, click Duplicate on the right side of a system permission policy. Then, you can customize the permission policy in the New Permission Policy panel based on your requirements.
    • To attach a permission policy to a RAM user, click View Detail and click Copy in the View Detail dialog box. Then, you are redirected to the RAM console. In the RAM console, you can attach the permission policy that you copied to a RAM user. For more information, see Replace EDAS-defined permissions with RAM permission policies.

For more information about the eight system permission policies that EDAS provides, see Introduction of system permission policies that EDAS provides.

Create custom permission policies

In addition to system permission policies, EDAS also allows you to create custom permission policies. The following example shows how to create a custom permission policy.

Grant the following permissions to a RAM user:
  • The permissions to view the test namespace in the China (Beijing) region.
  • The permissions to view the clusters that belong to the test namespace in the China (Beijing) region.
  • The full permissions on applications that belong to the test namespace except the permissions to create applications.
  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > Permission Assistant.
  3. On the Permission Assistant page, click New Permission Strategy.
  4. In the New Permission Strategy panel, enter a name in the Name of Strategy field. You can also enter a description in the Note field. Then, click New Permission Statement.
  5. In the Add Authorization Statement panel, complete the configuration and click Next Step.
    Notice
    • When you create a permission policy, you can set Effect to only one of the following options: Allow and Deny.
    • You can create multiple permission policies. If a permission policy contains two permission statements in which Effect is set to Allow and Deny respectively, the Deny permission statement prevails.
    1. To create a permission statement to allow operations on resources that belong to the test namespace, set the following parameters and click Yes.
      Effect: Allow is selected in this example.
      Operations and resource authorization: Select the following resources and specify the information about the resources:
      • Select Query Namespaces from the left-side operation lists. Then, select China (Beijing) and test from the drop-down lists under resource.
      • Select Query Clusters from the left-side operation lists. Then, select China (Beijing), test, and All Clusters from the drop-down lists under resource.
      • Select Apply from the left-side operation lists. All permissions under Apply are selected. Then, select China (Beijing) and test from the drop-down lists under resource.
    2. Click New Permission Statement. To create a permission statement to deny operations on resources that belong to the test namespace, set the following parameters and click Yes.
      Effect: Deny is selected in this example.
      Operations and resource authorization: Select Create Application from the left-side operation lists. Then, select China (Beijing) and test from the drop-down lists under resource.
  6. In the Strategy to preview step, confirm the permission policy and click Complete in the lower part of the panel.
    The following message appears: New policy authorization succeeded. You can click Return to list view to view and manage the permission policy.
  7. In the Permission Policy list, copy the permission policy that you created.

Introduction of system permission policies that EDAS provides

Super administrators

Super administrators have full permissions on EDAS and have the same scope of permissions as your Alibaba Cloud account. We recommend that you do not assign the super administrator role to users unless it is necessary. You can create RAM users to enforce fine-grained access control. Super administrators have the following permissions:
  • Full permissions on namespaces.
  • Full permissions on clusters.
  • Full permissions on applications.
  • Full permissions on microservices.
  • Full permissions on configuration management.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Namespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Cluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Application"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Service"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ManageSystem",
          "edas:ManageOperation",
          "edas:ReadOperationLog"
        ],
        "Resource": [
          "acs:edas:*:*:*"
        ]
      }
    ]
}

Application administrators

Application administrators have full permissions on the corresponding applications. Application administrators have the following permissions:
  • Full permissions on applications.
  • Full permissions on microservices.
  • Full permissions on clusters.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Application"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Service"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

Application O&M engineers

Application operations and maintenance (O&M) engineers are responsible for the management and maintenance of applications. Compared with application administrators, application O&M engineers cannot create or delete applications. Application O&M engineers are allowed to manage only existing applications. Application O&M engineers have the following permissions:
  • Full permissions on applications except the permissions to create applications.
  • Full permissions on microservices.
  • The edas:ManageOperation (system management) permission.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Application"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Service"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ManageOperation"
        ],
        "Resource": [
          "acs:edas:*:*:*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": [
          "edas:CreateApplication"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      }
    ]
}
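To make the Allow/Deny rule from the Notice in the custom-policy procedure concrete (a Deny statement prevails over an Allow statement that matches the same request, and a request matched by no statement is denied implicitly), the following added example evaluates requests against the application O&M engineer policy shown above. It is not part of the EDAS documentation: it is a simplified model of policy evaluation that treats `*` in Action and Resource patterns as a shell-style wildcard, and the account ID and application name in the sample resource are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Application O&M engineer policy, as listed on the page above.
APP_OM_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["edas:*Application"],
     "Resource": ["acs:edas:*:*:namespace/*/application/*"]},
    {"Effect": "Allow", "Action": ["edas:*Service"],
     "Resource": ["acs:edas:*:*:namespace/*/application/*"]},
    {"Effect": "Allow", "Action": ["edas:ManageOperation"],
     "Resource": ["acs:edas:*:*:*"]},
    {"Effect": "Deny", "Action": ["edas:CreateApplication"],
     "Resource": ["acs:edas:*:*:namespace/*/application/*"]}
  ]
}
""")

# Constructed sample resource: region cn-beijing, placeholder account ID and app name.
SAMPLE_APP = "acs:edas:cn-beijing:123456789012345:namespace/test/application/app-001"
SAMPLE_NS = "acs:edas:cn-beijing:123456789012345:namespace/test"


def _matches(patterns, value):
    # Simplification: "*" matches any run of characters (including "/"),
    # which is what fnmatchcase does; matching is case-sensitive.
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Deny" on any matching Deny statement, "Allow" if only Allow
    statements match, and "ImplicitDeny" if no statement matches at all."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny wins regardless of order
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for act, res in [("edas:DeleteApplication", SAMPLE_APP),
                     ("edas:CreateApplication", SAMPLE_APP),
                     ("edas:CreateNamespace", SAMPLE_NS)]:
        print(f"{act:26s} -> {evaluate(APP_OM_POLICY, act, res)}")
```

The same evaluator can be pointed at any of the other policies on this page to confirm, before attaching a policy to a RAM user, that the wildcards grant exactly the actions and resources you intend.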

Application viewers

Application viewers can view all information about applications. Application viewers have the following permissions:
  • Permissions to view applications.
  • Permissions to view microservices.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadApplication"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadService"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      }
    ]
}

Resource administrators

Resource administrators have full permissions on namespaces and clusters. Resource administrators do not need to create or maintain applications. Resource administrators only manage resources in EDAS. For example, resource administrators can maintain namespaces and manage ECS resources in ECS clusters. Resource administrators have the following permissions:
  • Full permissions on namespaces.
  • Full permissions on clusters.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Namespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Cluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

Resource O&M engineers

Compared with resource administrators, resource O&M engineers cannot create namespaces or clusters. Resource O&M engineers can manage only existing resources. Resource O&M engineers have the following permissions:
  • Full permissions on namespaces except the permissions to create namespaces.
  • Full permissions on clusters except the permissions to create clusters.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Namespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Cluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": [
          "edas:CreateNamespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": [
          "edas:CreateCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

Resource viewers

Resource viewers can view only namespaces and clusters. Resource viewers have the following permissions:
  • Permissions to view namespaces.
  • Permissions to view clusters.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadNamespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

EDAS read-only permissions

EDAS read-only permissions include the permissions to view the following resources in EDAS:
  • Permissions to read data from namespaces.
  • Permissions to read data from clusters.
  • Permissions to read data from applications.
  • Permissions to read data from microservices.
  • Permissions to read data from configurations.
  • Permissions to read data from operations logs.

The following RAM permission policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadNamespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadApplication"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadService"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadOperationLog"
        ],
        "Resource": [
          "acs:edas:*:*:*"
        ]
      }
    ]
}