The permission assistant is a feature provided by Enterprise Distributed Application Service (EDAS) to help you create EDAS-related policies in Resource Access Management (RAM). You can use the EDAS permission assistant to efficiently create RAM policies from EDAS-defined permission policies.

View system permission policies

EDAS provides eight system permission policies for different roles on the Permission Assistant page in the EDAS console. You can select a system permission policy and copy its content based on the purpose of a role in the EDAS console. Then, log on to the RAM console, create a RAM policy by using the copied content, and attach the RAM policy to the RAM user that corresponds to the role. For more information, see Replace EDAS-defined permissions with RAM policies.

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > Permission Assistant.
  3. On the Permission Assistant page, view the system permission policies provided by EDAS.
    In the Policy Type column, System Strategy indicates that the corresponding permission policy is a system permission policy provided by EDAS. You can perform the following operations on a system permission policy based on your requirements:
    • Click duplicate on the right side to go to the New permission Strategy panel. In this panel, modify the configuration of the system permission policy to create another permission policy.
    • Click view detail on the right side to open the view detail dialog box. In this dialog box, click copy to copy the content of the system permission policy. Log on to the RAM console, create a RAM policy by using the copied content, and then attach the RAM policy to a RAM user as required. For more information, see Replace EDAS-defined permissions with RAM policies.

For more information about the eight system permission policies provided by EDAS, see Overview of system permission policies provided by EDAS.

Create a custom permission policy

You can also use the EDAS permission assistant to create custom permission policies. The following example shows how to create a custom permission policy.

For example, you want to grant the following permissions to a RAM user:
  • The permissions to view the test microservice namespace in the China (Beijing) region.
  • The permissions to view all clusters in the test microservice namespace in the China (Beijing) region.
  • Full permissions except for the creation permissions on the test microservice namespace.
  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > Permission Assistant.
  3. On the Permission Assistant page, click New permission Strategy.
  4. In the New permission Strategy panel, set the Name of strategy and note parameters in the Create a new custom permission policy step.
  5. Specify the effects of the custom permission policy and click next step.
    Notice
    • When you create a custom permission policy, you can specify only one effect type per permission statement. Available effect types are Allow and Deny.
    • You can configure multiple permission statements. If a permission policy contains one permission statement whose Permissions for parameter is set to Allow and another whose Permissions for parameter is set to Deny, the Deny statement prevails for the operations and resources both statements cover.
    1. In the Create a new custom permission policy step, click New permission statement. In the Add authorization statement panel, configure statements for the allowed permissions described in the preceding section and click yes.
      1. Set the Permissions for parameter to Allow.
      2. In the left-side list of the Operations and resource authorization section, choose Namespace > View Namespace. Then, select China North 2 (Beijing) and test from the drop-down lists on the right side.
      3. In the left-side list of the Operations and resource authorization section, choose Clusters > View Cluster. Then, select China North 2 (Beijing), test, and All Clusters from the drop-down lists on the right side.
      4. In the left-side list of the Operations and resource authorization section, select Applications. Then, select China North 2 (Beijing) and test from the drop-down lists on the right side. If you select Applications, all permissions on applications are selected.
    2. In the Create a new custom permission policy step, click New permission statement. In the Add authorization statement panel, configure a statement for the denied application creation permissions described in the preceding section and click yes.
      1. Set the Permissions for parameter to Deny.
      2. In the left-side list of the Operations and resource authorization section, choose Applications > Create Application. Then, select China North 2 (Beijing) and test from the drop-down lists on the right side.
  6. In the Strategy to preview step, confirm the permission policy and click Finish.

    The New policy authorization succeeded message appears. Click Return to list view to go to the Permission Assistant page.

    Find the created custom permission policy and click view detail on the right side to open the view detail dialog box. In this dialog box, click copy to copy the content of the custom permission policy. Log on to the RAM console, create a RAM policy by using the copied content, and then attach the RAM policy to a RAM user as required. For more information, see Replace EDAS-defined permissions with RAM policies.
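The following Python script is an added example, not code from EDAS or from the original page: it models the walkthrough above as a RAM policy and evaluates requests against it the way the Notice describes (an explicit Deny wins over a matching Allow; anything no statement matches is denied implicitly). The policy content is constructed here; cn-beijing is the region ID of China (Beijing), and the form of the namespace segment in the ARNs is an assumption to be checked against the content that the view detail dialog box copies.

```python
import fnmatch

# Constructed policy mirroring the custom policy walkthrough above, not content
# copied from the console. "cn-beijing" is the region ID of China (Beijing); the
# form of the namespace segment in the ARN is an assumption (check it against
# what the view detail dialog box copies for you).
CUSTOM_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["edas:ReadNamespace"],
         "Resource": ["acs:edas:cn-beijing:*:namespace/test"]},
        {"Effect": "Allow", "Action": ["edas:ReadCluster"],
         "Resource": ["acs:edas:cn-beijing:*:namespace/test/cluster/*"]},
        {"Effect": "Allow", "Action": ["edas:*Application"],
         "Resource": ["acs:edas:cn-beijing:*:namespace/test/application/*"]},
        {"Effect": "Deny", "Action": ["edas:CreateApplication"],
         "Resource": ["acs:edas:cn-beijing:*:namespace/test/application/*"]},
    ],
}

def _as_list(value):
    # Action and Resource may be one string or a list; normalize to a list.
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value):
    # A policy '*' matches any run of characters, ':' and '/' included.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Decide one request: 'Deny', 'Allow' or 'ImplicitDeny'.
    An explicit Deny overrides any matching Allow, as the Notice above states;
    a request that no statement matches is denied implicitly."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_matches(_as_list(stmt["Action"]), action)
                and _matches(_as_list(stmt["Resource"]), resource)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def effective(policy, actions, resource):
    """Map candidate actions to decisions, to review a policy before attaching it."""
    return {a: evaluate(policy, a, resource) for a in actions}

if __name__ == "__main__":
    app = "acs:edas:cn-beijing:123456:namespace/test/application/demo-app"
    checks = ["edas:ReadApplication", "edas:CreateApplication", "edas:ReadCluster"]
    for act, verdict in effective(CUSTOM_POLICY, checks, app).items():
        print(f"{act:<24} {verdict}")
```

Running the same checks against a policy copied from the view detail dialog box shows whether the statements you configured actually produce the Allow and Deny decisions you intended before you attach the policy to a RAM user.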

Overview of system permission policies provided by EDAS

Super Admin

The Super Admin permission policy is designed for super administrators. Super administrators have full permissions on EDAS and have the same scope of permissions as your Alibaba Cloud account. Do not assign the super administrator role to RAM users unless necessary. We recommend that you implement fine-grained access control. Super administrators have the following permissions:
  • Full permissions on microservice namespaces
  • Full permissions on clusters
  • Full permissions on applications
  • Full permissions on microservices
  • Full permissions on configuration management

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Namespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Cluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Application"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Service"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ManageSystem",
          "edas:ManageOperation",
          "edas:ReadOperationLog"
        ],
        "Resource": [
          "acs:edas:*:*:*"
        ]
      }
    ]
}

App Admin

The App Admin permission policy is designed for application administrators. Application administrators have the following permissions on applications:
  • Full permissions on applications
  • Full permissions on microservices
  • Full permissions on clusters

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Application"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Service"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

App Operator

The App Operator permission policy is designed for application O&M engineers. Application O&M engineers are responsible for the management and maintenance of applications. Compared with application administrators, application O&M engineers cannot create or delete applications. Application O&M engineers are allowed to manage only existing applications. Application O&M engineers have the following permissions:
  • Full permissions on applications except for the permissions to create applications
  • Full permissions on microservices
  • The edas:ManageOperation (system management) permission

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Application"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Service"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ManageOperation"
        ],
        "Resource": [
          "acs:edas:*:*:*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": [
          "edas:CreateApplication"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      }
    ]
}

App Browser

The App Browser permission policy is designed for application viewers. Application viewers can view all information about applications. Application viewers have the following permissions:
  • Permissions to view applications
  • Permissions to view microservices

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadApplication"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadService"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      }
    ]
}

Resource Admin

The Resource Admin permission policy is designed for resource administrators. Resource administrators have full permissions on microservice namespaces and clusters. Resource administrators do not need to create or maintain applications. Resource administrators only manage resources in EDAS. For example, resource administrators can maintain microservice namespaces and manage Elastic Compute Service (ECS) resources in ECS clusters. Resource administrators have the following permissions:
  • Full permissions on microservice namespaces
  • Full permissions on clusters

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Namespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Cluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

Resource Operator

The Resource Operator permission policy is designed for resource O&M engineers. Compared with resource administrators, resource O&M engineers cannot create microservice namespaces or clusters. Resource O&M engineers can manage only the current resources. Resource O&M engineers have the following permissions:
  • Full permissions on microservice namespaces except for the permissions to create microservice namespaces
  • Full permissions on clusters except for the permissions to create clusters

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Namespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:*Cluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": [
          "edas:CreateNamespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": [
          "edas:CreateCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

Resource Browser

The Resource Browser permission policy is designed for resource viewers. Resource viewers can view only microservice namespaces and clusters. Resource viewers have the following permissions:
  • Permissions to view microservice namespaces
  • Permissions to view clusters

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadNamespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      }
    ]
}

Edas Browser

The Edas Browser permission policy is designed to grant EDAS read-only permissions. EDAS read-only permissions are the permissions to view the following resources in EDAS:
  • Microservice namespaces
  • Clusters
  • Applications
  • Microservices
  • Configurations
  • Operation logs

The following RAM policy grants the same permissions:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadNamespace"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadCluster"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/cluster/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadApplication"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadService"
        ],
        "Resource": [
          "acs:edas:*:*:namespace/*/application/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "edas:ReadOperationLog"
        ],
        "Resource": [
          "acs:edas:*:*:*"
        ]
      }
    ]
}