Enterprise Distributed Application Service (EDAS) allows you to use resource groups provided by Resource Management to manage resource permissions. After you create resource groups for EDAS, you can add clusters and applications to different resource groups. Then, you can grant Resource Access Management (RAM) users required permissions on these resource groups. This simplifies the management of resource permissions.

Prerequisites

  • EDAS was originally developed with its own primary and sub-account management system. To use resource groups to manage permissions, you must use RAM instead of the EDAS primary and sub-account management system. For more information, see Replace EDAS-defined permissions with RAM permission policies.
  • The Resource Management service is automatically activated for Alibaba Cloud accounts and RAM users.

Background information

Resource Management provides a wide array of services to facilitate IT governance for enterprises. Resource Management allows you to build a resource hierarchy based on your business requirements. You can create resource groups for different users and grant them required permissions on clusters and applications.

Resource groups allow you to sort the resources owned by your Alibaba Cloud account into groups. This simplifies resource and permission management within your Alibaba Cloud account.

  • Create resource groups to manage the resources of your Alibaba Cloud account in multiple regions.
  • Set an administrator for each resource group. Each administrator manages the resources in the resource group for which they are responsible.

Relationship between the EDAS primary and sub-account management system and RAM

EDAS supports the following permission management systems that are independent of each other:

Note Each Alibaba Cloud account can use only one of the following permission management systems. We recommend that you use RAM.
  • Before EDAS is integrated with RAM, EDAS uses a primary and sub-account management system to manage the permissions of sub-accounts.
  • After EDAS is integrated with RAM, EDAS uses resource groups to manage the permissions of RAM users.

Benefits of resource groups

The following example shows the benefits of resource groups in terms of permission management:

Scenario

Company A has two departments: deptA and deptB. deptA uses a RAM user named subA to manage a cluster named clusterA and applications named appA1 and appA2. deptB uses a RAM user named subB to manage a cluster named clusterB and applications named appB1 and appB2.

RAM allows you to manage permissions by using permission policies or by using resource groups.

Table 1. Differences between permission policies and resource groups

Scenarios

  • Permission policy: Allows you to grant a user limited permissions on a specified resource.
  • Resource group: Allows you to grant a user limited permissions on a specified resource group that may contain one or more resources.

How it works

  • Permission policy: You must use your Alibaba Cloud account to create a RAM user subA for deptA and a RAM user subB for deptB in the RAM console. Then, create a permission policy policyA for subA and a permission policy policyB for subB. In the permission policies, specify the clusters and applications that you allow the RAM users to manage and the permissions on those clusters and applications.
  • Resource group: You must use your Alibaba Cloud account to create a resource group groupA for deptA and a resource group groupB for deptB. Then, add the clusters and applications that belong to deptA to groupA and those that belong to deptB to groupB. In the RAM console, create a RAM user subA for deptA and a RAM user subB for deptB. Then, create one custom permission policy for subA and subB and attach it to subA on groupA and to subB on groupB. Although subA and subB share the same policy, they are granted permissions on different sets of resources: those in groupA and those in groupB respectively.

Characteristics

  • Permission policy: This method has the following disadvantages:

    Frequent configurations: If subA and subB manage different resources but require the same permissions, you still need to create two separate permission policies for them.

    Frequent modifications: Each time a resource is created or deleted, you must modify the permission policy. For example, if subA creates more applications, such as appA3 and appA4, you must add the application IDs to policyA.

  • Resource group: This method provides the following benefits:

    Simplified configurations: Each resource group is a collection of resources. You can grant a RAM user permissions on a specific resource group instead of on specific resources.

    Fewer modifications: You do not need to modify the permission policies attached to RAM users when resources are created or deleted. The actions specified in the permission policy apply to all of the resources in the resource group.

Note The preceding methods are applicable to different scenarios. Choose a method based on your business requirements.

Limits

Resource groups facilitate permission management. However, you must take note of the following limits:

  • Namespaces cannot be added to resource groups. Only applications and clusters can be added to resource groups. You can use only RAM to manage permissions on namespaces.
  • Application Configuration Management (ACM) and Application Real-Time Monitoring Service (ARMS) resources cannot be added to resource groups.

Procedure

The following procedure uses the preceding example to demonstrate how to use resource groups to manage permissions.

  1. Log on to the Resource Management console and create two resource groups: groupA and groupB. For more information, see Create a resource group.
  2. Add clusters and applications to groupA and groupB. For more information, see Transfer resources to the current resource group.
  3. Log on to the RAM console and create a RAM user subA for deptA and a RAM user subB for deptB. For more information, see Create a RAM user.
  4. In the RAM console, create a permission policy for subA and subB. For more information, see Create a custom policy.
    The following code block shows the content of the permission policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "edas:*Cluster",
                    "edas:*Application"
                ],
                "Resource": [
                    "acs:edas:*:*:*"
                ]
            }
        ]
    }
  5. In the Resource Management console, attach the permission policy to subA and subB. For more information, see Add RAM authorization.
  6. Optional: To change which resources a RAM user can manage, add resources to or remove them from the resource groups. You do not need to edit the permission policy.
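The following Python model, added here as an illustration and not part of the EDAS documentation or the Alibaba Cloud SDK, shows why the procedure above scopes one wildcard policy by resource group instead of listing resources in the policy: it evaluates RAM-style wildcard matching over the policy from step 4 beside a hypothetical per-resource policyA, and models a group-level attachment as "policy allows AND resource is a member of the group". The ARN layout (acs:edas:region:account:type/name), the account ID and the group membership are constructed for the example.

```python
import re

# Constructed policies. RESOURCE_GROUP_POLICY is the policy from step 4 above;
# PER_RESOURCE_POLICY_A is a hypothetical per-resource policyA that lists appA1
# and appA2 explicitly. The ARN layout acs:edas:region:account:type/name is
# assumed for illustration only.
RESOURCE_GROUP_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["edas:*Cluster", "edas:*Application"],
                   "Resource": ["acs:edas:*:*:*"]}],
}
PER_RESOURCE_POLICY_A = {
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["edas:*Application"],
                   "Resource": ["acs:edas:*:*:application/appA1",
                                "acs:edas:*:*:application/appA2"]}],
}
# Constructed membership of resource group groupA from the scenario.
ACCT = "acs:edas:cn-hangzhou:123456789012345"
GROUP_A = {f"{ACCT}:cluster/clusterA", f"{ACCT}:application/appA1",
           f"{ACCT}:application/appA2"}


def _match(pattern, value):
    """RAM-style wildcard: '*' matches any run of characters, all else literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair: an explicit Deny wins over any Allow."""
    allowed = False
    for st in policy["Statement"]:
        if (any(_match(a, action) for a in _as_list(st["Action"]))
                and any(_match(r, resource) for r in _as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def is_allowed_in_group(policy, group_members, action, resource):
    """A policy attached at resource-group level only reaches the group's members."""
    return resource in group_members and is_allowed(policy, action, resource)


if __name__ == "__main__":
    new_app = f"{ACCT}:application/appA3"  # created after policyA was written
    print("policyA covers appA3:", is_allowed(PER_RESOURCE_POLICY_A, "edas:DeleteApplication", new_app))
    print("group policy covers appA3 once it is added to groupA:",
          is_allowed_in_group(RESOURCE_GROUP_POLICY, GROUP_A | {new_app}, "edas:DeleteApplication", new_app))
```

The per-resource policyA silently stops covering appA3 until someone edits it, whereas the group-scoped wildcard policy follows group membership, which is the "Fewer modifications" point in Table 1.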

Verify the result

After you perform the preceding steps, check whether the RAM users are granted the specified permissions.