
Ram account authorization and access control

Last Updated: Mar 10, 2021

Resource Access Management (RAM) is an Alibaba Cloud service for user identity management and resource access control. RAM allows you to create and manage multiple identities within an Alibaba Cloud account and grant different permissions to a single identity or to a group of identities, so that different RAM users are authorized to access different resources. A RAM user is a type of entity identity: it has a fixed identity ID and its own credentials, and generally represents a specific person or application.

mPaaS fully supports the features of RAM. After you create a RAM user and grant required permissions, the RAM user can log on to the mPaaS console. You can further set permission rules for RAM users. This allows you to implement resource isolation between RAM users in the mPaaS console.

Prerequisites

  1. An Alibaba Cloud account is created. Otherwise, Create an Alibaba Cloud Account first.
  2. A RAM user is created. Otherwise, Create a RAM User first.

Procedure

  1. Grant the RAM user the permission to log on to the mPaaS console.
    1. Use your Alibaba Cloud account to log on to the RAM Console.
    2. In the left-side navigation pane, click Users under Identities.
    3. On the Users page, select the RAM user that needs the permission to log on to the mPaaS console and click Add Permissions.
    4. In the Add Permissions pane, search for the AliyunMPAASFullAccess policy in the Select Policy section, click it, and then click OK. The RAM user can now log on to the mPaaS console and access all the apps that are created within the Alibaba Cloud account. If you do not need to implement resource isolation between RAM users, skip the following steps.
  2. Add a policy to implement resource isolation for the RAM user.
    1. Use your Alibaba Cloud account to log on to the RAM Console.
    2. In the left-side navigation pane, click Policies under Permissions.
    3. On the Policies page, click Create Policy.
    4. On the Create Custom Policy page, set the Policy Name and Note parameters.
    5. Set the Configuration Mode parameter to Script.
      Note: Do not set Configuration Mode to Visualized, because mPaaS does not support visualized configuration.
    6. Write the content of the policy. You can use one of the following sample policies: the first allows RAM users to access only specific applications, the second allows RAM users to access all applications. To allow RAM users to access only specific applications, replace the sample values in the "acs:appid" list (shown as "ONEXCBAD96A290957" and "...") with the IDs of the specific applications, one ID per array entry, separated by commas (,).
      • Allow RAM users to access only specific applications
        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "mpaas:FilterApp"
              ],
              "Resource": "*",
              "Effect": "Deny",
              "Condition": {
                "StringNotEquals": {
                  "acs:appid": [
                    "ONEXCBAD96A290957",
                    "..."
                  ]
                }
              }
            },
            {
              "Action": [
                "mpaas:*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
      • Allow RAM users to access all applications
        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "mpaas:*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
    7. Click OK.
    8. In the left-side navigation pane, click Users under Identities.
    9. On the Users page, select the RAM user that needs the permission to log on to the mPaaS console and click Add Permissions.
    10. In the Add Permissions pane, search for the custom policy that you created in the Select Policy section, click the policy, and then click OK. Now, you have added the policy to implement resource isolation for the RAM user.
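The two sample policies above combine an explicit Deny (on mpaas:FilterApp, conditioned on the app ID) with a broad Allow (on mpaas:*). The following added example, which is not part of this page or of Alibaba Cloud's own policy engine, models the evaluation rule that makes that combination work (an explicit Deny overrides any Allow, and a request matched by no statement is implicitly denied) and sanity-checks a policy document before it is pasted into the Script editor. The app IDs, the context key handling for a missing acs:appid, and the action name mpaas:OtherOperation are constructed assumptions for the demonstration; only the StringNotEquals operator shown on the page is implemented.

```python
import fnmatch
import json

# Policy text copied from the page above. The app IDs in the "acs:appid"
# list are constructed placeholders, not real mPaaS application IDs.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["mpaas:FilterApp"],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringNotEquals": {
          "acs:appid": ["APP-ID-PLACEHOLDER-1", "APP-ID-PLACEHOLDER-2"]
        }
      }
    },
    {"Action": ["mpaas:*"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# Second sample policy from the page: access to all applications.
FULL_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["mpaas:*"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")


def validate_policy(policy):
    """Return a list of problems found in a custom policy document (empty when it looks well-formed)."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('"Version" must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ['"Statement" must be a non-empty list']
    for index, stmt in enumerate(statements):
        for key in ("Action", "Resource", "Effect"):
            if key not in stmt:
                problems.append(f'statement {index}: missing "{key}"')
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f'statement {index}: "Effect" must be "Allow" or "Deny"')
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the Condition block. Assumption: StringNotEquals is satisfied when the
    request value equals none of the listed values; a missing key counts as not equal."""
    for operator, keys in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, values in keys.items():
            if context.get(key) in _as_list(values):
                return False
    return True


def evaluate(policy, action, context):
    """Deny-overrides evaluation (modelling assumption): any matching Deny statement
    wins, a matching Allow grants access, and no match means an implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    for policy_name, policy in (("restricted", RESTRICTED_POLICY), ("full", FULL_POLICY)):
        print(policy_name, "problems:", validate_policy(policy) or "none")
        for app_id in ("APP-ID-PLACEHOLDER-1", "APP-ID-NOT-LISTED"):
            print(policy_name, "FilterApp on", app_id, "->",
                  evaluate(policy, "mpaas:FilterApp", {"acs:appid": app_id}))
```

Running the block shows the behaviour the page relies on: under the restricted policy, mpaas:FilterApp is allowed for a listed app ID and denied for any other, while the full policy allows it for every app ID. It also makes a scoping point visible that the page states only implicitly: the Deny statement names mpaas:FilterApp alone, so a request for a different mpaas action against an unlisted app ID is still matched only by the Allow statement. Isolation therefore depends on mPaaS gating app visibility through FilterApp, which is why the Deny must keep exactly that action and the Condition must keep the acs:appid key.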