
WUYING Workspace: Attach a WUYING Workspace system policy to a RAM user

Last Updated: Dec 05, 2023

By default, you can use all WUYING Workspace resources when you log on to the WUYING Workspace console by using an Alibaba Cloud account. However, if an end user logs on to the console as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user before the end user can manage WUYING Workspace resources. This topic describes how to grant permissions to a RAM user.

Prerequisites

A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

Overview

RAM is a service provided by Alibaba Cloud that allows you to manage user identities and resource access permissions. You can use an Alibaba Cloud account to create multiple identities, such as RAM users, and grant different permissions to a single identity or a group of identities. This way, different RAM users can access different resources. For more information, see What is RAM?

By default, RAM users do not have permissions. You can grant permissions to a RAM user by using policies based on your business requirements. Policies fall into system policies and custom policies. For more information, see Policy overview. By default, WUYING Workspace provides the following system policies:

| Policy | Permission | Description |
| --- | --- | --- |
| AliyunECDFullAccess | Full permissions on WUYING Workspace | RAM users can perform all actions on all WUYING Workspace resources. |
| AliyunECDReadOnlyAccess | Read-only permissions on WUYING Workspace | RAM users can view all WUYING Workspace resources. |
| AliyunECDRamUserAccess | Permissions to use cloud computers by using clients. Note: RAM users can log on to clients only by using RAM directories. If end users use the IDs of office networks, formerly known as workspaces, of the RAM directory type as RAM users, you must grant permissions to the RAM users. If your business does not require Active Directory (AD), end users can use convenience accounts to log on to clients. This does not require authorization. | RAM users can start, connect to, query, stop, and restart cloud computers. |
| AliyunECDTagFullAccess | Permissions on cloud computer tags | RAM users can perform actions on cloud computer tags. For example, RAM users can create, delete, and query tags of cloud computers. |
| AliyunECDOfficeSiteFullAccess | Permissions to manage office networks in WUYING Workspace | RAM users can perform actions on office networks. For example, RAM users can create, view, edit, modify, destroy, and migrate office networks. |
| AliyunECDDesktopFullAccess | Permissions to manage cloud computers | RAM users can manage cloud computers. For example, RAM users can edit, modify, or release cloud computers, or switch billing methods for cloud computers. |
| AliyunECDUserFullAccess | Permissions to manage WUYING Workspace users | RAM users can manage users. For example, RAM users can create, synchronize, view, lock, and delete users. In addition, RAM users can authorize users to use cloud computers and can reset passwords, manage users by group, and manage multi-factor authentication (MFA) devices. |
| AliyunECDPolicyGroupFullAccess | Permissions to manage WUYING Workspace global security configurations and policies | RAM users can perform security audits and manage policies. For example, RAM users can create, view, modify, and delete global policies and related settings. |
| AliyunECDTechnicalSupportFullAccess | Permissions to manage WUYING Workspace technical support | RAM users can perform actions on or view cloud computers and applications of users. • RAM users have the permissions to perform actions on cloud computers. For example, RAM users can stop, reset, and restart session hosts and also manage global sessions. Aside from the preceding actions, RAM users can run commands on all session hosts and sessions. • RAM users can manage remote processes and application programs and provide remote assistance on cloud computers and cloud computer sessions. For example, RAM users can terminate the processes of applications and cloud computer sessions, and view session host resources and network data of users. • RAM users can log on to the WUYING Workspace console and view related resources in the console. For example, RAM users can view details of cloud computers, such as user information, reset passwords, session information, and session connection records. |

You can also create custom policies to grant permissions to RAM users based on your business requirements. For more information about how to create a custom policy, see Create a custom policy.

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, configure parameters to attach policies to the RAM user.

    The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Authorized Scope | The scope in which you want the permissions to take effect. Cloud computers do not support the resource group feature. Select Alibaba Cloud Account. |
    | Principal | The RAM user to which you want to grant permissions. The RAM user that you selected is automatically filled in the Principal field. You can also specify another RAM user. |
    | Select Policy | You can select policies based on your business requirements. |

  5. Click OK.

  6. Confirm the authorization scope and policies and click Complete.

Result

If you attach policies to the RAM user, the RAM user has the permissions to view or manage specified resources.

For example, if you attach the AliyunECDReadOnlyAccess policy to a RAM user, the RAM user can log on to the WUYING Workspace console and view cloud computer resources. If the RAM user clicks Create Office Network on the Office Network (Formerly Workspace) page, a dialog box appears stating that the RAM user does not have the required permissions.
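To review what an attachment made with this procedure actually grants, the following added example (not part of the original documentation) checks a RAM user's attached policies against the WUYING Workspace system policies listed above and reports any that exceed an allowed level. The tier names and ranking are this example's assumption, derived from the Description column; the input is assumed to have the shape of a RAM ListPoliciesForUser JSON response, and the sample data and user name are constructed. Custom policies are not evaluated.

```python
import json

# Tiers assigned by this example from the table's Description column (assumption).
TIER = {
    "AliyunECDFullAccess": "admin",
    "AliyunECDTechnicalSupportFullAccess": "admin",  # can run commands on all session hosts
    "AliyunECDUserFullAccess": "admin",              # password resets, MFA devices
    "AliyunECDPolicyGroupFullAccess": "admin",       # global security policies
    "AliyunECDOfficeSiteFullAccess": "manage",
    "AliyunECDDesktopFullAccess": "manage",
    "AliyunECDTagFullAccess": "manage",
    "AliyunECDRamUserAccess": "use",
    "AliyunECDReadOnlyAccess": "read",
}
RANK = {"read": 0, "use": 1, "manage": 2, "admin": 3}


def wuying_policies(list_policies_response):
    """Return the attached WUYING system policy names from the JSON response."""
    doc = json.loads(list_policies_response)
    items = doc.get("Policies", {}).get("Policy", [])
    return sorted(p["PolicyName"] for p in items
                  if p.get("PolicyType") == "System" and p.get("PolicyName") in TIER)


def audit(user, list_policies_response, max_tier):
    """Flag policies above max_tier and policies already covered by FullAccess."""
    attached = wuying_policies(list_policies_response)
    findings = []
    for name in attached:
        if RANK[TIER[name]] > RANK[max_tier]:
            findings.append(f"{user}: {name} is tier '{TIER[name]}', above allowed '{max_tier}'")
    if "AliyunECDFullAccess" in attached and len(attached) > 1:
        extra = [n for n in attached if n != "AliyunECDFullAccess"]
        findings.append(f"{user}: AliyunECDFullAccess already covers {', '.join(extra)}")
    return findings


# Constructed sample response (not real account data).
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunECDReadOnlyAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECDTechnicalSupportFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunOSSReadOnlyAccess", "PolicyType": "System"},
]}})

if __name__ == "__main__":
    for line in audit("helpdesk-01", SAMPLE, max_tier="read"):
        print(line)
```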