By default, newly created Resource Access Management (RAM) users do not have permissions to activate Alibaba Cloud Dynamic Route for CDN (DCDN) or change the billing method. To perform these tasks, you must first log on to the RAM console and authorize the RAM users.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is an Alibaba Cloud service that is used to manage user identities and resource access permissions. RAM supports system and custom policies. You can use system policies to grant RAM users the permissions to activate DCDN and modify configurations. You can use custom policies to grant RAM users full permissions on DCDN or only the permissions to activate DCDN and modify configurations.
  • System policies

    System policies are predefined by Alibaba Cloud and cannot be modified. A system policy grants RAM users full permissions on DCDN. It takes only a few steps to authorize RAM users by using system policies.

  • Custom policies

    You can create or modify custom policies to enforce fine-grained permission control. For example, you can use custom policies to grant RAM users full permissions on DCDN or only the permissions to activate DCDN and modify configurations.

Permission scopes

The following table describes the scopes of permissions that you can grant to a RAM user. For example, you can grant a RAM user the permissions to activate DCDN or modify configurations.
Note: The term "configuration modification" described in this topic refers to changing the billing method.

| Permission scope | Description | References |
| --- | --- | --- |
| Full permissions (including service activation and configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings, activate DCDN, and change the billing method. | Example 1: Attach a system policy to a RAM user (service activation and configuration modification) |
| Full permissions (excluding service activation) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and change the billing method. The permissions to activate DCDN are excluded. | Example 2: Attach a custom policy to a RAM user (service activation or configuration modification) |
| Full permissions (excluding configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and activate DCDN. The permissions to change the billing method are excluded. | Example 2: Attach a custom policy to a RAM user (service activation or configuration modification) |
| Service activation permissions | Only the permissions to activate DCDN. Other permissions are excluded. | Example 2: Attach a custom policy to a RAM user (service activation or configuration modification) |
| Configuration modification permissions | Only the permissions to change the billing method. Other permissions are excluded. | Example 2: Attach a custom policy to a RAM user (service activation or configuration modification) |
| Service activation and configuration modification permissions | Only the permissions to activate DCDN and change the billing method. Other permissions are excluded. | Example 3: Attach a custom policy to a RAM user (including service activation and configuration modification) |
| Full permissions (excluding service activation and configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings. The permissions to activate DCDN and change the billing method are excluded. | Example 4: Attach a custom policy to a RAM user (excluding service activation and configuration modification) |

Example 1: Attach a system policy to a RAM user (service activation and configuration modification)

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, set the required parameters.
    1. In the Authorized Scope section, select Alibaba Cloud Account.
      Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the RAM user cannot acquire the required permissions.
    2. Click System Policy.
    3. Enter DCDN into the search box. The system automatically displays all policies that are related to DCDN.
    4. Click AliyunDCDNFullAccess to add the policy to the Selected list.
  5. Click OK.
  6. Click Complete.

Example 2: Attach a custom policy to a RAM user (service activation or configuration modification)

  1. Create a custom policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the custom policy.
      | Parameter | Description |
      | --- | --- |
      | Policy Name | Enter a descriptive name for the custom policy. AliyunDcdntest is entered in this example. |
      | Note | Optional. Enter a description for the custom policy. |
      | Configuration Mode | Select Script. |
      | Policy Document | Enter the content of the custom policy into the code editor. Sample custom policies are provided for your reference. |

      Full permissions (excluding service activation):
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "dcdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "dcdn:OpenDcdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "logdelivery.dcdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }

      Full permissions (excluding configuration modification):
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "dcdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "dcdn:ModifyDcdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "logdelivery.dcdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }

      Service activation permissions only:
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dcdn:OpenDcdnService"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }

      Configuration modification permissions only:
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dcdn:ModifyDcdnService"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    5. Click OK.
  2. Attach the custom policy to a RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, set the required parameters.
      | Parameter | Description |
      | --- | --- |
      | Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the RAM user cannot acquire the required permissions. |
      | Principal | The current RAM user is automatically selected. |
      | Select Policy | Click Custom Policy. Enter the name of the custom policy created in Step 1. The name of the custom policy in this example is AliyunDcdntest. After the system displays the policy, click its name to add the custom policy to the Selected list. |
    5. Click OK.
    6. Click Complete.

Example 3: Attach a custom policy to a RAM user (including service activation and configuration modification)

  1. Create a custom policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the custom policy.
      | Parameter | Description |
      | --- | --- |
      | Policy Name | Enter a descriptive name for the custom policy. AliyunDcdntest is entered in this example. |
      | Note | Optional. Enter a description for the custom policy. |
      | Configuration Mode | Select Script. |
      | Policy Document | Enter the following policy content: |

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dcdn:OpenDcdnService",
                      "dcdn:ModifyDcdnService"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    5. Click OK.
  2. Attach the custom policy to a RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, set the required parameters.
      | Parameter | Description |
      | --- | --- |
      | Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the RAM user cannot acquire the required permissions. |
      | Principal | The current RAM user is automatically selected. |
      | Select Policy | Click Custom Policy. Enter the name of the custom policy created in Step 1. The name of the custom policy in this example is AliyunDcdntest. After the system displays the policy, click its name to add the custom policy to the Selected list. |
    5. Click OK.
    6. Click Complete.

Example 4: Attach a custom policy to a RAM user (excluding service activation and configuration modification)

  1. Create a custom policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the custom policy.
      | Parameter | Description |
      | --- | --- |
      | Policy Name | Enter a descriptive name for the custom policy. AliyunDcdntest is entered in this example. |
      | Note | Optional. Enter a description for the custom policy. |
      | Configuration Mode | Select Script. |
      | Policy Document | Enter the following policy content: |

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "dcdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "dcdn:ModifyDcdnService",
                      "dcdn:OpenDcdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "logdelivery.dcdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }
    5. Click OK.
  2. Attach the custom policy to a RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, set the required parameters.
      | Parameter | Description |
      | --- | --- |
      | Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the RAM user cannot acquire the required permissions. |
      | Principal | The current RAM user is automatically selected. |
      | Select Policy | Click Custom Policy. Enter the name of the custom policy created in Step 1. The name of the custom policy in this example is AliyunDcdntest. After the system displays the policy, click its name to add the custom policy to the Selected list. |
    5. Click OK.
    6. Click Complete.
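
The custom policies in Examples 2 to 4 rely on two evaluation rules: an explicit Deny overrides any Allow, and an action that no statement allows is denied by default. The following added example (not part of the original documentation, and not Alibaba Cloud code) is a simplified offline model of those rules that you can use to check what the Example 3 and Example 4 policies grant before you attach them. It assumes that Resource is always "*" and models only the StringEquals condition operator; dcdn:DescribeDcdnUserDomains is used as a sample non-billing action.

```python
import fnmatch

# Example 4 policy from this page: full DCDN access minus activation and billing changes.
EXAMPLE_4 = {"Version": "1", "Statement": [
    {"Action": "dcdn:*", "Resource": "*", "Effect": "Allow"},
    {"Action": ["dcdn:ModifyDcdnService", "dcdn:OpenDcdnService"],
     "Resource": "*", "Effect": "Deny"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {
         "ram:ServiceName": ["logdelivery.dcdn.aliyuncs.com"]}}},
]}
# Example 3 policy from this page: activation and billing changes only.
EXAMPLE_3 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["dcdn:OpenDcdnService", "dcdn:ModifyDcdnService"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, context):
    """True if the statement's Action and StringEquals condition cover the request."""
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"])):
        return False
    # Assumption: only StringEquals is modelled; Resource is "*" in every sample.
    for key, allowed in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True

def evaluate(policy, action, context=None):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one requested action."""
    hits = [s["Effect"] for s in policy["Statement"]
            if _matches(s, action, context or {})]
    if "Deny" in hits:
        return "Deny"  # an explicit Deny wins over any matching Allow
    return "Allow" if "Allow" in hits else "ImplicitDeny"

def summarize(policy, actions):
    """Map each requested action to its evaluation result."""
    return {a: evaluate(policy, a) for a in actions}

if __name__ == "__main__":
    sample = ["dcdn:OpenDcdnService", "dcdn:ModifyDcdnService",
              "dcdn:DescribeDcdnUserDomains"]  # last entry: sample read action
    for name, pol in (("Example 3", EXAMPLE_3), ("Example 4", EXAMPLE_4)):
        print(name, summarize(pol, sample))
```

Running the same check against a policy before attaching it is a quick way to confirm that a broad "dcdn:*" Allow is actually narrowed by the Deny statement you intended.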