Use RAM to grant NAS permissions to RAM users

Last Updated: Oct 27, 2017

Resource Access Management (RAM) is an Alibaba Cloud service that helps you manage user identities and control access to resources. With RAM, you can authorize sub-accounts (RAM users) to perform actions on NAS.

We recommend that you follow best security practices and use a RAM user account to access NAS. This document describes the NAS actions and resources available for RAM.

NAS actions available for RAM

In RAM, you can authorize RAM users to perform the following NAS actions.

| Action | Description |
| --- | --- |
| DescribeFileSystems | List file systems. |
| DescribeMountTargets | List mount points of the file system. |
| DescribeAccessGroup | List permission groups. |
| DescribeAccessRule | List permission group rules. |
| CreateMountTarget | Add a mount point for the file system. |
| CreateAccessGroup | Create a permission group. |
| CreateAccessRule | Add a permission group rule. |
| DeleteFileSystem | Delete a file system. |
| DeleteMountTarget | Delete a mount point. |
| DeleteAccessGroup | Delete a permission group. |
| DeleteAccessRule | Delete a permission group rule. |
| ModifyMountTargetStatus | Disable or enable a mount point. |
| ModifyMountTargetAccessGroup | Change the permission group of a mount point. |
| ModifyAccessGroup | Edit a permission group. |
| ModifyAccessRule | Edit a permission rule. |

NAS resources available for RAM

In RAM authorization policies, NAS only supports the following resource abstraction.

| Resource | Description |
| --- | --- |
| * | Indicates all NAS resources. |

Authorization policy example

The following policy allows read-only actions on all the NAS resources.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "nas:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
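
The following Python example is added here and is not part of the original Alibaba Cloud page. It expands the Action patterns of a policy against the NAS actions listed above, so you can confirm which actions a policy grants before attaching it to a RAM user. The function names are hypothetical, and the matching rules (case-sensitive wildcards, an explicit Deny overriding Allow) are simplifying assumptions.

```python
import json
from fnmatch import fnmatchcase

# The 15 NAS actions listed in the table on this page.
NAS_ACTIONS = [
    "DescribeFileSystems", "DescribeMountTargets", "DescribeAccessGroup",
    "DescribeAccessRule", "CreateMountTarget", "CreateAccessGroup",
    "CreateAccessRule", "DeleteFileSystem", "DeleteMountTarget",
    "DeleteAccessGroup", "DeleteAccessRule", "ModifyMountTargetStatus",
    "ModifyMountTargetAccessGroup", "ModifyAccessGroup", "ModifyAccessRule",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _expand(patterns):
    """Expand "nas:" patterns (and a bare "*") to the actions listed above."""
    matched = set()
    for pattern in patterns:
        service, _, name = pattern.partition(":")
        if pattern == "*":
            service, name = "nas", "*"
        if service == "nas":
            # Assumption: plain case-sensitive glob matching.
            matched.update(a for a in NAS_ACTIONS if fnmatchcase(a, name))
    return matched

def effective_nas_actions(policy):
    """Return (allowed_actions, problems) for one policy document (a dict)."""
    allowed, denied, problems = set(), set(), []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _expand(_as_list(stmt.get("Action", [])))
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        elif actions and "*" not in _as_list(stmt.get("Resource", [])):
            # Per this page, "*" is the only NAS resource RAM supports.
            problems.append(f'statement {i}: NAS Resource must be "*"')
        else:
            (allowed if effect == "Allow" else denied).update(actions)
    return allowed - denied, problems  # an explicit Deny overrides Allow

def write_actions(actions):
    """Actions that change state: everything outside Describe*."""
    return sorted(a for a in actions if not a.startswith("Describe"))

# The read-only policy from this page, parsed from its JSON text.
READ_ONLY = json.loads('{"Version": "1", "Statement": [{"Action": '
                       '"nas:Describe*", "Resource": "*", "Effect": "Allow"}]}')
```

Calling write_actions() on the allowed set from effective_nas_actions(READ_ONLY) returns an empty list, which confirms that the policy above grants no Create, Delete or Modify action.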