
Resource Access Management: Network Attached Storage (NAS)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Apsara File Storage (NAS).

The code (RamCode) in RAM that is used to indicate Apsara File Storage is nas. You can grant permissions on Apsara File Storage at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Apsara File Storage. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must also be allowed to perform in order to perform the action. To successfully call the action, the RAM user or RAM role must have the permissions to perform the dependent actions.

| Actions | APIs | Access level | Resource types | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| nas:AddTags | AddTags | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:ApplyAutoSnapshotPolicy | ApplyAutoSnapshotPolicy | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:BindStoragePackage | N/A | Write | All resources: acs:nas:*:{#accountId}:* | N/A | N/A |
| nas:CPFSCreateFileSystem | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/* | N/A | N/A |
| nas:CPFSDeleteFileSystem | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CPFSModifyFileSystem | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CancelAutoSnapshotPolicy | CancelAutoSnapshotPolicy | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:CancelDirQuota | CancelDirQuota | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:CancelLifecycleRetrieveJob | CancelLifecycleRetrieveJob | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CancelRecycleBinJob | CancelRecycleBinJob | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CreateAccessGroup | CreateAccessGroup | Write | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:CreateAccessRule | CreateAccessRule | Write | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:CreateAutoSnapshotPolicy | CreateAutoSnapshotPolicy | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:CreateFileSystem | CreateFileSystem | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/* | N/A | N/A |
| nas:CreateLDAPConfig | CreateLDAPConfig | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CreateLifecyclePolicy | CreateLifecyclePolicy | Write | LifecyclePolicy: acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName} | N/A | N/A |
| nas:CreateLifecycleRetrieveJob | CreateLifecycleRetrieveJob | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CreateLogAnalysis | N/A | Write | All resources: acs:nas:*:{#accountId}:* | N/A | N/A |
| nas:CreateMountTarget | CreateMountTarget | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}; VPC:VSwitch: acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | vpc:Vpc | N/A |
| nas:CreateRecycleBinDeleteJob | CreateRecycleBinDeleteJob | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CreateRecycleBinRestoreJob | CreateRecycleBinRestoreJob | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:CreateSnapshot | CreateSnapshot | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:DeleteAccessGroup | DeleteAccessGroup | Write | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:DeleteAccessRule | DeleteAccessRule | Write | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:DeleteAutoSnapshotPolicy | DeleteAutoSnapshotPolicy | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:DeleteFileSystem | DeleteFileSystem | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DeleteLDAPConfig | DeleteLDAPConfig | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:DeleteLifecyclePolicy | DeleteLifecyclePolicy | Write | LifecyclePolicy: acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName} | N/A | N/A |
| nas:DeleteLogAnalysis | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:DeleteMountTarget | DeleteMountTarget | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DeleteSnapshot | DeleteSnapshot | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:DescribeAccessGroups | DescribeAccessGroups | Read | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:DescribeAccessRules | DescribeAccessRules | Read | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:DescribeAutoSnapshotPolicies | DescribeAutoSnapshotPolicies | Read | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:DescribeAutoSnapshotTasks | DescribeAutoSnapshotTasks | Read | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:DescribeDirQuotas | DescribeDirQuotas | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DescribeFileSystems | DescribeFileSystems | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DescribeLDAPConfig | DescribeLDAPConfig | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:DescribeLifecyclePolicies | DescribeLifecyclePolicies | List | LifecyclePolicy: acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/* | N/A | N/A |
| nas:DescribeLogAnalysis | DescribeLogAnalysis | Read | All resources: acs:nas:*:{#accountId}:* | N/A | N/A |
| nas:DescribeMountTargets | DescribeMountTargets | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DescribeMountedClients | DescribeMountedClients | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:DescribeNfsAcl | N/A | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DescribeSmbAcl | N/A | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DescribeSnapshots | DescribeSnapshots | Read | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:DescribeStoragePackages | DescribeStoragePackages | Read | All resources: acs:nas:*:{#accountId}:* | N/A | N/A |
| nas:DescribeTags | DescribeTags | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DisableAndCleanRecycleBin | DisableAndCleanRecycleBin | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:DisableNfsAcl | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:DisableSmbAcl | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:EnableNfsAcl | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:EnableRecycleBin | EnableRecycleBin | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:EnableSmbAcl | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:GetDirectoryOrFileProperties | GetDirectoryOrFileProperties | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:GetRecycleBinAttribute | GetRecycleBinAttribute | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:ListDirectoriesAndFiles | ListDirectoriesAndFiles | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:ListLifecycleRetrieveJobs | ListLifecycleRetrieveJobs | List | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/* | N/A | N/A |
| nas:ListRecentlyRecycledDirectories | ListRecentlyRecycledDirectories | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:ListRecycleBinJobs | ListRecycleBinJobs | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:ListRecycledDirectoriesAndFiles | ListRecycledDirectoriesAndFiles | Read | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:ListTagKeys | N/A | Read | All resources: acs:nas:*:{#accountId}:* | N/A | N/A |
| nas:ListTagResources | ListTagResources | List | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}; FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/* | N/A | N/A |
| nas:ListTagValues | N/A | Read | All resources: acs:nas:*:{#accountId}:* | N/A | N/A |
| nas:ModifyAccessGroup | ModifyAccessGroup | Write | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:ModifyAccessRule | ModifyAccessRule | Write | AccessGroup: acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName} | N/A | N/A |
| nas:ModifyAutoSnapshotPolicy | ModifyAutoSnapshotPolicy | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/* | N/A | N/A |
| nas:ModifyFileSystem | ModifyFileSystem | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:ModifyLDAPConfig | ModifyLDAPConfig | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:ModifyLifecyclePolicy | ModifyLifecyclePolicy | Write | LifecyclePolicy: acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName} | N/A | N/A |
| nas:ModifyMountTarget | ModifyMountTarget | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:ModifySmbAcl | N/A | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:OpenNASService | OpenNASService | Write | All resources: acs:nas::{#accountId}:* | N/A | N/A |
| nas:RemoveTags | RemoveTags | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:ResetFileSystem | ResetFileSystem | Write | Snapshot: acs:nas:{#regionId}:{#accountId}:snapshot/{#SnapshotId} | N/A | N/A |
| nas:RetryLifecycleRetrieveJob | RetryLifecycleRetrieveJob | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:SetDirQuota | SetDirQuota | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:TagResources | TagResources | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:UntagResources | UntagResources | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |
| nas:UpdateRecycleBinAttribute | UpdateRecycleBinAttribute | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} | N/A | N/A |
| nas:UpgradeFileSystem | UpgradeFileSystem | Write | FileSystem: acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId} | N/A | N/A |

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Apsara File Storage.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

| Resource type | ARN |
| --- | --- |
| FileSystem | acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId} |
| Snapshot | acs:nas:{#regionId}:{#accountId}:snapshot/{#SnapshotId} |
| AccessGroup | acs:nas:*:{#accountId}:accessgroup/{#AccessGroupName} |
| LifecyclePolicy | acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName} |
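
The wildcard rules above can be checked mechanically when reviewing a policy for least privilege. The following audit script is an added example, not part of the original documentation: it flags Allow statements whose NAS resource ARN uses a wildcard for an action that this topic lists with a resource-level ARN. The function names, account ID, region, and file system ID are constructed placeholders, and the Version/Statement/Effect layout is assumed to follow the standard RAM policy syntax.

```python
import json

# Actions that the Action table lists as "All resources"; a wildcard ARN is
# the only option for these, so the audit does not flag them.
ALL_RESOURCE_ACTIONS = {
    "nas:BindStoragePackage", "nas:CreateLogAnalysis", "nas:DescribeLogAnalysis",
    "nas:DescribeStoragePackages", "nas:ListTagKeys", "nas:ListTagValues",
    "nas:OpenNASService"}

# Constructed sample policy (account ID, region and file system ID are placeholders).
SAMPLE_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["nas:DescribeFileSystems", "nas:DescribeMountTargets"],
   "Resource": "acs:nas:cn-hangzhou:1234567890123456:filesystem/fs-example01"},
  {"Effect": "Allow", "Action": "nas:DeleteFileSystem",
   "Resource": "acs:nas:*:1234567890123456:filesystem/*"},
  {"Effect": "Allow", "Action": "nas:ListTagKeys",
   "Resource": "acs:nas:*:1234567890123456:*"}]}""")

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def wildcard_findings(resource):
    """Return which parts of an ARN are wildcarded, per the rules above."""
    parts = resource.split(":", 4)  # acs : service : region : account : type/name
    if len(parts) != 5 or parts[0] != "acs":
        return ["not a well-formed ARN"]
    _, service, region, account, relative = parts
    findings = []
    if region == "*":
        findings.append("all regions")
    if account == "*":
        findings.append("all accounts")
    if relative == "*":
        findings.append(f"all {service} resources")
    elif relative.endswith("/*"):
        findings.append(f"all {relative[:-2]} resources")
    return findings

def audit(policy):
    """List (actions, resource, findings) for Allow statements that use a
    wildcard ARN although the action supports resource-level permissions."""
    report = []
    for stmt in policy["Statement"]:
        scoped = [a for a in as_list(stmt["Action"]) if a not in ALL_RESOURCE_ACTIONS]
        if stmt.get("Effect") != "Allow" or not scoped:
            continue
        for resource in as_list(stmt["Resource"]):
            findings = wildcard_findings(resource)
            if findings:
                report.append((scoped, resource, findings))
    return report
```

For the sample policy, `audit(SAMPLE_POLICY)` reports only the `nas:DeleteFileSystem` statement, which grants deletion on every file system in every region of the account.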

Condition

The following table describes the service-specific condition keys that you can use in the Condition element of a policy statement. The keys are defined by Apsara File Storage. The common condition keys that are defined by Alibaba Cloud also apply to Apsara File Storage. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

| Condition keys | Description | Type |
| --- | --- | --- |
| vpc:Vpc | The resource ARN of a VPC instance. You can use Condition to restrict access to a specified VPC. | String |