All Products
Search
Document Center

Network Attached Storage (NAS)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Apsara File Storage (NAS).

The code (RamCode) in RAM that is used to indicate Apsara File Storage is nas. You can grant permissions on Apsara File Storage at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Apsara File Storage. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

nas:AddTags

AddTags

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:ApplyAutoSnapshotPolicy

ApplyAutoSnapshotPolicy

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:BindStoragePackage

N/A

Write


All resources


acs:nas:*:{#accountId}:*


N/A

N/A

nas:CPFSCreateFileSystem

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/*


N/A

N/A

nas:CPFSDeleteFileSystem

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CPFSModifyFileSystem

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CancelAutoSnapshotPolicy

CancelAutoSnapshotPolicy

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:CancelDirQuota

CancelDirQuota

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:CancelLifecycleRetrieveJob

CancelLifecycleRetrieveJob

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CancelRecycleBinJob

CancelRecycleBinJob

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CreateAccessGroup

CreateAccessGroup

Write


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:CreateAccessRule

CreateAccessRule

Write


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:CreateAutoSnapshotPolicy

CreateAutoSnapshotPolicy

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:CreateFileSystem

CreateFileSystem

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/*


N/A

N/A

nas:CreateLDAPConfig

CreateLDAPConfig

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CreateLifecyclePolicy

CreateLifecyclePolicy

Write


LifecyclePolicy


acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName}


N/A

N/A

nas:CreateLifecycleRetrieveJob

CreateLifecycleRetrieveJob

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CreateLogAnalysis

N/A

Write


All resources


acs:nas:*:{#accountId}:*


N/A

N/A

nas:CreateMountTarget

CreateMountTarget

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


VPC:VSwitch


acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId}



vpc:Vpc


N/A

nas:CreateRecycleBinDeleteJob

CreateRecycleBinDeleteJob

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CreateRecycleBinRestoreJob

CreateRecycleBinRestoreJob

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:CreateSnapshot

CreateSnapshot

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:DeleteAccessGroup

DeleteAccessGroup

Write


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:DeleteAccessRule

DeleteAccessRule

Write


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:DeleteAutoSnapshotPolicy

DeleteAutoSnapshotPolicy

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:DeleteFileSystem

DeleteFileSystem

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DeleteLDAPConfig

DeleteLDAPConfig

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:DeleteLifecyclePolicy

DeleteLifecyclePolicy

Write


LifecyclePolicy


acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName}


N/A

N/A

nas:DeleteLogAnalysis

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:DeleteMountTarget

DeleteMountTarget

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DeleteSnapshot

DeleteSnapshot

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:DescribeAccessGroups

DescribeAccessGroups

Read


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:DescribeAccessRules

DescribeAccessRules

Read


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:DescribeAutoSnapshotPolicies

DescribeAutoSnapshotPolicies

Read


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:DescribeAutoSnapshotTasks

DescribeAutoSnapshotTasks

Read


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:DescribeDirQuotas

DescribeDirQuotas

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DescribeFileSystems

DescribeFileSystems

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DescribeLDAPConfig

DescribeLDAPConfig

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:DescribeLifecyclePolicies

DescribeLifecyclePolicies

List


LifecyclePolicy


acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/*


N/A

N/A

nas:DescribeLogAnalysis

DescribeLogAnalysis

Read


All resources


acs:nas:*:{#accountId}:*


N/A

N/A

nas:DescribeMountTargets

DescribeMountTargets

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DescribeMountedClients

DescribeMountedClients

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:DescribeNfsAcl

N/A

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DescribeSmbAcl

N/A

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DescribeSnapshots

DescribeSnapshots

Read


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:DescribeStoragePackages

DescribeStoragePackages

Read


All resources


acs:nas:*:{#accountId}:*


N/A

N/A

nas:DescribeTags

DescribeTags

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DisableAndCleanRecycleBin

DisableAndCleanRecycleBin

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:DisableNfsAcl

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:DisableSmbAcl

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:EnableNfsAcl

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:EnableRecycleBin

EnableRecycleBin

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:EnableSmbAcl

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:GetDirectoryOrFileProperties

GetDirectoryOrFileProperties

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:GetRecycleBinAttribute

GetRecycleBinAttribute

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:ListDirectoriesAndFiles

ListDirectoriesAndFiles

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:ListLifecycleRetrieveJobs

ListLifecycleRetrieveJobs

List


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/*


N/A

N/A

nas:ListRecentlyRecycledDirectories

ListRecentlyRecycledDirectories

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:ListRecycleBinJobs

ListRecycleBinJobs

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:ListRecycledDirectoriesAndFiles

ListRecycledDirectoriesAndFiles

Read


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:ListTagKeys

N/A

Read


All resources


acs:nas:*:{#accountId}:*


N/A

N/A

nas:ListTagResources

ListTagResources

LIST


FileSystem

acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}

FileSystem

acs:nas:{#regionId}:{#accountId}:filesystem/*


N/A

N/A

nas:ListTagValues

N/A

Read


All resources


acs:nas:*:{#accountId}:*


N/A

N/A

nas:ModifyAccessGroup

ModifyAccessGroup

Write


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:ModifyAccessRule

ModifyAccessRule

Write


AccessGroup


acs:nas:{#regionId}:{#accountId}:accessgroup/{#accessgroupName}


N/A

N/A

nas:ModifyAutoSnapshotPolicy

ModifyAutoSnapshotPolicy

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/*


N/A

N/A

nas:ModifyFileSystem

ModifyFileSystem

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:ModifyLDAPConfig

ModifyLDAPConfig

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:ModifyLifecyclePolicy

ModifyLifecyclePolicy

Write


LifecyclePolicy


acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName}


N/A

N/A

nas:ModifyMountTarget

ModifyMountTarget

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:ModifySmbAcl

N/A

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:OpenNASService

OpenNASService

Write


All resources


acs:nas::{#accountId}:*


N/A

N/A

nas:RemoveTags

RemoveTags

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:ResetFileSystem

ResetFileSystem

Write


Snapshot


acs:nas:{#regionId}:{#accountId}:snapshot/{#SnapshotId}


N/A

N/A

nas:RetryLifecycleRetrieveJob

RetryLifecycleRetrieveJob

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:SetDirQuota

SetDirQuota

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:TagResources

TagResources

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:UntagResources

UntagResources

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

nas:UpdateRecycleBinAttribute

UpdateRecycleBinAttribute

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}


N/A

N/A

nas:UpgradeFileSystem

UpgradeFileSystem

Write


FileSystem


acs:nas:{#regionId}:{#accountId}:filesystem/{#filesystemId}


N/A

N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Apsara File Storage.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

FileSystem

acs:nas:{#regionId}:{#accountId}:filesystem/{#FileSystemId}

Snapshot

acs:nas:{#regionId}:{#accountId}:snapshot/{#SnapshotId}

AccessGroup

acs:nas:*:{#accountId}:accessgroup/{#AccessGroupName}

LifecyclePolicy

acs:nas:{#regionId}:{#accountId}:lifecyclepolicy/{#LifecycleRuleName}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by Apsara File Storage. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Apsara File Storage. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys

Description

Type

vpc:Vpc

The resource ARN of a VPC Instance. You can use Condition to restrict access to a specified vpc.

String