Operation Orchestration Service (OOS) - Resource Access Management

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Operation Orchestration Service (OOS).

The code (RamCode) in RAM that is used to indicate OOS is oos. You can grant permissions on OOS at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by OOS. The following list describes the columns in the table:

Action: the value that you can use in the Action element to specify the operation on a resource.
API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.
Access level: the access level of each action. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.
Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.
Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions	APIs	Access level	Resource types	Condition keys	Dependent actions
oos:CancelExecution	CancelExecution	WRITE	Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:ChangeResourceGroup	ChangeResourceGroup	Write	All resources acs:oos::{#accountId}:	N/A	N/A
oos:CreateApplication	CreateApplication	Write	Application acs:oos:{#regionId}:{#accountId}:application/*	N/A	N/A
oos:CreateApplicationGroup	CreateApplicationGroup	Write	Application acs:oos:{#regionId}:{#accountId}:application/*	N/A	N/A
oos:CreateParameter	CreateParameter	WRITE	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:CreatePatchBaseline	CreatePatchBaseline	WRITE	patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}	N/A	N/A
oos:CreateSecretParameter	CreateSecretParameter	WRITE	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:CreateStateConfiguration	CreateStateConfiguration	WRITE	stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/* template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	N/A	N/A
oos:CreateTemplate	CreateTemplate	WRITE	template acs:oos:{#regionId}:{#accountId}:template/*	oos:tag	ram:PassRole
oos:DeleteApplication	DeleteApplication	Read	Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}	N/A	N/A
oos:DeleteApplicationGroup	DeleteApplicationGroup	Write	Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}	N/A	N/A
oos:DeleteExecutions	DeleteExecutions	WRITE	Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:DeleteParameter	DeleteParameter	WRITE	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:DeletePatchBaseline	DeletePatchBaseline	WRITE	patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}	N/A	N/A
oos:DeleteSecretParameter	DeleteSecretParameter	WRITE	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:DeleteStateConfigurations	DeleteStateConfigurations	WRITE	stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}	N/A	N/A
oos:DeleteTemplate	DeleteTemplate	WRITE	Template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:DeleteTemplates	DeleteTemplates	WRITE	Template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	N/A	N/A
oos:GenerateExecutionPolicy	GenerateExecutionPolicy	WRITE	Template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	N/A	N/A
oos:GetApplication	GetApplication	Read	Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}	N/A	N/A
oos:GetApplicationGroup	GetApplicationGroup	Read	Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}	N/A	N/A
oos:GetExecutionTemplate	GetExecutionTemplate	READ	Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:GetParameter	GetParameter	READ	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:GetParameters	GetParameters	READ	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:GetParametersByPath	GetParametersByPath	READ	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:GetPatchBaseline	GetPatchBaseline	READ	patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}	N/A	N/A
oos:GetSecretParameter	GetSecretParameter	READ	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:GetSecretParameters	GetSecretParameters	READ	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:GetSecretParametersByPath	GetSecretParametersByPath	READ	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:GetServiceSettings	GetServiceSettings	READ	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:GetTemplate	GetTemplate	READ	template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:ListApplicationGroups	ListApplicationGroups	List	Application acs:oos:{#regionId}:{#accountId}:application/*	N/A	N/A
oos:ListApplications	ListApplications	List	Application acs:oos:{#regionId}:{#accountId}:application/*	N/A	N/A
oos:ListExecutionLogs	ListExecutionLogs	LIST	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:ListExecutionRiskyTasks	ListExecutionRiskyTasks	LIST	template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:ListExecutions	ListExecutions	READ	execution acs:oos:{#regionId}:{#accountId}:execution/* execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:ListInstancePatchStates	ListInstancePatchStates	LIST	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:ListInstancePatches	ListInstancePatches	LIST	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:ListInstanceStateReports	ListInstanceStateReports	LIST	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:ListInventoryEntries	ListInventoryEntries	LIST	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:ListParameterVersions	ListParameterVersions	LIST	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:ListParameters	ListParameters	LIST	parameter acs:oos:{#regionId}:{#accountId}:parameter/*	N/A	N/A
oos:ListPatchBaselines	ListPatchBaselines	LIST	patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/*	N/A	N/A
oos:ListResourceExecutionStatus	ListResourceExecutionStatus	LIST	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:ListSecretParameterVersions	ListSecretParameterVersions	LIST	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:ListSecretParameters	ListSecretParameters	LIST	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/*	N/A	N/A
oos:ListStateConfigurations	ListStateConfigurations	READ	stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/* stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}	N/A	N/A
oos:ListTagKeys	ListTagKeys	LIST	tags acs:oos:{#regionId}:{#accountId}:tags/*	N/A	N/A
oos:ListTagResources	ListTagResources	LIST	template acs:oos:{#regionId}:{#accountId}:template/{#templateName} Execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:ListTagValues	ListTagValues	LIST	tags acs:oos:{#regionId}:{#accountId}:tags/*	N/A	N/A
oos:ListTaskExecutions	ListTaskExecutions	READ	execution acs:oos:{#regionId}:{#accountId}:execution/* execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:ListTemplateVersions	ListTemplateVersions	LIST	Template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	N/A	N/A
oos:ListTemplates	ListTemplates	READ	Template acs:oos:{#regionId}:{#accountId}:template/* Template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:NotifyExecution	NotifyExecution	WRITE	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	oos:tag	N/A
oos:PutInventory	N/A	WRITE	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:RegisterDefaultPatchBaseline	RegisterDefaultPatchBaseline	WRITE	patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}	N/A	N/A
oos:SearchInventory	SearchInventory	READ	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:SetServiceSettings	SetServiceSettings	WRITE	All resources acs:oos:{#regionId}:{#accountId}:*	N/A	N/A
oos:StartExecution	StartExecution	WRITE	execution acs:oos:{#regionId}:{#accountId}:execution/* template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:TagResources	TagResources	WRITE	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:TriggerExecution	TriggerExecution	WRITE	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	N/A	N/A
oos:UntagResources	UntagResources	WRITE	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId} template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	N/A
oos:UpdateApplicationGroup	UpdateApplicationGroup	Write	Application acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}	N/A	N/A
oos:UpdateExecution	UpdateExecution	WRITE	execution acs:oos:{#regionId}:{#accountId}:execution/{#executionId}	N/A	N/A
oos:UpdateInstanceInformation	UpdateInstanceInformation	Write	All resources acs:oos::{#accountId}:	N/A	N/A
oos:UpdateParameter	UpdateParameter	WRITE	parameter acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}	N/A	N/A
oos:UpdatePatchBaseline	UpdatePatchBaseline	WRITE	patchbaseline acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}	N/A	N/A
oos:UpdateSecretParameter	UpdateSecretParameter	WRITE	secretparameter acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}	N/A	N/A
oos:UpdateStateConfiguration	UpdateStateConfiguration	WRITE	stateconfiguration acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}	N/A	N/A
oos:UpdateTemplate	UpdateTemplate	WRITE	template acs:oos:{#regionId}:{#accountId}:template/{#templateName}	oos:tag	ram:PassRole

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by OOS.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.
An asterisk (*) is used as a wildcard. Examples:
- If you specify {#resourceType}/*, all resources are specified.
- If {#regionId} is set to *, all regions are specified.
- If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
Execution	acs:oos:{#regionId}:{#accountId}:execution/{#ExecutionId}
Template	acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}
Application	acs:oos:{#regionId}:{#accountId}:application/{#Name}
Parameter	acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}
Patchbaseline	acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by OOS. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to OOS. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys	Description	Type
oos:tag	A tag key and value pair that are attached to a OOS resource.	String