All Products
Search
Document Center

Operation Orchestration Service (OOS)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Operation Orchestration Service (OOS).

The code (RamCode) in RAM that is used to indicate OOS is oos. You can grant permissions on OOS at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by OOS. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

oos:CancelExecution

CancelExecution

WRITE


Execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:ChangeResourceGroup

ChangeResourceGroup

Write


All resources


acs:oos:*:{#accountId}:*


N/A

N/A

oos:CreateApplication

CreateApplication

Write


Application


acs:oos:{#regionId}:{#accountId}:application/*


N/A

N/A

oos:CreateApplicationGroup

CreateApplicationGroup

Write


Application


acs:oos:{#regionId}:{#accountId}:application/*


N/A

N/A

oos:CreateParameter

CreateParameter

WRITE


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:CreatePatchBaseline

CreatePatchBaseline

WRITE


patchbaseline


acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}


N/A

N/A

oos:CreateSecretParameter

CreateSecretParameter

WRITE


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:CreateStateConfiguration

CreateStateConfiguration

WRITE


stateconfiguration


acs:oos:{#regionId}:{#accountId}:stateconfiguration/*


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}


N/A

N/A

oos:CreateTemplate

CreateTemplate

WRITE


template


acs:oos:{#regionId}:{#accountId}:template/*



oos:tag



ram:PassRole


oos:DeleteApplication

DeleteApplication

Read


Application


acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}


N/A

N/A

oos:DeleteApplicationGroup

DeleteApplicationGroup

Write


Application


acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}


N/A

N/A

oos:DeleteExecutions

DeleteExecutions

WRITE


Execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:DeleteParameter

DeleteParameter

WRITE


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:DeletePatchBaseline

DeletePatchBaseline

WRITE


patchbaseline


acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}


N/A

N/A

oos:DeleteSecretParameter

DeleteSecretParameter

WRITE


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:DeleteStateConfigurations

DeleteStateConfigurations

WRITE


stateconfiguration


acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}


N/A

N/A

oos:DeleteTemplate

DeleteTemplate

WRITE


Template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:DeleteTemplates

DeleteTemplates

WRITE


Template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}


N/A

N/A

oos:GenerateExecutionPolicy

GenerateExecutionPolicy

WRITE


Template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}


N/A

N/A

oos:GetApplication

GetApplication

Read


Application


acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}


N/A

N/A

oos:GetApplicationGroup

GetApplicationGroup

Read


Application


acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}


N/A

N/A

oos:GetExecutionTemplate

GetExecutionTemplate

READ


Execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:GetParameter

GetParameter

READ


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:GetParameters

GetParameters

READ


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:GetParametersByPath

GetParametersByPath

READ


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:GetPatchBaseline

GetPatchBaseline

READ


patchbaseline


acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}


N/A

N/A

oos:GetSecretParameter

GetSecretParameter

READ


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:GetSecretParameters

GetSecretParameters

READ


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:GetSecretParametersByPath

GetSecretParametersByPath

READ


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:GetServiceSettings

GetServiceSettings

READ


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:GetTemplate

GetTemplate

READ


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:ListApplicationGroups

ListApplicationGroups

List


Application


acs:oos:{#regionId}:{#accountId}:application/*


N/A

N/A

oos:ListApplications

ListApplications

List


Application


acs:oos:{#regionId}:{#accountId}:application/*


N/A

N/A

oos:ListExecutionLogs

ListExecutionLogs

LIST


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:ListExecutionRiskyTasks

ListExecutionRiskyTasks

LIST


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:ListExecutions

ListExecutions

READ


execution


acs:oos:{#regionId}:{#accountId}:execution/*


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:ListInstancePatchStates

ListInstancePatchStates

LIST


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:ListInstancePatches

ListInstancePatches

LIST


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:ListInstanceStateReports

ListInstanceStateReports

LIST


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:ListInventoryEntries

ListInventoryEntries

LIST


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:ListParameterVersions

ListParameterVersions

LIST


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:ListParameters

ListParameters

LIST


parameter


acs:oos:{#regionId}:{#accountId}:parameter/*


N/A

N/A

oos:ListPatchBaselines

ListPatchBaselines

LIST


patchbaseline


acs:oos:{#regionId}:{#accountId}:patchbaseline/*


N/A

N/A

oos:ListResourceExecutionStatus

ListResourceExecutionStatus

LIST


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:ListSecretParameterVersions

ListSecretParameterVersions

LIST


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:ListSecretParameters

ListSecretParameters

LIST


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/*


N/A

N/A

oos:ListStateConfigurations

ListStateConfigurations

READ


stateconfiguration


acs:oos:{#regionId}:{#accountId}:stateconfiguration/*


stateconfiguration


acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}


N/A

N/A

oos:ListTagKeys

ListTagKeys

LIST


tags


acs:oos:{#regionId}:{#accountId}:tags/*


N/A

N/A

oos:ListTagResources

ListTagResources

LIST


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}


Execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:ListTagValues

ListTagValues

LIST


tags


acs:oos:{#regionId}:{#accountId}:tags/*


N/A

N/A

oos:ListTaskExecutions

ListTaskExecutions

READ


execution


acs:oos:{#regionId}:{#accountId}:execution/*


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:ListTemplateVersions

ListTemplateVersions

LIST


Template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}


N/A

N/A

oos:ListTemplates

ListTemplates

READ


Template


acs:oos:{#regionId}:{#accountId}:template/*


Template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:NotifyExecution

NotifyExecution

WRITE


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}



oos:tag


N/A

oos:PutInventory

N/A

WRITE


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:RegisterDefaultPatchBaseline

RegisterDefaultPatchBaseline

WRITE


patchbaseline


acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}


N/A

N/A

oos:SearchInventory

SearchInventory

READ


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:SetServiceSettings

SetServiceSettings

WRITE


All resources


acs:oos:{#regionId}:{#accountId}:*


N/A

N/A

oos:StartExecution

StartExecution

WRITE


execution


acs:oos:{#regionId}:{#accountId}:execution/*


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:TagResources

TagResources

WRITE


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:TriggerExecution

TriggerExecution

WRITE


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}


N/A

N/A

oos:UntagResources

UntagResources

WRITE


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag


N/A

oos:UpdateApplicationGroup

UpdateApplicationGroup

Write


Application


acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}


N/A

N/A

oos:UpdateExecution

UpdateExecution

WRITE


execution


acs:oos:{#regionId}:{#accountId}:execution/{#executionId}


N/A

N/A

oos:UpdateInstanceInformation

UpdateInstanceInformation

Write


All resources


acs:oos:*:{#accountId}:*


N/A

N/A

oos:UpdateParameter

UpdateParameter

WRITE


parameter


acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}


N/A

N/A

oos:UpdatePatchBaseline

UpdatePatchBaseline

WRITE


patchbaseline


acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}


N/A

N/A

oos:UpdateSecretParameter

UpdateSecretParameter

WRITE


secretparameter


acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}


N/A

N/A

oos:UpdateStateConfiguration

UpdateStateConfiguration

WRITE


stateconfiguration


acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}


N/A

N/A

oos:UpdateTemplate

UpdateTemplate

WRITE


template


acs:oos:{#regionId}:{#accountId}:template/{#templateName}



oos:tag



ram:PassRole


Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by OOS.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

Execution

acs:oos:{#regionId}:{#accountId}:execution/{#ExecutionId}

Template

acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}

Application

acs:oos:{#regionId}:{#accountId}:application/{#Name}

Parameter
acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}
Patchbaseline
acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by OOS. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to OOS. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys

Description

Type

oos:tag

A tag key and value pair that are attached to a OOS resource.

String