EDAS supports the account system of Alibaba Cloud Resource Access Management (RAM). You can create RAM sub-accounts under your primary account to avoid sharing your account key with other users. You can also assign minimum permissions to sub-accounts as needed to separate responsibilities and conduct efficient enterprise management. This topic introduces the following subjects:
- Introduction to RAM sub-accounts
- Create a RAM sub-account
- Use a RAM sub-account for EDAS logon
- Authorize a RAM account
- Unbind a RAM account
When you use your primary account in EDAS, you can allocate different roles and resources to the sub-accounts under the primary account so as to complete different types of jobs with different user identities, such as application administrator (with the permissions to create, start, query, and delete applications) and operation administrator (with the permissions to view resources, check application monitoring, and manage alarm policies, throttling and degradation rules). The primary and sub-account permission mode is similar to the classification of system user and common user in Linux. A system user can grant and revoke permissions to/from common users.
- A RAM account is created by a primary account in the RAM system. Validity check is not required for the RAM account, but the account name must be unique under the primary account.
- A dedicated logon portal is available for RAM accounts. For details about the logon portal, see relevant description in the RAM console.
Follow these steps:
In the EDAS console, choose Accounts > Sub-Account in the left-side navigation pane.
Click Bind Sub-Account in the upper-right corner to go to the RAM console. After you create a RAM user in the RAM console, by default, the RAM user is also a sub-account under your primary account in EDAS.
Click Users in the RAM console.
Click Create User in the upper-right corner. In the Create User dialog box that appears, enter your logon name and other information, and click OK. The user management page shows a new username, indicating that a RAM user is successfully created.
Note: The logon name must be unique under the primary account.
Click the logon name/displayed name link of the RAM user to go to the user information page.
Click Enable Console Logon in Web Console Logon Management. The password setting dialog box appears.
- Enter a new password, and select Require to reset the password upon next logon as needed.
After the preceding steps are complete, a RAM user with the console logon permission is successfully created.
Following these steps:
Click the RAM User Logon Link on the Dashboard page of the RAM console.
Note: The RAM user logon link varies depending on different primary accounts.
Enter the sub-account name and password on the RAM user logon page, and click Logon to go to the RAM console.
Enterprise Alias: Already exists in the logon link of the sub-account.
Sub-account Name: Logon name that the primary account sets when creating the RAM user.
Sub-account Password: Password that the primary account sets when enabling console logon for the RAM account. If Require to reset the password upon next logon is selected, the RAM account is required to reset the password after initial logon to the console. The new password is used for future logons.
Click Products & Services in the top navigation bar of the RAM console, and click Enterprise Distributed Application Service (EDAS) under the Middleware category to go to the EDAS console.
Two authorization methods are available:
- RAM authorization
- EDAS authorization
The two authorization methods are mutually exclusive. After you authorize a RAM account in RAM, you cannot authorize the same account in EDAS. You must revoke RAM authorization in the RAM console before you can perform EDAS authorization in the EDAS console. To authorize a RAM account in EDAS, ensure that the account is not authorized in RAM.
RAM authorization is performed at the EDAS service level, indicating that a RAM-authorized account has full permissions on EDAS. RAM authorization and revocation must be performed in the RAM console.
The procedure of RAM authorization is as follows:
In the RAM console, click Users in the left-side navigation pane, select the user to be authorized, and click Authorize in the “Action” field on the right.
Enter EDAS in the search box in the left part of the dialog box, select AliyunEDASFullAccess and add this option to Selected Authorization Policy Name on the right, and click OK to grant full EDAS permissions to the account.
After authorization is complete, use the primary account to log on to EDAS and select Accounts > Sub-Accounts on the left-side menu bar. Then the page lists the permissions, resources, and applications granted to the RAM account. The authorization function is disabled for the RAM account in the EDAS console.
To revoke RAM authorization, follow these steps:
In the RAM console, click Users in the left-side navigation pane, select the user, and click Authorize in the Actions field.
Move the AliyunEDASFullAccess option in the right-side field to the left and click OK.
After authorization is revoked, use the primary account to log on to EDAS and select Accounts > Sub-Accounts in the left-side navigation pane. Then the page shows that all resources and permissions of the RAM account are revoked. The authorization function is enabled for the RAM account on EDAS.
RAM users that are not authorized for EDAS can manage roles and resource groups, authorize applications, and perform other operations in EDAS, but cannot perform the unbind operation. Supported operations:
A primary account can assign a role to a sub-account to grant the role-specific permissions to this sub-account. The procedure of role management is as follows:
In the EDAS console, choose Accounts > Sub-Accounts on the left-side menu bar. Find the sub-account to be authorized and select Manage Roles in the “Actions” field on the right.
Select roles on the left side and click > to add the roles to the right side, then click OK.
Select Accounts > Roles on the left-side menu bar. The role name is displayed in the Roles page.
Authorize an application
A primary account can assign an application to a sub-account to grant the application ownership to this sub-account. The procedure of application authorization is the same as that of role management.
Note: Application authorization only grants the application ownership to the sub-account. To grant application operation permissions (to start or delete the application, for example) to the sub-account, you need to assign a role to the sub-account. Therefore, application authorization is typically followed by role authorization.
Authorize a resource group
A primary account can assign a resource group to a sub-account to give the sub-account access to resources in the resource group. For details about the concept of resource group, see Resource group. The procedure of resource group authorization is the same as that of role management.
Follow these steps:
Log on to the RAM console.
Click Users in the left-side navigation pane, find the account to be unbound, and click Delete in the “Actions” field on the right.