Permissions define the conditions for the system to allow or deny specific operations on target resources.

Procedure

Permissions are defined in authorization policies. To customize permissions, you write a custom policy whose statements name the actions, resources, and conditions that you want to allow or deny, and then attach that policy to RAM users.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, define a custom policy.
    Parameter           Description
    Policy Name         Enter the policy name.
    Note                Enter the policy description.
    Configuration Mode  Select Script.
    Policy Document     A permission policy in JSON format includes the following parameters:
    • Action: indicates the action that you want to authorize. IoT actions start with iot:. For more information about actions and examples, see the section of Define actions.
    • Effect: indicates whether the statement allows or denies the listed actions. Valid values: Allow and Deny. An explicit Deny takes precedence over an Allow.
    • Resource: indicates the resource you want to authorize.
      • If you want to authorize a RAM user to access all your IoT Platform resources, set this parameter to *.
      • If you want to perform authorization at the resource level, such as products, devices, or rules, enter an Alibaba Cloud Resource Name (ARN). The format is acs:iot:$regionid:$accountid:<resource-relative-id>.

        For example, to grant permissions on a specific product, set the Resource parameter to a value in the acs:iot:$regionid:$accountid:product/$productKey format.

    • Condition: indicates the condition that a request must meet for the statement to take effect, such as the source IP address of the request. For more information, see Define conditions.

Define actions

An action is the name of an application programming interface (API) operation. When you create an authorization policy, prefix each action with iot: and list multiple actions as a JSON array. An asterisk (*) is a wildcard, so iot:Query* matches every IoT Platform operation whose name starts with Query. For the operation names that IoT Platform uses, see API permissions.

The following section provides some examples on action definitions.

  • Define a single API operation.
    "Action": "iot:CreateProduct"
  • Define multiple API operations.
    "Action": [
    "iot:UpdateProduct",
    "iot:QueryProduct"
    ]
  • Define all read-only API operations, including the read permissions on other Alibaba Cloud services that the rules engine needs when it forwards data to those destinations.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*", 
            "iot:Check*"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:GetInstance", 
            "ots:ListTable", 
            "ots:DescribeTable"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Define all read/write API operations, including the permissions on other Alibaba Cloud services that the rules engine needs when it forwards data to those destinations. The ram:PassRole statement is limited to the IoT Platform service by its acs:Service condition.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": "iot:*", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo", 
            "rds:ModifySecurityIps*"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:ListTable", 
            "ots:DescribeTable", 
            "ots:GetInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:PassRole", 
          "Resource": "*", 
          "Effect": "Allow", 
          "Condition": {
            "StringEquals": {
              "acs:Service": "iot.aliyuncs.com"
            }
          }
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Define resource-level authorization.

    Example

    • The following code provides an example of a permission policy for querying information about a specific product:
      {
       "Statement": [
         {
           "Action": "iot:QueryProduct",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****"
         }
       ],
       "Version": "1"
      }
    • The following code provides an example of a permission policy for querying information about a specific device:
      {
       "Statement": [
         {
           "Action": "iot:QueryDeviceDetail",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****/device/testdevice1"
         }
       ],
       "Version": "1"
      }
    • The following code provides an example of a permission policy for querying information about a specific rule:
      {
       "Statement": [
         {
           "Action": "iot:GetRule",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:rule/6601****"
         }
       ],
       "Version": "1"
      }
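Before pasting a document into the Policy Document field, it is worth running a structural check locally. The following Python script is an added example for this page, not a tool provided by Alibaba Cloud or IoT Platform. It parses a policy, enforces the shape described in the procedure and under Define actions (Version "1", a Statement list, an Effect of Allow or Deny, service:Operation actions with an optional * wildcard, and Resource values that are either * or an acs:iot ARN of the product, device or rule form), rejects condition keys that contain stray whitespace, and warns about an unconditional iot:* grant on all resources. Accepting the $regionid/$accountid placeholders and * inside ARN segments is an assumption made for this example, as is the wording of the findings; the sample documents are constructed from the page's own examples, two of them deliberately broken.

```python
import json
import re
from typing import Any, List

# Resource shapes taken from the page: "*" or an ARN such as
#   acs:iot:$regionid:$accountid:product/<productKey>[/device/<deviceName>]
#   acs:iot:$regionid:$accountid:rule/<ruleId>
# Accepting "$regionid"/"$accountid" placeholders and "*" inside segments is an assumption.
_SEGMENT = r"(?:\*|\$\w+|[A-Za-z0-9_\-]+)"
_IOT_ARN = re.compile(
    rf"^acs:iot:{_SEGMENT}:{_SEGMENT}:"
    r"(?:product/[A-Za-z0-9_\-\*]+(?:/device/[A-Za-z0-9_\-\.:@\*]+)?|rule/[A-Za-z0-9_\-\*]+)$"
)
# Actions are "service:Operation", possibly with a trailing wildcard, e.g. iot:Query* or iot:*.
_ACTION = re.compile(r"^[a-z][a-z0-9\-]*:[A-Za-z0-9\*]+$")


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def lint_policy(text: str) -> List[str]:
    """Return findings as "ERROR: ..." / "WARN: ..." strings; an empty list means clean."""
    findings: List[str] = []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # Trailing commas and unquoted identifiers both fail here, before RAM ever sees them.
        return [f"ERROR: not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]

    if policy.get("Version") != "1":
        findings.append('ERROR: Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["ERROR: Statement must be a non-empty list"]

    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            findings.append(f"ERROR: {where}: statement must be an object")
            continue
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"ERROR: {where}: Effect must be Allow or Deny, got {effect!r}")

        actions = _as_list(stmt.get("Action", []))
        if not actions:
            findings.append(f"ERROR: {where}: Action is missing")
        for action in actions:
            if not isinstance(action, str) or not _ACTION.match(action):
                findings.append(f"ERROR: {where}: malformed action {action!r}, expected service:Operation")

        resources = _as_list(stmt.get("Resource", []))
        if not resources:
            findings.append(f"ERROR: {where}: Resource is missing")
        for res in resources:
            if res != "*" and (not isinstance(res, str) or not _IOT_ARN.match(res)):
                findings.append(f"ERROR: {where}: unrecognised resource {res!r}")

        # Condition keys are compared literally, so "acs:MFAPresent " (trailing space)
        # is a different key that never matches a real request.
        condition = stmt.get("Condition") or {}
        for operator, pairs in condition.items():
            for key in pairs:
                if key != key.strip():
                    findings.append(f"ERROR: {where}: condition key {key!r} contains whitespace")

        # Hygiene: an unconditional service-wide wildcard on every resource is the
        # broadest grant possible and should be a deliberate choice.
        if (effect == "Allow" and "*" in resources and not condition
                and any(isinstance(a, str) and a.endswith(":*") for a in actions)):
            findings.append(f"WARN: {where}: unconditional {actions} on all resources")
    return findings


# Constructed sample documents built from the page's examples: one clean resource-level
# policy, one with a trailing comma, one with a padded condition key, one wide-open grant.
CLEAN = '{"Version":"1","Statement":[{"Action":"iot:QueryProduct","Effect":"Allow","Resource":"acs:iot:$regionid:$accountid:product/aleEs48****"}]}'
TRAILING_COMMA = '{"Version":"1","Statement":[{"Action":"iot:GetRule","Effect":"Allow","Resource":"acs:iot:$regionid:$accountid:rule/6601****",}]}'
PADDED_KEY = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"iot:*","Resource":"*","Condition":{"Bool":{"acs:MFAPresent ":"true"}}}]}'
WIDE_OPEN = '{"Version":"1","Statement":[{"Action":"iot:*","Resource":"*","Effect":"Allow"}]}'

if __name__ == "__main__":
    for name, doc in [("CLEAN", CLEAN), ("TRAILING_COMMA", TRAILING_COMMA),
                      ("PADDED_KEY", PADDED_KEY), ("WIDE_OPEN", WIDE_OPEN)]:
        print(name, lint_policy(doc) or ["OK"])
```

Run it on any document before you save the policy; a parse error or a whitespace finding means the console would either reject the document or accept a condition that can never be satisfied.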

Define conditions

RAM permission policies support several condition types, including restrictions on the source IP address, restrictions on the access time, whether the request must use HTTPS, and whether the RAM user must have logged on with multi-factor authentication (MFA). All IoT Platform API operations support these conditions.

  • Restriction on Access IP addresses

    This access control restricts source IP addresses that can access IoT Platform, and filters IP addresses by using Classless Inter-Domain Routing (CIDR) blocks. Typical scenarios are as follows:

    • Specify one IP address or CIDR block. In the following example, only requests from IP address 10.101.168.111 or from the CIDR block 10.101.169.0/24 are allowed. Write CIDR blocks with the host bits cleared (10.101.169.0/24 rather than 10.101.169.111/24) so that the intended range is unambiguous.
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "iot:*",
            "Resource": "*",
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "10.101.168.111",
                  "10.101.169.0/24"
                ]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Specify multiple IP addresses. For example, the following code indicates that only access requests from IP addresses 10.101.168.111 and 10.101.169.111 are allowed.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "10.101.168.111", 
                  "10.101.169.111"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
  • HTTPS-based access control

    RAM allows you to specify whether resources must be accessed by requests over HTTPS.

    For example, the following code indicates that only HTTPS-based access is allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • MFA-based access control

    This condition restricts access to sessions in which the RAM user logged on with MFA. MFA applies to console logon only; API requests signed with an AccessKey pair carry no MFA code, so a statement that requires acs:MFAPresent effectively governs console sessions.

    For example, the following code indicates that only MFA-based access is allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
            "acs:MFAPresent": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • Time-based access control

    This condition compares the time of the request with a fixed timestamp. With DateLessThan, requests made before the specified time match the condition and requests made at or after it do not; whether matching requests are allowed or denied depends on the Effect of the statement.

    In the following example, only access requests earlier than 00:00:00 UTC+8 on January 1, 2019 are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }
          }
        }
      ], 
      "Version": "1"
    }

Typical scenarios

Based on the above definitions of actions, resources, and conditions, authorization policies are described in the following typical scenarios:

  • The following is an example of a permission policy that allows access.

    Scenario: Grants IoT Platform access to requests from the CIDR block 10.101.168.0/24, and only if they use HTTPS and are made before 00:00:00 UTC+8 on January 1, 2019. All three conditions must hold for the statement to apply.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iot:*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.168.0/24"
              ]
            }, 
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }, 
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • The following code provides an example of a permission policy that denies access.

    Scenario: Denies read requests from IP address 10.101.169.111. An explicit Deny takes precedence over any Allow, so this statement blocks reads from that address even if another policy attached to the same RAM user grants iot:* on all resources.

    {
      "Statement": [
        {
          "Effect": "Deny", 
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*"
          ], 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.169.111"
              ]
            }
          }
        }
      ], 
      "Version": "1"
    }
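To see how the conditions described under Define conditions combine with Allow and Deny in the two scenarios above, the following Python simulator is an added example for this page, not Alibaba Cloud's policy engine. It models the evaluation order that the Deny scenario relies on (an explicit Deny that matches the request wins over any Allow; with no matching Allow the request is denied) and implements the IpAddress, Bool, DateLessThan and StringEquals operators, with * as a wildcard in Action and Resource. The request context (acs:SourceIp, acs:SecureTransport, acs:CurrentTime) and its sample values are constructed for the example; the policies are the two scenarios above plus the unconditional iot:* grant from Define actions.

```python
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress
from typing import Any, Dict, List

Policy = Dict[str, Any]
Context = Dict[str, Any]


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _condition_holds(operator: str, pairs: Dict[str, Any], ctx: Context) -> bool:
    """All keys under one operator must hold; a key missing from the request fails."""
    for key, wanted in pairs.items():
        if key not in ctx:
            return False
        actual = ctx[key]
        if operator == "IpAddress":
            # strict=False tolerates host bits in a block written as 10.101.169.111/24.
            ip = ipaddress.ip_address(actual)
            if not any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(wanted)):
                return False
        elif operator == "Bool":
            if str(actual).lower() != str(wanted).lower():
                return False
        elif operator == "DateLessThan":
            if not datetime.fromisoformat(actual) < datetime.fromisoformat(wanted):
                return False
        elif operator == "StringEquals":
            if actual not in _as_list(wanted):
                return False
        else:
            raise ValueError(f"unsupported condition operator {operator!r}")
    return True


def _matches(stmt: Policy, action: str, resource: str, ctx: Context) -> bool:
    """Action and Resource patterns use * as a wildcard; every Condition block must hold."""
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, pairs, ctx) for op, pairs in stmt.get("Condition", {}).items())


def evaluate(policies: List[Policy], action: str, resource: str, ctx: Context) -> str:
    """Explicit Deny beats any Allow; with no matching Allow the result is an implicit Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


# The two policies from "Typical scenarios" and the unconditional iot:* grant from "Define actions".
SCOPED_ALLOW: Policy = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "iot:*", "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.168.0/24"]},
                  "DateLessThan": {"acs:CurrentTime": "2019-01-01T00:00:00+08:00"},
                  "Bool": {"acs:SecureTransport": "true"}}}]}
DENY_READS: Policy = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"],
    "Resource": "*", "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.169.111"]}}}]}
FULL_ACCESS: Policy = {"Version": "1", "Statement": [{"Action": "iot:*", "Resource": "*", "Effect": "Allow"}]}

PRODUCT = "acs:iot:$regionid:$accountid:product/aleEs48****"  # resource from the page's examples


def request(ip: str, secure: bool = True, when: str = "2018-06-01T12:00:00+08:00") -> Context:
    """Constructed request context; the key names are the condition keys used on the page."""
    return {"acs:SourceIp": ip, "acs:SecureTransport": secure, "acs:CurrentTime": when}


def decide_scenarios() -> Dict[str, str]:
    """Decisions for constructed requests against the page's policies."""
    scoped, broad = [SCOPED_ALLOW], [FULL_ACCESS, DENY_READS]
    return {
        "https_in_range_before_deadline": evaluate(scoped, "iot:QueryProduct", PRODUCT, request("10.101.168.5")),
        "http_in_range": evaluate(scoped, "iot:QueryProduct", PRODUCT, request("10.101.168.5", secure=False)),
        "https_outside_range": evaluate(scoped, "iot:QueryProduct", PRODUCT, request("10.101.170.5")),
        "https_at_deadline": evaluate(scoped, "iot:QueryProduct", PRODUCT,
                                      request("10.101.168.5", when="2019-01-01T00:00:00+08:00")),
        "read_from_denied_ip": evaluate(broad, "iot:QueryProduct", PRODUCT, request("10.101.169.111")),
        "write_from_denied_ip": evaluate(broad, "iot:CreateProduct", PRODUCT, request("10.101.169.111")),
        "read_from_other_ip": evaluate(broad, "iot:QueryProduct", PRODUCT, request("10.101.169.112")),
    }


if __name__ == "__main__":
    for label, decision in decide_scenarios().items():
        print(f"{label:32} {decision}")
```

The last three cases show why the Deny statement is worth having even when a broad Allow exists: the read from 10.101.169.111 is refused because the Deny matches, while a write from the same address and a read from a neighbouring address are both still allowed by the unconditional iot:* grant.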

After the permission policy is created, apply it to the RAM users. Authorized RAM users can perform the operations defined in this policy. For more information about how to create RAM users and how to grant permissions, see Use RAM users.