Permissions define the conditions for the system to allow or deny specific operations on specific resources.

Procedure

Permissions are defined in policies. You can define permissions when you create custom policies.

  1. Log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, configure a custom policy.
    Parameters:
    • Policy Name: Enter the name of the policy.
    • Note: Enter the description of the policy.
    • Configuration Mode: Select Script.
    • Policy Document: Configure the policy content in the JSON format. The following parameters are required:
      • Action: the actions that you want to authorize. IoT Platform actions start with iot:. For more information about actions and examples, see the "Define actions" section of this article.
      • Effect: the authorization type. Valid values: Allow and Deny.
      • Resource: the resources that you want to authorize.
        • If you want to authorize a RAM user to access all resources of your IoT Platform service, set this parameter to *.
        • If you want to grant permissions on specific resources, such as products, devices, or rules, set this parameter to an Alibaba Cloud Resource Name (ARN) in the following format: acs:iot:$regionid:$accountid:<resource-relative-id>.

          For example, to grant permissions on a specific product, set the Resource parameter to a value in the acs:iot:$regionid:$accountid:product/$productKey format.

      • Condition: the authentication condition. For more information, see the "Define conditions" section of this article.

Define actions

To define actions for a policy, you must specify API operations in the Action parameter. When you create a policy to grant permissions on IoT Platform, specify IoT Platform actions in the Action parameter. Each IoT Platform action must start with iot:. Multiple actions must be separated by commas (,). You can also set the Action parameter to an asterisk (*), which indicates a wildcard. For information about the API operations of IoT Platform, see API permissions.

The following examples show you how to define actions.

  • Specify a single API operation to define an action.
    "Action": "iot:CreateProduct"
  • Specify multiple API operations to define actions.
    "Action": [
    "iot:UpdateProduct",
    "iot:QueryProduct"
    ]
  • Specify all read-only API operations to define actions, including the actions that are involved when the rules engine forwards data to a product.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*", 
            "iot:Check*"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:GetInstance", 
            "ots:ListTable", 
            "ots:DescribeTable"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Specify all read/write API operations to define actions, including the actions that are involved when the rules engine forwards data to a product.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": "iot:*", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo", 
            "rds:ModifySecurityIps"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:ListTable", 
            "ots:DescribeTable", 
            "ots:GetInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:PassRole", 
          "Resource": "*", 
          "Effect": "Allow", 
          "Condition": {
            "StringEquals": {
              "acs:Service": "iot.aliyuncs.com"
            }
          }
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Define actions for specific resources.

    Examples:

    • Configure a policy that contains the permission to query the information about a specific product.
      {
       "Statement": [
         {
           "Action": "iot:QueryProduct",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:product/*$productKey"
         }
       ],
       "Version": "1"
      }
    • Configure a policy that contains the permission to query the information about a specific device.
      {
       "Statement": [
         {
           "Action": "iot:QueryDeviceDetail",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:product/*$productKey/device/$deviceName"
         }
       ],
       "Version": "1"
      }
    • Configure a policy that contains the permission to query the information about a specific rule.
      {
       "Statement": [
         {
           "Action": "iot:GetRule",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:rule/*$ruleId"
         }
       ],
       "Version": "1"
      }

Define conditions

RAM policies support multiple authentication conditions. For example, you can set limits on the access IP addresses and access time. You can also specify whether HTTPS-based access is allowed, and whether multi-factor authentication (MFA) is required. All API operations of IoT Platform support these authentication conditions.

  • IP address-based access control

    RAM allows you to specify the source IP addresses from which access requests are allowed. You can also use Classless Inter-Domain Routing (CIDR) blocks to specify source IP addresses. The following examples show you how to set limits on access IP addresses.

    • Specify a single IP address or CIDR block. In the following example, only access requests from the IP address 10.101.168.111 or CIDR block 10.101.169.111/24 are allowed.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "10.101.168.111", 
                  "10.101.169.111/24"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
    • Specify multiple IP addresses. In the following example, only access requests from the IP addresses 10.101.168.111 and 10.101.169.111 are allowed.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "10.101.168.111", 
                  "10.101.169.111"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
  • HTTPS-based access control

    RAM allows you to specify whether resources must be requested over HTTPS.

    In the following example, only access requests over HTTPS are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • MFA-based access control

    RAM allows you to specify whether to enable MFA for access requests. MFA applies to console logon and is not required for API requests.

    In the following example, only access requests that pass MFA are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • Time-based access control

    RAM allows you to specify an access time. Access requests are allowed or denied based on whether they are sent earlier than the specified time.

    In the following example, only access requests that are earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }
          }
        }
      ], 
      "Version": "1"
    }

Scenarios

Based on the Action, Resource, and Condition parameters that are described in the preceding sections, this section shows sample custom policies for common scenarios.

  • A custom policy that allows specific access requests

    Scenario: Only access requests that are sent over HTTPS, from the IP addresses in 10.101.168.111/24, and earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.168.111/24"
              ]
            }, 
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }, 
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • A custom policy that denies specific access requests

    Scenario: Read requests from the IP address 10.101.169.111 are denied.

    {
      "Statement": [
        {
          "Effect": "Deny", 
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*"
          ], 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.169.111"
              ]
            }
          }
        }
      ], 
      "Version": "1"
    }
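Pulling the Action, Resource, and Condition rules from the preceding sections together, the following Python evaluator is an added example, not Alibaba Cloud's own RAM engine: it assumes deny-overrides semantics (an explicit Deny beats any Allow), glob-style wildcards in Action and Resource, and a request context keyed by the acs: condition keys used on this page. The POLICY below combines the page's Allow scenario with a constructed Deny statement; the host 10.101.168.50 is a constructed sample value.

```python
import fnmatch
import ipaddress
from datetime import datetime

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Every operator/key pair must hold; a missing context key fails closed."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":  # single IPs and CIDR blocks, as on the page
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(expected))
            elif operator == "Bool":  # acs:SecureTransport, acs:MFAPresent
                ok = str(actual).lower() == str(expected).lower()
            elif operator == "DateLessThan":  # acs:CurrentTime, ISO 8601 with offset
                ok = datetime.fromisoformat(actual) < datetime.fromisoformat(expected)
            elif operator == "StringEquals":  # acs:Service in the PassRole statement
                ok = actual in _as_list(expected)
            else:
                ok = False  # operator not covered on this page: fail closed
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': an explicit Deny wins, no matching Allow means Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
               and _condition_holds(stmt.get("Condition", {}), ctx))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"
        allowed = allowed or hit
    return "Allow" if allowed else "Deny"

# Constructed sample: the page's Allow scenario plus a Deny on read actions from
# one host inside the allowed block, so that Deny overriding Allow is visible.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": {
        "IpAddress": {"acs:SourceIp": ["10.101.168.111/24"]},
        "DateLessThan": {"acs:CurrentTime": "2019-01-01T00:00:00+08:00"},
        "Bool": {"acs:SecureTransport": "true"}}},
    {"Effect": "Deny", "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"],
     "Resource": "*", "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.168.50"]}}}]}
```

Because a missing or unknown condition key fails closed, a request that omits acs:SecureTransport is denied even from an allowed address, which is the behaviour you want when testing a policy before attaching it.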

After a policy is created, attach the policy to RAM users. Then, the RAM users can perform the operations that are defined in the policy. For more information about how to create and authorize RAM users, see Use RAM users.