Access DTS with a sub-account

Last Updated: Nov 22, 2018

Alibaba Cloud accounts are master accounts and RAM users are sub-accounts. Master accounts can purchase and manage DTS tasks. Sub-accounts can also do so after being authorized by master accounts.
This topic describes how to access DTS with a sub-account.

Sub-account definition

DTS currently supports only two access policies for sub-accounts: read-write and read-only. DTS does not support access authorization at API granularity.
The read-write and read-only policies are provided by RAM.

  • Read-write policy
    The read-write policy is named AliyunDTSFullAccess and defined as follows:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "dts:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": ""
            }
          }
        }
      ]
    }

The read-write policy has all the DTS read and write permissions. Sub-accounts with this policy can manage the full DTS lifecycle, including purchasing, configuring, and managing DTS instances.

  • Read-only policy
    The read-only policy is named AliyunDTSReadOnlyAccess and defined as follows:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "dts:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

The read-only policy has all the DTS read permissions. Sub-accounts with this policy can view details about all DTS tasks under the master account, but cannot perform change operations, including purchasing, configuring, modifying, starting, pausing, finishing, and releasing.
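To see what the two policies above permit in practice, the following added example (not Alibaba Cloud code) evaluates action names against the policy documents copied from this page. It is a simplified model: it matches `Action` patterns only, ignores `Resource` and `Condition`, and the DTS action names used as probes are sample values assumed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Policy documents copied from this page (the empty acs:Service value is as shown there).
FULL_ACCESS = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "dts:*", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"acs:Service": ""}}}
]}""")
READ_ONLY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "dts:Describe*", "Resource": "*", "Effect": "Allow"}
]}""")


def _actions(stmt):
    """Action may be a single string or a list of strings."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def is_allowed(policy, action):
    """Simplified check: an explicit Deny wins, otherwise any matching Allow.
    Resource and Condition are ignored, and matching is case-sensitive
    (both are assumptions of this example)."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pattern) for pattern in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def grants_dts_write(policy, write_probes):
    """Return the probe actions the policy allows; an empty list means read-only."""
    return [a for a in write_probes if is_allowed(policy, a)]


# Sample action names for illustration (assumed, not listed on this page).
WRITE_PROBES = ["dts:CreateMigrationJob", "dts:StartMigrationJob", "dts:DeleteMigrationJob"]
READ_PROBE = "dts:DescribeMigrationJobs"

if __name__ == "__main__":
    for name, pol in (("AliyunDTSFullAccess", FULL_ACCESS), ("AliyunDTSReadOnlyAccess", READ_ONLY)):
        print(name, "read:", is_allowed(pol, READ_PROBE), "write:", grants_dts_write(pol, WRITE_PROBES))
```

The same functions can be pointed at a custom policy document to confirm it does not grant more than `dts:Describe*` before it is attached to a sub-account.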

Sub-account authorization

For security purposes, you can authorize a sub-account to create and manage DTS tasks instead of sharing the master account with each employee. This section describes how to create a sub-account that can use DTS.

Create a sub-account

Create a sub-account if you do not have one. For more information, see Create a RAM user.

Authorize a sub-account

  1. Log on to the RAM console and access the User Management page. Find the sub-account and click Authorize.

  2. In the displayed dialog box, search for and select the desired DTS access policy, add it to the selected policy list, and click OK.

Access DTS

  1. Open the RAM console and find the RAM user logon link on the RAM Overview page.

  2. Open the link and log on with the sub-account.

  3. Access the DTS console.

    Now you can create and manage DTS tasks with the sub-account.