When a subaccount accesses resources through ApsaraDB for MongoDB API, the ApsaraDB for MongoDB background performs a permission verification on RAM to make sure that the caller has relevant permissions.

Each ApsaraDB for MongoDB API determines the resource permissions that need to be checked based on the involved resources and the API semantics. The authorization rules for each API are shown in the following table.

Operation name Authentication rule
CreateDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyDBInstanceSpec acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DeleteDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
RenewDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
CreateShardingDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DeleteNode acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
CreateNode acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyNodeSpec acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeDBInstances acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
RestartDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyDBInstanceMaintainTime acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyDBInstanceDescription acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeDBInstanceAttribute acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeReplicaSetRole acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeShardingNetworkAddress acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyDBInstanceNetworkType acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyDBInstanceNetExpireTime acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeDBInstancePerformance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeAccounts acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ResetAccountPassword acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeSecurityIps acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifySecurityIps acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeAuditRecords acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeAuditFiles acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeBackupPolicy acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
ModifyBackupPolicy acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
CreateBackup acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
RestoreDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeBackups acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
DescribeDBInstancePerformance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid