When a subaccount accesses resources through ApsaraDB for MongoDB API, the ApsaraDB for MongoDB background performs a permission verification on RAM to make sure that the caller has relevant permissions.
Each ApsaraDB for MongoDB API determines the resource permissions that need to be checked based on the involved resources and the API semantics. The authorization rules for each API are shown in the following table.
| Operation name | Authentication rule |
|---|---|
| dds:CreateDBInstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyDBInstanceSpec | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DeleteDBInstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:RenewDBInstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:CreateShardingDBInstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DeleteNode | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:CreateNode | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyNodeSpec | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeDBInstances | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:RestartDBInstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyDBInstanceMaintainTime | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyDBInstanceDescription | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeDBInstanceAttribute | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeReplicaSetRole | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeShardingNetworkAddress | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyDBInstanceNetworkType | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyDBInstanceNetExpireTime | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeDBInstancePerformance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeAccounts | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ResetAccountPassword | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeSecurityIps | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifySecurityIps | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeAuditRecords | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeAuditFiles | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeBackupPolicy | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:ModifyBackupPolicy | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:CreateBackup | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:RestoreDBInstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeBackups | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
| dds:DescribeDBInstancePerformance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |