Domain Names:Authorize a RAM user to manage domain names

Last Updated:Jan 02, 2024

To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on domain names to RAM users. Then, the authorized RAM users can manage domain names. This topic describes how to authorize a RAM user to manage domain names.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is a resource access control service provided by Alibaba Cloud. You can use RAM to authorize a RAM user to manage your domain names. RAM supports both system policies and custom policies. The AliyunDomainFullAccess system policy is provided for Alibaba Cloud Domains. If this system policy grants more permissions than you want to delegate, you can create a custom policy to provide finer-grained access control.

Note

This topic describes two custom policies, which are used to grant a RAM user the read-only permissions on all domain names and the management permissions on a single domain name. For more information about how to create other custom policies, see Create custom policies.

Grant the read and write permissions to a RAM user by attaching a system policy

You can attach the AliyunDomainFullAccess system policy to a RAM user in the RAM console to authorize the RAM user to manage domain names. This system policy grants the highest-level permissions. The authorized RAM user can manage all domain names within the Alibaba Cloud account.

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. Create a RAM user.

  3. In the left-side navigation pane of the RAM console, choose Identities > Users.

  4. On the Users page, find the RAM user to which you want to grant permissions in the User Logon Name/Display Name column. Click Add Permissions in the Actions column.

  5. In the Add Permissions panel, configure the parameters.

    1. Set the Authorized Scope parameter to Alibaba Cloud Account.

      Note

      The system automatically enters the authorized principal in the Principal field.

    2. Set the Select Policy parameter to System Policy.

    3. Enter domain in the search box. The system policies related to domain names are displayed in the list.

    4. Click AliyunDomainFullAccess to add the policy to the Selected section.

    5. Click OK.

  6. Click Complete.

Grant the read-only permissions to a RAM user by creating a custom policy

You can create a custom policy in the RAM console to grant the read-only permissions to a RAM user. The authorized RAM user can view domain names within the Alibaba Cloud account but cannot manage these domain names. Perform the following steps:

  1. You can go to the Create Policy page by using one of the following methods:

    • Method 1:

      1. In the left-side navigation pane of the RAM console, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

    • Method 2:

      1. In the left-side navigation pane of the RAM console, choose Identities > Users.

      2. On the Users page, find the RAM user to which you want to grant permissions in the User Logon Name/Display Name column. Click Add Permissions in the Actions column.

      3. In the Add Permissions panel, click Create Policy.

  2. On the Create Policy page, click the JSON tab.

  3. Enter the following script in the code editor. Click Next to edit policy information.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "domain:Query*"
          ],
          "Resource": "acs:domain:*:*:*",
          "Effect": "Allow"
        }
      ]
    }

  4. Enter a name and a description in the Name and Description fields in the Basic information section. The Description parameter is optional.

    For more information, see the Create a custom policy on the JSON tab section of the "Create a custom policy" topic.

  5. Click OK.

    You can use one of the following methods to view the created custom policy:

    • Method 1: On the Policies page, select Custom Policy from the Policy Type drop-down list and find the created custom policy.

    • Method 2: In the Add Permissions panel, set the Select Policy parameter to Custom Policy and find the created custom policy.

Authorize a RAM user to manage a single domain name by creating a custom policy

You can create a custom policy in the RAM console to authorize a RAM user to manage a single domain name. The authorized RAM user can only manage the resources of the specified domain name. For example, you can authorize a RAM user to manage the example.com domain. Perform the following steps:

Note
  • Only some of the operations on a domain name can be authorized. For more information about the authorization rules of each operation, see Authentication rules for the Domains API.

  • After you attach the custom policy to a RAM user, the RAM user can log on to the Alibaba Cloud Domains console to view all the domain names within the Alibaba Cloud account. However, the RAM user can manage only the domain name specified in the custom policy.

  1. You can go to the Create Policy page by using one of the following methods:

    • Method 1:

      1. In the left-side navigation pane of the RAM console, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

    • Method 2:

      1. In the left-side navigation pane of the RAM console, choose Identities > Users.

      2. On the Users page, find the RAM user to which you want to grant permissions in the User Logon Name/Display Name column. Click Add Permissions in the Actions column.

      3. In the Add Permissions panel, click Create Policy.

  2. On the Create Policy page, click the JSON tab.

  3. Enter the following script in the code editor and replace example.com with the domain name that you want to authorize the RAM user to manage. Then, click Next to edit policy information.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "domain:DnsModification",
            "domain:SecuritySetting",
            "domain:RealNameVerificationOperation",
            "domain:DnsHostModification",
            "domain:CreateOrderActivate",
            "domain:CreateOrderRenew",
            "domain:CreateOrderRedeem",
            "domain:CreateOrderTransfer",
            "domain:DomainTransferInOperation",
            "domain:DomainTransferOutOperation",
            "domain:QualificationAuditOperation",
            "domain:EnsSetting",
            "domain:DnsSecSetting",
            "domain:SaveArtExtension",
            "domain:CreateOrderPendingDelete"
          ],
          "Resource": "acs:domain:*:*:domain/example.com",
          "Effect": "Allow"
        },
        {
          "Action": [
            "domain:Query*"
          ],
          "Resource": "acs:domain:*:*:*",
          "Effect": "Allow"
        }
      ]
    }

  4. Enter a name and a description in the Name and Description fields in the Basic information section. The Description parameter is optional.

    For more information, see the Create a custom policy on the JSON tab section of the "Create a custom policy" topic.

  5. Click OK.

    You can use one of the following methods to view the created custom policy:

    • Method 1: On the Policies page, select Custom Policy from the Policy Type drop-down list and find the created custom policy.

    • Method 2: In the Add Permissions panel, set the Select Policy parameter to Custom Policy and find the created custom policy.
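Before attaching either custom policy, it helps to check what each one actually grants. The following added example is not Alibaba Cloud code; it is a simplified evaluator that applies RAM-style wildcard matching, default deny and Deny-overrides-Allow to constructed copies of the read-only policy and an abridged single-domain policy from this topic. The request action and resource values (for example domain:QueryDomainList and the other.com resource) are constructed for illustration.

```python
import json
import re

# Constructed copies of the two custom policies shown in this topic: the
# read-only policy and an abridged single-domain policy for example.com.
READ_ONLY_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["domain:Query*"], "Resource": "acs:domain:*:*:*", "Effect": "Allow"}
  ]
}""")

SINGLE_DOMAIN_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["domain:DnsModification", "domain:CreateOrderRenew"],
     "Resource": "acs:domain:*:*:domain/example.com", "Effect": "Allow"},
    {"Action": ["domain:Query*"], "Resource": "acs:domain:*:*:*", "Effect": "Allow"}
  ]
}""")


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    """'*' matches any run of characters; everything else must match literally.
    Simplification (assumption): matching is case-sensitive here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Default deny; an explicit Deny statement overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed (action, resource) pairs a RAM user might request.
    checks = [("domain:QueryDomainList", "acs:domain:*:*:domain/example.com"),
              ("domain:DnsModification", "acs:domain:*:*:domain/example.com"),
              ("domain:DnsModification", "acs:domain:*:*:domain/other.com")]
    for name, policy in [("read-only", READ_ONLY_POLICY), ("single-domain", SINGLE_DOMAIN_POLICY)]:
        for action, resource in checks:
            print(f"{name:13} {action:24} {resource}: {is_allowed(policy, action, resource)}")
```

Running the script shows that the single-domain policy allows modification only for example.com while Query* actions are allowed on every domain, which is the behaviour the Note above describes.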

What to do next

Log on to the Alibaba Cloud Domains console as the authorized RAM user. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.