To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on domain names to RAM users. Then, the authorized RAM users can manage domain names. This topic describes how to authorize a RAM user to manage domain names.
Prerequisites
Background information
Grant the read and write permissions to a RAM user
You can use RAM to attach the AliyunDomainFullAccess system policy to a RAM user to authorize the user to manage domain names. This is the highest-level permission. The authorized RAM user can manage all domain names within the Alibaba Cloud account.
Grant the read-only permissions to a RAM user
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:Query*"
      ],
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
For more information, see Create a custom policy.
Authorize a RAM user to manage a single domain name
- Only the operations listed in the following policy can be authorized. For more information about the authorization rules of each operation, see Authentication rules for the Domains API.
- After you attach the custom policy to a RAM user, the RAM user can log on to the Alibaba Cloud Domains console to view all the domain names within the Alibaba Cloud account. However, the RAM user can manage only the domain name specified in the custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:DnsModification",
        "domain:SecuritySetting",
        "domain:RealNameVerificationOperation",
        "domain:DnsHostModification",
        "domain:CreateOrderActivate",
        "domain:CreateOrderRenew",
        "domain:CreateOrderRedeem",
        "domain:CreateOrderTransfer",
        "domain:DomainTransferInOperation",
        "domain:DomainTransferOutOperation",
        "domain:QualificationAuditOperation",
        "domain:EnsSetting",
        "domain:DnsSecSetting",
        "domain:SaveArtExtension",
        "domain:CreateOrderPendingDelete"
      ],
      "Resource": "acs:domain:*:*:domain/example.com",
      "Effect": "Allow"
    },
    {
      "Action": "domain:Query*",
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
For more information, see Create a custom policy.
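The following is an added example, not part of the original topic or of any Alibaba Cloud tooling. It is a review aid that checks a custom policy before you attach it: which requests the policy would allow, and whether any write action is granted on a wildcard resource. Assumptions: the evaluation model is simplified (only `*` is treated as a wildcard, an explicit Deny overrides any Allow, anything unmatched is denied), the action list is shortened, and the request values such as `domain:QueryDomainList` and `example.org` are constructed samples.

```python
import json
import re

# Constructed sample: the single-domain policy from this page, action list shortened.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["domain:DnsModification", "domain:CreateOrderRenew"],
   "Resource": "acs:domain:*:*:domain/example.com", "Effect": "Allow"},
  {"Action": "domain:Query*",
   "Resource": "acs:domain:*:*:*", "Effect": "Allow"}
]}
""")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, value):
    """Match with '*' as the only wildcard (simplifying assumption)."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then any Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(wildcard_match(p, action) for p in as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(p, resource) for p in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def unscoped_write_grants(policy):
    """Allow pairs that are not read-only Query* but target a wildcard resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            for resource in as_list(stmt["Resource"]):
                if not action.startswith("domain:Query") and resource.endswith("*"):
                    findings.append((action, resource))
    return findings

if __name__ == "__main__":
    print(is_allowed(POLICY, "domain:DnsModification", "acs:domain:*:*:domain/example.org"))
    print(unscoped_write_grants(POLICY))
```

An empty result from `unscoped_write_grants` means every write action in the policy is tied to a named domain, which is the intent of the single-domain policy above.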