Before you call the BaaS API as a RAM user, you must grant the RAM user the corresponding permissions by using your Alibaba Cloud account. In the authorization policy, an Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource being authorized.

This topic describes how to use Alibaba Cloud Resource Names (ARNs) in BaaS to authorize users or user groups, grant RAM users access to resources, and implement access authorization across cloud services. Read the RAM documentation and the RAM API reference carefully before you use RAM to authorize access to BaaS.

Hyperledger Fabric resource ARNs

The following table describes the ARN format for each type of Hyperledger Fabric resource.

Resource type   ARN format
Consortium      acs:baas:$regionId:$accountId:consortium/$consortiumId
Organization    acs:baas:$regionId:$accountId:organization/$organizationId
Channel         acs:baas:*:$accountId:channel/$channelId
Chaincode       acs:baas:*:$accountId:chaincode/$chaincodeId

$regionId indicates the region ID of the resource. $accountId indicates the Alibaba Cloud account ID of the resource owner. $consortiumId, $organizationId, $channelId, and $chaincodeId indicate the ID of the corresponding resource in the blockchain service.

Note: Channels and chaincodes are global resources, so the region field of their ARNs must be "*".
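The following helper builds and validates ARNs in the formats listed above and enforces the global-region rule from the note. It is an added example, not code from the Alibaba Cloud documentation or SDK; the resource types and the "*" region requirement come from the table and note above, and the region, account and resource IDs used in the usage section are constructed sample values.

```python
"""Build and validate Alibaba Cloud BaaS (Hyperledger Fabric) ARNs.

Added example, not part of the Alibaba Cloud documentation or SDK.
The ARN layouts follow the resource table above; the rule that channel
and chaincode ARNs must carry region "*" follows the note above.
"""
import re

RESOURCE_TYPES = {"consortium", "organization", "channel", "chaincode"}
# Global resources: their ARN region field must be "*".
GLOBAL_RESOURCE_TYPES = {"channel", "chaincode"}

ARN_RE = re.compile(
    r"^acs:baas:(?P<region>[^:]+):(?P<account>[^:]+):"
    r"(?P<rtype>consortium|organization|channel|chaincode)/(?P<rid>[^:/]+)$"
)


def build_arn(rtype, account_id, resource_id, region_id=None):
    """Return the ARN for a resource, forcing region "*" for global types."""
    if rtype not in RESOURCE_TYPES:
        raise ValueError(f"unknown BaaS resource type: {rtype}")
    if rtype in GLOBAL_RESOURCE_TYPES:
        region = "*"  # region_id is ignored: channels/chaincodes are global
    elif region_id:
        region = region_id
    else:
        raise ValueError(f"{rtype} ARNs are regional; region_id is required")
    return f"acs:baas:{region}:{account_id}:{rtype}/{resource_id}"


def parse_arn(arn):
    """Split an ARN into region, account, resource type and resource ID."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed BaaS ARN: {arn}")
    return m.groupdict()


def validate_arn(arn):
    """Return a list of problems; an empty list means the ARN is well formed."""
    try:
        fields = parse_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if fields["rtype"] in GLOBAL_RESOURCE_TYPES and fields["region"] != "*":
        problems.append(
            f'{fields["rtype"]} is a global resource; region must be "*", '
            f'got {fields["region"]!r}'
        )
    return problems


if __name__ == "__main__":
    # Constructed sample IDs (not real resources).
    print(build_arn("organization", "123456789012", "org-a", "cn-hangzhou"))
    print(build_arn("chaincode", "123456789012", "cc-1", "cn-hangzhou"))
    print(validate_arn("acs:baas:cn-hangzhou:123456789012:chaincode/cc-1"))
```

A policy author can run validate_arn over every Resource entry before attaching a policy; a chaincode or channel ARN with a concrete region in it will never match the resource the service actually checks.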

Hyperledger Fabric API operations

The following table lists the API operations that are authorized by default in the Hyperledger Fabric blockchain. RAM users and STS token holders can call these operations without an explicit policy.

API operation
CheckFabricConsortiumDomain
CheckFabricOrganizationDomain
DescribeTasks
DescribeRootDomain
DescribeFabricConsortiumConfig
DescribeFabricConsortiumSpecs
DescribeFabricOrganizationSpecs
DescribeFabricInviter
DescribeFabricChaincodeUploadPolicy
AcceptFabricInvitation

The following table lists the Hyperledger Fabric API operations that can be authorized and the corresponding ARN formats. Where an operation lists several ARNs, it is authorized against each of the listed resources, so the policy must cover all of them.

API operation                              ARN format
CreateFabricOrganization                   acs:baas:$regionId:$accountId:organization/*
DescribeFabricOrganization                 acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationDeletable        acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizations                acs:baas:*:$accountId:organization/*
DescribeFabricCandidateOrganizations       acs:baas:*:$accountId:organization/*
CreateFabricChannel                        acs:baas:*:$accountId:channel/*
                                           acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricOrganizationChannels         acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricConsortiumChannels           acs:baas:$regionId:$accountId:consortium/$consortiumId
CreateFabricChannelMember                  acs:baas:*:$accountId:channel/$channelId
DescribeFabricChannelMembers               acs:baas:*:$accountId:channel/$channelId
JoinFabricChannel                          acs:baas:*:$accountId:channel/$channelId
CreateFabricConsortium                     acs:baas:$regionId:$accountId:consortium/*
CreateFabricConsortiumMember               acs:baas:$regionId:$accountId:consortium/$consortiumId
ConfirmFabricConsortiumMember              acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricOrganizationMembers          acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationPeers            acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricConsortiums                  acs:baas:*:$accountId:consortium/*
DescribeFabricConsortiumAdminStatus        acs:baas:*:$accountId:consortium/*
DescribeFabricConsortiumMembers            acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricConsortiumMemberApproval     acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricConsortiumOrderers           acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricConsortiumDeletable          acs:baas:$regionId:$accountId:consortium/$consortiumId
CreateFabricChaincode                      acs:baas:*:$accountId:chaincode/*
                                           acs:baas:*:$accountId:channel/$channelId
                                           acs:baas:$regionId:$accountId:consortium/$consortiumId
                                           acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationChaincodes       acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricConsortiumChaincodes         acs:baas:$regionId:$accountId:consortium/$consortiumId
DeleteFabricChaincode                      acs:baas:*:$accountId:chaincode/$chaincodeId
InstallFabricChaincode                     acs:baas:*:$accountId:chaincode/$chaincodeId
                                           acs:baas:$regionId:$accountId:organization/$organizationId
InstantiateFabricChaincode                 acs:baas:*:$accountId:chaincode/$chaincodeId
                                           acs:baas:$regionId:$accountId:organization/$organizationId
UpgradeFabricChaincode                     acs:baas:*:$accountId:chaincode/$chaincodeId
                                           acs:baas:$regionId:$accountId:organization/$organizationId
SynchronizeFabricChaincode                 acs:baas:*:$accountId:chaincode/$chaincodeId
                                           acs:baas:$regionId:$accountId:organization/$organizationId
CreateFabricOrganizationUser               acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationUsers            acs:baas:$regionId:$accountId:organization/$organizationId
ResetFabricOrganizationUserPassword        acs:baas:$regionId:$accountId:organization/$organizationId
DownloadFabricOrganizationSDK              acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricInvitationCode               acs:baas:$regionId:$accountId:consortium/$consortiumId

Examples of Hyperledger Fabric RAM authorization rules

Example 1: Grant read-only access to BaaS. This permission lets the user view the blockchain status through the console or API and download the SDK.

{
  "Statement": [{
    "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
    "Effect": "Allow",
    "Resource": "acs:baas:*:*:*"
  }],
  "Version": "1"
}

Example 2: Grant chaincode management permissions, including uploading, installing, and instantiating chaincodes. This permission lets the user manage all chaincodes through the console or API. Note that the action pattern "baas:*Chaincode" matches every operation whose name ends in Chaincode, which in the table above also includes DeleteFabricChaincode, UpgradeFabricChaincode, and SynchronizeFabricChaincode.

{
  "Statement": [{
    "Action": "baas:*Chaincode",
    "Effect": "Allow",
    "Resource": ["acs:baas:*:*:chaincode/*", "acs:baas:*:*:organization/*", "acs:baas:*:*:consortium/*", "acs:baas:*:*:channel/*"]
  }],
  "Version": "1"
}

Example 3: Authorization for chaincode development. This role usually needs all read-type operations plus chaincode management operations on specific organizations. Following the principle of least privilege, restrict the user to creating chaincodes only for specific consortia, organizations, and channels, and to installing or instantiating chaincodes only in specific organizations. Replace $consortiumId, $organizationId, and $channelId with the IDs of the actual resources in the blockchain service.

{
  "Statement": [{
    "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
    "Effect": "Allow",
    "Resource": "acs:baas:*:*:*"
  },
  {
    "Action": "baas:*Chaincode",
    "Effect": "Allow",
    "Resource": ["acs:baas:*:*:chaincode/*", "acs:baas:*:*:organization/$organizationId", "acs:baas:*:*:consortium/$consortiumId", "acs:baas:*:*:channel/$channelId"]
  }],
  "Version": "1"
}
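To check what a policy such as Example 3 actually permits before attaching it, the following simulator evaluates an operation against a policy using the operation-to-ARN mapping from the table of authorizable operations above. It is an added example, not the Alibaba Cloud RAM policy engine or SDK. It assumes a simplified matching model: "*" in an Action or Resource string matches any run of characters, an operation is allowed only when every ARN it is authorized against is matched by an Allow statement and by no Deny statement, and the region, account and resource IDs (org-a, cons-1, ch-1, cc-1) are constructed sample values. Only a subset of the operations table is encoded.

```python
"""Policy simulator for the BaaS RAM authorization examples above.

Added example; not the Alibaba Cloud RAM policy engine or SDK.
Assumptions: "*" matches any run of characters in Action and Resource
strings; an operation is allowed only if every ARN it is authorized
against (per the operations table above) is matched by an Allow
statement and by no Deny statement. All IDs are constructed samples.
"""
import re

# ARNs each operation is authorized against (subset of the table above).
# Brace placeholders are filled from the request context.
OPERATION_RESOURCES = {
    "DescribeFabricOrganization": [
        "acs:baas:{region}:{account}:organization/{organizationId}"],
    "DownloadFabricOrganizationSDK": [
        "acs:baas:{region}:{account}:organization/{organizationId}"],
    "CreateFabricChaincode": [
        "acs:baas:*:{account}:chaincode/*",
        "acs:baas:*:{account}:channel/{channelId}",
        "acs:baas:{region}:{account}:consortium/{consortiumId}",
        "acs:baas:{region}:{account}:organization/{organizationId}"],
    "InstallFabricChaincode": [
        "acs:baas:*:{account}:chaincode/{chaincodeId}",
        "acs:baas:{region}:{account}:organization/{organizationId}"],
    "DeleteFabricChaincode": [
        "acs:baas:*:{account}:chaincode/{chaincodeId}"],
}

# Example 3 from above, with constructed IDs in place of the placeholders.
DEV_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
         "Effect": "Allow", "Resource": "acs:baas:*:*:*"},
        {"Action": "baas:*Chaincode", "Effect": "Allow",
         "Resource": ["acs:baas:*:*:chaincode/*",
                      "acs:baas:*:*:organization/org-a",
                      "acs:baas:*:*:consortium/cons-1",
                      "acs:baas:*:*:channel/ch-1"]},
    ],
}

# Constructed request context: a developer working in org-a / cons-1 / ch-1.
CTX = {"region": "cn-hangzhou", "account": "123456789012",
       "organizationId": "org-a", "consortiumId": "cons-1",
       "channelId": "ch-1", "chaincodeId": "cc-1"}


def glob_match(pattern, value):
    """Match a RAM-style pattern in which only "*" is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, arn):
    return (any(glob_match(a, action) for a in _as_list(stmt["Action"]))
            and any(glob_match(r, arn) for r in _as_list(stmt["Resource"])))


def is_allowed(policy, operation, ctx):
    """True when every ARN the operation needs is allowed and none is denied."""
    action = "baas:" + operation
    for template in OPERATION_RESOURCES[operation]:
        arn = template.format(**ctx)
        matched = [s for s in policy["Statement"]
                   if _statement_matches(s, action, arn)]
        if any(s["Effect"] == "Deny" for s in matched):
            return False  # explicit Deny wins over any Allow
        if not any(s["Effect"] == "Allow" for s in matched):
            return False  # no statement covers this resource
    return True


def with_deny(policy, action_pattern, resource_pattern="acs:baas:*:*:*"):
    """Return a copy of the policy with an explicit Deny statement appended."""
    deny = {"Action": action_pattern, "Effect": "Deny",
            "Resource": resource_pattern}
    return {"Version": policy["Version"],
            "Statement": policy["Statement"] + [deny]}


if __name__ == "__main__":
    other_org = dict(CTX, organizationId="org-b")
    print(is_allowed(DEV_POLICY, "InstallFabricChaincode", CTX))        # True
    print(is_allowed(DEV_POLICY, "InstallFabricChaincode", other_org))  # False
    print(is_allowed(DEV_POLICY, "DeleteFabricChaincode", CTX))         # True
    tightened = with_deny(DEV_POLICY, "baas:DeleteFabricChaincode")
    print(is_allowed(tightened, "DeleteFabricChaincode", CTX))          # False
```

The run shows the least-privilege effect of Example 3: installation succeeds in org-a and fails in org-b, and creating a chaincode fails as soon as the channel is not ch-1. It also shows that "baas:*Chaincode" still allows DeleteFabricChaincode; the with_deny helper demonstrates carving that out with an explicit Deny statement.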