You can create a custom policy in the Resource Access Management (RAM) console to revoke the permissions that allow a RAM user to change the metering method of Alibaba Cloud CDN. This topic describes how to create a custom policy in RAM to revoke the permissions on changing the metering method.

Background information

Alibaba Cloud CDN allows you to create RAM users to manage different types of workloads. RAM users that are granted the AliyunCDNFullAccess policy have full permissions on Alibaba Cloud CDN. For example, they can view data, manage domain names, and change the metering method of Alibaba Cloud CDN. If you want to revoke the permissions on changing the metering method but retain other permissions for a RAM user, you must create a custom policy in the RAM console. For more information about RAM user permissions, see View the permissions of a RAM user.

Procedure

Create a custom policy.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. In the editor on the JSON tab, add the following policy document to revoke the permissions on changing the metering method.
    {
        "Statement": [
            {
                "Action": "cdn:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cdn:OpenCdnService",
                    "cdn:ModifyCdnService"
                ],
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cdn-waf.cdn.aliyuncs.com",
                            "cdn-ddos.cdn.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note
    • For more information about how to use the Action or Resource element, see Policy elements.
    • You can also select Visualized and click Add Statement to add custom statements.
  6. Click Next to edit policy information.
  7. Specify the Name and Description fields.
  8. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  9. Click OK.
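
The policy above works because an explicit Deny overrides any matching Allow, including an Allow from another policy that stays attached to the same RAM user. The following Python check is an added example, not part of the original procedure or of any Alibaba Cloud tooling. It evaluates the policy document offline with a simplified model: Resource matching is skipped because every statement uses "*", only the StringEquals operator is modelled, and BROAD_CDN_GRANT is a constructed stand-in for a broad CDN grant, not the real text of AliyunCDNFullAccess.

```python
import json
from fnmatch import fnmatchcase

# Policy document from step 5 of the procedure above.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "cdn:*", "Resource": "*", "Effect": "Allow"},
  {"Action": ["cdn:OpenCdnService", "cdn:ModifyCdnService"],
   "Resource": "*", "Effect": "Deny"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName":
     ["cdn-waf.cdn.aliyuncs.com", "cdn-ddos.cdn.aliyuncs.com"]}}}
]}
""")

# Constructed stand-in for a broad CDN grant attached alongside the custom policy
# (an assumption for illustration, not the real text of AliyunCDNFullAccess).
BROAD_CDN_GRANT = {"Version": "1", "Statement": [
    {"Action": "cdn:*", "Resource": "*", "Effect": "Allow"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(stmt, context):
    # Simplification: only StringEquals is modelled, the one operator this policy uses.
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(k) in _as_list(v) for k, v in wanted.items())

def evaluate(policies, action, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across all attached policies."""
    context = context or {}
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_ok(stmt, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every matching Allow
            verdict = "Allow"
    return verdict

if __name__ == "__main__":
    attached = [BROAD_CDN_GRANT, POLICY]
    for action in ("cdn:ModifyCdnService", "cdn:OpenCdnService", "cdn:DescribeUserDomains"):
        print(f"{action:28} {evaluate(attached, action)}")
    ctx = {"ram:ServiceName": "cdn-waf.cdn.aliyuncs.com"}
    print("ram:CreateServiceLinkedRole ", evaluate([POLICY], "ram:CreateServiceLinkedRole", ctx))
```

The service-linked role statement only allows the request when ram:ServiceName is one of the two listed CDN services; any other service name, or a request without that key, falls through to an implicit deny.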

Grant permissions to a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, configure the required parameters.
    Add permissions
    Parameter: Description
    • Authorized Scope: Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account.
    • Principal: The RAM user created in the previous step is automatically selected.
    • Select Policy: Click the Custom Policy tab. Enter the name of the custom policy that you created. After the system displays the policy, click its name to add it to the Selected list.
  5. Click OK.
  6. Click Complete.