RAM authorization - AnalyticDB for MySQL - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by ADB. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ADB is adb. You can grant permissions on ADB at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

ADB defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
adb:AllocateClusterPublicConnection	AllocateClusterPublicConnection	Write	All Resources *	None	None
adb:ApplyAdviceById	ApplyAdviceById	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:AttachUserENI	AttachUserENI	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:BatchApplyAdviceByIdList	BatchApplyAdviceByIdList	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:BindDBResourceGroupWithUser	BindDBResourceGroupWithUser	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:BindDBResourcePoolWithUser	BindDBResourcePoolWithUser	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:CreateAccount	CreateAccount	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:CreateDBCluster	CreateDBCluster	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/*	adb:DiskEncryption	None
adb:CreateDBResourceGroup	CreateDBResourceGroup	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:CreateDBResourcePool	CreateDBResourcePool	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:CreateElasticPlan	CreateElasticPlan	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DeleteAccount	DeleteAccount	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DeleteDBCluster	DeleteDBCluster	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DeleteDBResourceGroup	DeleteDBResourceGroup	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DeleteDBResourcePool	DeleteDBResourcePool	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DeleteElasticPlan	DeleteElasticPlan	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeAccounts	DescribeAccounts	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeAdviceServiceEnabled	DescribeAdviceServiceEnabled	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeAllDataSource	DescribeAllDataSource	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeAppliedAdvices	DescribeAppliedAdvices	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeAuditLogConfig	DescribeAuditLogConfig	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeAuditLogRecords	DescribeAuditLogRecords	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeAutoRenewAttribute	DescribeAutoRenewAttribute	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeAvailableAdvices	DescribeAvailableAdvices	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeAvailableResource	DescribeAvailableResource	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/*	None	None
adb:DescribeBackups	DescribeBackups	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeColumns	DescribeColumns	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeComputeResource	DescribeComputeResource	Read	All Resources *	None	None
adb:DescribeConnectionCountRecords	DescribeConnectionCountRecords	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDBClusterAccessWhiteList	DescribeDBClusterAccessWhiteList	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeDBClusterAttribute	DescribeDBClusterAttribute	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeDBClusterHealthStatus	DescribeDBClusterHealthStatus	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDBClusterNetInfo	DescribeDBClusterNetInfo	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeDBClusterPerformance	DescribeDBClusterPerformance	List	DBClusterLakeVersion acs:adb:{#Region}:{#AccountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDBClusterResourcePoolPerformance	DescribeDBClusterResourcePoolPerformance	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDBClusters	DescribeDBClusters	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/*	None	None
adb:DescribeDBResourceGroup	DescribeDBResourceGroup	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeDBResourcePool	DescribeDBResourcePool	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDiagnosisDimensions	DescribeDiagnosisDimensions	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDiagnosisMonitorPerformance	DescribeDiagnosisMonitorPerformance	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDiagnosisRecords	DescribeDiagnosisRecords	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDiagnosisSQLInfo	DescribeDiagnosisSQLInfo	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDiagnosisTasks	DescribeDiagnosisTasks	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeDownloadRecords	DescribeDownloadRecords	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeEIURange	DescribeEIURange	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeElasticDailyPlan	DescribeElasticDailyPlan	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeElasticPlan	DescribeElasticPlan	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeInclinedTables	DescribeInclinedTables	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeLoadTasksRecords	DescribeLoadTasksRecords	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeMaintenanceAction	DescribeMaintenanceAction	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/*	None	None
adb:DescribePatternPerformance	DescribePatternPerformance	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeProcessList	DescribeProcessList	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeResubmitConfig	DescribeResubmitConfig	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeSQAConfig	DescribeSQAConfig	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeSQLPatterns	DescribeSQLPatterns	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeSQLPlan	DescribeSQLPlan	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeSQLPlanTask	DescribeSQLPlanTask	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeSchemas	DescribeSchemas	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeSlowLogRecords	DescribeSlowLogRecords	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:DescribeSlowLogTrend	DescribeSlowLogTrend	Read	All Resources *	None	None
adb:DescribeSqlPattern	DescribeSqlPattern	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeTableAccessCount	DescribeTableAccessCount	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeTablePartitionDiagnose	DescribeTablePartitionDiagnose	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeTableStatistics	DescribeTableStatistics	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeTables	DescribeTables	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DescribeTaskInfo	DescribeTaskInfo	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DetachUserENI	DetachUserENI	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DisableAdviceService	DisableAdviceService	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:DownloadDiagnosisRecords	DownloadDiagnosisRecords	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:EnableAdviceService	EnableAdviceService	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:GrantOperatorPermission	GrantOperatorPermission	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ListTagResources	ListTagResources	Read	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:MigrateDBCluster	MigrateDBCluster	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyAuditLogConfig	ModifyAuditLogConfig	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyAutoRenewAttribute	ModifyAutoRenewAttribute	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyBackupPolicy	ModifyBackupPolicy	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ModifyClusterConnectionString	ModifyClusterConnectionString	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyDBCluster	ModifyDBCluster	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ModifyDBClusterAccessWhiteList	ModifyDBClusterAccessWhiteList	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyDBClusterDescription	ModifyDBClusterDescription	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ModifyDBClusterMaintainTime	ModifyDBClusterMaintainTime	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ModifyDBClusterPayType	ModifyDBClusterPayType	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ModifyDBClusterResourceGroup	ModifyDBClusterResourceGroup	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyDBResourceGroup	ModifyDBResourceGroup	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:ModifyDBResourcePool	ModifyDBResourcePool	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyElasticPlan	ModifyElasticPlan	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifyLogBackupPolicy	ModifyLogBackupPolicy	Write	All Resources *	None	None
adb:ModifyMaintenanceAction	ModifyMaintenanceAction	Write	All Resources *	None	None
adb:ModifyResubmitConfig	ModifyResubmitConfig	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ModifySQAConfig	ModifySQAConfig	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}	None	None
adb:ResetAccountPassword	ResetAccountPassword	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:TagResources	TagResources	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:UnbindDBResourceGroupWithUser	UnbindDBResourceGroupWithUser	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None
adb:UntagResources	UntagResources	Write	DBCluster acs:adb:{#regionId}:{#accountId}:dbcluster/{#dbclusterId}	None	None

Resource

ADB defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
DBCluster	acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}
DBClusterLakeVersion	acs:adb:{#regionId}:{#accountId}:dbcluster/{#DBClusterId}

Condition

ADB defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to ADB. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type
adb:DiskEncryption		String

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: