To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant the management permissions on ApsaraDB for MongoDB to RAM users. In this way, RAM users can manage ApsaraDB for MongoDB instances.

Grant permissions to RAM users

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a RAM user. For more information, see Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the RAM user to which you want to attach authorization policies and click Add Permissions in the Actions column.
  5. In the Add Permissions panel, grant permissions to the RAM user.
    1. Specify the Authorized Scope parameter.
      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specified resource group.
        Note This value takes effect only if ApsaraDB for MongoDB supports the specified resource group. For more information, see Services that work with Resource Group.
    2. Specify the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify a different RAM user.

    3. Select authorization policies.
      1. Enter mongodb in the search box. Then, the related permission policies are displayed.
        Note
        • AliyunMongoDBFullAccess: grants a RAM user full management permissions on ApsaraDB for MongoDB.
        • AliyunMongoDBReadOnlyAccess: grants a RAM user the read-only permissions on ApsaraDB for MongoDB.
      2. Click a policy name to add the policy to the Selected section.
  6. Click OK.
  7. Click Complete.

Customize a RAM policy

You can use system policies to grant RAM users permissions on all ApsaraDB for MongoDB resources. You can also use custom policies as needed to grant RAM users specific operation permissions on specific instances. For information about the syntax of custom policies, see Policy structure and syntax.

Use RAM to grant permissions on ApsaraDB for MongoDB resources

You can use RAM to grant permissions only on ApsaraDB for MongoDB instances. When you use RAM to grant permissions, you can describe resources in the Resource field of the policy.
Resource type    Resource description in the policy
dbinstance       acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
The following table describes the parameters used in the preceding resource description.
Parameter        Description
$regionid        The region ID. This value can be set to a wildcard asterisk (*).
$dbinstanceid    The instance ID. This value can be set to a wildcard asterisk (*).
$accountid       The ID of your Alibaba Cloud account. This value can be set to a wildcard asterisk (*).

Operations that you can authorize RAM users to call

In the RAM console, you can authorize RAM users to call the following operations on an ApsaraDB for MongoDB resource.

Operation                        Description
CreateDBInstance                 Creates an ApsaraDB for MongoDB instance.
ModifyDBInstanceSpec             Modifies the configurations of an ApsaraDB for MongoDB instance.
DeleteDBInstance                 Deletes an ApsaraDB for MongoDB instance.
DescribeDBInstances              Queries an ApsaraDB for MongoDB instance.
RestartDBInstance                Restarts an ApsaraDB for MongoDB instance.
DescribeSecurityIps              Queries the whitelists of an ApsaraDB for MongoDB instance.
ModifySecurityIps                Modifies the whitelists of an ApsaraDB for MongoDB instance.
ResetAccountPassword             Resets the account password for an ApsaraDB for MongoDB instance.
DescribeBackupPolicy             Queries the backup policy of an ApsaraDB for MongoDB instance.
ModifyBackupPolicy               Modifies the backup policy of an ApsaraDB for MongoDB instance.
CreateBackup                     Creates a backup for an ApsaraDB for MongoDB instance.
RestoreDBInstance                Restores the data in an ApsaraDB for MongoDB instance.
DescribeAccounts                 Queries the database accounts of an ApsaraDB for MongoDB instance.
DescribeDBInstancePerformance    Queries the state of an ApsaraDB for MongoDB instance.
DescribeReplicaSetRole           Queries the primary/secondary attribute of an ApsaraDB for MongoDB instance.
ModifyDBInstanceDescription      Modifies the description of an ApsaraDB for MongoDB instance.
ModifyAccountDescription         Modifies the description of a database account of an ApsaraDB for MongoDB instance.
DescribeDBInstanceAttribute      Queries the attributes of an ApsaraDB for MongoDB instance.
RenewDBInstance                  Renews an ApsaraDB for MongoDB instance.
ModifyDBInstanceNetworkType      Modifies the network type of an ApsaraDB for MongoDB instance.
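The resource description format from the previous section and the operation names from the table above are the two ingredients of a custom policy. The following Python example is added here for illustration and is not Alibaba Cloud's own code or API: it builds a least-privilege custom policy for a single instance and runs a local, simplified allow/deny check over it so that a reviewer can confirm the policy grants exactly the intended operations before attaching it to a RAM user. It assumes that operations are written as "dds:<Operation>", reusing the service code "dds" from the resource string; the region, account ID and instance ID are constructed placeholders; and the evaluator is an approximation of policy matching for review purposes, not the RAM evaluation engine.

```python
import json
from fnmatch import fnmatchcase


def mongodb_instance_resource(region_id="*", account_id="*", instance_id="*"):
    """Build the resource description used for an ApsaraDB for MongoDB instance.

    Format from the documentation: acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
    Any of the three fields may be the wildcard asterisk (*).
    """
    return f"acs:dds:{region_id}:{account_id}:dbinstance/{instance_id}"


def build_custom_policy(actions, resources):
    """Return a RAM custom policy document (as a dict) allowing `actions` on `resources`.

    Assumption: each operation is written as "dds:<Operation>", using the service
    code "dds" that appears in the resource string.
    """
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [f"dds:{op}" for op in actions],
                "Resource": list(resources),
            }
        ],
    }


def _matches(pattern, value):
    # Wildcard matching: "*" matches any run of characters, comparison is case-sensitive.
    # Instance and account IDs contain no "?" or "[" characters, so fnmatch is safe here.
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified evaluator: default deny; an Allow applies only if no Deny matches."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        hit = any(_matches(a, action) for a in acts) and any(_matches(r, resource) for r in ress)
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample: an operator who may inspect and restart one instance,
# but may neither delete it nor act on any other instance.
# The account ID and instance ID are placeholders, not real identifiers.
OPERATOR_ACTIONS = [
    "DescribeDBInstances",
    "DescribeDBInstanceAttribute",
    "DescribeSecurityIps",
    "RestartDBInstance",
]
TARGET_INSTANCE = mongodb_instance_resource("cn-hangzhou", "1234567890123456", "dds-bp1example")
OPERATOR_POLICY = build_custom_policy(OPERATOR_ACTIONS, [TARGET_INSTANCE])


def review_policy(policy, instance_resource, other_instance_resource):
    """Checks a reviewer would want answered before attaching the policy to a RAM user."""
    return {
        "can_restart_target": is_allowed(policy, "dds:RestartDBInstance", instance_resource),
        "can_delete_target": is_allowed(policy, "dds:DeleteDBInstance", instance_resource),
        "can_touch_other": is_allowed(policy, "dds:DescribeDBInstances", other_instance_resource),
        # A trailing "dbinstance/*" means the statement covers every instance, not one.
        "wildcard_resource": any(
            r.endswith("dbinstance/*") for s in policy["Statement"] for r in s["Resource"]
        ),
    }


if __name__ == "__main__":
    print(json.dumps(OPERATOR_POLICY, indent=2))
    other = mongodb_instance_resource("cn-hangzhou", "1234567890123456", "dds-bp1other")
    print(review_policy(OPERATOR_POLICY, TARGET_INSTANCE, other))
```

Running the script prints the policy JSON that can be pasted into the custom policy editor, followed by the review result; the `wildcard_resource` check is the one that catches a policy that was meant for one instance but was written with `dbinstance/*`, which is equivalent to the system-wide scope the documentation attributes to the system policies.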