
Cloud Architect Design Tools: CADT permission management overview

Last Updated: Mar 11, 2026

Cloud Architect Design Tools (CADT) natively supports the Alibaba Cloud Resource Access Management (RAM) and Resource Management frameworks, which helps you easily manage permissions for CADT, its applications, and templates.

Function introduction

On the CADT Permission Management page, you can create users, create resource groups, and grant authorization to users and resource groups.

Note

The permission management feature of Cloud Architect Design Tools is available only to root accounts.

  • Create a user: Create a RAM user and grant permissions to allow the user to access the required resources.

  • Create a resource group: Create resource groups to manage cloud resources by dimensions, such as business departments or projects.

  • User authorization: After you grant permissions to a RAM user, the user can access the corresponding Alibaba Cloud resources.

  • Resource group authorization: This grants the authorized entity the specified permissions on resources within the current resource group.


This topic uses a simple example to demonstrate common scenarios and methods for using CADT permission management.

Scenario Simulation

Assume you have two applications in CADT: app-test and app-dev. You need to grant permissions for these applications to specific users. For example, you want to grant a developer (cadt-dev001) permissions to operate only the app-dev application, and grant a tester (cadt-test001) permissions to operate only the app-test application.

Prerequisites

Before you begin, create two applications in CADT: app-test and app-dev. For more information, see Create a CADT application. The applications are shown in the following figure.


Step 1: Create users

First, create two RAM users to represent the developer (cadt-dev001) and the tester (cadt-test001).

  1. (Alibaba Cloud account) Log on to the Cloud Architect Design Tools (CADT) console.

  2. In the menu bar, choose Management > Permission Management to open the Permission Management page.

    Note

    The permission management feature of Cloud Architect Design Tools is exclusive to root accounts.

  3. On the Permission Management page, click Create User.

  4. Create the developer user (cadt-dev001). Configure the parameters as shown in the following figure and click OK.

  5. Create the tester user (cadt-test001) in the same way.

    After the two RAM users are created, they are displayed as shown in the following figure:


Step 2: Create resource groups

Create two resource groups: a development environment (dev) and a staging environment (test). These groups correspond to the operating environments of the developer and the tester and are used to isolate their resources from each other.

  1. On the CADT Permission Management page, click Create Resource Group.

  2. Create the development environment (dev) resource group. Configure the parameters as shown in the following figure and click OK.

  3. Create the staging environment (test) resource group in the same way.

    After the resource groups are created, they are displayed on the Permission Management page as shown in the following figure.

Step 3: Grant authorization to RAM users and resource groups

After you create the RAM users and resource groups, grant the RAM users permissions to operate cloud resources in specific resource groups.

  1. On the CADT Permission Management page, click User Authorization or Resource Group Authorization.

  2. Select a user, such as the developer cadt-dev001, and click Add Permission.

  3. On the Add Permission page, configure the following parameters and click OK.

    • Authorization Scope: Select an authorization scope. For account-level authorization, enter the account in the Authorized Entity field. For resource group-level authorization, specify a resource group.

    • Authorized Entity: sls-test@*****aliyun.com

    • Access policy: For more information about CADT system policies, see CADT system policies and usage. If the system policies do not meet your requirements, you can create custom policies for CADT to implement fine-grained permission management.

      This example grants the sls-test user the administrative permissions for CADT.

  4. Grant permissions to the tester cadt-test001 in the same way.

Step 4: Grant authorization for CADT applications

After you grant permissions to the RAM users and resource groups, add the CADT applications to the corresponding resource groups. This ensures that only users within the same resource group can operate the corresponding CADT applications.

  1. On the CADT Permission Management page, find the development environment (dev) resource group and click Add Authorization.

  2. On the Add Authorization page, open the My Applications tab. Select the application or template to authorize. In this example, select the app-dev application and click Authorize.

  3. After authorization is complete, the page appears as shown in the following figure.

  4. Add the app-test application to the staging environment (test) resource group in the same way.

Step 5: Verify the results

After you complete the steps, verify that the developer (cadt-dev001) can operate only the app-dev application, and the tester (cadt-test001) can operate only the app-test application.

  1. On the Overview page of the Resource Access Management (RAM) console for your Alibaba Cloud account, record the user logon URL.

  2. In a different browser or in incognito mode, open the user logon URL. Log on using the username and password. For example, log on as the developer (cadt-dev001).

  3. Log on to the CADT console. The developer (cadt-dev001) has permissions for only the development environment, which is the expected result. Switch to the development environment.

  4. Go to the Applications > My Applications page. The developer account (cadt-dev001) can view only the app-dev application.


  5. Similarly, verify the test user account (cadt-test001). The account is successfully verified.
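
The outcome expected in Step 5 can be written down as an access matrix and checked offline before anyone logs on. The following is an added example, not Alibaba Cloud code or an API: the record fields, the `<cadt-policy>` placeholder and the function names are constructed for illustration, and the model assumes that an account-level grant is not restricted to any resource group.

```python
"""Offline model of the scenario: who can operate which CADT application.
Constructed data; field names are hypothetical, not an Alibaba Cloud API."""

ACCOUNT, RESOURCE_GROUP = "account", "resource-group"

# Step 4: application -> resource group it was added to.
APP_GROUP = {"app-dev": "dev", "app-test": "test"}

# Step 3: one record per Add Permission action (policy name is a placeholder).
GRANTS = [
    {"user": "cadt-dev001", "scope": RESOURCE_GROUP, "group": "dev", "policy": "<cadt-policy>"},
    {"user": "cadt-test001", "scope": RESOURCE_GROUP, "group": "test", "policy": "<cadt-policy>"},
]

# Step 5: what each user is expected to see under My Applications.
EXPECTED = {"cadt-dev001": {"app-dev"}, "cadt-test001": {"app-test"}}


def effective_apps(user, grants, app_group):
    """Applications a user can operate given their grants."""
    apps = set()
    for g in grants:
        if g["user"] != user:
            continue
        if g["scope"] == ACCOUNT:
            # Assumption: account-level scope is not limited to a resource group.
            apps.update(app_group)
        else:
            apps.update(a for a, grp in app_group.items() if grp == g["group"])
    return apps


def audit(grants, app_group, expected):
    """Return findings where effective access differs from the expected matrix."""
    findings = []
    for user, want in sorted(expected.items()):
        have = effective_apps(user, grants, app_group)
        findings += [(user, app, "excess access") for app in sorted(have - want)]
        findings += [(user, app, "missing access") for app in sorted(want - have)]
    return findings


if __name__ == "__main__":
    print(audit(GRANTS, APP_GROUP, EXPECTED))  # scenario as configured
    wide = GRANTS + [{"user": "cadt-test001", "scope": ACCOUNT,
                      "group": None, "policy": "<cadt-policy>"}]
    print(audit(wide, APP_GROUP, EXPECTED))    # account-level grant breaks isolation
```

An empty result means the configured grants match the scenario; the second call shows how a single account-level grant to the tester would surface as excess access to app-dev.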