
Channel Platform RAM Authorization

Last Updated: Jan 11, 2019

Channel Platform supports the account system of Alibaba Cloud Resource Access Management (RAM). You can create RAM users under your tenant account instead of sharing the tenant account's access key with other people. You can also grant each RAM user only the minimum permissions it needs, which separates responsibilities and supports efficient enterprise management.

About RAM users

When you use your tenant account in Channel Platform, you can allocate different roles and resources to the RAM users under the tenant account, so that different types of jobs are completed under different user identities. The permission model is similar to the distinction between the system user and common users in Linux: the system user can grant permissions to regular users and revoke them again.

Note: Make sure that you have read the RAM Documentation and RAM API Reference before you use RAM to authorize and access Channel Platform.

Create a RAM user

Follow these steps:

  1. Click Users in the RAM console.

  2. Click Create User in the upper-right corner of the page. In the Create User dialog box, enter the username and other logon information, and then click OK. The user management page shows a new username, indicating that a RAM user is successfully created.

  3. Click the link to the User Name/Display Name of the user to access the user information page.

  4. In the Web Console Logon Management section, click Enable Console Logon to open the dialog box for password setting.

  5. Enter a new password, and select Require to reset the password upon next logon as needed.

After the preceding steps are complete, a RAM user with the console logon permission is successfully created.

Authorize a RAM user

RAM supports the following two types of policies:

  • System policy: A system policy is a group of common permissions provided by Alibaba Cloud. The permissions include read-only permissions in addition to permissions for different products that are commonly used. System policies cannot be modified by users. The policies are automatically upgraded by Alibaba Cloud.
  • Custom policy: The authorization granularity of the system authorization policies is coarse. If no system policy meets your requirements, you can create a custom policy as needed. For example, if you just want to assign the financial personnel the permission to “Get Bills”, then you must use a custom policy to meet this fine-grained requirement.

Solution 1: Grant system policies for a RAM user

Here are the steps to authorize a RAM user:

  1. Click Users in the left-side pane of the RAM console. Select the user to authorize and click Authorize from the corresponding Action options on the right.

  2. Enter Agency in the search box in the left part of the dialog box, select AliyunAgencyFullAccess and add this option to Selected Authorization Policy Name on the right, and click OK to grant full Channel Platform permissions to the user.

Here are the steps to deauthorize a RAM user:

  1. Click User in the left-side pane of the RAM console. Select the user to deauthorize and click Authorize from the corresponding Action options on the right.
  2. Move the AliyunAgencyFullAccess policy from the right-side area to the left-side area, and click OK.

Selecting the AliyunAgencyFullAccess system policy grants the RAM user all permissions supported by Channel Platform. If such coarse-grained policies do not satisfy your requirements, you can create a custom policy as needed.

Solution 2: Grant a custom policy for a RAM user

Step 1: Create a custom policy

Before you create a custom policy, we recommend that you read about the basic structure and syntax of a policy. For details, see Syntactic Structure.

  1. Click Policy Management in the menu bar on the left side of the RAM console.
  2. Click Modify Authorization Policy in the upper-right corner of the page.
  3. Select “Blank Template” and fill in the policy name, comments, and content.

Example of custom policy content: a policy that grants the permission to “Invite Customers”

  {
    "Statement": [
      {
        "Action": "agency:InviteSubAccount",
        "Effect": "Allow",
        "Resource": "*"
      }
    ],
    "Version": "1"
  }

Example of custom policy content: a policy that grants the permission to “Get Monthly Bill” and “Get Daily Bill”

  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "agency:GetMonthlyBill",
          "agency:GetDailyBill"
        ],
        "Resource": "*"
      }
    ],
    "Version": "1"
  }

Example of custom policy content: a policy that grants the permission to manage reseller customers

  {
    "Statement": [
      {
        "Action": [
          "agency:GetAccountInfo"
        ],
        "Effect": "Allow",
        "Resource": "*"
      },
      {
        "Action": [
          "agency:GetCreditInfo",
          "agency:SetAccountInfo",
          "agency:SetCreditLine",
          "agency:DeductOutstandingBalance",
          "agency:SetZeroCreditShutdownPolicy",
          "agency:SetWarningThreshold",
          "agency:SetCreditStatus"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:agency:*:*:customer/12345",
          "acs:agency:*:*:customer/45678"
        ]
      }
    ],
    "Version": "1"
  }

This policy lets the RAM user read the basic account information of any customer (operation-level action, Resource "*"), but manage the account and credit information only of the customers with UIDs 12345 and 45678 (resource-level actions, restricted by the Resource list).
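To see how the operation-level and resource-level statements of this policy combine, the following added example (not Alibaba Cloud's own code) evaluates the policy above with a simplified RAM-style evaluator. It assumes default deny, an explicit Deny overriding any Allow, and glob-style "*" matching in Action and Resource patterns; the region and account ID in the constructed request ARNs are placeholders.

```python
import fnmatch
import json

# Custom policy copied from the page: basic account info for any customer,
# credit management only for customers 12345 and 45678.
RESELLER_POLICY = json.loads("""
{
  "Statement": [
    {"Action": ["agency:GetAccountInfo"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["agency:GetCreditInfo", "agency:SetAccountInfo",
                "agency:SetCreditLine", "agency:DeductOutstandingBalance",
                "agency:SetZeroCreditShutdownPolicy",
                "agency:SetWarningThreshold", "agency:SetCreditStatus"],
     "Effect": "Allow",
     "Resource": ["acs:agency:*:*:customer/12345",
                  "acs:agency:*:*:customer/45678"]}
  ],
  "Version": "1"
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # Assumption: '*' in a policy pattern matches any run of characters,
    # including ':' and '/', so fnmatch's glob semantics approximate it.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified evaluation: default deny, explicit Deny wins over Allow."""
    decision = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any matching Allow
        decision = True
    return decision


def audit(policy, requests):
    """Map each constructed (action, resource) request to its decision."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}
```

Running `audit` over a handful of constructed requests shows that GetAccountInfo succeeds for any customer while SetCreditLine succeeds only for the two listed UIDs, which is the least-privilege split the policy is meant to enforce.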

When writing policy content for other authorization scenarios, refer to the following list of authorization rules:

Authorization rules

Action                        Description                                        Authorization granularity
InviteSubAccount              Invite different types of channel sub-accounts     Operation level
GetInviteStatus               Query the status of an invitation                  Operation level
ResendEmail                   Resend an invitation email                         Operation level
GetUnassociatedCustomer       Get the list of unassociated customers             Operation level
Orders                        Get order information of associated customers      Operation level
ExportOrder                   Export order data                                  Operation level
ExportTask                    View the export task list                          Operation level
Agency Bills                  Get bills of agency customers                      Operation level
GetAccountInfo                Get channel sub-account information                Operation level
SetAccountInfo                Set channel sub-account information                Resource level
GetCreditInfo                 Query channel sub-account credit information       Resource level
SetCreditLine                 Set channel sub-account credit line                Resource level
DeductOutstandingBalance      Deduct outstanding balance                         Resource level
SetZeroCreditShutdownPolicy   Set zero-credit shutdown policy                    Resource level
SetWarningThreshold           Set budget warning threshold                       Resource level
SetCreditStatus               Set credit status                                  Resource level
GetMonthlyBill                Get monthly billing information                    Operation level
GetDailyBill                  Get daily bill                                     Operation level
CreateCouponTemplate          Create a coupon template                           Operation level
GetTemplateInfo               Get the coupon template list                       Operation level
IssueCoupon                   Issue a coupon                                     Operation level
GetCouponAuthorizationStatus  Get coupon authorization status                    Operation level
CancelRequest                 Cancel an issue request                            Operation level
GetCouponUsage                Get coupon usage status                            Operation level

Step 2: Grant custom policies for a RAM user

The procedure for granting a custom policy to a RAM user is as follows:

  1. Click User in the left-side pane of the RAM console. Select the user to authorize and click Authorize from the corresponding Action options on the right.
  2. On the left side of the dialog box, locate the custom policy name that you wrote, select and add this name to Selected Authorization Name on the right, and click OK.

Log on to the Channel console as a RAM user

  1. On the Overview page of the RAM console, locate the RAM user logon link.

    Note: The logon links of RAM users created by different tenant accounts are different.

  2. On the RAM user logon page, enter the name and password of the RAM user, and then click Logon to access the RAM console of the RAM user.

    Note:

    • Enterprise alias: You do not need to enter it, because it is already included in the RAM user logon link.
    • Name of the RAM user: The logon name that the tenant account set when creating the RAM user.
    • Password of the RAM user: The password that the tenant account set when enabling console logon for the RAM user. If the tenant account selected Require to reset the password upon next logon, the RAM user is asked to reset the password at the first logon, and the new password is then used for all subsequent logons.
  3. After accessing the RAM console, click Enterprise -> Channel Platform in the navigation bar at the top of the page to access the Channel console.