A Resource Access Management (RAM) user does not have any permissions on Compute Nest by default. You must grant permissions to the RAM user. Otherwise, an error message appears when the RAM user logs on to the Compute Nest console. This topic describes how to grant permissions on Compute Nest to a RAM user.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Background information
You can create a RAM user by using an Alibaba Cloud account. You can also create a RAM user by using another RAM user or a RAM role that has administrator permissions. A RAM user is not an independent Alibaba Cloud account. Instead, it belongs to an Alibaba Cloud account.
A RAM user has its own password for logging on to the Alibaba Cloud Management Console or calling Alibaba Cloud APIs. Multiple RAM users can be created within an Alibaba Cloud account.
A RAM user can log on to the Compute Nest console and create service instances only after the RAM user is granted the required permissions. You can grant permissions to a RAM user by attaching policies to the RAM user based on your business requirements.
If a RAM user only needs to log on to the Compute Nest console, you can attach only the system policies of Compute Nest to the RAM user. Compute Nest provides the following system policies:
AliyunComputeNestUserFullAccess: grants full permissions for a customer on Compute Nest.
AliyunComputeNestUserReadOnlyAccess: grants read-only permissions for a customer on Compute Nest.
If a RAM user needs to create service instances, you also need to grant permissions on cloud resources to the RAM user in addition to AliyunComputeNestUserFullAccess. Cloud resource permissions are divided into two categories: required and optional.
You must grant required cloud resource permissions to a RAM user before the RAM user can create a service instance. The following list shows the required cloud resource permissions:
AliyunVPCFullAccess: grants full permissions on Virtual Private Cloud (VPC).
AliyunECSFullAccess: grants full permissions on Elastic Compute Service (ECS).
AliyunTagAdministratorAccess: grants the permissions to use the tag service and manage the tags of all Alibaba Cloud services.
AliyunCloudMonitorFullAccess: grants full permissions on CloudMonitor.
AliyunROSFullAccess: grants full permissions on Resource Orchestration Service (ROS).
You can grant optional cloud resource permissions to a RAM user based on the service instances to be created. For example, if a RAM user needs to assign a public IP address to a cloud resource when the RAM user creates a service instance, you must attach the AliyunEIPFullAccess policy to the RAM user. This policy grants full permissions on Elastic IP Address (EIP). For more information about the Alibaba Cloud services that work with RAM, see Services that work with RAM.
Procedure
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to grant permissions, and click Add Permissions in the Actions column.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The permissions take effect on resources within the current Alibaba Cloud account.
ResourceGroup: The permissions take effect on a specific resource group.
Important: If you want to select ResourceGroup for the Resource Scope parameter, make sure that the involved cloud services and resources support resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to whom you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy is a collection of access permissions. Compute Nest provides the following system policies:
AliyunComputeNestUserFullAccess: grants full permissions for a customer on Compute Nest.
AliyunComputeNestUserReadOnlyAccess: grants read-only permissions for a customer on Compute Nest.
Click Grant permissions.
In the Grant Permission panel, verify that the permissions are granted and click Close.
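The verification in the last step can also be done against an exported policy list, which shows both grants that are missing and grants broader than the user's task needs. The following is an added example, not part of the original documentation: it assumes the JSON shape of a RAM ListPoliciesForUser response, and the profile names and sample data are constructed for illustration.

```python
import json

# Policy names are the ones listed on this page.
NEST_FULL = "AliyunComputeNestUserFullAccess"
NEST_READ = "AliyunComputeNestUserReadOnlyAccess"
PROFILES = {  # hypothetical profile labels, used only by this example
    "console-read": {NEST_READ},
    "console-full": {NEST_FULL},
    "create-instances": {
        NEST_FULL, "AliyunVPCFullAccess", "AliyunECSFullAccess",
        "AliyunTagAdministratorAccess", "AliyunCloudMonitorFullAccess",
        "AliyunROSFullAccess",
    },
}

def attached_system_policies(response_json):
    """Names of system policies in a ListPoliciesForUser-style response.
    Assumed shape: {"Policies": {"Policy": [{"PolicyName", "PolicyType"}]}}.
    Custom policies are skipped here and need a separate review."""
    policies = json.loads(response_json).get("Policies", {}).get("Policy", [])
    return {p["PolicyName"] for p in policies if p.get("PolicyType") == "System"}

def audit(response_json, profile, optional=()):
    """missing: grants the profile needs but the user lacks.
    unexpected: system policies broader than the profile calls for."""
    expected = PROFILES[profile] | set(optional)
    attached = attached_system_policies(response_json)
    return {"missing": sorted(expected - attached),
            "unexpected": sorted(attached - expected)}

# Constructed sample response for a user meant to create service instances.
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": NEST_FULL, "PolicyType": "System"},
    {"PolicyName": "AliyunVPCFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECSFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunROSFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunEIPFullAccess", "PolicyType": "System"},
    {"PolicyName": "example-custom-policy", "PolicyType": "Custom"},
]}})

if __name__ == "__main__":
    print(audit(SAMPLE, "create-instances"))
    print(audit(SAMPLE, "create-instances", optional={"AliyunEIPFullAccess"}))
```

Pass an optional policy such as AliyunEIPFullAccess only when the service instances the user creates actually need it; otherwise it is reported as unexpected.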