Database Autonomy Service: How do I use DAS as a RAM user?

Last Updated: Mar 30, 2026

Grant a RAM user access to Database Autonomy Service (DAS) through Resource Access Management (RAM). Choose the approach that fits your access requirements:

  • Attach a system policy — Fastest setup for standard access levels (full, read-only, or read-only with SQL log export).

  • Create a custom policy — Restrict access to specific database instances or define exact allowed actions.

  • Grant SQL Explorer and Audit export permissions — Add export and search permissions on top of an existing policy, per database type.

Grant access using system policies

System policies are predefined and cover the most common DAS access levels. Use this approach when you need standard access and do not need to restrict access to specific instances.

Policy | Access level
AliyunHDMFullAccess | Full permissions on DAS
AliyunHDMReadOnlyAccess | Read-only permissions on DAS
AliyunHDMReadOnlyWithSQLLogArchiveAccess | Read-only permissions on DAS, plus the search and export features in SQL Explorer and Audit

Steps:

  1. Create a RAM user.

  2. Grant permissions to the RAM user by attaching the appropriate policy from the table above.

Note

You can also use custom policies to grant a RAM user the permissions to use the search and export features in SQL Explorer and Audit. See the Grant SQL Explorer and Audit search and export permissions section below.

Grant access using custom policies

Custom policies let you restrict access to specific database instances or grant only the exact actions a RAM user needs. Use this approach when system policies are broader than your requirements.

A policy defines the authorized resource set, allowed operations, and conditions. For details on policy structure and syntax, see Policy elements and Policy structure and syntax.

Steps:

  1. Create a RAM user.

  2. Create a custom policy on the JSON tab.

  3. Attach the custom policy to the RAM user.

Sample custom policy

The following policy grants read-only DAS permissions on a specific ApsaraDB RDS instance:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "hdm:Get*",
                "hdm:Describe*",
                "hdm:Query*"
            ],
            "Resource": "acs:rds:*:*:dbinstance/<ApsaraDB RDS instance ID>",
            "Effect": "Allow"
        }
    ]
}

Replace <ApsaraDB RDS instance ID> with your actual instance ID. For other database types, use the corresponding Resource pattern:

Database type | Resource pattern
ApsaraDB RDS | acs:rds:*:*:dbinstance/<ApsaraDB RDS instance ID>
ApsaraDB for Redis | acs:kvstore:*:*:*/<ApsaraDB for Redis instance ID>
ApsaraDB for MongoDB | acs:dds:*:*:dbinstance/<ApsaraDB for MongoDB instance ID>
PolarDB for MySQL, PolarDB for PostgreSQL, and PolarDB for PostgreSQL (Compatible with Oracle) | acs:polardb:*:*:*/<PolarDB cluster ID>
PolarDB-X 2.0 | acs:polardbx:*:*:*/<PolarDB-X 2.0 instance ID>

Tip: Add DAS-related permissions to a custom policy of a database service to use DAS features directly in that database service's console.

Troubleshoot the "no permissions" message

After custom permissions are granted, the DAS console may display the following message when the RAM user logs in:

You do not have permissions. Contact the Alibaba Cloud account administrator for authorization

Click the Close icon to dismiss the message. Then append performance/instance/<Instance ID>/detail to the DAS console URL and refresh the page to go directly to the instance details page.

Grant SQL Explorer and Audit search and export permissions

To grant a RAM user access to the search and export features in SQL Explorer and Audit, create a custom policy with the actions listed below for your database type.

Important

To export data from a database service's console, the RAM user must also have read-only permissions on that database service.

Steps:

  1. Create a custom policy on the JSON tab using the policy for your database type.

  2. Attach the custom policy to the RAM user.

ApsaraDB RDS instances

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeSQLLogRecordsList",
        "rds:DescribeSqlLogDetailArchiveStatus",
        "rds:StartSqlLogDetailArchive"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

To restrict export permissions to a specific instance, replace "Resource": "*" with "Resource": "acs:rds:*:*:dbinstance/<ApsaraDB RDS instance ID>".

PolarDB for MySQL clusters

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "polardb:DescribeSQLLogRecords",
        "polardb:DescribeSqlLogDetailArchiveStatus",
        "polardb:StartSqlLogDetailArchive"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

To restrict export permissions to a specific cluster, replace "Resource": "*" with "Resource": "acs:polardb:*:*:*/<PolarDB for MySQL cluster ID>".

PolarDB-X 2.0 instances

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "hdm:DescribeDasSQLLogRecordsList",
        "hdm:DescribeDasSqlLogDetailArchiveStatus",
        "hdm:StartDasSqlLogDetailArchive"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

To restrict export permissions to a specific instance, replace "Resource": "*" with "Resource": "acs:polardbx:*:*:instance/<PolarDB-X 2.0 instance ID>".
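
A check a reviewer can run over a custom policy before attaching it, as an added example that is not part of the original documentation: it reports every Allow statement that grants one of the search and export actions listed on this page on "*" or another wildcard-terminated resource. The function names, the wildcard-matching rule, and the sample instance ID are assumptions made for this example.

```python
import json
from fnmatch import fnmatchcase

# Search/export actions exactly as listed in the three policies on this page.
EXPORT_ACTIONS = [
    "rds:DescribeSQLLogRecordsList", "rds:DescribeSqlLogDetailArchiveStatus",
    "rds:StartSqlLogDetailArchive", "polardb:DescribeSQLLogRecords",
    "polardb:DescribeSqlLogDetailArchiveStatus", "polardb:StartSqlLogDetailArchive",
    "hdm:DescribeDasSQLLogRecordsList", "hdm:DescribeDasSqlLogDetailArchiveStatus",
    "hdm:StartDasSqlLogDetailArchive",
]

def _listify(value):
    return value if isinstance(value, list) else [value]

def _is_unscoped(resource):
    # "*" or a resource whose final segment is a wildcard names no single instance.
    return resource == "*" or resource.endswith(("/*", ":*"))

def unscoped_export_grants(policy_text):
    """Return (statement index, export action, resource) for each unscoped Allow grant."""
    findings = []
    policy = json.loads(policy_text)
    for idx, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        wide = [r for r in _listify(stmt.get("Resource", [])) if _is_unscoped(r)]
        for pattern in _listify(stmt.get("Action", [])):
            for action in EXPORT_ACTIONS:
                # Assumption: compare case-insensitively and expand "*" in the pattern.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.extend((idx, action, r) for r in wide)
    return findings

# Constructed sample: statement 0 is scoped to a made-up instance ID,
# statement 1 grants a wildcard action on "*".
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["rds:DescribeSQLLogRecordsList", "rds:StartSqlLogDetailArchive"],
         "Resource": "acs:rds:*:*:dbinstance/rm-example0001", "Effect": "Allow"},
        {"Action": ["polardb:*SqlLog*"], "Resource": "*", "Effect": "Allow"},
    ],
})

if __name__ == "__main__":
    for idx, action, resource in unscoped_export_grants(SAMPLE_POLICY):
        print(f"Statement[{idx}] allows {action} on {resource}")
```

Because action patterns are expanded, a broad entry such as a service-wide wildcard is reported for each export action it covers, not only policies that name the actions literally.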