How do I authorize a RAM user to track data changes by using DTS SDKs? - Data Transmission Service

Data Transmission Service (DTS) supports Resource Access Management (RAM). You can create and manage DTS tasks as a RAM user. You can also track data changes in real time by using the AccessKey ID and AccessKey secret of the RAM user.

Prerequisites

A RAM user is authorized to access the cloud resources such as ApsaraDB for RDS instances and Elastic Compute Service (ECS) instances of the current Alibaba Cloud account. When you configure a DTS task as the RAM user, DTS is allowed to access the relevant cloud resource information. For more information, see Authorize DTS to access Alibaba Cloud resources.

Permission policies

DTS supports read/write and read-only policies.

Read/write policy: AliyunDTSFullAccess
This policy grants the read and write permissions on DTS. If this policy is attached to a RAM user, the RAM user can purchase, configure, and manage DTS instances.
Read-only policy: AliyunDTSReadOnlyAccess This policy grants the read permissions on DTS. If this policy is attached to a RAM user, the RAM user can view the details and configurations of all DTS tasks within the Alibaba Cloud account. However, the RAM user cannot perform change operations on these DTS tasks.
Note
Change operations include the purchase, configuration, and management of DTS instances.

Procedure

Log on to the RAM console by using your Alibaba Cloud account.
Create a RAM user.
Note
- When you create the RAM user, set the Access Mode to OpenAPI Access.
- After the RAM user is created, you must save the AccessKey ID and AccessKey secret of the RAM user.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to grant permissions, and click Add Permissions in the Actions column.
In the Add Permissions panel, specify the permission policy.
1. Select the authorization scope.
  - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
  - Specific Resource Group: The authorization takes effect on a specific resource group.
    Note
    If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Select the authorization scope.
  - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
  - Specific Resource Group: The authorization takes effect on a specific resource group.
    Note
    If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
3. Select System Policy for the Select Policy parameter.
4. Enter dts in the search box to query the system policies that are related to DTS.
5. Click AliyunDTSFullAccess to add the policy to the Selected section.
Click OK.
Click Complete.

Track data changes as a RAM user

After you create the RAM user and grant the required permissions to the RAM user, you can use DTS SDKs to track data changes as the RAM user. For more information, see Use the SDK demo to consume tracked data.

Note

You must replace the sample AccessKey pair in the SDK demo with the AccessKey pair of your RAM user.