This topic describes how to create a custom policy. Custom policies provide more fine-grained permission control than system policies. You can create a custom policy to control the permissions on specific instances or actions.

Prerequisites

A RAM user is authorized to access the cloud resources (such as RDS instances and ECS instances) of the current Alibaba Cloud account. When you configure a DTS task as the RAM user, DTS is allowed to query information about the relevant cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.

Background information

A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.

Precautions

  • If you need to synchronize data to MaxCompute, you cannot configure the data synchronization task as a RAM user. You must use an Alibaba Cloud account to configure the task.
  • If you configure a DTS task as a RAM user and the database is connected over Database Gateway, you must grant the AliyunDGFullAccess permission to the RAM user. If you configure a DTS task as a RAM user and the database is connected over Cloud Enterprise Network (CEN), you must grant the AliyunCENFullAccess permission to the RAM user.

Step 1: Create a custom permission policy

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Configure parameters for the custom policy.
    Parameter | Description
    Policy Name | Enter an informative name for easy identification.
    Note | Optional. Enter the description of the policy.
    Configuration Mode | Select Script. To configure policies for DTS, you must select Script.
    Policy Document | Select an existing system policy from the drop-down list.
      Note: This topic describes how to create a custom policy. You do not need to specify this parameter.
    Code Editor | Enter the content of the policy in the code editor. Sample custom policies are provided for your reference below this table.
      Note:
      • A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.
      • You can grant permissions on specific resources and actions.

    Sample custom policies:

    Note
    • You must replace the DTS instance ID in the following code with the actual ID of your DTS instance.
    • If the read-only permission on a DTS instance is granted to a RAM user, the RAM user can query task details and configurations but cannot change configurations. If the read and write permissions on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.

    Example 1: Read-only permissions on a single DTS instance
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:Describe*",
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    Example 2: Read and write permissions on multiple DTS instances
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:*",
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID",
                    "acs:dts:*:*:instance/DTS instance ID"
                ]
            }
        ],
        "Version": "1"
    }

    Example 3: View the configurations of a data synchronization task
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSynchronizationJobStatus",
                    "dts:DescribeSynchronizationJobs"
                ],
                "Resource": "acs:dts:*:*:instance/DTS instance ID"
            }
        ],
        "Version": "1"
    }

    Example 4: Start or pause multiple data synchronization tasks
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dts:DescribeSubscriptionInstances",
                    "dts:StartSynchronizationJob",
                    "dts:SuspendSynchronizationJob"
                ],
                "Resource": [
                    "acs:dts:*:*:instance/DTS instance ID",
                    "acs:dts:*:*:instance/DTS instance ID"
                ]
            }
        ],
        "Version": "1"
    }
  5. Click OK.

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. In the User Logon Name/Display Name column, find the RAM user.
  5. Click Add Permissions in the Actions column.
  6. In the Add Permissions panel, select the required permission policies.
    1. Select Custom Policy.
    2. Click the name of a custom policy to add the policy to the Selected section.
  7. Click OK.
  8. Click Complete.

Scenarios of operation-level authorization

Note
  • The DescribeDTSIP, DescribeSubscriptionInstances, and DescribeSynchronizationJobs policies authorize a RAM user to query available DTS instances. If a RAM user has the permissions only on some instances, the user must query available DTS instances before the user can perform related operations.
  • To authorize a RAM user to configure data migration, data synchronization, or change tracking, you must create a custom policy and attach the policy to the user. For more information, see Authorize DTS to access Alibaba Cloud resources.
  • API operations (new version)
    Feature | Operation in the DTS console | Permission policy
    Purchase an instance | Purchase a DTS instance | CreateDtsInstance
    Data migration or synchronization | Configure a data migration or synchronization task | ConfigureDtsJob
    Change tracking | Configure a change tracking task | ConfigureSubscription
    Start a task | Start a DTS task | StartDtsJob
    Start multiple tasks at a time | Start multiple DTS tasks at a time | StartDtsJobs
    Manage consumer groups | Create a consumer group | CreateConsumerChannel
    Manage consumer groups | Query consumer groups | DescribeConsumerChannel
    Manage consumer groups | Modify the consumer group of a change tracking task | ModifyConsumerChannel
    Manage consumer groups | Delete the consumer group of a change tracking task | DeleteConsumerChannel
    Query tasks | Query the details of a DTS task | DescribeDtsJobDetail
    Query tasks | Query DTS tasks and the details of each task | DescribeDtsJobs
    Modify the configurations of a DTS task | Modify the configurations of a data synchronization task | ModifyDtsJob
    Modify the configurations of a DTS task | Modify the configurations of a change tracking task | ModifySubscription
    Modify the configurations of a DTS task | Rename a DTS task | ModifyDtsJobName
    Reset a task | Reset a DTS task | ResetDtsJob
    Pause a task | Pause a DTS task | SuspendDtsJob
    Pause multiple tasks at a time | Pause multiple DTS tasks at a time | SuspendDtsJobs
    Stop a task | Stop a DTS task | StopDtsJob
    Stop multiple tasks at a time | Stop multiple DTS tasks at a time | StopDtsJobs
    Release an instance | Release a DTS instance | DeleteDtsJob
    Release multiple instances at a time | Release multiple DTS instances at a time | DeleteDtsJobs
    Configure alerts for tasks | Create an alert rule for a DTS task or modify the alert rule of a DTS task | CreateJobMonitorRule
    Configure alerts for tasks | Query the alert rules of a DTS task | DescribeJobMonitorRule
    Query an ETL task | Query the details of an ETL task | DescribeDtsEtlJobVersionInfo
    Query an ETL task | Query the logs of an ETL task | DescribeEtlJobLogs
  • API operations (old version)
    Feature | Operation in the DTS console | Permission policy
    Data migration | Create a data migration task | CreateMigrationJob
    Data migration | Query data migration tasks | DescribeMigrationJobs
    Data migration | View the details of a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus
    Data migration | Rename a data migration task | DescribeMigrationJobs, ModifyMigrationObject
    Data migration | Configure a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
    Data migration | View precheck details | DescribeMigrationJobs, DescribeMigrationJobStatus
    Data migration | Create a similar data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
    Data migration | Monitor a data migration task and set alerts | DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert
    Data migration | Change the password that is used to log on to an instance | DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject
    Data migration | Start a data migration task | DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail
    Data migration | Pause a data migration task | DescribeMigrationJobs, SuspendMigrationJob
    Data migration | View the details of schema migration | DescribeMigrationJobs, DescribeMigrationJobStatus
    Data migration | View the details of full data migration | DescribeMigrationJobs, DescribeMigrationJobStatus
    Data migration | View the details of incremental data migration | DescribeMigrationJobs, DescribeMigrationJobStatus
    Data migration | View the performance of full data migration or incremental data migration | DescribeMigrationJobs, DescribeMigrationJobDetail
    Data migration | View task logs | DescribeMigrationJobs, DescribeMigrationJobDetail
    Change tracking | Create a change tracking task | CreateSubscriptionInstance
    Change tracking | Query change tracking tasks | DescribeSubscriptionInstances
    Change tracking | View the details of a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
    Change tracking | Rename a change tracking task | DescribeSubscriptionInstances, ModifySubscriptionObject
    Change tracking | Change the objects for change tracking | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
    Change tracking | Create a consumer group | DescribeSubscriptionInstances, CreateConsumerGroup
    Change tracking | View the information about a consumer group | DescribeSubscriptionInstances, DescribeConsumerGroup
    Change tracking | Change the password of a consumer group | DescribeSubscriptionInstances, ModifyConsumerGroupPassword
    Change tracking | Delete a consumer group | DescribeSubscriptionInstances, DeleteConsumerGroup
    Change tracking | Change the password that is used to log on to an instance | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
    Change tracking | Delete a change tracking task | DescribeSubscriptionInstances, DeleteSubscriptionInstance
    Change tracking | Monitor a change tracking task and set alerts | DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert
    Change tracking | Configure a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
    Change tracking | View task logs | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
    Data synchronization | Create a data synchronization task | CreateSynchronizationJob
    Data synchronization | Query data synchronization tasks | DescribeSynchronizationJobs
    Data synchronization | View the details of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
    Data synchronization | Rename a data synchronization task | DescribeSynchronizationJobs, ModifySynchronizationObject
    Data synchronization | View the configurations of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
    Data synchronization | View the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
    Data synchronization | View the status of schema synchronization and full data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
    Data synchronization | View the performance of full data synchronization or incremental data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
    Data synchronization | View the modification records of the objects to be synchronized | DescribeSynchronizationJobs
    Data synchronization | View task logs | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
    Data synchronization | Configure a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
    Data synchronization | Start a data synchronization task | DescribeSynchronizationJobs, StartSynchronizationJob
    Data synchronization | Pause a data synchronization task | DescribeSynchronizationJobs, SuspendSynchronizationJob
    Data synchronization | Change the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
    Data synchronization | Delete a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob
    Data synchronization | Stop a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob
    Data synchronization | Monitor a data synchronization task and set alerts | DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert
    Data synchronization | Change the password that is used to log on to an instance | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject
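The sample policies in Step 1 and the operation-level tables above describe the same thing from two directions: which actions a console operation needs, and how those actions are expressed in a policy document. The following added Python example (not Alibaba Cloud's own code) builds a least-privilege policy from a constructed subset of the old-version table and lints a policy document for the mistakes the notes above warn about (an unreplaced "DTS instance ID" placeholder, duplicate resources, and dts:* on every instance). The operation subset and the instance ID are assumptions constructed for the example.

```python
import json

# Constructed subset of the operation-to-permission mapping in the tables above
# (old-version API names). Extend it with further rows from those tables as needed.
OPERATION_PERMISSIONS = {
    "View the details of a data synchronization task":
        ["DescribeSynchronizationJobs", "DescribeSynchronizationJobStatus"],
    "Start a data synchronization task":
        ["DescribeSynchronizationJobs", "StartSynchronizationJob"],
    "Pause a data synchronization task":
        ["DescribeSynchronizationJobs", "SuspendSynchronizationJob"],
}

PLACEHOLDER = "DTS instance ID"  # the literal left in the sample policies above


def build_policy(operations, instance_ids):
    """Build a policy that allows exactly the actions the given console operations need,
    scoped to the given DTS instances (same document shape as the samples in Step 1)."""
    actions = sorted({f"dts:{p}" for op in operations for p in OPERATION_PERMISSIONS[op]})
    resources = [f"acs:dts:*:*:instance/{i}" for i in instance_ids]
    statement = {"Effect": "Allow", "Action": actions, "Resource": resources}
    return {"Version": "1", "Statement": [statement]}


def lint_policy(policy):
    """Return a list of problems found in a DTS policy document: an unreplaced
    placeholder, a non-DTS resource, duplicate resources, a bad Version, or
    dts:* granted on every instance (full control rather than least privilege)."""
    problems = []
    if policy.get("Version") != "1":
        problems.append("Version must be \"1\"")
    for stmt in policy.get("Statement", []):
        # Action and Resource may each be a single string or a list, as in the samples
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for r in resources:
            if r.endswith("/" + PLACEHOLDER):
                problems.append(f"placeholder not replaced: {r}")
            elif not r.startswith("acs:dts:"):
                problems.append(f"not a DTS resource: {r}")
        if len(set(resources)) != len(resources):
            problems.append("duplicate resource entries")
        if "dts:*" in actions and any(r.endswith("instance/*") for r in resources):
            problems.append("dts:* on all instances grants full DTS control")
    return problems


if __name__ == "__main__":
    # "dts-example-0001" is a constructed instance ID, not a real one
    policy = build_policy(["Start a data synchronization task"], ["dts-example-0001"])
    print(json.dumps(policy, indent=4), lint_policy(policy))
```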

Related operations

Log on to the Alibaba Cloud Management Console as a RAM user.

FAQ

Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?
A: The RAM user may have no permissions or may have permissions only on some instances. In this case, the DTS console does not show the instance list. You must contact the RAM administrator and obtain the IDs of the DTS instances on which the RAM user has administrative permissions. Then, you can search for DTS instances by using their IDs in the DTS console.