This topic describes how to create a custom policy. Custom policies provide more fine-grained permission control than system policies. You can create a custom policy to control the permissions on specific instances or actions.
Prerequisites
A RAM user is authorized to access the cloud resources (such as RDS instances and ECS instances) of the current Alibaba Cloud account. When you configure a DTS task as the RAM user, DTS must be allowed to query the information about the relevant cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.
Background information
A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.
Precautions
- If you need to synchronize data to MaxCompute, you cannot configure the data synchronization task as a RAM user. You must use an Alibaba Cloud account to configure the task.
- If you configure a DTS task as a RAM user and the database is connected over Database Gateway, you must grant the AliyunDGFullAccess permission to the RAM user. If you configure a DTS task as a RAM user and the database is connected over Cloud Enterprise Network (CEN), you must grant the AliyunCENFullAccess permission to the RAM user.
Step 1: Create a custom permission policy
Log on to the RAM console by using an Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
Configure parameters for the custom policy.

Parameter | Description
Policy Name | Enter an informative name for easy identification.
Note | Optional. Enter the description of the policy.
Configuration Mode | Select Script. To configure policies for DTS, you must select Script.
Policy Document | Select an existing system policy from the drop-down list. Note: This topic describes how to create a custom policy, so you do not need to specify this parameter.
Code Editor | Enter the content of the policy in the code editor. Sample custom policies are provided for your reference below this table. Note: A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.
You can grant permissions on specific resources and actions.

Sample custom policies:

Note: You must replace "DTS instance ID" in the following code with the actual ID of your DTS instance. If the read-only permission on a DTS instance is granted to a RAM user, the RAM user can query task details and configurations but cannot change configurations. If the read and write permissions on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.

Example 1: Read-only permissions on a single DTS instance

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:Describe*",
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}

Example 2: Read and write permissions on multiple DTS instances

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:*",
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}

Example 3: View the configurations of a data synchronization task

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSynchronizationJobStatus",
        "dts:DescribeSynchronizationJobs"
      ],
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}

Example 4: Start or pause multiple data synchronization tasks

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSubscriptionInstances",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob"
      ],
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
Click OK.
Step 2: Attach the custom policy to a RAM user
Log on to the RAM console by using an Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
In the User Logon Name/Display Name column, find the RAM user.
Click Add Permissions in the Actions column.
In the Add Permissions panel, select the required permission policies.
Select Custom Policy.
Click the name of a custom policy to add the policy to the Selected section.
Click OK.
Click Complete.
Scenarios of operation-level authorization

The DescribeDTSIP, DescribeSubscriptionInstances, and DescribeSynchronizationJobs policies authorize a RAM user to query available DTS instances. If a RAM user has permissions only on some instances, the user must be able to query available DTS instances before the user can perform related operations on them. To authorize a RAM user to configure data migration, data synchronization, or change tracking, you must create a custom policy and attach the policy to the user. For more information, see Authorize DTS to access Alibaba Cloud resources.
API operations (new version)

Feature | Operation in the DTS console | Permission policy
Purchase an instance | Purchase a DTS instance | CreateDtsInstance
Data migration or synchronization | Configure a data migration or synchronization task | ConfigureDtsJob
Change tracking | Configure a change tracking task | ConfigureSubscription
Start a task | Start a DTS task | StartDtsJob
Start multiple tasks at a time | Start multiple DTS tasks at a time | StartDtsJobs
Manage consumer groups | Create a consumer group | CreateConsumerChannel
Manage consumer groups | Query consumer groups | DescribeConsumerChannel
Manage consumer groups | Modify the consumer group of a change tracking task | ModifyConsumerChannel
Manage consumer groups | Delete the consumer group of a change tracking task | DeleteConsumerChannel
Query tasks | Query the details of a DTS task | DescribeDtsJobDetail
Query tasks | Query DTS tasks and the details of each task | DescribeDtsJobs
Modify the configurations of a DTS task | Modify the configurations of a data synchronization task | ModifyDtsJob
Modify the configurations of a DTS task | Modify the configurations of a change tracking task | ModifySubscription
Modify the configurations of a DTS task | Rename a DTS task | ModifyDtsJobName
Reset a task | Reset a DTS task | ResetDtsJob
Pause a task | Pause a DTS task | SuspendDtsJob
Pause multiple tasks at a time | Pause multiple DTS tasks at a time | SuspendDtsJobs
Stop a task | Stop a DTS task | StopDtsJob
Stop multiple tasks at a time | Stop multiple DTS tasks at a time | StopDtsJobs
Release an instance | Release a DTS instance | DeleteDtsJob
Release multiple instances at a time | Release multiple DTS instances at a time | DeleteDtsJobs
Configure alerts for tasks | Create an alert rule for a DTS task or modify the alert rule of a DTS task | CreateJobMonitorRule
Configure alerts for tasks | Query the alert rules of a DTS task | DescribeJobMonitorRule
Query an ETL task | Query the details of an ETL task | DescribeDtsEtlJobVersionInfo
Query an ETL task | Query the logs of an ETL task | DescribeEtlJobLogs
API operations (old version)

Feature | Operation in the DTS console | Permission policy
Data migration | Create a data migration task | CreateMigrationJob
Data migration | Query data migration tasks | DescribeMigrationJobs
Data migration | View the details of a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus
Data migration | Rename a data migration task | DescribeMigrationJobs, ModifyMigrationObject
Data migration | Configure a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
Data migration | View precheck details | DescribeMigrationJobs, DescribeMigrationJobStatus
Data migration | Create a similar data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
Data migration | Monitor a data migration task and set alerts | DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert
Data migration | Change the password that is used to log on to an instance | DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject
Data migration | Start a data migration task | DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail
Data migration | Pause a data migration task | DescribeMigrationJobs, SuspendMigrationJob
Data migration | View the details of schema migration | DescribeMigrationJobs, DescribeMigrationJobStatus
Data migration | View the details of full data migration | DescribeMigrationJobs, DescribeMigrationJobStatus
Data migration | View the details of incremental data migration | DescribeMigrationJobs, DescribeMigrationJobStatus
Data migration | View the performance of full data migration or incremental data migration | DescribeMigrationJobs, DescribeMigrationJobDetail
Data migration | View task logs | DescribeMigrationJobs, DescribeMigrationJobDetail
Change tracking | Create a change tracking task | CreateSubscriptionInstance
Change tracking | Query change tracking tasks | DescribeSubscriptionInstances
Change tracking | View the details of a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
Change tracking | Rename a change tracking task | DescribeSubscriptionInstances, ModifySubscriptionObject
Change tracking | Change the objects for change tracking | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
Change tracking | Create a consumer group | DescribeSubscriptionInstances, CreateConsumerGroup
Change tracking | View the information about a consumer group | DescribeSubscriptionInstances, DescribeConsumerGroup
Change tracking | Change the password of a consumer group | DescribeSubscriptionInstances, ModifyConsumerGroupPassword
Change tracking | Delete a consumer group | DescribeSubscriptionInstances, DeleteConsumerGroup
Change tracking | Change the password that is used to log on to an instance | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
Change tracking | Delete a change tracking task | DescribeSubscriptionInstances, DeleteSubscriptionInstance
Change tracking | Monitor a change tracking task and set alerts | DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert
Change tracking | Configure a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
Change tracking | View task logs | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
Data synchronization | Create a data synchronization task | CreateSynchronizationJob
Data synchronization | Query data synchronization tasks | DescribeSynchronizationJobs
Data synchronization | View the details of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
Data synchronization | Rename a data synchronization task | DescribeSynchronizationJobs, ModifySynchronizationObject
Data synchronization | View the configurations of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
Data synchronization | View the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
Data synchronization | View the status of schema synchronization and full data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
Data synchronization | View the performance of full data synchronization or incremental data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
Data synchronization | View the modification records of the objects to be synchronized | DescribeSynchronizationJobs
Data synchronization | View task logs | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
Data synchronization | Configure a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
Data synchronization | Start a data synchronization task | DescribeSynchronizationJobs, StartSynchronizationJob
Data synchronization | Pause a data synchronization task | DescribeSynchronizationJobs, SuspendSynchronizationJob
Data synchronization | Change the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
Data synchronization | Delete a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob
Data synchronization | Stop a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob
Data synchronization | Monitor a data synchronization task and set alerts | DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert
Data synchronization | Change the password that is used to log on to an instance | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject
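The following is an added example, not code from the Alibaba Cloud documentation or from DTS itself. It serves two passages of this topic: the sample custom policies (Examples 1 and 4 above) and the old-version table of API operations that each console action needs. It is a small offline evaluator for RAM-style policy documents: it checks which actions a policy grants on which instance ARNs, and then checks whether a policy covers every API operation listed in the table for a console action, which is how the "query available instances first" requirement described under operation-level authorization shows up in practice. The instance IDs, the account ID and the region in the ARNs are constructed placeholders; the evaluator only models Effect, Action and Resource with the `*` wildcard and does not model Condition blocks or system policies.

```python
"""Added example (not from the Alibaba Cloud documentation): an offline
evaluator for RAM-style policy documents. Assumptions: Allow/Deny with '*'
wildcards in Action and Resource only; Condition blocks are not modelled."""
import fnmatch
import json

# Example 1 from the topic: read-only permissions on a single DTS instance.
# "dtsxxxxxxxx" is a constructed stand-in for the "DTS instance ID" placeholder.
READ_ONLY_POLICY = json.loads("""
{ "Statement": [ { "Effect": "Allow", "Action": "dts:Describe*",
                   "Resource": "acs:dts:*:*:instance/dtsxxxxxxxx" } ],
  "Version": "1" }
""")

# Example 4 from the topic: start or pause tasks on two instances
# (both instance IDs are constructed for this example).
START_PAUSE_POLICY = json.loads("""
{ "Statement": [ { "Effect": "Allow",
                   "Action": [ "dts:DescribeSubscriptionInstances",
                               "dts:StartSynchronizationJob",
                               "dts:SuspendSynchronizationJob" ],
                   "Resource": [ "acs:dts:*:*:instance/dtsxxxxxxxx",
                                 "acs:dts:*:*:instance/dtsyyyyyyyy" ] } ],
  "Version": "1" }
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, candidate):
    # '*' is the wildcard in both Action and Resource strings.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True if the policy grants `action` on `resource`.
    An explicit Deny wins over any Allow; no matching statement means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


# API operations each console action needs, taken from the rows of the
# "API operations (old version)" table for data synchronization tasks.
CONSOLE_ACTION_REQUIREMENTS = {
    "View the details of a data synchronization task":
        ["dts:DescribeSynchronizationJobs", "dts:DescribeSynchronizationJobStatus"],
    "Start a data synchronization task":
        ["dts:DescribeSynchronizationJobs", "dts:StartSynchronizationJob"],
    "Pause a data synchronization task":
        ["dts:DescribeSynchronizationJobs", "dts:SuspendSynchronizationJob"],
}


def missing_permissions(policy, console_action, resource):
    """List the API operations the console action needs that the policy does
    not grant on `resource`. An empty list means the action is fully covered."""
    return [api for api in CONSOLE_ACTION_REQUIREMENTS[console_action]
            if not is_allowed(policy, api, resource)]


if __name__ == "__main__":
    inst = "acs:dts:cn-hangzhou:1234567890:instance/dtsxxxxxxxx"   # constructed ARN
    other = "acs:dts:cn-hangzhou:1234567890:instance/dtszzzzzzzz"  # not in any policy
    print(is_allowed(READ_ONLY_POLICY, "dts:DescribeSynchronizationJobs", inst))   # True
    print(is_allowed(READ_ONLY_POLICY, "dts:StartSynchronizationJob", inst))       # False
    print(is_allowed(READ_ONLY_POLICY, "dts:DescribeSynchronizationJobs", other))  # False
    # Example 4 grants Start/Suspend, but the table also lists
    # DescribeSynchronizationJobs for the "Start" console action.
    print(missing_permissions(START_PAUSE_POLICY, "Start a data synchronization task", inst))
```

Run the script as-is to see the read-only policy grant Describe* on its own instance only, and to see which table-listed operation Example 4 does not grant; to check a different policy, load its JSON into a dict and pass it to `is_allowed` or `missing_permissions` with the instance ARN the RAM user will work on.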
Related operations
Log on to the Alibaba Cloud Management Console as a RAM user.
FAQ
Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?
A: The RAM user may have no permissions or may have permissions only on some instances. In this case, the DTS console does not show the instance list. You must contact the RAM administrator and obtain the IDs of the DTS instances on which the RAM user has administrative permissions. Then, you can search for DTS instances by using their IDs in the DTS console.