Allow a RAM user to log on to the DataWorks console only from a specific IP address - DataWorks

This topic describes how to allow a RAM user to log on to the DataWorks console only from a specific local IP address.

Prerequisites

A RAM user is created and granted the required permission. For more information, see Prepare a RAM user. The AliyunDataWorksFullAccess policy defines default permissions, and you cannot change the policy. You must create a custom policy and attach the policy to the RAM user.

Create a custom policy.

Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.

Configure the custom policy in the code editor.

The following code provides an example of the document of the custom policy. In the policy, set the acs:SourceIP parameter to the IP address that you want to use to access DataWorks. You can specify multiple IP addresses. For more information about the parameters in the policy, see Policy elements.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dataworks:*"
            ],
            "Resource": [
                "acs:dataworks:*:*:*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "10.0.0.0",
                        "192.168.0.0"
                    ]
                }
            }
        }
    ]
}

Enter the following policy content in the code editor and click Next to edit policy information.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
- Basic optimization
  The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
  - Deletes unnecessary conditions.
  - Deletes unnecessary arrays.
- (Optional) Advanced optimization
  You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
  - Splits resources or conditions that are incompatible with actions.
  - Narrows down resources.
  - Deduplicates or merges policy statements.
Click OK.

Attach the custom policy to the RAM user

In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to attach the policy to the RAM users at a time.
In the Grant Permission panel, select Custom Policy from the drop-down list next to the search box in the Policy section and then select the custom policy that you want to attach to the RAM user.
Note
- The system automatically sets the Principal parameter to the created RAM user.
- To remove a policy, you can click the × icon for the policy in the Selected Policy list on the right side of the panel.

Click Grant permissions.
Click Close.