Allow a RAM user to log on to DataWorks only from a specific IP address
By default, a RAM (Resource Access Management) user with DataWorks permissions can access the DataWorks console from any IP address. To restrict access to one or more specific IP addresses, create a custom RAM policy that denies all DataWorks actions when the source IP is outside an allowed list, then attach the policy to the RAM user.
This topic covers two steps: create the policy that defines the IP allowlist, then attach it to the RAM user so it takes effect.
Prerequisites
Before you begin, ensure that you have:
A RAM user with the required DataWorks permissions. For setup instructions, see Prepare a RAM user.
Admin rights to the RAM console
The AliyunDataWorksFullAccess policy defines default DataWorks permissions and cannot be modified. To restrict access by IP, create a separate custom policy and attach it to the RAM user.
How it works
The IP restriction uses "Effect": "Deny" combined with a NotIpAddress condition operator. This combination means: deny all dataworks:* actions when the source IP is not in the specified list. Requests from listed IP addresses are unaffected and proceed based on other attached policies.
Do not change "Effect" to "Allow". An allow-based policy cannot implement an IP allowlist in this context — it would grant access from listed IPs but leave unlisted IPs unaffected rather than blocked. For details on policy structure, see Policy structure and syntax.
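The following Python sketch is an added example, not part of the original topic and not Alibaba Cloud code. It models only the rule that an explicit Deny overrides any Allow, plus the IpAddress and NotIpAddress operators, to show why the Deny form blocks unlisted addresses while the Allow form does not; BASE_GRANT, the address 203.0.113.7, and the helper names are constructed for illustration.

```python
import ipaddress

# Policy from this topic: deny DataWorks actions unless the source IP is listed.
DENY_NOT_LISTED = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["dataworks:*"],
    "Resource": ["acs:dataworks:*:*:*"],
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0", "192.168.0.0"]}}}]}

# The variant the topic warns against: same list, but Allow + IpAddress.
ALLOW_LISTED = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["dataworks:*"],
    "Resource": ["acs:dataworks:*:*:*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0", "192.168.0.0"]}}}]}

# Constructed stand-in for the unconditional grant the RAM user already holds
# (for example through AliyunDataWorksFullAccess); not the real policy body.
BASE_GRANT = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["dataworks:*"], "Resource": ["*"]}]}


def ip_listed(source_ip, entries):
    """True if source_ip equals an entry (treated as /32) or is inside a CIDR entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def condition_holds(condition, source_ip):
    """Evaluate only the IpAddress / NotIpAddress operators on acs:SourceIp."""
    for operator, keys in condition.items():
        listed = ip_listed(source_ip, keys["acs:SourceIp"])
        if operator == "IpAddress" and not listed:
            return False
        if operator == "NotIpAddress" and listed:
            return False
    return True


def decide(policies, source_ip):
    """Simplified model: every request is a DataWorks action.
    Explicit Deny wins, then Allow; no matching statement means denied."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if condition_holds(s.get("Condition", {}), source_ip)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
```

With BASE_GRANT attached, `decide([BASE_GRANT, ALLOW_LISTED], "203.0.113.7")` still returns "Allow", while `decide([BASE_GRANT, DENY_NOT_LISTED], "203.0.113.7")` returns "Deny".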
Step 1: Create a custom policy
Log on to the RAM console as a RAM user with admin rights.
In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy, then click the JSON tab.
In the code editor, paste the following policy. Replace 10.0.0.0 and 192.168.0.0 with the IP addresses from which you want to allow access. Add more entries to the array to allow additional addresses. The following policy denies all DataWorks actions for requests originating from any IP address outside the specified list:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dataworks:*"
      ],
      "Resource": [
        "acs:dataworks:*:*:*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": [
            "10.0.0.0",
            "192.168.0.0"
          ]
        }
      }
    }
  ]
}
For a full description of policy condition keys and operators, see Policy elements.
(Optional) Click Optional advanced optimize. In the dialog box, click Perform. The system splits resources or conditions that are incompatible with actions, narrows down resources, and deduplicates or merges policy statements.
Click OK. In the Create Policy dialog box, enter a Name and an optional Description for the policy.
Click OK.
Step 2: Attach the custom policy to the RAM user
In the left-side navigation pane of the RAM console, choose Identities > Users. On the Users page, find the RAM user and click Add Permissions in the Actions column. To attach the policy to multiple RAM users at once, select the users and click Add Permissions at the bottom of the page.
In the Grant Permission panel, select Custom Policy from the drop-down list, then select the policy you created in the Policy Name column.
The system automatically sets Selected Principal to the RAM user you selected. To remove a policy before confirming, click the × icon next to it in the Selected Policy list.
Click Grant permissions, then click Close.