
Grant permissions to a RAM user

Last Updated: Nov 21, 2024

1. Create a RAM user.

Log on to the RAM console and create a Resource Access Management (RAM) user. For more information, see Create a RAM user.

2. Grant read-only permissions on Alibaba Cloud DNS PrivateZone to the RAM user.

In the RAM console, choose Identities > Users. Select a RAM user and click Add Permissions in the Actions column. In the Add Permissions panel, attach the AliyunPvtzReadOnlyAccess system policy to the RAM user. For more information, see Grant permissions to RAM users.

3. Grant full access permissions on Alibaba Cloud DNS PrivateZone to the RAM user.

In the RAM console, attach the AliyunPvtzFullAccess system policy to the RAM user. For more information, see Grant permissions to RAM users.

4. Grant the RAM user the permissions to manage specific Alibaba Cloud DNS PrivateZone zones.

In this case, you must create a custom policy. The following example uses the zone IDs djiow001 and djiow002.

  • Create a custom policy named AliyunPvtzSingleAccess on the Policies page in the RAM console. For more information, see Create a custom policy. The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "pvtz:*",
      "Resource": [
        "acs:pvtz:*:*:zone/djiow001",
        "acs:pvtz:*:*:zone/djiow002"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pvtz:DescribeUserServiceStatus",
        "pvtz:DescribeAllLines",
        "pvtz:DescribeFusionResource",
        "pvtz:DescribeVpcs",
        "pvtz:DescribeResolveAnalysisConfig",
        "pvtz:DescribeUserVpcAuthorizations",
        "pvtz:DescribeZones",
        "pvtz:DescribeJobOverview",
        "pvtz:DescribeZoneInfo",
        "pvtz:SearchZones"
      ],
      "Resource": "acs:pvtz:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "vpc:DescribeVpcs",
      "Resource": "acs:vpc:*:*:*"
    }
  ]
}
  • Attach the AliyunPvtzSingleAccess policy to the RAM user. The permissions on the zones are granted to the RAM user.
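A pre-flight check for a zone-scoped custom policy such as AliyunPvtzSingleAccess, added here as an example and not taken from the Alibaba Cloud documentation. It rejects duplicate keys inside a statement (which `json.loads` silently collapses to the last value, dropping the zone-scoped grant) and flags write-capable `pvtz` actions that reach beyond the intended zones. The function names `load_strict` and `audit`, the sample policies, and the rule that `pvtz:Describe*` and `pvtz:Search*` are read-only are assumptions.

```python
import json

def load_strict(text):
    """Parse policy JSON, rejecting duplicate keys that json.loads would silently merge."""
    def no_dupes(pairs):
        keys = [k for k, _ in pairs]
        dupes = sorted({k for k in keys if keys.count(k) > 1})
        if dupes:
            raise ValueError(f"duplicate keys in one object: {dupes}")
        return dict(pairs)
    return json.loads(text, object_pairs_hook=no_dupes)

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, zone_ids):
    """Return (index, actions, resources) for Allow statements whose
    write-capable pvtz actions apply outside the given zones."""
    allowed = {f"acs:pvtz:*:*:zone/{z}" for z in zone_ids}
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        # Assumption: pvtz:Describe* and pvtz:Search* are read-only calls.
        writes = [a for a in as_list(st["Action"]) if a.startswith("pvtz:")
                  and not a.startswith(("pvtz:Describe", "pvtz:Search"))]
        wide = [r for r in as_list(st["Resource"]) if r not in allowed]
        if writes and wide:
            findings.append((i, writes, wide))
    return findings

# Constructed sample inputs (zone IDs are the ones used in step 4).
GOOD = '''{"Version":"1","Statement":[
 {"Effect":"Allow","Action":"pvtz:*",
  "Resource":["acs:pvtz:*:*:zone/djiow001","acs:pvtz:*:*:zone/djiow002"]},
 {"Effect":"Allow","Action":["pvtz:DescribeZones","pvtz:SearchZones"],"Resource":"acs:pvtz:*:*:*"},
 {"Effect":"Allow","Action":"vpc:DescribeVpcs","Resource":"acs:vpc:*:*:*"}]}'''
# Two statements pasted as one object: the boundary between them is missing.
MERGED = '''{"Version":"1","Statement":[
 {"Effect":"Allow","Action":"pvtz:*","Resource":["acs:pvtz:*:*:zone/djiow001"],
  "Effect":"Allow","Action":["pvtz:DescribeZones"],"Resource":"acs:pvtz:*:*:*"}]}'''
TOO_WIDE = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"pvtz:*","Resource":"acs:pvtz:*:*:*"}]}'

if __name__ == "__main__":
    zones = ["djiow001", "djiow002"]
    print("good:", audit(load_strict(GOOD), zones))
    print("too wide:", audit(load_strict(TOO_WIDE), zones))
    try:
        load_strict(MERGED)
    except ValueError as exc:
        print("merged rejected:", exc)
```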