CloudOps Orchestration Service:Access control

Last Updated:Feb 20, 2024

This topic describes how to use Resource Access Management (RAM) to control access to CloudOps Orchestration Service (OOS) within an Alibaba Cloud account. To implement access control, create RAM users or user groups and grant them only the permissions that they require.

Scenarios

RAM is a resource access control service that is provided by Alibaba Cloud. The following section describes how you can use RAM to implement access control in OOS:

OOS administrator: You can create an OOS administrator group and grant it full permissions on OOS. Members of this group can create, modify, and execute templates.

Template developer: The template developer group requires only the permissions to create and modify templates. You can attach a policy to the group that grants its members permission to call API operations such as CreateTemplate and UpdateTemplate.

Template execution: You can grant some users only the permission to execute OOS templates. These users can execute existing templates but cannot create or modify them.

Template authorization: You can restrict a template so that it can be executed only by specified users or user groups.

Grant the PassRole permission to a RAM user

You can create an OOS-trusted RAM role to grant permissions to OOS. For more information, see Grant RAM permissions to OOS. The fact that OOS is allowed to assume this RAM role does not mean that a RAM user who calls OOS is allowed to make OOS use it. You must also grant the RAM user the ram:PassRole permission on that RAM role. Only then can the RAM user hand the role to OOS, for example when creating a template that references the role or when starting an execution with the role as an input parameter.

To authorize a RAM user to use all RAM roles of OOS, create the following policy and attach the policy to the RAM user:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}

For security reasons, you may need to restrict the RAM user to use only a specific RAM role, such as the default role OOSServiceRole. In this case, you can create the following policy and attach the policy to the RAM user:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram::{parent_uid}:role/OOSServiceRole"
    }
  ]
}
  • If a template uses a RAM role internally (for example, the default role OOSServiceRole hard-coded in the template content) rather than receiving it as an input parameter, a RAM user needs the PassRole permission only to create or modify the template, not to execute it.

  • If a template receives the RAM role as an input parameter at execution time and does not hard-code a role, a RAM user needs the PassRole permission only to execute the template with that role, not to create or modify the template.

  • In the preceding sample code, {parent_uid} indicates the ID of your Alibaba Cloud account.

  • A PassRole statement whose Resource is * lets the RAM user hand OOS any role that OOS is trusted to assume, including roles with broader permissions than the user itself holds. The acs:Service condition only prevents the user from passing roles to services other than OOS; it does not stop the user from choosing a more privileged OOS role. Where possible, list the specific role ARNs instead of using *.

Grant permissions to a RAM user

Step 1: Create a custom policy in the RAM console.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab. Then, edit the policy.

    • Sample policy 1: grants a RAM user the permissions to execute templates but not modify templates.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "oos:List*",
                      "oos:Get*",
                      "oos:StartExecution",
                      "oos:CancelExecution",
                      "oos:NotifyExecution"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
    • Sample policy 2: grants a RAM user the permissions to create and modify templates but not execute templates. If the templates reference a RAM role internally, the RAM user also needs the PassRole permission on that role, as described in the preceding section.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "oos:List*",
                      "oos:Get*",
                      "oos:CreateTemplate",
                      "oos:UpdateTemplate",
                      "oos:ValidateTemplateContent"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
    • Sample policy 3: grants a RAM user the permissions of an OOS administrator.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "oos:*",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "ram:PassRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "acs:Service": "oos.aliyuncs.com"
                      }
                  }
              }
          ]
      }
  5. Click Next to edit policy information. Configure the basic information about the policy and click OK.
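The following Python script is an added example, not code from the OOS documentation or from Alibaba Cloud. It is a minimal offline evaluator that reproduces the Allow/Deny, wildcard, and StringEquals semantics the policies on this page rely on, and uses it to check two things at once: that sample policies 1 to 3 actually separate template execution from template development, and that the PassRole grants behave as the PassRole section describes (the wildcard grant only works when the requesting service is oos.aliyuncs.com, and the role-scoped grant only covers OOSServiceRole). The account ID, the second role name, and the template ARN are constructed placeholders; the script does not contact RAM, and it supports only the policy features used on this page.

```python
"""Offline evaluator for the RAM policies on this page (added example, not Alibaba Cloud code).

Simplifications: only Allow/Deny, '*' and '?' wildcards, and the StringEquals
condition operator are supported, which is all the policies above use.
"""
import fnmatch

# Assumed placeholder for {parent_uid}; constructed, not a real account.
ACCOUNT_ID = "123456789012345678"
OOS_ROLE = f"acs:ram::{ACCOUNT_ID}:role/OOSServiceRole"
OTHER_ROLE = f"acs:ram::{ACCOUNT_ID}:role/AdminRole"  # hypothetical, more privileged role
TEMPLATE = f"acs:oos:cn-hangzhou:{ACCOUNT_ID}:template/MyTemplate"  # hypothetical ARN

# Sample policies 1-3 from this page, plus the role-scoped PassRole policy.
EXECUTOR_POLICY = {"Version": "1", "Statement": [{
    "Action": ["oos:List*", "oos:Get*", "oos:StartExecution",
               "oos:CancelExecution", "oos:NotifyExecution"],
    "Resource": "*", "Effect": "Allow"}]}
DEVELOPER_POLICY = {"Version": "1", "Statement": [{
    "Action": ["oos:List*", "oos:Get*", "oos:CreateTemplate",
               "oos:UpdateTemplate", "oos:ValidateTemplateContent"],
    "Resource": "*", "Effect": "Allow"}]}
ADMIN_POLICY = {"Version": "1", "Statement": [
    {"Action": "oos:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}}}]}
SCOPED_PASSROLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:PassRole", "Resource": OOS_ROLE}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # RAM wildcards: '*' matches any run of characters, '?' exactly one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            # A key missing from the request context never satisfies StringEquals.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Implicit deny unless an Allow statement matches; any matching Deny wins."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt["Action"]):
            continue
        if not _matches_any(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_pass_role(policy, role_arn, service="oos.aliyuncs.com"):
    """Can a user holding this policy hand role_arn to the given service?"""
    return is_allowed(policy, "ram:PassRole", role_arn, {"acs:Service": service})


def passrole_findings(policy):
    """Flag Allow statements that let the user pass roles beyond a named list."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _matches_any("ram:PassRole", stmt["Action"]):
            continue
        if any("*" in r or "?" in r for r in _as_list(stmt["Resource"])):
            services = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
            scope = f"any role assumable by {services}" if services else "any role to any service"
            findings.append(f"statement {i}: PassRole on {scope}; list role ARNs instead")
    return findings


def duties_matrix():
    """Which of the three sample policies may perform which action on one template."""
    actions = ["oos:CreateTemplate", "oos:UpdateTemplate", "oos:StartExecution", "oos:DeleteTemplate"]
    policies = {"executor": EXECUTOR_POLICY, "developer": DEVELOPER_POLICY, "admin": ADMIN_POLICY}
    return {name: {a: is_allowed(p, a, TEMPLATE) for a in actions} for name, p in policies.items()}


if __name__ == "__main__":
    for name, row in duties_matrix().items():
        print(name, row)
    print("admin PassRole to OOS:", can_pass_role(ADMIN_POLICY, OTHER_ROLE))
    print("admin PassRole to ECS:", can_pass_role(ADMIN_POLICY, OTHER_ROLE, "ecs.aliyuncs.com"))
    print("scoped PassRole:", can_pass_role(SCOPED_PASSROLE_POLICY, OOS_ROLE),
          can_pass_role(SCOPED_PASSROLE_POLICY, OTHER_ROLE))
    print("findings:", passrole_findings(ADMIN_POLICY), passrole_findings(SCOPED_PASSROLE_POLICY))
```

The evaluator treats a missing condition key as a failed match, which is why the admin policy's PassRole grant is refused when the request context names a service other than OOS. passrole_findings is the lint a reviewer would run before attaching a custom policy: it reports the wildcard PassRole in sample policy 3 and stays silent for the role-scoped variant, which is the shape the PassRole section recommends for production users.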

Step 2: Grant a RAM user relevant permissions in the RAM console.

  1. In the left-side navigation pane, choose Identities > Users.

  2. On the Users page, find the RAM user that you want to authorize and click Add Permissions in the Actions column. In the Select Policy section of the Add Permissions pane, select the custom policy that you created in Step 1, or one or more system policies.

  3. Click OK.