Custom policies give you more granular control than system policies. Use them to restrict a RAM user's access to specific DTS instances or specific actions, rather than granting access to all DTS resources.
Prerequisites
Before you begin, ensure that you have:
Authorized the RAM user to access the cloud resources used by DTS, such as ApsaraDB for RDS instances and Elastic Compute Service (ECS) instances. This allows DTS to read the relevant resource information when the RAM user configures a DTS task. For details, see Authorize DTS to access Alibaba Cloud resources.
Usage notes
To synchronize data to a MaxCompute project, configure the task using an Alibaba Cloud account instead of a RAM user.
If the database connects over Database Gateway, grant the RAM user the AliyunDGFullAccess permission.
If the database connects over Cloud Enterprise Network (CEN), grant the RAM user the AliyunCENFullAccess permission.
Step 1: Create a custom policy
Log on to the RAM console as a RAM user with administrative rights.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
In the code editor, enter your policy content. Keep the following in mind:
Replace the DTS instance ID placeholder with the actual ID of your DTS instance.
Read-only permissions let a RAM user query task details and configurations, but not modify them. Read and write permissions let a RAM user configure and manage the DTS instance.
The policy must include the DescribeBasicConfigs and DescribeDomainRegions actions. A wildcard such as dts:Describe* or dts:* (Examples 1 and 2) covers them; if you enumerate actions explicitly, make sure these two actions are in the list.
The following examples cover common scenarios. Choose the one that matches your use case, or combine actions from multiple examples.
Example 1: Read-only access to a single DTS instance
Use this when you want a RAM user to view task details and configurations but not make any changes.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:Describe*",
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}
Example 2: Full access to multiple DTS instances
Use this when a RAM user needs to configure and manage multiple specific instances. List each instance ID as a separate resource.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:*",
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
Example 3: View configurations of a data synchronization task
Use this when you want a RAM user to check the status and configuration of a synchronization task, without any write access.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSynchronizationJobStatus",
        "dts:DescribeSynchronizationJobs"
      ],
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}
Example 4: Start or pause multiple data synchronization tasks
Use this when you want a RAM user to control task execution across multiple instances (start or pause tasks) without access to configuration settings.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSubscriptionInstances",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob"
      ],
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
Click OK.
Fill in the Name and Description fields.
Review and optimize the policy content.
Basic optimization (automatic): The system removes unnecessary conditions and arrays.
Advanced optimization (optional): Move the pointer over Optional: advanced optimize and click Perform. The system splits resources or conditions that are incompatible with actions, narrows down resources, and deduplicates or merges policy statements.
Click OK.
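Before pasting a policy into the console, it is worth checking it against the rules this page states: the placeholder must be replaced, every resource should be an instance-scoped DTS ARN, and DescribeBasicConfigs and DescribeDomainRegions must be granted, either explicitly or through a wildcard. The following Python script is an added example written for this page; it is not code from the Alibaba Cloud documentation or the DTS console. It embeds the page's Example 1 and Example 3 as templates, and the instance ID dtsexample123 is a constructed value. The character class used for instance IDs and the case-insensitive action matching are assumptions of the script.

```python
"""Lint a DTS custom RAM policy against the rules stated on this page."""
import json
import re
from fnmatch import fnmatchcase

# Actions the page says every custom DTS policy must include.
REQUIRED_ACTIONS = ("dts:DescribeBasicConfigs", "dts:DescribeDomainRegions")

# Placeholder used by the page's policy examples.
PLACEHOLDER = "DTS instance ID"

# Instance-scoped resource format from the page's examples: acs:dts:*:*:instance/<ID>.
# The character class for the ID is an assumption made for this check, not a documented rule.
DTS_INSTANCE_ARN = re.compile(r"^acs:dts:\*:\*:instance/[A-Za-z0-9_-]+$")

# Example 1 (read-only, one instance) and Example 3 (explicit Describe actions), as on the page.
EXAMPLE_1 = '''{ "Statement": [ { "Effect": "Allow", "Action": "dts:Describe*",
  "Resource": "acs:dts:*:*:instance/DTS instance ID" } ], "Version": "1" }'''
EXAMPLE_3 = '''{ "Statement": [ { "Effect": "Allow",
  "Action": [ "dts:DescribeSynchronizationJobStatus", "dts:DescribeSynchronizationJobs" ],
  "Resource": "acs:dts:*:*:instance/DTS instance ID" } ], "Version": "1" }'''


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """True if a policy Action pattern with '*' wildcards (e.g. dts:Describe*) grants action.
    Case-insensitive comparison is an assumption of this script, not a statement of the page."""
    return fnmatchcase(action.lower(), pattern.lower())


def fill_instance_ids(template_json, instance_ids):
    """Replace the placeholder with real instance IDs, one Resource entry per ID."""
    policy = json.loads(template_json)
    for stmt in policy["Statement"]:
        resources = []
        for res in _as_list(stmt["Resource"]):
            if PLACEHOLDER in res:
                resources.extend(res.replace(PLACEHOLDER, iid) for iid in instance_ids)
            else:
                resources.append(res)
        resources = list(dict.fromkeys(resources))  # drop duplicates, keep order
        stmt["Resource"] = resources if len(resources) > 1 else resources[0]
    return policy


def lint_policy(policy):
    """Return the list of problems found; an empty list means the policy passed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    granted = []  # actions allowed by Allow statements
    for i, stmt in enumerate(statements):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for res in _as_list(stmt.get("Resource", [])):
            if PLACEHOLDER in res:
                problems.append(f"statement {i}: placeholder '{PLACEHOLDER}' was not replaced")
            elif not DTS_INSTANCE_ARN.match(res):
                problems.append(f"statement {i}: resource {res!r} is not scoped to a DTS instance")
        if effect == "Allow":
            granted.extend(_as_list(stmt.get("Action", [])))
    for req in REQUIRED_ACTIONS:
        if not any(action_matches(p, req) for p in granted):
            problems.append(f"missing required action {req}")
    return problems


def access_level(policy):
    """'read-only' when every granted action is a Describe query, otherwise 'read-write'."""
    for stmt in policy["Statement"]:
        for act in _as_list(stmt["Action"]):
            if not act.split(":", 1)[-1].lower().startswith("describe"):
                return "read-write"
    return "read-only"


if __name__ == "__main__":
    # "dtsexample123" is a constructed ID, not a real instance.
    for name, template in (("Example 1", EXAMPLE_1), ("Example 3", EXAMPLE_3)):
        pol = fill_instance_ids(template, ["dtsexample123"])
        print(name, access_level(pol), lint_policy(pol) or "OK")
```

Running the script shows the difference between the two templates: Example 1 passes once the placeholder is filled, because dts:Describe* covers the two required actions, while Example 3 lists its actions explicitly and is reported as missing DescribeBasicConfigs and DescribeDomainRegions until you add them.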
Step 2: Attach the custom policy to a RAM user
Log on to the RAM console as a RAM user with administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user in the User Logon Name/Display Name column.
Click Add Permissions in the Actions column.
In the Grant Permission panel, configure the following:
Set the Resource Scope parameter:
Account: The permission applies to the current Alibaba Cloud account.
ResourceGroup: The permission applies to a specific resource group.
Important: If you select ResourceGroup, make sure that the required cloud service supports resource groups. For details, see Services that work with Resource Group. For instructions on granting resource group permissions, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
In the Policy section, select Custom Policy from the drop-down list.
Search for the policy you created in Step 1.
Click the policy name to add it to the Selected Policy section.
Click Grant permissions.
Click Close.
Action-level authorization reference
Use this section to identify which API actions to include in a custom policy for a specific console operation.
The DescribeDTSIP, DescribeSubscriptionInstances, and DescribeSynchronizationJobs actions let RAM users query available DTS instances. If a RAM user has access only to specific instances, the user must first query the available instances before performing related operations. To authorize a RAM user to configure a data migration, data synchronization, or change tracking task, create a custom policy and attach it. For details, see Authorize DTS to access Alibaba Cloud resources.
API operations (new version)
| Feature | Action in the DTS console | Action to include in the policy |
|---|---|---|
| Purchase an instance | Purchase a DTS instance | CreateDtsInstance |
| Migrate or synchronize data | Configure a data migration or synchronization task | ConfigureDtsJob |
| Track data changes | Configure a change tracking task | ConfigureSubscription |
| Start a task | Start a DTS task | StartDtsJob |
| Start multiple tasks at a time | Start multiple DTS tasks at a time | StartDtsJobs |
| Manage consumer groups | Create a consumer group for a change tracking task | CreateConsumerChannel |
| Manage consumer groups | Query the consumer group of a change tracking task | DescribeConsumerChannel |
| Manage consumer groups | Modify the consumer group of a change tracking task | ModifyConsumerChannel |
| Manage consumer groups | Delete the consumer group of a change tracking task | DeleteConsumerChannel |
| Query tasks | Query the details of a DTS task | DescribeDtsJobDetail |
| Query tasks | Query DTS tasks and the details of each task | DescribeDtsJobs |
| Modify task configurations | Modify the configurations of a data synchronization task | ModifyDtsJob |
| Modify task configurations | Modify the configurations of a change tracking task | ModifySubscription |
| Rename a task | Rename a DTS task | ModifyDtsJobName |
| Reset a task | Reset a DTS task | ResetDtsJob |
| Pause a task | Pause a DTS task | SuspendDtsJob |
| Pause multiple tasks at a time | Pause multiple DTS tasks at a time | SuspendDtsJobs |
| Stop a task | Stop a DTS task | StopDtsJob |
| Stop multiple tasks at a time | Stop multiple DTS tasks at a time | StopDtsJobs |
| Release an instance | Release a DTS instance | DeleteDtsJob |
| Release multiple instances at a time | Release multiple DTS instances at a time | DeleteDtsJobs |
| Configure alerts | Create or modify an alert rule for a DTS task | CreateJobMonitorRule |
| Configure alerts | Query the alert rules of a DTS task | DescribeJobMonitorRule |
| Query an ETL task | Query the details of an extract, transform, and load (ETL) task | DescribeDtsEtlJobVersionInfo |
| Query an ETL task | Query the logs of an ETL task | DescribeEtlJobLogs |
API operations (old version)
Data migration tasks
| Feature | Required actions |
|---|---|
| Create a data migration task | CreateMigrationJob |
| Query data migration tasks | DescribeMigrationJobs |
| View task details | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus |
| Rename a task | DescribeMigrationJobs, ModifyMigrationObject |
| Configure a task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob |
| View precheck details | DescribeMigrationJobs, DescribeMigrationJobStatus |
| Create a similar task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob |
| Monitor a task and set an alert rule | DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert |
| Change the instance login password | DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject |
| Start a task | DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail |
| Pause a task | DescribeMigrationJobs, SuspendMigrationJob |
| View schema migration details | DescribeMigrationJobs, DescribeMigrationJobStatus |
| View full data migration details | DescribeMigrationJobs, DescribeMigrationJobStatus |
| View incremental data migration details | DescribeMigrationJobs, DescribeMigrationJobStatus |
| View task performance | DescribeMigrationJobs, DescribeMigrationJobDetail |
| View task logs | DescribeMigrationJobs, DescribeMigrationJobDetail |
Change tracking tasks
| Feature | Required actions |
|---|---|
| Create a change tracking task | CreateSubscriptionInstance |
| Query change tracking tasks | DescribeSubscriptionInstances |
| View task details | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus |
| Rename a task | DescribeSubscriptionInstances, ModifySubscriptionObject |
| Change tracked objects | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
| Create a consumer group | DescribeSubscriptionInstances, CreateConsumerGroup |
| View consumer group information | DescribeSubscriptionInstances, DescribeConsumerGroup |
| Change the consumer group password | DescribeSubscriptionInstances, ModifyConsumerGroupPassword |
| Delete a consumer group | DescribeSubscriptionInstances, DeleteConsumerGroup |
| Change the instance login password | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
| Release a task | DescribeSubscriptionInstances, DeleteSubscriptionInstance |
| Monitor a task and set an alert rule | DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert |
| Configure a task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject |
| View task logs | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus |
Data synchronization tasks
| Feature | Required actions |
|---|---|
| Create a data synchronization task | CreateSynchronizationJob |
| Query data synchronization tasks | DescribeSynchronizationJobs |
| View task details | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Rename a task | DescribeSynchronizationJobs, ModifySynchronizationObject |
| View task configurations | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| View synchronized objects | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| View schema or full synchronization status | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| View task performance | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| View change records of synchronized objects | DescribeSynchronizationJobs |
| View task logs | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus |
| Configure a task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject |
| Start a task | DescribeSynchronizationJobs, StartSynchronizationJob |
| Pause a task | DescribeSynchronizationJobs, SuspendSynchronizationJob |
| Change synchronized objects | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject |
| Release a task | DescribeSynchronizationJobs, DeleteSynchronizationJob |
| Stop a task | DescribeSynchronizationJobs, DeleteSynchronizationJob |
| Monitor a task and set an alert rule | DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert |
| Change the instance login password | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject |
Network settings
| Feature | Required actions |
|---|---|
| Query the CIDR blocks of DTS servers | DescribeDTSIP |
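The tables above map each console feature to the actions it needs, so a least-privilege policy for a RAM user is the union of the rows for the features that user actually performs, plus the DescribeBasicConfigs and DescribeDomainRegions actions the page requires. The following Python script is an added example written for this page, not code from the Alibaba Cloud documentation. It copies a subset of the "Data synchronization tasks" table into a lookup, builds an instance-scoped policy from a list of features, and does the reverse lookup for auditing an existing Action list (which features does it fully enable). The instance IDs dtsexample1 and dtsexample2 are constructed placeholders, and the case-insensitive wildcard matching is an assumption.

```python
"""Derive a least-privilege DTS policy from the console-feature tables on this page."""
import json
from fnmatch import fnmatchcase

# Rows copied from the page's "Data synchronization tasks" table (old-version API operations).
SYNC_FEATURE_ACTIONS = {
    "Query data synchronization tasks": ["DescribeSynchronizationJobs"],
    "View task details": ["DescribeSynchronizationJobs", "DescribeSynchronizationJobStatus"],
    "Configure a task": ["DescribeSynchronizationJobs", "DescribeSynchronizationJobStatus",
                         "ModifySynchronizationObject"],
    "Start a task": ["DescribeSynchronizationJobs", "StartSynchronizationJob"],
    "Pause a task": ["DescribeSynchronizationJobs", "SuspendSynchronizationJob"],
    "Release a task": ["DescribeSynchronizationJobs", "DeleteSynchronizationJob"],
}

# Actions the page says every custom DTS policy must include.
REQUIRED_ACTIONS = ["DescribeBasicConfigs", "DescribeDomainRegions"]


def actions_for(features, table=SYNC_FEATURE_ACTIONS):
    """Union of the actions the table requires for the chosen features, plus the mandatory ones."""
    unknown = [f for f in features if f not in table]
    if unknown:
        raise KeyError(f"features not in table: {unknown}")
    names = set(REQUIRED_ACTIONS)
    for feature in features:
        names.update(table[feature])
    return sorted(f"dts:{name}" for name in names)


def build_policy(features, instance_ids, table=SYNC_FEATURE_ACTIONS):
    """One instance-scoped Allow statement for the chosen features, in the page's policy format."""
    resources = [f"acs:dts:*:*:instance/{iid}" for iid in dict.fromkeys(instance_ids)]
    return {
        "Statement": [{
            "Effect": "Allow",
            "Action": actions_for(features, table),
            "Resource": resources if len(resources) > 1 else resources[0],
        }],
        "Version": "1",
    }


def features_enabled(policy_actions, table=SYNC_FEATURE_ACTIONS):
    """Reverse lookup for auditing: which table features does an Action list fully cover?
    Wildcards such as dts:Describe* are honoured; case-insensitive matching is an assumption."""
    patterns = [p.lower() for p in policy_actions]

    def covered(name):
        return any(fnmatchcase(f"dts:{name}".lower(), p) for p in patterns)

    return sorted(f for f, needed in table.items() if all(covered(n) for n in needed))


if __name__ == "__main__":
    # The instance IDs below are constructed placeholders, not real DTS instances.
    policy = build_policy(["Start a task", "Pause a task"], ["dtsexample1", "dtsexample2"])
    print(json.dumps(policy, indent=2))
    print("enables:", features_enabled(policy["Statement"][0]["Action"]))
```

For the migration and change tracking tables, replace the lookup with the rows from those tables; the functions do not depend on which table is passed in. Note that the reverse lookup also shows why the page's Example 1 (dts:Describe*) is read-only: it covers only the query rows of the table, never a Start, Suspend, Modify or Delete action.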
What to do next
Log on to the Alibaba Cloud Management Console by using a RAM user
FAQ
Why does the DTS console show an error instead of the instance list after I log on as a RAM user?

The RAM user likely has no permissions, or has permissions only on specific instances. When instance-level restrictions are in place, the DTS console cannot display the full instance list. Contact your RAM administrator to get the IDs of the DTS instances the RAM user can access, then search for those instances by ID in the DTS console.
