Authorize a RAM user to manage DTS instances by using a system policy - Data Transmission Service

Grant Data Transmission Service (DTS) management permissions to a Resource Access Management (RAM) user to enforce least-privilege access and improve Alibaba Cloud account security.

Prerequisites

Before you begin, make sure that:

The RAM user is authorized to access the cloud resources of the current Alibaba Cloud account used in your DTS tasks, such as ApsaraDB for RDS instances and Elastic Compute Service (ECS) instances. This allows DTS to access the relevant cloud resource information when you configure a DTS task as the RAM user. For details, see Authorize DTS to access Alibaba Cloud resources.

Constraints

Keep the following constraints in mind before you configure DTS tasks as a RAM user:

API-level permissions: DTS does not support granting API-level permissions to RAM users. Only the system policies listed below are available.
MaxCompute: To synchronize data to a MaxCompute project, use an Alibaba Cloud account to configure the data synchronization task. RAM users cannot configure this type of task.
Database Gateway: If the RAM user connects to a database over Database Gateway, grant the AliyunDGFullAccess policy to the RAM user.
Cloud Enterprise Network (CEN): If the RAM user connects to a database over CEN, grant the AliyunCENFullAccess policy to the RAM user.

System policies

DTS provides two system policies for RAM user authorization.

Policy	Access level	What the RAM user can do
AliyunDTSFullAccess	Read and write	Purchase, configure, and manage DTS instances
AliyunDTSReadOnlyAccess	Read-only	View the details and configurations of all DTS tasks owned by the Alibaba Cloud account. The RAM user cannot purchase, configure, or manage DTS instances.

Grant a system policy to a RAM user

Log on to the RAM console using your Alibaba Cloud account.
Create a RAM user if you have not done so already.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the following settings.
1. Select an authorization scope:
  - Alibaba Cloud Account: The policy takes effect across the current Alibaba Cloud account.
  - Specific Resource Group: The policy takes effect within a specific resource group. Make sure the cloud service supports resource groups before selecting this option. For details, see Services that work with Resource Group. For an example of resource group-scoped authorization, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Confirm the principal. The principal is the RAM user you selected.
3. Set the Select Policy parameter to System Policy.
4. Enter dts in the search box to filter DTS-related policies.
5. Select the policies to add. They appear in the Selected section. For guidance on which policy to select, see the System policies section.
Click OK.
Click Complete.

What's next

Log on to the Alibaba Cloud Management Console as a RAM user