To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on domain names to RAM users. Then, the authorized RAM users can manage domain names. This topic describes how to authorize a RAM user to manage domain names.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Usage notes
RAM is a resource access control service provided by Alibaba Cloud. You can use RAM to authorize a RAM user to manage your domain names. By default, system policies and custom policies are supported. The AliyunDomainFullAccess system policy is provided for Alibaba Cloud Domain Names. You can create a custom policy to perform finer-grained access control if the system policy cannot meet your business requirements.
This topic describes two custom policies, which are used to grant a RAM user the read-only permissions on all domain names and the management permissions on a single domain name. For more information about how to create other custom policies, see Create custom policies.
Grant the read and write permissions to a RAM user by attaching a system policy
You can attach the AliyunDomainFullAccess system policy to a RAM user in the RAM console to authorize the RAM user to manage domain names. This system policy grants the highest-level permissions. The authorized RAM user can manage all domain names within the Alibaba Cloud account.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane of the RAM console, choose .
On the Users page, find the RAM user to which you want to grant permissions in the User Logon Name/Display Name column. Click Add Permissions in the Actions column.
In the Grant Permission panel, configure the parameters.
Set the Resource Scope parameter to Account.
Note: The system automatically enters the authorized principal in the Principal field.
Select System Policy.
Enter domain in the search box. The system policies related to domain names are displayed in the list.
Click AliyunDomainFullAccess to add the policy to the Selected Policy section.
Click Grant permissions.

Grant the read-only permissions to a RAM user by creating a custom policy
You can create a custom policy in the RAM console to grant the read-only permissions to a RAM user. The authorized RAM user can view domain names within the Alibaba Cloud account but cannot manage these domain names.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following script in the code editor. Click OK.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:Query*"
      ],
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
In the dialog box that appears, set Policy Name and Description (optional).

For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.
Click OK.
You can use one of the following methods to view the created custom policy:
Method 1: On the Policies page, select Custom Policy from the Policy Type drop-down list and find the created custom policy.
Method 2: In the Grant Permission panel, select Custom Policy from the drop-down list in the Policy section and find the created custom policy.

Authorize a RAM user to manage a single domain name by creating a custom policy
You can create a custom policy in the RAM console to authorize a RAM user to manage a single domain name. For example, you can authorize a RAM user to manage the example.com domain name.
Only some of the operations on a domain name can be authorized. For more information about the authorization rules of each operation, see Authentication rules for the Domains API.
After you attach the custom policy to a RAM user, the RAM user can log on to the Alibaba Cloud Domain Names console to view all the domain names within the Alibaba Cloud account. However, the RAM user can manage only the domain name specified in the custom policy.
Perform the following steps:
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following script in the code editor and replace example.com with the domain name that you want to authorize the RAM user to manage. Then, click OK.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:DnsModification",
        "domain:SecuritySetting",
        "domain:RealNameVerificationOperation",
        "domain:DnsHostModification",
        "domain:CreateOrderActivate",
        "domain:CreateOrderRenew",
        "domain:CreateOrderRedeem",
        "domain:CreateOrderTransfer",
        "domain:DomainTransferInOperation",
        "domain:DomainTransferOutOperation",
        "domain:QualificationAuditOperation",
        "domain:EnsSetting",
        "domain:DnsSecSetting",
        "domain:SaveArtExtension",
        "domain:CreateOrderPendingDelete"
      ],
      "Resource": "acs:domain:*:*:domain/example.com",
      "Effect": "Allow"
    },
    {
      "Action": [
        "domain:Query*"
      ],
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
In the dialog box that appears, set Policy Name and Description (optional).

For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.
Click OK.
You can use one of the following methods to view the created custom policy:
Method 1: On the Policies page, select Custom Policy from the Policy Type drop-down list and find the created custom policy.
Method 2: In the Grant Permission panel, select Custom Policy from the drop-down list in the Policy section and find the created custom policy.
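The following Python check is an added example, not part of the Alibaba Cloud documentation. It reads a policy document before you attach it and reports any Allow statement that grants management actions on a resource that is not pinned to one domain name, which is the difference between the single-domain policy above and a policy that silently covers every domain in the account. The function names are hypothetical, and treating every action outside domain:Query* as a management action is an assumption of this example.

```python
import json

def _as_list(value):
    # RAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _scoped_domain(resource):
    # "acs:domain:*:*:domain/example.com" -> "example.com"; None if not pinned to one name.
    relative_id = resource.split(":", 4)[-1]
    if relative_id.startswith("domain/") and "*" not in relative_id:
        return relative_id[len("domain/"):]
    return None

def audit_domain_policy(policy_json):
    """Return (writable_domains, findings) for a RAM policy document.

    Assumption of this example: any action outside domain:Query* is a
    management action and should be pinned to a named domain.
    """
    writable, findings = set(), []
    for index, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        manage = [a for a in _as_list(stmt["Action"]) if not a.startswith("domain:Query")]
        if not manage:
            continue
        for resource in _as_list(stmt["Resource"]):
            domain = _scoped_domain(resource)
            if domain:
                writable.add(domain)
            else:
                findings.append(f"Statement {index}: {len(manage)} management action(s) on {resource}")
    return writable, findings

def _policy(manage_resource):
    # Constructed input: the page's single-domain policy with the action list shortened.
    return json.dumps({"Version": "1", "Statement": [
        {"Action": ["domain:DnsModification", "domain:SecuritySetting"],
         "Resource": manage_resource, "Effect": "Allow"},
        {"Action": ["domain:Query*"], "Resource": "acs:domain:*:*:*", "Effect": "Allow"},
    ]})

SCOPED = _policy("acs:domain:*:*:domain/example.com")   # resource as on the page
UNSCOPED = _policy("acs:domain:*:*:*")                   # constructed mistake: wildcard resource

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(name, audit_domain_policy(doc))
```

An empty findings list with the expected domain in the first element means the management statement is limited to that domain name; the Query* statement on all resources is not reported because it is read-only.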
What to do next
Log on to the Alibaba Cloud Domain Names console as the authorized RAM user. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.