By default, newly created Resource Access Management (RAM) users are not granted permissions to activate Alibaba Cloud Dynamic Route for CDN (DCDN) or change the billing method of DCDN. If you want to activate DCDN or change the billing method of DCDN, you must log on to the RAM console and grant permissions to the RAM users.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is an Alibaba Cloud service that is used to manage user identities and resource access permissions. RAM supports system and custom permission policies. You can use system permission policies to grant RAM users full permissions (including service activation and configuration modification) on DCDN. You can use custom permission policies to grant RAM users permissions to activate DCDN or modify configurations, or only the permissions to activate DCDN and modify configurations.
  • System permission policies

    System permission policies are configured and provided by Alibaba Cloud. You cannot modify the system permission policies. A system permission policy grants RAM users full permissions (including service activation and configuration modification) on DCDN. Only a few steps are required to grant permissions to RAM users by using system permission policies.

  • Custom permission policies

    You can create or modify custom permission policies to enforce fine-grained permission control. For example, you can use custom permission policies to grant RAM users permissions to activate DCDN or modify configurations, or only the permissions to activate DCDN and modify configurations.

Permission scopes

The following table describes the scopes of the permissions that you can grant to a RAM user. For example, you can grant a RAM user the permissions to activate DCDN or modify configurations.
Note In this topic, configuration modification refers to the process of changing the billing method.
Permission scope Description Reference
Full permissions (including service activation and configuration modification) Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings, activate DCDN, and change the billing method. Example 1: Attach a system permission policy to a RAM user (including service activation and configuration modification)
Full permissions (excluding service activation) Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and change the billing method. The permissions to activate DCDN are excluded. Example 2: Attach a custom permission policy to a RAM user (service activation or configuration modification)
Full permissions (excluding configuration modification) Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and activate DCDN. The permissions to change the billing method are excluded.
Service activation permissions Only the permissions to activate DCDN.
Configuration modification permissions Only the permissions to change the billing method.
Service activation and configuration modification permissions Only the permissions to activate DCDN and change the billing method. Example 3: Attach a custom permission policy to a RAM user (service activation and configuration modification)
Full permissions (excluding service activation and configuration modification) Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings. The permissions to activate DCDN and change the billing method are excluded. Example 4: Attach a custom permission policy to a RAM user (excluding service activation and configuration modification)

Example 1: Attach a system permission policy to a RAM user (including service activation and configuration modification)

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    Add permissions
  4. In the Add Permissions panel, specify the required parameters.
    Add permissions
    1. In the Authorized Scope section, select Alibaba Cloud Account.
      Note If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the permissions to active DCDN and modify configurations do not take effect for the RAM user.
    2. Click System Policy.
    3. Enter DCDN in the search box. The system automatically displays all permission policies that are related to DCDN.
    4. Click AliyunDCDNFullAccess to add the policy to the Selected list.
  5. Click OK.
  6. Click Complete.

Example 2: Attach a custom permission policy to a RAM user (service activation or configuration modification)

  1. Create a custom permission policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the custom permission policy.
      Custom policy settings
      Parameter Description
      Policy Name Enter a descriptive name for the custom permission policy. In this example, AliyunDcdntest is used.
      Note Optional. Enter a description for the custom permission policy.
      Configuration Mode Select Script.
      Policy Document Enter the content of the custom permission policy in the code editor. Examples of custom permission policies are provided for your reference. 
      {
    "Version": "1",
    "Statement": [
        {
            "Action": "dcdn:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dcdn:OpenDcdnService"
            ],
            "Resource": "*",
            "Effect": "Deny"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "logdelivery.dcdn.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
      {
    "Version": "1",
    "Statement": [
        {
            "Action": "dcdn:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dcdn:ModifyDcdnService"
            ],
            "Resource": "*",
            "Effect": "Deny"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "logdelivery.dcdn.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
      {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dcdn:OpenDcdnService"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
      {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dcdn:ModifyDcdnService"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
    5. Click OK.
  2. Attach the custom permission policy to a RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
      Add permissions
    4. In the Add Permissions panel, configure the required parameters.
      Add permissions 01
      Parameter Description
      Authorized Scope Select Alibaba Cloud Account.
      Note If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the permissions to active DCDN and modify configurations do not take effect for the RAM user.
      Principal The current RAM user is automatically selected.
      Select Policy Click Custom Policy. Enter the name of the custom permission policy created in Step 1. In this example, the name of the custom permission policy is AliyunDcdntest. After the system displays the custom permission policy, click the name of the permission policy to add the custom permission policy to the Selected list.
    5. Click OK.
    6. Click Complete.

Example 3: Attach a custom permission policy to a RAM user (service activation and configuration modification)

  1. Create a custom permission policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the custom permission policy.
      Add permissions 01
      Parameter Description
      Policy Name Enter a descriptive name for the custom permission policy. In this example, AliyunDcdntest is used.
      Note Optional. Enter a description for the custom permission policy.
      Configuration Mode Select Script.
      Policy Document
      Enter the following policy content: 
      {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dcdn:OpenDcdnService",
                 "dcdn:ModifyDcdnService"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
    5. Click OK.
  2. Attach the custom permission policy to a RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
      Add permissions
    4. In the Add Permissions panel, configure the required parameters.
      Add permissions 01
      Parameter Description
      Authorized Scope Select Alibaba Cloud Account.
      Note If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the permissions to active DCDN and modify configurations do not take effect for the RAM user.
      Principal The current RAM user is automatically selected.
      Select Policy Click Custom Policy. Enter the name of the custom permission policy created in Step 1. In this example, the name of the custom permission policy is AliyunDcdntest. After the system displays the custom permission policy, click the name of the permission policy to add the custom permission policy to the Selected list.
    5. Click OK.
    6. Click Complete.

Example 4: Attach a custom permission policy to a RAM user (excluding service activation and configuration modification)

  1. Create a custom permission policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the custom permission policy.
      Add permissions 02
      Parameter Description
      Policy Name Enter a descriptive name for the custom permission policy. In this example, AliyunDcdntest is used.
      Note Optional. Enter a description for the custom permission policy.
      Configuration Mode Select Script.
      Policy Document
      Enter the following policy content: 
      {
    "Version": "1",
    "Statement": [
        {
            "Action": "dcdn:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dcdn:ModifyDcdnService",
                "dcdn:OpenDcdnService"
            ],
            "Resource": "*",
            "Effect": "Deny"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "logdelivery.dcdn.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
    5. Click OK.
  2. Attach the custom permission policy to a RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
      Add permissions
    4. In the Add Permissions panel, configure the required parameters.
      Add permissions 01
      Parameter Description
      Authorized Scope Select Alibaba Cloud Account.
      Note If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud account that owns the RAM user. If you select Specific Resource Group, the permissions to active DCDN and modify configurations do not take effect for the RAM user.
      Principal The current RAM user is automatically selected.
      Select Policy Click Custom Policy. Enter the name of the custom permission policy created in Step 1. In this example, the name of the custom permission policy is AliyunDcdntest. After the system displays the custom permission policy, click the name of the permission policy to add the custom permission policy to the Selected list.
    5. Click OK.
    6. Click Complete.