When multiple RAM users share an Enterprise Distributed Application Service (EDAS) account, each user typically needs access to only a subset of resources. List authentication filters dropdown lists and list pages in the EDAS console so that each Resource Access Management (RAM) user sees only the resources they have read permissions on. This applies to application lists, cluster lists, and microservices namespace lists.
List authentication is enabled by default. To show all resources to all RAM users regardless of permissions, you can disable list authentication.
How it works
When a RAM user opens a list view or dropdown in the EDAS console, EDAS checks the user's RAM permissions and returns only authorized resources. The following scenarios use list authentication:
Selecting a microservices namespace and cluster when creating an application
Selecting a microservices namespace when creating a cluster
Selecting a microservices namespace when viewing a microservice
Selecting a microservices namespace in the SchedulerX module
List authentication vs. resource authorization
EDAS enforces two separate layers of access control:
Layer | Controls | Effect of disabling list authentication |
List authentication | Which resources appear in dropdown lists and list pages | All resources become visible in lists |
Resource authorization | What a RAM user can do with a specific resource | No change. A RAM user without the required permissions still cannot open a resource's details page |
Disabling list authentication removes only the list-level visibility filter. The underlying resource authorization remains in effect.
Permissions reference
The following RAM permissions control resource visibility in lists:
Resource type | RAM permission | Effect |
Microservices namespace | | Visible in namespace lists and dropdowns |
Cluster | | Visible in cluster lists and dropdowns |
Application | | Visible in application lists |
If a RAM user has read permissions on a resource, that resource appears in the corresponding list.
Resource hierarchy and permission dependencies
EDAS resources follow a parent-child hierarchy:
Microservices namespace
└── Cluster
    └── Application
Permissions do not inherit across levels. When granting permissions, account for this hierarchy:
Target resource | Also grant | Reason |
Application | | The RAM user needs to navigate through the namespace and cluster dropdowns to reach the application |
Cluster | | The RAM user needs to select the namespace to find the cluster |
A RAM user with edas:ReadApplication on an application but without edas:ReadNamespace on its parent namespace can still find the application. On the Applications page, select All Microservice Namespaces from the Microservice Namespace drop-down list.
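The hierarchy rules above can be checked mechanically before a policy is rolled out. The following sketch is an added example, not EDAS code: it models grants as (action, resource pattern) pairs, reports readable resources whose parents lack their own read grant, and shows what the application list returns with list authentication on and off. The resource names are constructed, and `edas:ReadCluster` is an assumed permission name (the page names only `edas:ReadApplication` and `edas:ReadNamespace`).

```python
from fnmatch import fnmatch

# Simplified model of the rules on this page, not EDAS code.
# "edas:ReadCluster" is an assumed name; the page names only the other two.
READ = {"namespace": "edas:ReadNamespace",
        "cluster": "edas:ReadCluster",
        "application": "edas:ReadApplication"}

# Constructed inventory: resource -> (type, parent)
INVENTORY = {
    "ns-prod": ("namespace", None),
    "cluster-a": ("cluster", "ns-prod"),
    "app-orders": ("application", "cluster-a"),
    "app-billing": ("application", "cluster-a"),
}

def can_read(grants, resource):
    """Resource authorization: grants are (action, name-or-wildcard) pairs."""
    action = READ[INVENTORY[resource][0]]
    return any(a == action and fnmatch(resource, pat) for a, pat in grants)

def ancestors(resource):
    """Yield the parent chain of a resource, nearest parent first."""
    parent = INVENTORY[resource][1]
    while parent is not None:
        yield parent
        parent = INVENTORY[parent][1]

def missing_parent_reads(grants):
    """Readable resources whose ancestors lack their own read grant
    (permissions do not inherit across levels)."""
    return sorted((res, READ[INVENTORY[anc][0]], anc)
                  for res in INVENTORY if can_read(grants, res)
                  for anc in ancestors(res) if not can_read(grants, anc))

def listed_applications(grants, namespace=None, list_auth=True):
    """Application list page; namespace=None models 'All Microservice Namespaces'."""
    apps = [r for r, (kind, _) in INVENTORY.items() if kind == "application"]
    if namespace is not None:
        if list_auth and not can_read(grants, namespace):
            return []  # namespace is not offered in the dropdown
        apps = [a for a in apps if namespace in ancestors(a)]
    return sorted(a for a in apps if not list_auth or can_read(grants, a))

# Constructed grant set for one RAM user: application read only.
ALICE = {("edas:ReadApplication", "app-orders")}
```

With list authentication disabled, `listed_applications` returns every application, but `can_read` is unchanged, which is the split between list visibility and resource authorization described earlier on this page.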
Best practices
Use wildcards in RAM policies. RAM policy length is limited. Instead of listing individual resources, use wildcards to define permissions across multiple resources. The EDAS permission assistant simplifies this process. For more information, see Use the EDAS permission assistant to create RAM policies.
Use resource groups for large-scale management. If you manage a large number of clusters and applications, organize them into resource groups to simplify permission assignment. For more information, see Use resource groups to manage permissions.
Only applications and clusters can be added to resource groups. Manage microservices namespace permissions directly through RAM policies.
Disable list authentication
List authentication is enabled by default. To disable it:
1. Log on to the EDAS console.
2. In the left-side navigation pane, choose System Management > RAM User.
3. In the upper-right corner of the RAM User page, click Switch List Authentication Method.
4. In the dialog box, select No Authentication and click OK.
Disabling list authentication takes about 1 minute to take effect. After you complete step 4, wait 1 minute and then refresh the page to confirm that list authentication is disabled.
Troubleshooting
An application does not appear in the application list
Cause: The RAM user has edas:ReadApplication on the application but lacks edas:ReadNamespace on the parent microservices namespace. When a specific namespace is selected in the dropdown filter, the application is hidden because the namespace itself is not visible.
Solution: On the Applications page, select All Microservice Namespaces from the Microservice Namespace drop-down list. The application appears in the unfiltered list. To prevent this issue, grant the RAM user edas:ReadNamespace on the parent namespace.
List authentication is still active after disabling it
Cause: Disabling list authentication takes about 1 minute to take effect.
Solution: Wait 1 minute after disabling list authentication, then refresh the page.
A RAM user cannot open a resource's details page after list authentication is disabled
Cause: Disabling list authentication removes only the list-level visibility filter. Resource authorization remains in effect. If the RAM user lacks the required permissions on a resource, access to that resource's details page is denied regardless of list authentication settings.
Solution: Grant the RAM user the appropriate permissions on the resource through RAM policies.