EDAS-defined permissions are not recommended. Use Resource Access Management (RAM) policies instead. For migration steps, see Replace EDAS-defined permissions with RAM policies.
To facilitate the management of permissions on Enterprise Distributed Application Service (EDAS) and other services, EDAS-defined permissions can be replaced by RAM permission policies. RAM policies are the recommended approach. If your sub-accounts still use EDAS-defined permissions, follow the procedures below to manage them during migration.
How the permission model works
EDAS-defined permissions use a role-based model with three components. You combine these to control what a user can do and which resources they can access.
| Component | Description | Example |
| --- | --- | --- |
| Role | A named set of operation permissions. Created in the EDAS console. | A role that grants deploy and restart permissions. |
| User | A RAM user or sub-account that the role is assigned to. | A developer sub-account. |
| Scope | The specific applications or resource groups the user can access. | A specific application or a resource group. |
A user needs both a role (what they can do) and a scope (what they can access) to perform operations. For example, a user who is authorized for an application but has no assigned role can access the application but cannot manage it.
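The role-plus-scope rule above, as an added worked example (not EDAS code or an Alibaba Cloud API): a small evaluator that computes a user's effective operations on an application, including the case of an application that is authorized but has no role attached. All names, operations and sample data are constructed for illustration.

```python
"""Toy evaluator for the role + scope model described above.

All names, operations and sample data are constructed for illustration;
this is not an EDAS or Alibaba Cloud API.
"""
from dataclasses import dataclass, field

VIEW = "view"  # what an authorized app grants even when no role is assigned

@dataclass
class Role:
    name: str
    operations: frozenset  # operations selected when the role was created

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    authorized_apps: set = field(default_factory=set)
    authorized_resource_groups: set = field(default_factory=set)

def in_scope(user, app, resource_groups):
    """Scope = the app itself, or an authorized resource group containing it."""
    if app in user.authorized_apps:
        return True
    return any(app in resource_groups.get(rg, set())
               for rg in user.authorized_resource_groups)

def effective_operations(user, app, resource_groups):
    """No scope -> nothing; scope but no role -> view only;
    scope and roles -> view plus the union of the roles' operations."""
    if not in_scope(user, app, resource_groups):
        return frozenset()
    ops = {VIEW}
    for role in user.roles:
        ops |= role.operations
    return frozenset(ops)

def can_perform(user, operation, app, resource_groups):
    return operation in effective_operations(user, app, resource_groups)

# Constructed sample data: one resource group, one role, two users.
RESOURCE_GROUPS = {"rg-payments": {"checkout", "billing"}}
DEPLOYER = Role("deployer", frozenset({"deploy", "restart"}))
dev = User("dev", roles=[DEPLOYER], authorized_apps={"inventory"},
           authorized_resource_groups={"rg-payments"})
viewer = User("viewer", authorized_apps={"checkout"})  # scoped, but no role
```

Running the same evaluation over every sub-account and application before migration gives a concrete matrix to compare against the RAM policies that replace these permissions.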
Which permission system applies
| Account type | Permission system | Action required |
| --- | --- | --- |
| RAM users | RAM policies | No action. EDAS-defined permissions do not apply. |
| Sub-accounts with AliyunEDASFullAccess | RAM policies | No action. EDAS-defined permissions do not apply. |
| Sub-accounts without AliyunEDASFullAccess | EDAS-defined permissions | Migrate to RAM users. See Replace EDAS-defined permissions with RAM policies. |
Create a role
Roles define what operations a user can perform. As the Alibaba Cloud account owner, create roles and assign them to users.
Log on to the EDAS console.
In the left-side navigation pane, choose System Management > Roles.
On the Roles page, click Create Role in the upper-right corner.
In the Create Role dialog box, enter a name for the role, select permissions in the left-side Optional Permissions list, and click Add >> to move them to the right-side Selected Permissions list. Click OK.
After creation, the role appears on the Roles page. To manage it, click View Permissions, Manage Permissions, or Delete in the Actions column.
Assign roles to a user
After creating roles, assign them to users to grant operation permissions.
Log on to the EDAS console.
In the left-side navigation pane, choose System Management > RAM User.
Find the target RAM user and click Manage Roles in the Actions column.
In the Manage Roles dialog box, select roles from the left-side Unselected list and click > to add them to the right-side Selected list. Click OK.
The assigned roles appear in the Role column on the RAM User page.
Authorize access to applications
Role assignment and application authorization work together: a role defines what operations a user can perform, while application authorization controls which applications the user can access.
A user who is authorized for an application but has no assigned role can view the application but cannot perform operations such as starting or deleting it.
Log on to the EDAS console.
In the left-side navigation pane, choose System Management > RAM User.
Find the target RAM user and click Applications Authorized in the Actions column.
In the Applications Authorized dialog box, select applications from the left-side Unselected list and click > to add them to the right-side Selected list. Click OK.
Authorized applications appear in the Applications Authorized column on the RAM User page.
Authorize access to resource groups
Resource groups let you scope permissions to a collection of related resources rather than individual applications.
Log on to the EDAS console.
In the left-side navigation pane, choose System Management > RAM User.
Find the target RAM user and click Resource Group Authorized in the Actions column.
In the Resource Group Authorized dialog box, select resource groups from the left-side Unselected list and click > to add them to the right-side Selected list. Click OK.
Authorized resource groups appear in the Resource Group Authorized column on the RAM User page.
Migrate to RAM policies
EDAS-defined permissions can be replaced by RAM permission policies. We recommend that you migrate all sub-accounts that use EDAS-defined permissions to RAM users. For migration steps, see Replace EDAS-defined permissions with RAM policies.