By default, you can use an Alibaba Cloud account to manage all Elastic Desktop Service (EDS) cloud desktops that belong to this account. If you want to manage cloud desktops as a RAM user, you must grant the required permissions to the RAM user. This topic describes how to grant permissions to a RAM user.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

Resource Access Management (RAM) is a service provided by Alibaba Cloud that allows you to manage user identities and resource access permissions. You can use RAM to create multiple identities such as RAM users within an Alibaba Cloud account and grant different permissions to a single identity or a group of identities. This way, different RAM users can access different resources.

By default, a RAM user has no permissions. After you create a RAM user, you must attach policies to the RAM user before the RAM user can perform related operations. By default, you can attach the following policies:
  • AliyunECDFullAccess: RAM users to which the policy is attached can manage all cloud desktop resources.
  • AliyunECDReadOnlyAccess: RAM users to which the policy is attached can only query cloud desktop resources.
  • AliyunECDRamUserAccess: RAM users to which the policy is attached can use cloud desktops on a client, including the operations to query, connect, restart, start, and stop cloud desktops.
Note: If the preceding policies cannot meet your business requirements, you can create a custom policy and attach the policy to the RAM user. For information about how to create a custom policy, see Create a custom policy.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. Find the RAM user to which you want to grant permissions, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, configure the parameters to attach policies to the RAM user.
    The following table describes the parameters.
    Parameter | Description
    Authorized Scope | The scope in which you want the permissions to take effect. The resource group feature is unavailable in EDS. Therefore, you must select Alibaba Cloud Account.
    Principal | The RAM user to which you want to grant permissions. The RAM user that you selected is automatically filled in the Principal field. You can also specify another RAM user.
    Select Policy | The policies that you want to attach to the RAM user. Select the following policies based on your business requirements.
    • If the RAM user wants to manage cloud desktop resources, select AliyunECDFullAccess.
    • If the RAM user wants only to query cloud desktop resources, select AliyunECDReadOnlyAccess.
    • If the RAM user wants to use cloud desktops on a client, select AliyunECDRamUserAccess.
      Note: If you use a RAM directory of an earlier version, a RAM user can log on to a client only by using the workspace of the RAM directory type. When a regular user uses the RAM user to log on to the client, you must grant permissions to the RAM user. If you use a RAM directory of the latest version, you do not need to grant permissions to convenience users when Active Directory (AD) is not connected.
  5. Click OK.
  6. Confirm the authorized scope and the policies and click Complete.

Result

  • If you attach the AliyunECDFullAccess policy to the RAM user, the RAM user can perform all operations on cloud desktops by using the EDS console or by calling EDS API operations.
  • If you attach the AliyunECDReadOnlyAccess policy to the RAM user, the RAM user can query cloud desktops by using the EDS console or by calling EDS API operations.
  • If you attach the AliyunECDRamUserAccess policy to the RAM user and a RAM directory exists (a workspace of the RAM directory type is used), the RAM user can use cloud desktops on a client.
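
One way to check the result after the procedure, as an added example that is not Alibaba Cloud's own code: the Python below compares the system policies attached to a RAM user with the policies this topic says to select for what the user needs to do. The JSON sample is constructed and assumed to follow the shape of the RAM ListPoliciesForUser response; audit_user, NEED_TO_POLICY, the need labels and the custom policy name are hypothetical.

```python
import difflib
import json

# Need -> system policy to select, as listed in this topic.
# The need labels ("manage", "query", "client") are hypothetical names.
NEED_TO_POLICY = {
    "manage": "AliyunECDFullAccess",
    "query": "AliyunECDReadOnlyAccess",
    "client": "AliyunECDRamUserAccess",
}
EDS_POLICIES = set(NEED_TO_POLICY.values())

# Constructed sample, assumed to follow the RAM ListPoliciesForUser response shape.
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunECDFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECIReadOnlyAccess", "PolicyType": "System"},
    {"PolicyName": "desktop-ops-custom", "PolicyType": "Custom"},
]}})


def audit_user(list_policies_json, needs):
    """Compare attached system policies with the policies the needs call for."""
    policies = json.loads(list_policies_json)["Policies"]["Policy"]
    attached = {p["PolicyName"] for p in policies if p["PolicyType"] == "System"}
    expected = {NEED_TO_POLICY[n] for n in needs}
    attached_eds = attached & EDS_POLICIES
    # A near-identical name that is not an EDS policy may mean another
    # service's policy was picked in the Select Policy list.
    lookalikes = {}
    for name in sorted(attached - EDS_POLICIES):
        close = difflib.get_close_matches(name, sorted(EDS_POLICIES), n=1, cutoff=0.9)
        if close:
            lookalikes[name] = close[0]
    return {
        "missing": sorted(expected - attached_eds),   # needed but not attached
        "excess": sorted(attached_eds - expected),    # broader than the need
        "lookalikes": lookalikes,                     # likely wrong-service pick
        "custom": sorted(p["PolicyName"] for p in policies
                         if p["PolicyType"] == "Custom"),  # review by hand
    }


if __name__ == "__main__":
    # The user in the sample should only query cloud desktops.
    print(json.dumps(audit_user(SAMPLE, ["query"]), indent=2))
```

Custom policies are only listed, not evaluated, because their effect depends on the policy document.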