By default, you can use an Alibaba Cloud account to manage all Elastic Desktop Service
(EDS) cloud desktops that belong to this account. If you want to manage cloud desktops
as a RAM user, you must grant the required permissions to the RAM user. This topic
describes how to grant permissions to a RAM user.
Background information
Resource Access Management (RAM) is a service provided by Alibaba Cloud that allows
you to manage user identities and resource access permissions. You can use RAM to
create multiple identities such as RAM users within an Alibaba Cloud account and grant
different permissions to a single identity or a group of identities. This way, different
RAM users can access different resources.
By default, a RAM user has no permissions. After you create a RAM user, you must attach
policies to the RAM user before the RAM user can perform related operations. By default,
you can attach the following policies:
- AliyunECDFullAccess: RAM users to which the policy is attached can manage all cloud
desktop resources.
- AliyunECDReadOnlyAccess: RAM users to which the policy is attached can only query
cloud desktop resources.
- AliyunECDRamUserAccess: RAM users to which the policy is attached can use cloud desktops
on a client, including the operations to query, connect, restart, start, and stop
cloud desktops.
Note: If the preceding policies cannot meet your business requirements, you can create a
custom policy and attach the policy to the RAM user. For information about how to
create a custom policy, see Create a custom policy.
Procedure
- Log on to the RAM console by using an Alibaba Cloud account.
- In the left-side navigation pane, choose .
- Find the RAM user to which you want to grant permissions, and click Add Permissions in the Actions column.
- In the Add Permissions panel, configure the parameters to attach policies to the RAM user.
The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Authorized Scope | The scope in which you want the permissions to take effect. The resource group feature is unavailable in EDS. Therefore, you must select Alibaba Cloud Account. |
| Principal | The RAM user to which you want to grant permissions. The RAM user that you selected is automatically filled in the Principal field. You can also specify another RAM user. |
| Select Policy | The policies that you want to attach to the RAM user. Select the following policies based on your business requirements. (1) If the RAM user wants to manage cloud desktop resources, select AliyunECDFullAccess. (2) If the RAM user wants only to query cloud desktop resources, select AliyunECDReadOnlyAccess. (3) If the RAM user wants to use cloud desktops on a client, select AliyunECDRamUserAccess. Note: If you use a RAM directory of an earlier version, a RAM user can log on to a client only by using the workspace of the RAM directory type. When a regular user uses the RAM user to log on to the client, you must grant permissions to the RAM user. If you use a RAM directory of the latest version, you do not need to grant permissions to convenience users when Active Directory (AD) is not connected. |
- Click OK.
- Confirm the authorized scope and the policies and click Complete.
Result
- If you attach the AliyunECDFullAccess policy to the RAM user, the RAM user can perform
all operations on cloud desktops by using the EDS console or by calling EDS API operations.
- If you attach the AliyunECDReadOnlyAccess policy to the RAM user, the RAM user can
query cloud desktops by using the EDS console or by calling EDS API operations.
- If you attach the AliyunECDRamUserAccess policy to the RAM user and a RAM directory
exists (a workspace of the RAM directory type is used), the RAM user can use cloud
desktops on a client.
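The check below is an added example, not part of the original topic or of Alibaba Cloud's tooling. It compares the policies attached to a RAM user with the one policy from this topic that matches the user's need, flagging AliyunECDFullAccess where a narrower policy was called for and flagging names that are one character off from an EDS policy. It assumes input in the JSON shape returned by `aliyun ram ListPoliciesForUser`; the sample users and the function names are constructed for illustration.

```python
import json

# System policies listed in this topic, keyed by what the RAM user needs to do.
EDS_POLICIES = {
    "manage": "AliyunECDFullAccess",
    "query": "AliyunECDReadOnlyAccess",
    "client": "AliyunECDRamUserAccess",
}

def attached_policies(cli_json):
    """Policy names from ListPoliciesForUser-style JSON (assumed shape)."""
    doc = json.loads(cli_json)
    return [p["PolicyName"] for p in doc.get("Policies", {}).get("Policy", [])]

def one_char_off(a, b):
    """True when two names have equal length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def audit(need, cli_json):
    """Return sorted (finding, policy) pairs for one RAM user."""
    expected = EDS_POLICIES[need]
    attached = attached_policies(cli_json)
    findings = set()
    if expected not in attached:
        findings.add(("missing", expected))
    for name in attached:
        if name == EDS_POLICIES["manage"] and need != "manage":
            # Full management rights granted to a user who only queries or connects.
            findings.add(("broader-than-needed", name))
        elif name not in EDS_POLICIES.values() and any(
            one_char_off(name, known) for known in EDS_POLICIES.values()
        ):
            # Similar name, different service: likely picked by mistake.
            findings.add(("look-alike-name", name))
    return sorted(findings)

# Constructed sample output for two hypothetical RAM users.
HELPDESK = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunECDFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECDRamUserAccess", "PolicyType": "System"},
]}})
AUDITOR = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunECIReadOnlyAccess", "PolicyType": "System"},
]}})

if __name__ == "__main__":
    print("helpdesk (client):", audit("client", HELPDESK))
    print("auditor (query):", audit("query", AUDITOR))
```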