Replace EDAS-defined permissions with RAM policies
Last Updated: May 19, 2022
To manage permissions on Alibaba Cloud services including Enterprise Distributed Application
Service (EDAS) in the same access control system, you can replace EDAS-defined permissions
with the policies of Resource Access Management (RAM). This topic describes how to
replace EDAS-defined permissions with RAM policies.
Effect
Specifies whether the statement results in an explicit allow or an explicit deny.
Valid values: Allow and Deny.
Action
The operation that is allowed or not allowed for the resource. You can specify one
or more operations. Set the value to the name of the operation for the resource. Format:
<service-name>:<action-name>.
service-name: the name of an Alibaba Cloud service.
action-name: the name of the operation for the service.
Resource
The object that the statement covers. Syntax: acs:<service-name>:<region>:<account-id>:<relative-id>. The syntax is the same as the format of an Alibaba Cloud Resource Name (ARN).
Condition
Optional. The condition that is required for the policy to take effect. A condition
block consists of one or more condition clauses. A condition clause consists of a
key, an operator, and a value.
Step 1: Create a policy for EDAS
You can use one of the following methods to create or query a policy for EDAS:
Method 1: Query the library of sample policies
You can query RAM policies and EDAS-defined permissions in the library. For more information,
see RAM policies.
Method 2: Use the permission assistant to create a policy
In the left-side navigation pane, choose System Management > Permission Assistant.
On the Permission Assistant page, click New permission Strategy.
In the New permission Strategy panel, set the parameters.
In the Create a new custom permission policy step, set the parameters and click next step.
Parameter | Description
Name of strategy | Enter a custom name for the policy.
note | Enter remarks for the policy.
New permission statement | Click New permission statement. You can add one or more statements.
In the Add authorization statement panel, set the Permissions for and Operations and resource authorization parameters. Then, click yes.
Notice When you create a policy, you can select only one of the following effects: Allow and Deny.
In the Create a new custom permission policy step, click duplicate, edit, or delete in the operation column to copy, modify, or delete a statement as required.
In the Strategy to preview step, preview the policy. Click copy in the upper-right corner and click Finish in the lower-left corner.
The following message appears: New policy authorization succeeded. You can click Return to list view to view and manage the created policy.
Find the created policy and click view detail. In the view detail message, click copy to copy the created policy.
Method 3: Replace an EDAS-defined permission with a RAM policy
If you have specified the sub-accounts that are authorized to manage EDAS resources
in the EDAS console, you can replace the EDAS-defined permissions with RAM policies
in the EDAS console.
In the left-side navigation pane, choose System Management > RAM User.
On the RAM User page, select the sub-account that is granted EDAS-defined permissions and click Create RAM Permission Policy in the RAM Authorization column.
In the RAM Permission Policy message, copy the policy and click OK.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.
On the Create User page, specify Logon Name and Display Name in the User Account Information section.
Note You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode.
Console Access: If you select Console Access, you must complete the logon security settings. These
settings specify whether to use a system-generated or custom logon password, whether
the password must be reset upon the next logon, and whether to enable multi-factor
authentication (MFA).
Note If you select Custom Logon Password as Console Password, you must specify a password.
The password must meet the complexity requirements. For more information about the
complexity requirements, see Configure a password policy for RAM users.
OpenAPI Access: If you select OpenAPI Access, an AccessKey pair is automatically created for the
RAM user. The RAM user can call API operations or use other development tools to access
Alibaba Cloud resources.
Note To ensure the security of your Alibaba Cloud account, we recommend that you select
only one access mode for the RAM user. This way, the RAM user cannot use an AccessKey
pair to access Alibaba Cloud resources after the RAM user leaves the organization.
Click OK.
On the Users page, find the created RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, attach the policy created in Step 2 to the RAM user and click OK.
Parameter | Description
Authorized Scope | Valid values: Alibaba Cloud Account and Specific Resource Group. Select an authorized scope based on your business requirements.
Principal | By default, the current RAM user is selected.
Select Policy | Click the Custom Policy tab. Enter the policy name in the search box to search for the policy. Then, click the policy name in the Authorization Policy Name column.
Step 4: Replace the EDAS-defined permission with the RAM policy for the RAM user in the EDAS console
In the left-side navigation pane, choose System Management > RAM User.
On the RAM User page, find the sub-account that you want to manage and click Switch to RAM User in the RAM Authorization column.
Note
After the sub-account is switched to the RAM user, the Switch to RAM User button in
the RAM Authorization column is dimmed.
After a sub-account is switched to a RAM user, you cannot switch the RAM user back
to the sub-account. The RAM user cannot use EDAS-defined permissions.
When you switch a sub-account to a RAM user, EDAS checks whether the RAM user is granted
the permissions on EDAS.
If the RAM user is granted the permissions on EDAS, click OK in the message that appears to switch the sub-account to the RAM user.
If the RAM user is not granted the permissions on EDAS, you must first grant the permissions
to the RAM user in the RAM console.