To manage permissions on Alibaba Cloud services including Enterprise Distributed Application Service (EDAS) in the same access control system, you can replace EDAS-defined permissions with the policies of Resource Access Management (RAM). This topic describes how to replace EDAS-defined permissions with RAM policies.

Background information

For information about the structure and syntax of RAM policies, see Policy structure and syntax.
A policy statement has the following parameters:
Effect: Specifies whether the statement results in an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action: The operation that is allowed or denied on the resource. You can specify one or more operations. Set the value to the name of the operation for the resource. Format: <service-name>:<action-name>.
  • service-name: the name of an Alibaba Cloud service.
  • action-name: the name of the operation for the service.
Resource: The object that the statement covers. Syntax: acs:<service-name>:<region>:<account-id>:<relative-id>. The syntax is the same as the format of an Alibaba Cloud Resource Name (ARN).
Condition: Optional. The condition that is required for the policy to take effect. A condition block consists of one or more condition clauses. A condition clause consists of a key, an operator, and a value.
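As an added example (not part of Alibaba Cloud's documentation or tooling), the following Python checks a policy document against the statement structure described above, reports malformed Action and Resource values, and flags a statement that allows every action on every resource. The sample policy, its action names and its account ID are constructed placeholders, not EDAS's real action names.

```python
import json
import re

# Formats from the page: Action is <service-name>:<action-name> and Resource is
# acs:<service-name>:<region>:<account-id>:<relative-id>; "*" is accepted as a wildcard.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")
RESOURCE_RE = re.compile(r"^acs:[a-z0-9-]+:[^:]+:[^:]+:.+$")

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def check_statement(stmt, index):
    """Return the problems found in one statement, each prefixed with its index."""
    problems = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append(f"statement {index}: Effect must be Allow or Deny")
    actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
    for name, values in (("Action", actions), ("Resource", resources)):
        if not values:
            problems.append(f"statement {index}: {name} is required")
    problems += [f"statement {index}: bad Action format {a!r}"
                 for a in actions if a != "*" and not ACTION_RE.match(a)]
    problems += [f"statement {index}: bad Resource format {r!r}"
                 for r in resources if r != "*" and not RESOURCE_RE.match(r)]
    cond = stmt.get("Condition")  # optional; shape is {operator: {key: value}}
    if cond is not None and not (isinstance(cond, dict)
                                 and all(isinstance(v, dict) for v in cond.values())):
        problems.append(f"statement {index}: Condition must map operators to key/value maps")
    if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
        problems.append(f"statement {index}: Allow on all actions and all resources grants full access")
    return problems

def check_policy(document):
    """Parse a RAM policy document (JSON text) and return every problem found."""
    policy = json.loads(document)
    problems = [] if policy.get("Version") == "1" else ['Version must be "1"']
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        problems.extend(check_statement(stmt, i))
    return problems

# Constructed sample: action and resource names are placeholders, not EDAS's real ones.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["edas:SampleReadAction"],
     "Resource": "acs:edas:cn-hangzhou:123456789012****:namespace/sample-ns",
     "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Permit", "Action": "edas:SampleWriteAction", "Resource": "*"}]})
```

Running `check_policy(SAMPLE_POLICY)` reports only the second statement's invalid Effect; an empty list means the document is structurally well-formed.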

Step 1: Create a policy for EDAS

You can use one of the following methods to create or query a policy for EDAS:

Method 1: Query the library of sample policies

You can query RAM policies and EDAS-defined permissions in the library. For more information, see RAM policies.

Method 2: Use the permission assistant to create a policy

The scenario in the following example involves only basic operations. For more information, see Use the EDAS permission assistant to create RAM policies.

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > Permission Assistant.
  3. On the Permission Assistant page, click New permission Strategy.
  4. In the New permission Strategy panel, set the parameters.
    1. In the Create a new custom permission policy step, set the parameters and click next step.
      Parameters:
      Name of strategy: Enter a custom name for the policy.
      note: Enter remarks for the policy.
      New permission statement:
      1. Click New permission statement. You can add one or more statements.
      2. In the Add authorization statement panel, set the Permissions for and Operations and resource authorization parameters. Then, click yes.
        Notice When you create a policy, you can select only one of the following effects: Allow and Deny.
      3. In the Create a new custom permission policy step, click duplicate, edit, or delete in the Operation column to copy, modify, or delete a statement as required.
    2. In the Strategy to preview step, preview the policy. Click copy in the upper-right corner and click Finish in the lower-left corner.
      The following message appears: New policy authorization succeeded. You can click Return to list view to view and manage the created policy.
  5. Find the created policy and click view detail. In the view detail message, click copy to copy the created policy.

Method 3: Replace an EDAS-defined permission with a RAM policy

If you have specified the sub-accounts that are authorized to manage EDAS resources in the EDAS console, you can replace the EDAS-defined permissions with RAM policies in the EDAS console.

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > RAM User.
  3. On the RAM User page, select the sub-account that is granted EDAS-defined permissions and click Create RAM Permission Policy in the RAM Authorization column.
  4. In the RAM Permission Policy message, copy the policy and click OK.

Step 2: Create a policy in RAM

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, set the parameters and click OK.
    (Figure: Create Policy)
    Parameters:
    Policy Name: Enter a name for the policy. The name can contain letters, digits, and hyphens (-).
    Note: Optional. Enter remarks for the policy.
    Configuration Mode: In this example, select Script. In the Policy Document field, paste the policy copied in Step 1: Create a policy for EDAS.

Step 3: Create a RAM user and attach the policy to the RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, specify Logon Name and Display Name in the User Account Information section.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select Console Access, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password as Console Password, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select OpenAPI Access, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user cannot use an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.
  7. On the Users page, find the created RAM user and click Add Permissions in the Actions column.
  8. In the Add Permissions panel, attach the policy created in Step 2 to the RAM user and click OK.
    (Figure: Add Permissions)
    Parameters:
    Authorized Scope: Valid values: Alibaba Cloud Account and Specific Resource Group. Select an authorized scope based on your business requirements.
    Principal: By default, the current RAM user is selected.
    Select Policy: Click the Custom Policy tab. Enter the policy name in the search box to search for the policy. Then, click the policy name in the Authorization Policy Name column.

Step 4: Replace the EDAS-defined permission with the RAM policy for the RAM user in the EDAS console

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose System Management > RAM User.
  3. On the RAM User page, find the sub-account that you want to manage and click Switch to RAM User in the RAM Authorization column.
    Note
    • After the sub-account is switched to the RAM user, the Switch to RAM User button in the RAM Authorization column is dimmed.
    • After a sub-account is switched to a RAM user, you cannot switch the RAM user back to the sub-account. The RAM user cannot use EDAS-defined permissions.

    When you switch a sub-account to a RAM user, EDAS checks whether the RAM user is granted the permissions on EDAS.

    • If the RAM user is granted the permissions on EDAS, click OK in the message that appears to switch the sub-account to the RAM user.
    • If the RAM user is not granted the permissions on EDAS, you must first grant the permissions to the RAM user in the RAM console.