
Elasticsearch: Grant permissions to a RAM user

Last Updated: May 28, 2024

If you purchase an Alibaba Cloud Elasticsearch cluster and other personnel in your organization (such as O&M, development, or data analytics personnel) want to use RAM users to access the cluster, you can attach policies to each RAM user based on the features that the person requires. This improves system security and availability. You can also create multiple user groups and attach different policies to each group, so that you manage user permissions by user group.

Policy description

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM?

Policies are categorized into system policies and custom policies.

  • System policies

    | System policy | Description |
    | --- | --- |
    | AliyunElasticsearchReadOnlyAccess | Grants the read-only permissions on Elasticsearch or Logstash clusters. This policy can be attached to read-only users. |
    | AliyunElasticsearchFullAccess | Grants the management permissions on Elasticsearch clusters, Logstash clusters, or Beats shippers. This policy can be attached to administrators. |

  • Custom policies

    If system policies do not meet your business requirements, you can create custom policies. For more information, see Create a custom policy.
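
The following added example (not part of the original Alibaba Cloud documentation) audits which policies each RAM user effectively holds, directly or through user groups, against the intended use of the two Elasticsearch system policies above and the high-risk policies named on this page. The role labels, user names, group names, and inventory layout are assumptions constructed for illustration.

```python
# Added example: audit RAM policy attachments against the guidance on this page.
# All users, groups and role labels below are constructed sample data.
ES_READ_ONLY = "AliyunElasticsearchReadOnlyAccess"
ES_FULL = "AliyunElasticsearchFullAccess"
# Only the two high-risk policies this page names; the real list is longer.
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}

# Hypothetical role labels mapped to the most each role should hold.
ALLOWED_BY_ROLE = {
    "admin": {ES_FULL, ES_READ_ONLY},
    "read-only": {ES_READ_ONLY},
}

INVENTORY = [  # constructed inventory: direct and group-inherited policies
    {"user": "es-admin", "role": "admin",
     "groups": {"es-admins": [ES_FULL]}, "direct": []},
    {"user": "analyst-1", "role": "read-only",
     "groups": {"es-readers": [ES_READ_ONLY]}, "direct": [ES_FULL]},
    {"user": "dev-1", "role": "read-only",
     "groups": {}, "direct": [ES_READ_ONLY, "AliyunRAMFullAccess"]},
    {"user": "ops-1", "role": "operator",
     "groups": {}, "direct": [ES_READ_ONLY]},
]

def effective_policies(entry):
    """Map each policy a user holds to where it comes from (direct wins)."""
    policies = {p: "direct" for p in entry["direct"]}
    for group, names in entry["groups"].items():
        for p in names:
            policies.setdefault(p, f"group:{group}")
    return policies

def audit(inventory):
    """Return (user, policy, source, reason) for every attachment to review."""
    findings = []
    for entry in inventory:
        allowed = ALLOWED_BY_ROLE.get(entry["role"])
        for policy, source in sorted(effective_policies(entry).items()):
            if policy in HIGH_RISK:
                findings.append((entry["user"], policy, source, "high-risk policy"))
            elif allowed is None:
                # A role with no defined baseline cannot be judged; flag it.
                findings.append((entry["user"], policy, source, "unknown role"))
            elif policy not in allowed:
                findings.append((entry["user"], policy, source, "exceeds role"))
    return findings

if __name__ == "__main__":
    for user, policy, source, reason in audit(INVENTORY):
        print(f"{user}: {policy} ({source}) -> {reason}")
```

The source column shows whether a finding comes from a direct attachment or a user group, which tells you where to detach the policy.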

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

    The granted permissions then take effect. You can log on to the Elasticsearch console as the RAM user and perform authorized operations.

    Note