The permission assistant of Function Compute simplifies the process of creating permission policies. This helps you create permission policies and attach the policies to RAM users as needed. This topic describes how to create a permission policy in the Function Compute console and then create and attach a custom policy to a RAM user in the Resource Access Management (RAM) console.

Background information

The permission assistant can be used to create permission policies. You can use the permission assistant to manage permissions on Function Compute in a visualized way and generate the corresponding policy syntax in the Function Compute console. Then, you can create a custom policy in the RAM console by replacing the policy syntax with the one generated in the Function Compute console. After that, you can attach the custom policy to the RAM user as needed.

Usage notes

  • If Function Compute releases a new feature, you must generate the policy syntax again and modify the syntax of the custom policy that is attached to a RAM user in the RAM console. Otherwise, the RAM user does not have the permissions to use the new feature of Function Compute.
  • The permission assistant can be used to manage permissions on Function Compute resources by service, function, layer, and domain name. If you want to grant fine-grained permissions on Function Compute resources or permissions to access other Alibaba Cloud services to RAM users, see Create a custom policy.

Prerequisites

Step 1: Create a permission policy in the Function Compute console

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, choose More Features > Permission Assistant.
  3. On the Permission Assistant page, click Create Policy.
  4. In the Configure Policy step of the Create Policy wizard, set the parameters and click Next.
    1. In the Basic Configurations section, set the parameters that are described in the following table.
      Parameter   Description
      Name        The name of the permission policy.
      Remarks     The description of the permission policy.
    2. Optional: In the Permissions on Function Compute section, set the parameters as needed.
      1. Click Add Resources and select the region ID, service, and function from the Region, Service, and Function drop-down lists.
        Note To create a permission policy for resources in all regions, select All Regions from the Region drop-down list.
      2. In the Permission Module section, select the required modules and set the permissions on the modules in the Permission Module and Permission columns.
        Note You can grant permissions on Function Compute resources to RAM users by service, function, layer, and domain name.
      3. Optional: Click Add Conditions. Set the Keyword, Qualifier, and Value parameters to add restrictions on the permissions.
        The following list describes the available keywords, the qualifiers that each keyword supports, and the value to specify.
        • Requested At
          Qualifier: DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, or DateGreaterThanEquals
          Value: The point in time when a request is sent. Specify the time in the ISO 8601 format. Example: 2021-11-11T23:59:59Z. After you set the Qualifier parameter, the system enters the current time in the Value field by default.
        • Secure Channel
          Qualifier: Bool
          Value: Specifies whether a secure channel, such as HTTPS, is used to send the request.
            • true: A secure channel is used to send the request.
            • false: A secure channel is not used to send the request.
        • Client IP Address
          Qualifier: IpAddress or NotIpAddress
          Value: The IP address of the client. Example: 10.0.XX.XX.
        • Multi-factor Authentication
          Qualifier: Bool
          Value: Specifies whether multi-factor authentication (MFA) is used during user logon. MFA refers to using more than two methods for logon authentication.
            • true: MFA is used during user logon.
            • false: MFA is not used during user logon.
    3. Optional: In the Permissions on Cloud Services section, select the required Alibaba Cloud services and set the permissions on the services in the Permission Module and Permission columns.
      Note If you want to grant Function Compute the permissions to access other Alibaba Cloud services, see Grant Function Compute permissions to access other Alibaba Cloud services.
  5. In the Preview Policy step, check the generated rules and click Next.
    In the Policy section, you can click Compress, Format, or Copy to manage the generated policy syntax as needed. The copied policy syntax is used to create a custom policy in the RAM console. For more information, see Step 2: Create a custom policy in the RAM console.
  6. In the Apply to RAM step, read the instructions on how to create a custom policy in the RAM console, and click Completed.
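As an added illustration that is not part of this topic or of the Function Compute product code, the following Python script assembles a policy document of the kind the Preview Policy step displays and evaluates a request context against the condition qualifiers described in Step 4. The fc:InvokeFunction action name, the resource ARN form, and the acs:SourceIp, acs:SecureTransport, acs:MFAPresent and acs:CurrentTime condition keys are assumptions, and the account ID and IP range are constructed sample values.

```python
import ipaddress
import operator
from datetime import datetime
from fnmatch import fnmatchcase

# Assumed, not from the page: fc:* action names, the ARN form acs:fc:<region>:<uid>:
# services/<svc>/functions/<fn>, and the acs:SourceIp/SecureTransport/MFAPresent/CurrentTime keys.
DATE_OPS = {"DateEquals": operator.eq, "DateNotEquals": operator.ne,
            "DateLessThan": operator.lt, "DateLessThanEquals": operator.le,
            "DateGreaterThan": operator.gt, "DateGreaterThanEquals": operator.ge}

def build_policy(region, account_id, service, function, actions, conditions=None):
    # One Allow statement, shaped like what the Preview Policy step shows.
    arn = f"acs:fc:{region}:{account_id}:services/{service}/functions/{function}"
    stmt = {"Effect": "Allow", "Action": list(actions), "Resource": [arn]}
    if conditions:
        stmt["Condition"] = conditions
    return {"Version": "1", "Statement": [stmt]}

def _holds(cond, ctx):
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # ISO 8601 'Z' timestamps
    for qualifier, pairs in cond.items():
        for key, wanted in pairs.items():
            vals = wanted if isinstance(wanted, list) else [wanted]
            if key not in ctx:  # a missing context key never satisfies a condition
                return False
            if qualifier in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(v, strict=False) for v in vals)
                if hit != (qualifier == "IpAddress"):
                    return False
            elif qualifier == "Bool":
                if str(ctx[key]).lower() != str(vals[0]).lower():
                    return False
            elif qualifier in DATE_OPS:
                if not DATE_OPS[qualifier](ts(ctx[key]), ts(vals[0])):
                    return False
            else:
                raise ValueError(f"unsupported qualifier: {qualifier}")
    return True

def is_allowed(policy, action, resource, ctx):
    # True when some Allow statement matches the action, the resource and all its conditions.
    return any(s["Effect"] == "Allow"
               and any(fnmatchcase(action, a) for a in s["Action"])
               and any(fnmatchcase(resource, r) for r in s["Resource"])
               and _holds(s.get("Condition", {}), ctx) for s in policy["Statement"])

# Constructed sample: invoke one function, only over HTTPS and only from one office range.
SAMPLE = build_policy("cn-hangzhou", "123456789012", "orders", "checkout", ["fc:InvokeFunction"],
                      {"IpAddress": {"acs:SourceIp": ["10.0.0.0/16"]}, "Bool": {"acs:SecureTransport": "true"}})
```

Running the same request context against a policy before and after Function Compute adds a feature is a quick way to confirm the regenerated syntax still grants what the RAM user needs.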

Step 2: Create a custom policy in the RAM console

When you create a custom policy in the RAM console, you must use the policy syntax that you copied in the Function Compute console. For more information, see Step 1: Create a permission policy in the Function Compute console.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information.
    For more information about the syntax and structure of policies, see Policy structure and syntax.
  6. Specify the Name and Description fields.
  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.

Step 3: Attach the custom policy to a RAM user in the RAM console

After you create a custom policy, you can attach the policy to a RAM user based on your business requirements in the RAM console. This section describes how to attach a custom policy to a RAM user on the Grants page in the RAM console. For more information, see Grant permissions to the RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. On the Grant Permission page, grant permissions to a RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

References

In addition to the Function Compute console, you can use the permission assistant by calling API operations or by using SDKs. For more information, see SDKs.