This topic describes how to grant permissions on Hologres to RAM users that belong to your Alibaba Cloud account. Authorized RAM users can view, purchase, and delete Hologres instances in the Hologres console.

Background information

Resource Access Management (RAM) is a permission management system that is provided by Alibaba Cloud. RAM is used to control the permissions of accounts.

You can create RAM users within your Alibaba Cloud account and grant them different permissions on Hologres. For example, you can grant RAM users the permissions to purchase or delete instances, upgrade or downgrade instance specifications, modify the network configurations of instances, and view instance details.

When you perform data analytics operations on a Hologres instance as a RAM user, take note of the following items:
  • If permissions on Hologres are not granted by the Alibaba Cloud account, the RAM user cannot view or manage instances in the Hologres console.
  • Development permissions on Hologres instances are granted separately from console permissions. A RAM user that has the development permissions on an instance can connect to development tools and perform data analytics operations even if the RAM user cannot manage instances in the Hologres console. For more information, see Grant the development permissions on a Hologres instance to RAM users.

Grant permissions on Hologres to a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. Grant permissions to the RAM user.
    In the Add Permissions panel, set the parameters that are described in the following table.

    Parameter         Description
    Authorized Scope  Valid values:
                      • Alibaba Cloud Account
                      • Specific Resource Group
    Principal         The RAM user to which you want to grant permissions.
    Select Policy     Valid values:
                      • System Policy
                      • Custom Policy
                      Note
                      • You can create custom policies based on your business requirements.
                      • You can attach a maximum of five policies at a time. To attach more policies, perform the operation multiple times.
    You can select System Policy or Custom Policy based on the following descriptions:
    • System Policy
      The following table describes the system policies that you can use to grant permissions on Hologres. If you attach all of these system policies to the RAM user, the RAM user can perform all operations in the Hologres console.

      Policy                        Description
      AliyunHologresFullAccess      Grants full access permissions on Hologres. If you attach this policy to the RAM user, the RAM user can view the information about all instances and purchase instances in the Hologres console.
                                    Note: To view user information on the User Management page in the Hologres console, you must also attach the AliyunRAMReadOnlyAccess policy to the RAM user.
      AliyunBSSOrderAccess          Grants permissions to view, pay for, and cancel orders in the Billing Management console. If you attach this policy to the RAM user, the RAM user can upgrade or downgrade instance specifications and renew instances in the Hologres console.
      AliyunRAMReadOnlyAccess       Grants read-only permissions on RAM. If you attach this policy to the RAM user, the RAM user can view the information about the current users, groups, and permissions on the User Management page in the Hologres console.
      AliyunHologresReadOnlyAccess  Grants read-only permissions on Hologres. If you attach this policy to the RAM user, the RAM user can view the information about all instances but cannot manage the instances in the Hologres console. For example, the RAM user cannot modify the network configurations of instances.

      Note
      • If you purchase an instance as a RAM user, both the RAM user and the Alibaba Cloud account are superusers by default.
      • If you use an Alibaba Cloud account to purchase an instance, only the Alibaba Cloud account can use the instance by default. RAM users must be authorized by the Alibaba Cloud account before they can use the instance.
    • Custom Policy
      You can click Create Policy to create a custom policy based on your business requirements.

      On the Create Policy page, click the JSON tab. Then, configure the custom policy in the code editor.

      For example, you can use the following policy document. The inline comments explain each statement; JSON does not allow comments, so remove them before you save the policy. Include only the statements for the operations that the RAM user needs:
      {
          "Statement": [
              {   // Grant a RAM user the permissions to perform all operations. After the permissions are granted, you do not need to set the permissions mentioned below. 
                  "Effect": "Allow",
                  "Action": "hologram:*", // Indicates that the RAM user has the permissions to perform all operations. 
                  "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*" // Indicates that the RAM user can have access to instances in all regions. 
              },
              {   // Grant a RAM user the permissions to purchase or renew instances. 
                  "Effect": "Allow",
                  "Action": "hologram:*",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to delete instances. 
                  "Effect": "Allow",
                  "Action": "hologram:DeleteInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to purchase instances. The RAM user can purchase instances only after the required permissions are granted. 
                  "Effect": "Allow",
                  "Action": "bss:PayOrder",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to view instance details. 
                  "Effect": "Allow",
                  "Action": "hologram:DescribeInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to view the instance list. 
                  "Effect": "Allow",
                  "Action": "hologram:ListInstances",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to suspend instances. 
                  "Effect": "Allow",
                  "Action": "hologram:StopInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to resume instances. 
                  "Effect": "Allow",
                  "Action": "hologram:ResumeInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to view the monitoring metrics of instances. 
                  "Effect": "Allow",
                  "Action": "hologram:GetInstanceMetrics",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {   // Grant a RAM user the permissions to modify the network configurations of instances. 
                  "Effect": "Allow",
                  "Action": "hologram:ModifyInstanceNetworkType",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              }
          ],
          "Version": "1"
      }
      The following table describes the parameters in the syntax.

      Parameter                   Description
      <region>                    The region in which the Hologres instance resides. Example: beijing.
      <Alibaba Cloud account ID>  The ID of your Alibaba Cloud account.
      *                           The IDs of all Hologres instances within your Alibaba Cloud account.

      You can also replace the asterisk (*) with the ID of a specific Hologres instance.

      For example, the following resource identifier specifies a single instance:
      acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx
  5. Click OK.
  6. Click Complete.
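As an added example that is not part of the original topic, the following Python script evaluates a custom policy in the format shown above against one action and one resource identifier (acs:hologram:<region>:<Alibaba Cloud account ID>:instance/<instance ID>), and flags Allow statements that grant every Hologres action on instances in every region, which is what the first statement of the example policy does. It assumes a simplified RAM evaluation model in which a matching explicit Deny overrides Allow and a request matched by no Allow statement is denied; the account ID 4322xxxxx and instance ID hhhgggxxxx are the placeholder values from the page, and the Deny statement is constructed for illustration.

```python
import re

# Constructed example policy in the format shown above; the page's explanatory
# comments are omitted because JSON does not allow comments.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "hologram:*",
     "Resource": "acs:hologram:cn-beijing:4322xxxxx:instance/*"},
    {"Effect": "Deny", "Action": "hologram:DeleteInstance",
     "Resource": "acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx"}]}

# Constructed: the first statement of the page's example policy, which allows
# every Hologres action on instances in every region.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "hologram:*",
     "Resource": "acs:hologram:*:4322xxxxx:instance/*"}]}

def _as_list(field):
    """Action and Resource may be a single string or a list of strings."""
    return [field] if isinstance(field, str) else list(field)

def _matches(pattern, value):
    """Match an Action or Resource pattern against a value; only '*' is a wildcard."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation model (assumption): a matching explicit Deny wins,
    and a request matched by no Allow statement is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def overly_broad_statements(policy):
    """Indexes of Allow statements that grant every Hologres action on instances
    in every region; such a statement makes the narrower statements redundant."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        all_actions = any(a in ("hologram:*", "*") for a in _as_list(stmt["Action"]))
        all_regions = any(r == "*" or r.startswith("acs:hologram:*:")
                          for r in _as_list(stmt["Resource"]))
        if stmt["Effect"] == "Allow" and all_actions and all_regions:
            flagged.append(i)
    return flagged
```

Running is_allowed with hologram:ListInstances against an instance in a region the policy does not cover reproduces the situation behind the "hologram:ListInstances permission on xxx/*" error described in the FAQ below.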

FAQ about RAM user permissions on Hologres

Permissions on Hologres consist of the permissions that are granted in the RAM console and the development permissions that are granted on instances. This section provides answers to frequently asked questions about permissions on Hologres.
  • Why am I unable to view the instance list and instance IDs as a RAM user?
    • Issue description

      When I logged on to the Hologres console as a RAM user and selected a valid region, I could not view the instances that I purchased. The following error message is returned: You are not authorized to view the purchased instances. Contact the relevant Alibaba Cloud account to grant the hologram:ListInstances permission on xxx/* to you in the RAM console.

    • Cause

      The current RAM user does not have permissions to view the instance list in the Hologres console.

    • Solution

      Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresReadOnlyAccess policy to the RAM user. Then, the RAM user can view the instance list.

  • Why am I unable to manage instances as a RAM user who is assigned the superuser role?
    • Issue description

      When I logged on to the Hologres console, I could not purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance from pay-as-you-go to subscription. The following error message is returned: Failed to authenticate the RAM user.

    • Cause

      The current RAM user does not have permissions to purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance. You can perform these operations by using your Alibaba Cloud account.

    • Solution

      Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresFullAccess and AliyunBSSOrderAccess policies to the RAM user. Then, the RAM user can manage instances.

FAQ about RAM user permissions on instances

  • Why am I unable to connect to and use Hologres instances as a RAM user?
    • Issue description

      The following error message is returned: role "<role_name>" does not exist.

    • Cause

      After a Hologres instance is created, only the Alibaba Cloud account and the RAM user that purchased the instance are superusers of the instance by default. Other RAM users must be added to the instance and granted permissions by a superuser before they can connect to and use the instance.

    • Solution
      • On the User Management page in the HoloWeb console, add users and grant the required permissions to the users. For more information, see Manage users.
      • Connect to the instance and execute the CREATE USER "<role_name>"; statement. For more information, see Overview.
  • Why am I unable to view the information on the User Management page and the Database Authorization page?
    • Issue description

      When I logged on to the Hologres console as a RAM user, I could not view the information on the User Management page and the Database Authorization page. The following error message is returned: You are not authorized to perform this operation. Contact the superuser to add your account to the current instance.

    • Cause

      The current RAM user does not have the development permissions on the instance. To view related information, you must be granted the specified development permissions on the instance.

    • Solution

      Grant the RAM user the development permissions on the instance by using your Alibaba Cloud account or as a superuser. For more information, see Grant the development permissions on a Hologres instance to RAM users.