Grant permissions on Hologres to RAM users - Hologres - Alibaba Cloud Documentation Center

This topic describes how to grant permissions on Hologres to Resource Access Management (RAM) users that belong to your Alibaba Cloud account. Authorized RAM users can view, purchase, and delete Hologres instances in the Hologres console.

Background information

RAM is a permission management system that is provided by Alibaba Cloud.

RAM is used to control the permissions of accounts.

You can create RAM users within your Alibaba Cloud account and grant them different permissions on Hologres. For example, you can grant RAM users the permissions to purchase or delete instances, upgrade or downgrade instance specifications, modify the network configurations of instances, and view instance details.

When you perform data analytics operations on a Hologres instance as a RAM user, take note of the following items:

If permissions on Hologres are not granted by the Alibaba Cloud account, the RAM user cannot view or manage instances in the Hologres console.
The RAM user can be granted the development permissions on Hologres instances. Even if the RAM user cannot manage instances in the Hologres console, the RAM user can connect to development tools to perform data analytics operations. For more information, see Grant the development permissions on a Hologres instance to RAM users.

Grant permissions on Hologres to a RAM user

Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.

Grant permissions to the RAM user.

In the Add Permissions panel, set the parameters that are described in the following table.


Parameter	Description
Authorized Scope	Valid values: Alibaba Cloud Account: The permissions granted to the RAM role take effect on resources within the current Alibaba Cloud account. Specific Resource Group: The permissions granted to the RAM role take effect on resource in a specific resource group. Note If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Principal	The RAM user to which you want to grant permissions.
Select Policy	Valid values: System Policy Custom Policy Note You can create custom policies based on your business requirements. You can attach a maximum of five policies at a time. To attach more policies, perform the operation multiple times.

You can select System Policy or Custom Policy based on the following descriptions:

System Policy

The following table describes the system policies that you can use to grant permissions on Hologres. If you attach one of the system policies to the RAM user, the RAM user is granted all the permissions defined in the system policy.


Policy	Description
AliyunHologresFullAccess	Grants full access permissions on Hologres. Note This policy does not grant permissions to use Hologres instances. If you want to use a Hologres instance, you must create a user in the Hologres instance as the superuser and log on to and use the Hologres instance as the created user. For more information, see FAQ about RAM user permissions on instances. Take note of the following items about the permissions of a RAM user to which this policy is attached: The RAM user is authorized to view information about all instances in the Hologres console. The RAM user is authorized to perform operations that involve billing. For example, you can purchase instances, upgrade or downgrade instance specifications, renew instances, stop instances, or delete instances as the RAM user. The RAM user is authorized to perform all operations on instances after you purchase the instances as the RAM user. In this case, both the RAM user and the Alibaba Cloud account are superusers of the instances. By default, the RAM user is not authorized to perform operations on the instances that are created by using the Alibaba Cloud account. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Grant the development permissions on a Hologres instance to RAM users. By default, the RAM user is not authorized to query all user permissions on the User Management page in the HoloWeb console. You can attach the AliyunRAMReadOnlyAccess policy to the RAM user. This way, the RAM user is granted the `ListUser` permission and can query all user permissions.
AliyunBSSOrderAccess	Grants permissions to view, pay for, and cancel orders in the Billing Management console. If you attach this policy to a RAM user, the RAM user can upgrade or downgrade instance specifications and renew instances in the Hologres console.
AliyunRAMReadOnlyAccess	Grants read-only permissions on Resource Access Management (RAM). If you attach this policy to a RAM user, the RAM user can view the information about all the RAM users and RAM roles of the Alibaba Cloud account to which the RAM user belongs on the User Management page in the HoloWeb console.
AliyunHologresReadOnlyAccess	Grants read-only permissions on Hologres. If you attach this policy to a RAM user, the RAM user can view the information about all instances in the Hologres console and can view the instance list in the HoloWeb console. The RAM user cannot perform other operations on the instances. For example, the RAM user cannot modify the network type.

Note

If you purchase an instance as a RAM user, both the RAM user and the Alibaba Cloud account are superusers by default.
If you use an Alibaba Cloud account to purchase an instance, you can use the instance by using the Alibaba Cloud account by default. You can use the instance as a RAM user only after the Alibaba Cloud account grants related permissions to the RAM user.

Custom Policy

You can click Create Policy to create a custom policy based on your business requirements. Create a policy

On the Create Policy page, click the JSON tab. Then, configure the custom policy in the code editor.

For example, you can execute the following statements:

{
    "Statement": [
        {  // Grant a RAM user the permissions to perform all operations. If you configure this statement, you do not need to configure the following statements.
            "Effect": "Allow",
            "Action": "hologram:*",// The permissions to perform all operations.
            "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*" // All instances in all regions. <The asterisk (*) cannot be replaced with an instance ID.>
        },
        {   // Grant a RAM user the permissions to purchase or renew instances.
            "Effect": "Allow",
            "Action": "hologram:*",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to delete instances.
            "Effect": "Allow",
            "Action": "hologram:DeleteInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"//<The RAM user must be authorized before the RAM user can delete instances. Otherwise, the RAM user cannot delete instances though a success message is returned.>
        },
        {   // Grant a RAM user the permissions to purchase instances. The RAM user must be authorized before the RAM user can purchase instances.
            "Effect": "Allow",
            "Action": "bss:PayOrder",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"//<Connection failed.>
        },
        {   // Grant a RAM user the permissions to view instance details.
            "Effect": "Allow",
            "Action": "hologram:GetInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*" //<The asterisk (*) can be replaced with an instance ID.>
        },
        { // Grant a RAM user the permissions to view the instance list.
            "Effect": "Allow",
            "Action": "hologram:ListInstances",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"//<The asterisk (*) cannot be replaced with an instance ID.>
        },
        {  // Grant a RAM user the permissions to suspend instances.
            "Effect": "Allow",
            "Action": "hologram:StopInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {  // Grant a RAM user the permissions to resume instances.
            "Effect": "Allow",
            "Action": "hologram:ResumeInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {  // Grant a RAM user the permissions to view the monitoring metrics of instances.
            "Effect": "Allow",
            "Action": "hologram:GetInstanceMetrics",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"//<The asterisk (*) can be replaced with an instance ID.>
        },
        {  // Grant a RAM user the permissions to modify the network configurations of instances.
            "Effect": "Allow",
            "Action": "hologram:UpdateInstanceNetworkType",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        }
    ],
    "Version": "1"
}

The following table describes the parameters in the syntax.


Parameter	Description
<region>	The region in which the Hologres instance resides. Example: beijing.
<Alibaba Cloud account ID>	The ID of your Alibaba Cloud account.
*	The IDs of all Hologres instances within your Alibaba Cloud account. You can also replace the asterisk (*) with the ID of a specific Hologres instance.

Sample statement:

acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx

Note The asterisk (*) in instance/* in the following statements cannot be replaced with a specific instance ID:

{
    "Statement": [
        {  // Grant a RAM user the permissions to perform all operations. If you configure this statement, you do not need to configure the following statements.
            "Effect": "Allow",
            "Action": "hologram:*",// The permissions to perform all operations.
            "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*"// All instances in all regions.
        },
        {   // Grant a RAM user the permissions to purchase or renew instances.
            "Effect": "Allow",
            "Action": "hologram:*",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to delete instances.
            "Effect": "Allow",
            "Action": "hologram:DeleteInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to purchase instances. This statement must be executed if the RAM user wants to purchase instances.
            "Effect": "Allow",
            "Action": "bss:PayOrder",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        { // Grant a RAM user the permissions to view the instance list.
            "Effect": "Allow",
            "Action": "hologram:ListInstances",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {  // Grant a RAM user the permissions to suspend instances.
            "Effect": "Allow",
            "Action": "hologram:StopInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {  // Grant a RAM user the permissions to resume instances.
            "Effect": "Allow",
            "Action": "hologram:ResumeInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {  // Grant a RAM user the permissions to view the metrics of instances.
            "Effect": "Allow",
            "Action": "hologram:GetInstanceMetrics",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {  // Grant a RAM user the permissions to modify the network configurations of instances.
            "Effect": "Allow",
            "Action": "hologram:UpdateInstanceNetworkType",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        }
    ],
    "Version": "1"
}

Click Next to edit policy information. In the dialog box that appears, configure the Name and Description parameters.

Click OK.
Click Complete.

FAQ about RAM user permissions on Hologres

Permissions on Hologres consist of permissions that are granted in the RAM console and part of development permissions on instances. This section provides answers to frequently asked questions about permissions on Hologres.

Why am I unable to view the instance list and instance IDs as a RAM user?
- Problem description
  When I logged on to the Hologres console as a RAM user and selected a valid region, I could not view the instances that I purchased. The following error message is returned: You are not authorized to view the purchased instances. Contact the relevant Alibaba Cloud account to grant the hologram:ListInstances permission on xxx/* to you in the RAM console.
- Cause
  The current RAM user does not have permissions to view the instance list in the Hologres console.
- Solution
  Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresReadOnlyAccess policy to the RAM user. Then, the RAM user can view the instance list.
Why am I unable to manage instances as a RAM user that is assigned the superuser role?
- Problem description
  When I logged on to the Hologres console as a RAM user that is assigned the superuser role, I could not purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance from pay-as-you-go to subscription. The following error message is returned: Failed to authenticate the RAM user.
- Cause
  The current RAM user does not have permissions to purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance. You can perform these operations by using your Alibaba Cloud account.
- Solution
  Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresFullAccess and AliyunBSSOrderAccess policies to the RAM user. Then, the RAM user can manage instances.

FAQ about RAM user permissions on instances

Why am I unable to connect to and use Hologres instances as a RAM user?
- Problem description
  The following error message is returned: role "<role_name>" does not exist.
- Cause
  After you create Hologres instances, only the Alibaba Cloud account and the RAM user that is used to purchase Hologres instances are superusers by default who create Hologres instances. Other RAM users must be granted the permissions to create Hologres instances by superusers before the RAM users can connect to and use the Hologres instances.
- Solution
  Note You can execute the select * from pg_user; statement to view the superusers of the current instance.
  - On the User Management page in the HoloWeb console, add users and grant the required permissions to the users. For more information, see Manage users.
  - Connect to the instance and execute the create user "<role_name>" statement. For more information, see Overview.
Why am I unable to view the information on the User Management page and the Database Authorization page?
- Problem description
  When I log on to the Hologres console as a RAM user, I cannot view information on the User Management page and the Database Authorization page, and an error message is displayed, indicating that you do not have the permission and need to ask the superuser to grant permissions on the instance to your account.
- Cause
  The current RAM user does not have the development permissions on the instance. To view related information, you must be granted the specified development permissions on the instance.
- Solution
  Grant the RAM user the development permissions on the instance by using your Alibaba Cloud account or as a superuser. For more information, see Grant the development permissions on a Hologres instance to RAM users.