Grant permissions to a RAM user - Getting Started| Alibaba Cloud Documentation Center

This topic shows you how to use your Alibaba Cloud account to authorize a RAM user to connect to and use Hologres.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.
An AccessKey pair is created for the RAM user. For more information, see Create an AccessKey pair for a RAM user.

Grant Hologres permissions to a RAM user

After you grant relevant Hologres permissions to a RAM user in the Resource Access Management (RAM) console by using your Alibaba Cloud account, you can log on to the Hologres console and view, purchase, or delete instances as the RAM user. You can log on to the RAM console, find a RAM user, and then attach policies to the RAM user. If you need to grant the RAM user all permissions to view instance information in the Hologres console, attach the AliyunHologresFullAccess and AliyunRAMReadOnlyAccess policies.

Log on to the RAM console by using your Alibaba Cloud account.
Select the RAM user to which you want to grant permissions.
1. In the left-side navigation pane, click Users under Identities.
2. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

Grant permissions to the RAM user.

In the Add Permissions panel, set the parameters as required.


Parameter	Description
Authorization	Valid values: Alibaba Cloud account all resources Specified Resource Group
Principal	The RAM user to which you want to grant permissions.
Select Policy	Valid values: System Policy Custom Policy Note You can create custom policies based on your business needs. You can attach a maximum of five policies at a time. To attach more policies, perform the operation multiple times.

You can select System Policy or Custom Policy based on the following descriptions:

System Policy

The following table describes the system policies that you can use to grant permissions on Hologres. If you attach all of these system policies to the RAM user, the RAM user is authorized to perform all operations in the Hologres console.


Policy	Description
AliyunHologresFullAccess	Grants full access permissions on Hologres. If you attach this policy to the RAM user, the RAM user can view the information about all instances and purchase instances in the Hologres console. Note To view user information on the Users tab of an instance details page in the Hologres console, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user.
AliyunBSSOrderAccess	Grants permissions to view, pay for, and cancel orders in the Billing Management console. If you attach this policy to the RAM user, the RAM user can upgrade or downgrade instance specifications and renew instances in the Hologres console.
AliyunRAMReadOnlyAccess	Grants read-only permissions on RAM. If you attach this policy to the RAM user, the RAM user can view the information about the current users, groups, and permissions on the Users tab of an instance details page in the Hologres console.
AliyunHologresReadOnlyAccess	Grants read-only permissions on Hologres. If you attach this policy to the RAM user, the RAM user can view the information about all instances but cannot manage the instances in the Hologres console. For example, the RAM user cannot modify the network configurations of instances.

Note

If you use a RAM user to purchase an instance, the RAM user and the Alibaba Cloud account are superusers by default.
If you use an Alibaba Cloud account to purchase an instance, only the Alibaba Cloud account can use the instance by default. RAM users must be authorized by the Alibaba Cloud account before they can use the instance.

Custom Policy

You can click Create Policy to create a custom policy based on your business needs. Create

On the Create Custom Policy page, you can set the configuration mode to Script. Then, edit the script of the policy.

Sample statements:

{
    "Statement": [
        {   // Grant a RAM user the permissions to perform all operations. After the permissions are granted, the other permissions are not required.
            "Effect": "Allow",
            "Action": "hologram:*", // Indicates that the RAM user has the permissions to perform all operations.
            "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*" // Indicates that the RAM user has access to instances in all regions.
        },
        {   // Grant a RAM user the permissions to purchase or renew instances.
            "Effect": "Allow",
            "Action": "hologram:*",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to delete instances.
            "Effect": "Allow",
            "Action": "hologram:DeleteInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to purchase instances. The RAM user can purchase instances only after the permissions are granted.
            "Effect": "Allow",
            "Action": "bss:PayOrder",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to view instance details.
            "Effect": "Allow",
            "Action": "hologram:DescribeInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to view the instance list.
            "Effect": "Allow",
            "Action": "hologram:ListInstances",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to suspend instances.
            "Effect": "Allow",
            "Action": "hologram:StopInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to resume instances.
            "Effect": "Allow",
            "Action": "hologram:ResumeInstance",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to view the monitoring metrics of instances.
            "Effect": "Allow",
            "Action": "hologram:GetInstanceMetrics",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        },
        {   // Grant a RAM user the permissions to modify the network configurations of instances.
            "Effect": "Allow",
            "Action": "hologram:ModifyInstanceNetworkType",
            "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
        }
    ],
    "Version": "1"
}

The following table describes the parameters in the syntax.


Parameter	Description
<region>	The region of the Hologres instance. Example: beijing.
<Alibaba Cloud account ID>	The ID of your Alibaba Cloud account.
*	The IDs of all Hologres instances within your Alibaba Cloud account. You can also replace the asterisk (*) with the ID of a specific Hologres instance.

Sample statement:

acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx

Click OK.

Grant the development permissions on a Hologres instance to a RAM user

Before you can perform data analytics operations on a Hologres instance as a RAM user, you must use your Alibaba Cloud account to grant the development permissions on the Hologres instance to the RAM user. You can log on to the Hologres console, go to the HoloWeb console, add a user on the User Management page, and then grant permissions to the user. This section describes how to use the simple permission model (SPM) to grant the development permissions on a Hologres instance to a RAM user.

Note You can execute SQL statements to grant permissions to a RAM user by using different permission models. For more information, see the following topics:

Log on to the Alibaba Cloud international site (alibabacloud.com) by using your Alibaba Cloud account.
Go to the Hologres console. Click the name of the instance that you want to manage. The instance details page appears.
In the left-side pane of the instance details page, click Users.
On the User Management page, click Add New User.

In the Add New User dialog box, set the parameters that are described in the following table.


Parameter	Description
Select Organization Members	The RAM user that you want to add to the instance.
Select Member Role	The role to be assigned to the RAM user. Valid values: Examples of the Super Administrator (SuperUser): A superuser has all permissions on the instance. Ordinary User: By default, a regular user has no permissions on the instance. A regular user can log on to a Hologres instance and perform allowed data analytics operations only after the regular user is granted the required development permissions.

Optional:If the RAM user is assigned the regular user role, perform the following steps to grant the required permissions to the RAM user:

In the left-side pane of the instance details page, click Databases.
On the Database Authorization page, find the database that you want to manage and click Authorize User in the Operation column.

Note If no database is created in the Hologres instance, click Create Database in the upper-right corner to create a database.
On the permission management page of the database, click Grant Permissions.

In the Grant Permissions dialog box, set the parameters that are described in the following table.


Parameter	Description
User Account	The RAM user to which you want to grant permissions.
User Group	Admin: Users in this group are the owners of the current database and are authorized to manage the database and users in the four user groups. Developer: Users in this group are authorized to read and write data in the current database, and create, delete, or modify objects in the database by executing DDL statements. Writer: Users in this group are authorized to read and write data in the current database. Viewer: Users in this group are authorized to read data in the current database.

Click OK.

Click OK.

What to do next

After you grant the RAM user the required permissions, you can connect to the instance that you want to manage and perform data analytics operations on the instance as the RAM user. You can use HoloWeb to perform data analytics operations in the Hologres console. For more information, see HoloWeb quick start.