
Hologres:Grant permissions to a RAM user

Last Updated:Feb 20, 2024

You can grant required permissions to RAM users to follow the principle of least privilege and prevent multiple users from sharing your Alibaba Cloud account or AccessKey pair. This helps reduce access security risks for enterprises. This topic describes how to grant permissions to RAM users by using your Alibaba Cloud account and describes each permission.

Background information

Resource Access Management (RAM) is the permission management system provided by Alibaba Cloud. It is used to control the permissions of accounts.

You can create RAM users within your Alibaba Cloud account and grant them different permissions on Hologres. For example, you can grant RAM users the permissions to purchase or delete instances, upgrade or downgrade instance specifications, change the network types of instances, and view instance details.

When you develop data on a Hologres instance as a RAM user, take note of the following items:

  • If no required permissions are granted by the Alibaba Cloud account, the RAM user cannot view or manage instances in the Hologres console.

  • The RAM user can be granted the development permissions on Hologres instances by the Alibaba Cloud account. The RAM user with development permissions can connect to development tools to develop data even if the RAM user cannot manage instances in the Hologres console. For more information, see Grant the development permissions on a Hologres instance to RAM users.

Grant permissions to a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. Grant permissions to the RAM user.

    In the Add Permissions panel, configure the parameters that are described in the following table.

    Note

If you set Authorized Scope to Specific Resource Group, the RAM user cannot log on to or use HoloWeb with the granted permissions.


    Authorized Scope

      Valid values:

      • Alibaba Cloud Account: The permissions granted to the RAM user take effect within the current Alibaba Cloud account.

      • Specific Resource Group: The permissions granted to the RAM user take effect only in the selected resource group.

      Note

      If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    Principal

      The RAM user to which you want to grant permissions.

    Select Policy

      Valid values:

      • System Policy

      • Custom Policy

      Note

      • You can create custom policies based on your business requirements.

      • You can attach a maximum of five policies at a time. To attach more policies, perform the operation multiple times.

    You can select System Policy or Custom Policy based on the following descriptions:

    • System Policy

      The following table describes the system policies that you can use to grant permissions on Hologres. If you attach one of the system policies to the RAM user, the RAM user is granted all the permissions defined in the system policy.

      Policy

      Description

      AliyunHologresFullAccess

      Grants full access permissions on Hologres.

      Note

      This policy does not include the permissions to use Hologres instances (connecting to an instance and developing data). To let the RAM user use a Hologres instance, a superuser of that instance must create a user for the RAM user in the instance; the RAM user then logs on to and uses the instance as that user. For more information, see FAQ about RAM user permissions on instances.

      Take note of the following items about the permissions of a RAM user to which this policy is attached:

      • The RAM user is authorized to view information about all instances in the Hologres console. The information includes the instance list, instance details, and metrics.

      • The RAM user is authorized to perform operations that involve billing. For example, you can purchase instances, upgrade or downgrade instance specifications, renew instances, stop instances, or delete instances as the RAM user.

      • The RAM user is authorized to log on to and use the HoloWeb console.

      • The RAM user is authorized to perform all operations on instances after you purchase the instances as the RAM user. In this case, both the RAM user and the Alibaba Cloud account are superusers of the instances.

      • By default, the RAM user is not authorized to perform operations on the instances that are created by using the Alibaba Cloud account. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Grant the development permissions on a Hologres instance to RAM users.

      • The RAM user is not authorized to query all user permissions on the User Management page in the HoloWeb console. You can attach the AliyunRAMReadOnlyAccess policy to the RAM user. This way, the RAM user is granted the ListUser permission and can query all user permissions on the User Management page.

      AliyunBSSOrderAccess

      Grants permissions to view, pay for, and cancel orders in the Billing Management console.

      If you attach this policy to a RAM user, the RAM user can upgrade or downgrade instance specifications and renew instances in the Hologres console.

      AliyunRAMReadOnlyAccess

      Grants read-only permissions on RAM.

      If you attach this policy to a RAM user, the RAM user can view the information about all the RAM users and RAM roles of the Alibaba Cloud account to which the RAM user belongs on the User Management page in the HoloWeb console.

      AliyunHologresReadOnlyAccess

      Grants read-only permissions on Hologres.

      Take note of the following items about the permissions of a RAM user to which this policy is attached:

      • The RAM user is authorized to view information about all instances in the Hologres console. The information includes the instance details and metrics.

      • The RAM user is authorized to log on to and use the HoloWeb console.

      • The RAM user is not authorized to perform operations that involve billing. For example, you cannot purchase instances, or upgrade or downgrade instance specifications as the RAM user.

      • The RAM user is not authorized to perform operations on instances. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions on the instances to the RAM user.

      • The list of all RAM users in the Alibaba Cloud account is not displayed in the Hologres console or HoloWeb console if you log on to the console as the RAM user. To view the list of all RAM users, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user.

      Note
      • If you purchase an instance as a RAM user, both the RAM user and the Alibaba Cloud account are superusers by default.

      • If you use an Alibaba Cloud account to purchase an instance, you can use the instance by using the Alibaba Cloud account by default. You can use the instance as a RAM user only after you use the Alibaba Cloud account to grant related permissions to the RAM user.

    • Custom Policy

      You can click Create Policy to create a custom policy based on your business requirements.

      Important

      When you configure policies for a RAM user, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user to ensure that the RAM user can access the Hologres console.


      On the Create Policy page, click the JSON tab. Then, configure the custom policy in the code editor.

      For example, you can enter the following policy configurations:

      Important

      The JSON editor does not accept comments. Delete the comments (the text after //) from the following sample before you save the policy. Otherwise, the policy is not valid JSON and is rejected.

      {
          "Statement": [
              {  // Grant a RAM user the permissions to perform all operations. If you enter this statement, you do not need to enter the following statements.
                  "Effect": "Allow",
                  "Action": "hologram:*",  // The permissions to perform all operations.
                  "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*"  // The permissions apply to all instances in all regions. <The asterisk (*) cannot be replaced with an instance ID.>
              },
              {  // Grant a RAM user the permissions to purchase or renew instances.
                  "Effect": "Allow",
                  "Action": "hologram:*",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to delete instances.
                  "Effect": "Allow",
                  "Action": "hologram:DeleteInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"  // <The RAM user must be granted this permission before it can be used to delete instances. Otherwise, when the RAM user deletes an instance, a success message is returned but the instance is not deleted.>
              },
              {  // Grant a RAM user the permission to purchase instances. The RAM user must be granted this permission before it can be used to purchase instances.
                  "Effect": "Allow",
                  "Action": "bss:PayOrder",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"  // <Test failed.>
              },
              {  // Grant a RAM user the permission to view instance details.
                  "Effect": "Allow",
                  "Action": "hologram:GetInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"  // <The asterisk (*) can be replaced with an instance ID.>
              },
              {  // Grant a RAM user the permission to view the instance list.
                  "Effect": "Allow",
                  "Action": "hologram:ListInstances",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"  // <The asterisk (*) cannot be replaced with an instance ID.>
              },
              {  // Grant a RAM user the permission to suspend instances.
                  "Effect": "Allow",
                  "Action": "hologram:StopInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to resume instances.
                  "Effect": "Allow",
                  "Action": "hologram:ResumeInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to view the metrics of instances.
                  "Effect": "Allow",
                  "Action": "hologram:GetInstanceMetrics",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"  // <The asterisk (*) can be replaced with an instance ID.>
              },
              {  // Grant a RAM user the permission to change the network types of instances.
                  "Effect": "Allow",
                  "Action": "hologram:UpdateInstanceNetworkType",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to access HoloWeb.
                  "Effect": "Allow",
                  "Action": "hologram:HoloWebAccess",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }

      The following table describes the placeholders in the Resource strings.

      <region>

        The region in which the Hologres instance resides. Example: beijing, which gives cn-beijing in the Resource string.

      <Alibaba Cloud account ID>

        The ID of your Alibaba Cloud account.

      *

        The IDs of all Hologres instances within your Alibaba Cloud account. Where noted above, you can replace the asterisk (*) with the ID of a specific Hologres instance. Sample Resource string:

        acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx
      Important

      The asterisk (*) in instance/* in the following configurations cannot be replaced with a specific instance ID:

      {
          "Statement": [
              {  // Grant a RAM user the permissions to perform all operations. If you enter this statement, you do not need to enter the following statements.
                  "Effect": "Allow",
                  "Action": "hologram:*",  // The permissions to perform all operations.
                  "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*"  // The permissions apply to all instances in all regions.
              },
              {  // Grant a RAM user the permissions to purchase or renew instances.
                  "Effect": "Allow",
                  "Action": "hologram:*",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to delete instances.
                  "Effect": "Allow",
                  "Action": "hologram:DeleteInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to purchase instances. This permission must be granted if you want to purchase instances by using the RAM user.
                  "Effect": "Allow",
                  "Action": "bss:PayOrder",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to view the instance list.
                  "Effect": "Allow",
                  "Action": "hologram:ListInstances",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to suspend instances.
                  "Effect": "Allow",
                  "Action": "hologram:StopInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to resume instances.
                  "Effect": "Allow",
                  "Action": "hologram:ResumeInstance",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to view the metrics of instances.
                  "Effect": "Allow",
                  "Action": ["cms:DescribeMetricList", "cms:QueryMetricList"],
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              },
              {  // Grant a RAM user the permission to change the network types of instances.
                  "Effect": "Allow",
                  "Action": "hologram:UpdateInstanceNetworkType",
                  "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
              }
          ],
          "Version": "1"
      }

    Click Next to edit policy information. In the dialog box that appears, configure the Name and Description parameters.

  5. Click OK.

  6. Click Complete.
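The two caveats above (the JSON editor rejects the // comments in the sample, and for most actions the asterisk in instance/* cannot be replaced with an instance ID) are easy to get wrong when a sample is copied and narrowed by hand. The following Python script is an added example and is not code from the Hologres documentation or from Alibaba Cloud: it strips the comments, parses the policy, flags any statement that scopes an action other than hologram:GetInstance or hologram:GetInstanceMetrics to a single instance ID, reports placeholders that were never replaced, and builds a least-privilege console policy for one instance. The ARN layout acs:hologram:<region>:<account ID>:instance/<ID> and the action names are taken from this page; the function names and the sample policy text are assumptions made for the example.

```python
"""Added example (not from the Hologres docs): lint a Hologres RAM policy before
pasting it into the JSON tab. It checks two caveats the page states: the tab
rejects the // comments in the sample, and for most actions the asterisk in
instance/* cannot be replaced with an instance ID. ARN layout and action names
come from the page; function names and the sample text are assumptions."""
import json
import re

# The only actions the page says may be scoped to a single instance ID; every
# other action in the sample policy keeps the asterisk in instance/*.
INSTANCE_SCOPED_OK = {"hologram:GetInstance", "hologram:GetInstanceMetrics"}
ARN_RE = re.compile(r"^acs:hologram:[^:]*:[^:]*:instance/(?P<instance>.+)$")


def strip_line_comments(text: str) -> str:
    """Drop // comments that sit outside JSON strings, so "http://x" survives."""
    out, in_str, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            nl = text.find("\n", i)  # skip to the newline; the newline itself is kept
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy) -> list:
    """Findings for policy text (comments allowed) or a parsed dict; [] means clean."""
    if isinstance(policy, str):
        try:
            policy = json.loads(strip_line_comments(policy))
        except json.JSONDecodeError as exc:
            return [f"invalid JSON after comment stripping: {exc}"]
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        for res in _as_list(stmt.get("Resource", [])):
            if "<" in res or ">" in res:
                findings.append(f"statement {idx}: placeholder not replaced in {res}")
                continue
            m = ARN_RE.match(res)
            if m is None or m.group("instance") == "*":
                continue  # "*" (HoloWebAccess) or instance/*: nothing to check
            for action in _as_list(stmt.get("Action", [])):
                if action not in INSTANCE_SCOPED_OK:
                    findings.append(f"statement {idx}: {action} requires instance/*, "
                                    f"got instance/{m.group('instance')}")
    return findings


def build_instance_readonly_policy(account_id: str, region: str, instance_id: str) -> dict:
    """Least-privilege console policy: view one instance, list instances, use HoloWeb.
    AliyunRAMReadOnlyAccess is a separate system policy the page says to attach too."""
    scope = f"acs:hologram:{region}:{account_id}:instance/"
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Resource": scope + instance_id,
         "Action": ["hologram:GetInstance", "hologram:GetInstanceMetrics"]},
        # ListInstances cannot be narrowed to one ID, so it keeps the wildcard.
        {"Effect": "Allow", "Resource": scope + "*", "Action": "hologram:ListInstances"},
        {"Effect": "Allow", "Resource": "*", "Action": "hologram:HoloWebAccess"},
    ]}


# Constructed sample built on the page's example ARN: it keeps the // comments the
# page says to delete, and wrongly narrows ListInstances to a single instance ID.
SAMPLE_POLICY_TEXT = """{
  "Statement": [
    { // viewing one instance: an instance ID is allowed here
      "Effect": "Allow", "Action": "hologram:GetInstance",
      "Resource": "acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx"
    },
    { // listing instances: the asterisk cannot be replaced with an instance ID
      "Effect": "Allow", "Action": "hologram:ListInstances",
      "Resource": "acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx"
    }
  ],
  "Version": "1"
}"""

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY_TEXT)) or "no findings")
    print(json.dumps(build_instance_readonly_policy("4322xxxxx", "cn-beijing", "hhhgggxxxx"), indent=2))
```

Run it on a copied sample before pasting: an empty finding list means the text is valid JSON with the placeholders filled in and no statement narrowed below what the page says the service accepts. The comment stripper tracks string state rather than using a regex, so a // inside a quoted value (for example a URL) is left alone.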

FAQ about RAM user permissions related to operations in the Hologres console

Permissions related to operations in the Hologres console consist of permissions that are granted in the RAM console and part of development permissions on instances. This section provides answers to frequently asked questions about permissions related to operations in the Hologres console.

  • Why am I unable to view the instance list and instance IDs as a RAM user?

    • Problem description

      When a RAM user is used to log on to the Hologres console and a valid region is selected, the instances that are purchased cannot be viewed. The following error message is returned: You are not authorized to view the purchased instances. Contact the relevant Alibaba Cloud account to grant the hologram:ListInstances permission on xxx/* to you in the RAM console.

    • Cause

      The current RAM user does not have permissions to view the instance list in the Hologres console.

    • Solution

      Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresReadOnlyAccess policy to the RAM user. Then, the RAM user can view the instance list.

  • Why am I unable to manage instances as a RAM user that is assigned the superuser role?

    • Problem description

      When you log on to the Hologres console as a RAM user that is assigned the superuser role, you cannot purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance from pay-as-you-go to subscription. The following error message is returned: Failed to authenticate the RAM user.

    • Cause

      The current RAM user does not have permissions to purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance. You can perform these operations by using your Alibaba Cloud account.

    • Solution

      Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresFullAccess and AliyunBSSOrderAccess policies to the RAM user. Then, the RAM user can manage instances.

FAQ about RAM user permissions on the use of instances

  • Why am I unable to connect to and use Hologres instances as a RAM user?

    • Problem description

      The following error message is returned: role "<role_name>" does not exist.

    • Cause

      After Hologres instances are created, only the Alibaba Cloud account and the RAM user that is used to purchase Hologres instances are superusers of the instances by default. Other RAM users must be granted the permissions on the Hologres instances by superusers before the RAM users can connect to and use the Hologres instances.

    • Solution

      Note

      You can execute the select * from pg_user; statement to view the users of the current instance. Superusers are the rows in which usesuper is true.

      • On the User Management page in the HoloWeb console, add users and grant the required permissions to the users. For more information, see Manage users.

      • Connect to the instance and execute the create user "<role_name>" statement. For more information, see Overview.

  • Why am I unable to view the information on the User Management page and the Database Authorization page?

    • Problem description

      When a RAM user is used to log on to the Hologres console, information on the User Management page and the Database Authorization page cannot be viewed, and an error message is displayed, indicating that you do not have the permissions and need to ask the superuser to grant permissions on the instance to your account.

    • Cause

      The current RAM user does not have the development permissions on the instance. To view related information, you must be granted the specified development permissions on the instance.

    • Solution

      Grant the RAM user the development permissions on the instance by using your Alibaba Cloud account or as a superuser. For more information, see Grant the development permissions on a Hologres instance to RAM users.

  • What do I do if I incorrectly delete superusers?

    • Problem description

      All superusers in an instance are incorrectly changed to common users.

      Note

      If you incorrectly change all superusers in an instance to common users, you cannot perform user management and most operations related to instances.

    • Solution

      Join the Hologres DingTalk group for technical support. For more information, see Obtain online support for Hologres.