
Intelligent Media Management: Grant permissions to a RAM user

Last Updated: Jul 30, 2025

The permission management mechanisms of Alibaba Cloud include Resource Access Management (RAM) and Security Token Service (STS). You can access Intelligent Media Management (IMM) as a RAM user with intended permissions or using temporary access credentials that are provided by STS. RAM and STS make permission management and access control more flexible and secure.

Background information

One of the core benefits of RAM and STS is that they help improve account security by allowing temporary access to data within an Alibaba Cloud account without exposing the AccessKey pair of the account. An attacker that has the AccessKey pair of an Alibaba Cloud account has access to all resources within the account and can cause significant security consequences.

  • RAM

    • RAM is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM lets you create and manage multiple identities for an Alibaba Cloud account, and grant permissions to a single identity or a group of identities. This way, you can authorize different identities to access different Alibaba Cloud resources. For more information, see What is RAM?

    • RAM provides a long-term permission management mechanism by creating RAM users and granting them different permissions. This way, if an AccessKey pair of a RAM user is leaked, only limited information is leaked. RAM users generally remain valid for a long period of time. The AccessKey pairs of RAM users must be kept confidential.

  • STS

    • STS lets you manage temporary access to your Alibaba Cloud resources. You can use STS to grant temporary access tokens with custom validity periods and access permissions to RAM entities such as RAM users and RAM roles. For more information, see What is STS?

    • In contrast to the long-term permission management mechanism provided by RAM, STS provides temporary access authorization using a temporary AccessKey pair and token to allow temporary access to IMM. STS grants tightly scoped permissions that remain valid only for a limited period of time. Therefore, even if the temporary credentials are leaked, the impact on your system is limited.

Grant permissions to a RAM user

To improve data security and permission control, we recommend that you use the IMM service as a RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Grant permissions to the RAM user as needed. For more information, see Grant permissions to a RAM user.

    • If you want to manage the IMM service, such as creating projects, attach the AliyunIMMFullAccess policy to the RAM user.

    • If you need only the read-only permissions on the IMM service to view information such as projects, attach the AliyunIMMReadOnlyAccess policy to the RAM user.

  3. Enable multi-factor authentication (MFA) for the RAM user. For more information, see Bind an MFA device to a RAM user.

Grant temporary access

  1. Create a temporary role and grant permissions to the role.

    1. Create a RAM role for a trusted Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Create a custom policy. For more information, see Create custom policies.

      Note

      To implement fine-grained permission control, you can customize the permissions of a policy. For more information, see Custom policies for IMM.

    3. Grant permissions to the temporary role. For more information, see Grant permissions to a RAM role.

  2. Grant temporary access permissions.

    1. Create a custom policy. For more information, see Create custom policies.

    2. Grant permissions to the temporary role that the RAM user assumes. For more information, see Grant permissions to a RAM user.

  3. Obtain temporary access credentials from STS. For more information, see AssumeRole.

  4. Use temporary permissions to read and write data.

    You can use the temporary permissions to call the SDKs for different programming languages to access IMM. The following sample code provides an example on how to use IMM SDK for Java to create an IAcsClient object based on the AccessKey ID, AccessKey secret, and token obtained from STS:

    // stsAccessKeyId, stsAccessKeySecret and stsToken are the temporary credentials returned by STS AssumeRole
    DefaultProfile profile = DefaultProfile.getProfile("cn-shanghai", stsAccessKeyId, stsAccessKeySecret, stsToken);
    IAcsClient client = new DefaultAcsClient(profile);

Configure a custom RAM policy

You can use custom RAM policies to control user permissions. A RAM policy has the following main components.

  • Effect: the effect on a requested action. Valid values:

    • Allow: allows the action.

    • Deny: denies the action.

  • Action: the API operation that Intelligent Media Management provides. The format is imm:<action>, for example, imm:CreateOfficeConversionTask. For more information about the list of Actions, see List of operations by function.

  • Resource: currently, Intelligent Media Management has only one type of resource: project. The format is acs:imm:<region-id>:<uid>:project/<project> or acs:imm:<region-id>:<uid>:project/<project>/dataset/<dataset>, for example, acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj or acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-photos/dataset/dataset1. The parameters in the resource format are described below.

    • region-id: the region ID, for example, cn-shanghai or cn-beijing.

    • uid: the account ID. You can view the account ID on the Overview page of the Account Center.

    • project: the project name that is specified when you create a project. You can view the project name in the Intelligent Media Management console.

      Note

      For project-related operations such as CreateProject and ListProjects, which do not act on an existing project resource, you must set Resource to *.

    • dataset: the name of the dataset that is specified when you create a dataset. You can call the ListDatasets operation to view the name.

For more information, see Create custom policies.

Examples

Grant full access

You can use a RAM policy to grant full access to IMM. The following policy grants full access to IMM:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "imm:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Grant access using wildcard characters

RAM policies support the wildcard character (*), which you can use for batch authorization.

The following sample code allows a user to call read operations on projects whose names start with imm-test-doc in all regions.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imm:List*", "imm:Get*"],
            "Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"
        }
    ],
    "Version": "1"
}
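The Effect, Action and Resource matching rules described above, and the wildcard policy just shown, worked through in an added Python example (written for this page, not code from Alibaba Cloud or its SDKs): a simplified evaluator that applies the explicit-Deny-over-Allow, default-deny rule to the page's policy and to a constructed Deny statement, using the masked account ID from the page. The evaluator is an illustrative model, not the RAM service's own logic.

```python
import json
import re

# Constructed copy of this page's wildcard policy; the evaluator below is a
# simplified model written for illustration, not the RAM service's own logic.
WILDCARD_POLICY = json.loads("""{
    "Statement": [{
        "Effect": "Allow",
        "Action": ["imm:List*", "imm:Get*"],
        "Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"
    }],
    "Version": "1"
}""")
UID = "150910xxxxxxxxxx"  # masked account ID as it appears on this page

def project_arn(region, project, dataset=None):
    """Build an IMM resource ARN in the format documented above."""
    arn = f"acs:imm:{region}:{UID}:project/{project}"
    return arn if dataset is None else f"{arn}/dataset/{dataset}"

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, value):
    """Wildcard match: '*' stands for any run of characters, ':' and '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource):
    """Decide one request: any matching Deny wins, else any matching Allow, else Deny."""
    decision = "Deny"  # default deny when no statement matches
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides every Allow
        decision = "Allow"
    return decision

def with_explicit_deny(policy, region):
    """Append a constructed Deny statement covering every IMM action in one region."""
    deny = {"Effect": "Deny", "Action": "imm:*", "Resource": f"acs:imm:{region}:{UID}:*"}
    return {"Version": "1", "Statement": policy["Statement"] + [deny]}
```

Because the trailing `*` in the Resource pattern also matches the `/dataset/<dataset>` suffix, the wildcard policy covers datasets inside matching projects as well, which is worth checking before relying on a prefix wildcard for least privilege.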

Grant specific access permissions on specific projects

The following sample code grants the permissions to:

  • Call the ListProjects operation.

  • Call the CreateOfficeConversionTask operation to convert the format of documents in the imm-test-doc-proj project in the China (Shanghai) region.

  • Call the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations on data in the imm-test-media-proj project in the China (Shanghai) region.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["imm:ListProjects"],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": ["imm:CreateOfficeConversionTask"],
                "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"
            },
            {
                "Effect": "Allow",
                "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
                "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj"
            }
        ],
        "Version": "1"
    }

Grant specific access permissions on specific datasets

The following sample code grants the permissions to:

  • Call the ListDatasets operation.

  • Call the IndexFileMeta operation on the dataset1 dataset in the imm-test-doc-proj project in the China (Shanghai) region.

  • Call the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations on the dataset1 dataset in the imm-test-media-proj project in the China (Shanghai) region.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imm:ListDatasets"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["imm:IndexFileMeta"],
            "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj/dataset/dataset1"
        },
        {
            "Effect": "Allow",
            "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
            "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj/dataset/dataset1"
        }
    ],
    "Version": "1"
}