
Logic Composer: Grant permissions to a RAM identity

Last Updated: Feb 20, 2024

Logic Composer performs operations on your behalf by assuming a RAM role to which you have granted permissions. This topic describes how to grant those permissions when a RAM user or a RAM role, rather than the Alibaba Cloud account itself, edits and runs workflows.

Background information

When a workflow runs, Logic Composer assumes the role to which you granted permissions and accesses the corresponding resources by calling API operations with that role's credentials. If you use the Alibaba Cloud account to grant permissions to the role that Logic Composer assumes, you can simply follow the instructions in the Logic Composer console. If a RAM identity is used to edit a workflow and perform operations on Alibaba Cloud services, you must grant the required permissions to that RAM identity in advance. For more information about terms such as RAM users and RAM roles, see Terms.

The procedure depends on the permissions that the RAM identity has on RAM itself. Three scenarios are distinguished:

  • The RAM identity does not have permissions on RAM.

  • The RAM identity has read-only permissions on RAM.

  • The RAM identity has all permissions on RAM.

The following sections describe operations in those three scenarios. The operations involve two roles:

  • Administrator: the administrator of the Alibaba Cloud account or a RAM identity that has permissions on RAM.

  • Developer: a RAM user or role that has permissions on Logic Composer and needs to edit workflows and perform operations on Alibaba Cloud services. In the procedures of this topic, a RAM user is used in the examples. The procedures are also applicable when a RAM role is used.

When a RAM user does not have permissions on RAM

Procedure for an administrator

  1. Log on to the RAM console.

  2. On the Roles page in the RAM console, view your roles. If no suitable RAM role exists, create one first. For more information, see Create a RAM role for a trusted Alibaba Cloud service. Note: The trusted service must be Logic Composer; otherwise Logic Composer cannot assume the role. You can choose any role name. This example uses AliyunLogicComposerDefaultRole.

  3. Grant permissions to the RAM role that you created in step 2. Confirm with the developer in advance which Alibaba Cloud services and operations the workflow calls, and grant the role only the permissions those operations need. For more information, see Grant permissions to a RAM role.

  4. On the Policies page in the RAM console, view your permission policies. If no suitable custom policy exists, create one first. For more information, see Create custom policies. The RAM user needs permission to pass the role from step 2 to Logic Composer, so the custom policy must contain the following statement:

{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Resource": "acs:ram::<your uid>:role/<role name>",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "composer.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

To obtain the value for Resource, open the details page of the RAM role (see View the information about a RAM role) and copy the role's ARN, for example acs:ram::<your uid>:role/AliyunLogicComposerDefaultRole. Keep Resource scoped to that one role rather than a wildcard such as acs:ram::<your uid>:role/*, so the developer can hand only this role to Logic Composer, and keep the acs:Service condition, which restricts the pass to Logic Composer (composer.aliyuncs.com) rather than to any service that accepts a passed role.

  5. On the Overview page in the RAM console, find the RAM user that corresponds to the developer and attach the policy created in step 4 to that RAM user. For more information, see Grant permissions to the RAM user.

  6. Copy the name of the role created in step 2 and send it to the developer.
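The following Python script is an added example, not part of the Logic Composer documentation or of any Alibaba Cloud tooling. It fills the placeholders of the step 4 policy from an account ID and role name, builds the service trust policy that step 2 implies (the trust-policy shape is an assumption about what the console generates, not something this page shows), and lints a PassRole policy for the two ways it is most often widened by mistake: a wildcard Resource and a missing or wrong acs:Service condition. The account ID, the lint rules and the deliberately weakened policy are this example's own constructions.

```python
"""Build and lint the RAM policy documents used in the administrator procedure.

Added example; ACCOUNT_UID, the trust-policy shape and the lint rules are
assumptions, not content from the Logic Composer documentation.
"""
import json

# Service principal taken from the acs:Service condition in the step 4 policy.
LOGIC_COMPOSER_SERVICE = "composer.aliyuncs.com"

# Constructed sample values; replace with your own account ID and role name.
ACCOUNT_UID = "123456789012345"  # assumption: a 15-digit Alibaba Cloud account ID
ROLE_NAME = "AliyunLogicComposerDefaultRole"


def role_arn(uid: str, role_name: str) -> str:
    """ARN of a RAM role, in the form used by the Resource element of the policy."""
    return f"acs:ram::{uid}:role/{role_name}"


def trust_policy(service: str = LOGIC_COMPOSER_SERVICE) -> dict:
    """Trust policy for a role whose trusted entity is an Alibaba Cloud service.

    Assumption: this is the shape the console produces when the trusted
    service is set to Logic Composer in step 2.
    """
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": [service]},
            }
        ],
        "Version": "1",
    }


def pass_role_policy(uid: str, role_name: str,
                     service: str = LOGIC_COMPOSER_SERVICE) -> dict:
    """The custom policy from step 4 with <your uid> and <role name> filled in."""
    return {
        "Statement": [
            {
                "Action": "ram:PassRole",
                "Resource": role_arn(uid, role_name),
                "Effect": "Allow",
                "Condition": {"StringEquals": {"acs:Service": service}},
            }
        ],
        "Version": "1",
    }


def weak_pass_role_policy(uid: str) -> dict:
    """Constructed counter-example: any role in the account, passable to any service."""
    return {
        "Statement": [
            {"Action": "ram:PassRole", "Resource": f"acs:ram::{uid}:role/*", "Effect": "Allow"}
        ],
        "Version": "1",
    }


def lint_pass_role_policy(policy: dict, expected_arn: str,
                          service: str = LOGIC_COMPOSER_SERVICE) -> list:
    """Return least-privilege findings for the PassRole statements (empty list = OK).

    The rules are this example's own; they are not an Alibaba Cloud check.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() == "ram:passrole" for a in actions):
            continue  # not a PassRole statement, out of scope here
        extra = [a for a in actions if a.lower() != "ram:passrole"]
        if extra:
            findings.append(f"statement {i}: ram:PassRole bundled with other actions {extra}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            if "*" in r:
                findings.append(f"statement {i}: wildcard Resource {r!r}; scope it to {expected_arn}")
            elif r != expected_arn:
                findings.append(f"statement {i}: Resource {r!r} is not the Logic Composer role {expected_arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
        if cond is None:
            findings.append(f"statement {i}: no acs:Service condition; the role could be passed to any service")
        elif cond != service:
            findings.append(f"statement {i}: acs:Service is {cond!r}, expected {service!r}")
    return findings


if __name__ == "__main__":
    arn = role_arn(ACCOUNT_UID, ROLE_NAME)
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(pass_role_policy(ACCOUNT_UID, ROLE_NAME), indent=2))
    print("findings (good policy):", lint_pass_role_policy(pass_role_policy(ACCOUNT_UID, ROLE_NAME), arn))
    print("findings (weak policy):", lint_pass_role_policy(weak_pass_role_policy(ACCOUNT_UID), arn))
```

Run the lint against a policy document before attaching it in step 5; the filled-in policy from step 4 produces no findings, while the weakened version is flagged both for its wildcard Resource and for lacking the acs:Service condition.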

Procedure for a developer

  1. In the authorization panel of the workflow, enter the role name provided by the administrator. This example uses AliyunLogicComposerDefaultRole as the role name. The RAM user needs no permissions on RAM for this step; the ram:PassRole policy attached by the administrator is what allows the role to be handed to Logic Composer.

When a RAM user has read-only permissions on RAM

Procedure for an administrator

  1. Log on to the RAM console.

  2. On the Roles page in the RAM console, view your roles. If no suitable RAM role exists, create one first. For more information, see Create a RAM role for a trusted Alibaba Cloud service. Note: The trusted service must be Logic Composer; otherwise Logic Composer cannot assume the role. You can choose any role name. This example uses AliyunLogicComposerDefaultRole.

  3. Grant permissions to the RAM role that you created in step 2. Confirm with the developer in advance which Alibaba Cloud services and operations the workflow calls, and grant the role only the permissions those operations need. For more information, see Grant permissions to a RAM role.

Procedure for a developer

  1. In the authorization panel of the workflow, the RAM user selects the role that the administrator created in step 2 of the preceding procedure. This example uses AliyunLogicComposerDefaultRole as the role name. Note: A RAM user that has only read-only permissions on RAM can view and select existing roles but cannot create roles or grant permissions. Only a RAM user that has the required write permissions on RAM, or the Alibaba Cloud account, can grant permissions.

When a RAM user has all permissions on RAM

Procedure for an administrator

You do not need to perform any operations.

Procedure for a developer

In the authorization panel of the workflow, follow the on-screen instructions to create the role and grant it the required permissions. Because the RAM user can write to RAM, no administrator involvement is needed; the same least-privilege advice applies, so grant the role only the permissions that the workflow's operations need.