
Mobile Platform as a Service: Component-level access control for RAM users

Last Updated: Sep 27, 2022

This topic describes how to configure component-level access control for Resource Access Management (RAM) users. Component-level access control is classified into the following categories, each of which is described in its own section below.

Prerequisites

  1. An Alibaba Cloud account is created. If no Alibaba Cloud accounts are created, create an Alibaba Cloud account first. For more information, see Create an Alibaba Cloud account.

  2. A RAM user is created. If no RAM users are created, create a RAM user first. For more information, see Create a RAM user.

Authorize access to all components

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user to which you want to grant the permission to log on to the mPaaS console. Click Add Permissions in the Actions column.

  4. In the Add Permissions panel, search for the AliyunMPAASFullAccess permission in the Select Policy section, click the permission, and then click OK. Now, you have granted the RAM user the permission to log on to the mPaaS console. The RAM user can access all the apps that are created with the Alibaba Cloud account and use all the components.

Authorize access to all components and one or more specified apps

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, set the Name and Note parameters.

  5. Click the JSON tab.

  6. Edit the content of the policy. For more information, see the following example. When you use the RAM policy for accessing a specified app, you must replace the app ID in the policy with the app ID of the specified app. When you need to specify the RAM policy for multiple apps, separate the app IDs with commas (,).

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mpaas:GetOnexMethod"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "mpaas:*"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "mpaas:AppId": [
                            "ONEXCBAD96A290957",
                            "..."
                        ]
                    }
                }
            }
        ]
    }

  7. Click OK.

  8. In the left-side navigation pane, choose Identities > Users.

  9. On the Users page, find the RAM user to which you want to grant the permission to log on to the mPaaS console. Click Add Permissions in the Actions column.

  10. In the Add Permissions panel, search for the custom policy that you created in the preceding steps, click the policy, and then click OK.

    Note

    Visual configuration is not supported in mPaaS. In other words, policies created on the Visual Editor Beta tab are not supported in mPaaS.

Authorize access to a specified component and grant the permissions to create a workspace, create an app, and delete an app

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, set the Name and Note parameters.

  5. Click the JSON tab.

  6. Edit the content of the policy. For more information, see the following example.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mpaas:GetOnexMethod"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "mpaas:*"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "mpaas:ComponentId": [
                            "mAppCenter",
                            "mds"
                        ],
                        "mpaas:AppId": [
                            "ONEXCBAD96A290957",
                            "13FF079171113",
                            "..."
                        ]
                    }
                }
            }
        ]
    }

    Note

    In mpaas:ComponentId, the value mAppCenter is required and must always be specified. After it, list the value of each component that the RAM user needs to access. The following table lists the mappings between the values of mpaas:ComponentId and the components.

    mpaas:ComponentId    Component
    -----------------    ---------------------------------------
    mas                  Mobile Analysis Service (MAS)
    mcdp                 Mobile Content Delivery Platform (MCDP)
    mds                  Mobile Delivery Service (MDS)
    mgs                  Mobile Gateway Service (MGS)
    mps                  Message Push Service (MPS)
    mss                  Mobile Sync Service (MSS)
    msa                  Mobile Security Armor (MSA)
    mrtc                 Mobile Real-Time Communication (MRTC)

  7. Click OK.

  8. In the left-side navigation pane, choose Identities > Users.

  9. On the Users page, find the RAM user to which you want to grant the permission to log on to the mPaaS console. Click Add Permissions in the Actions column.

  10. In the Add Permissions panel, search for the custom policy that you created in the preceding steps, click the policy, and then click OK. Now, you have added the policy to implement resource isolation for the RAM user.

Notice

In the RAM policy, the access to apps is defined by using mpaas:AppId. Therefore, even if the RAM user can create an app, the RAM user cannot see the created app before the RAM user is authorized to access the app.

Authorize access to a specified component but grant no permissions to create a workspace, create an app, and delete an app

A RAM user can be authorized to access both workspaces and apps only when no permissions to create a workspace, create an app, or delete an app are specified.

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, set the Name and Note parameters.

  5. Click the JSON tab.

  6. Edit the content of the policy. For more information, see the following example.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mpaas:GetOnexMethod"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "mpaas:*"
                ],
                "Resource": [
                    "acs:mpaas:*:*:component/workspace/test/app/ONEXPRE40DB571051148",
                    "acs:mpaas:*:*:component/workspace/default/app/ONEXPRE40DB571051148"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "mpaas:ComponentId": [
                            "mAppCenter",
                            "mds"
                        ]
                    }
                }
            }
        ]
    }

    Note

    • In the FilterWorkspace action, the value of the Resource parameter is in the format acs:mpaas:*:*:component/workspace/${workspaceId}, where ${workspaceId} is the ID of the workspace that the RAM user needs to access.

    • In the mpaas:* action, the value of the Resource parameter is in the format acs:mpaas:*:*:component/workspace/${workspaceId}/app/${appId}, where ${workspaceId} is the ID of the workspace and ${appId} is the ID of the app that the RAM user needs to access. To authorize the RAM user to access all the apps, set ${appId} to *.

  7. Click OK.

  8. In the left-side navigation pane, choose Identities > Users.

  9. On the Users page, find the RAM user to which you want to grant the permission to log on to the mPaaS console. Click Add Permissions in the Actions column.

  10. In the Add Permissions panel, search for the custom policy that you created in the preceding steps, click the policy, and then click OK. Now, you have added the policy to implement resource isolation for the RAM user.
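The three custom policies above differ only in how they narrow the mpaas:* grant (by mpaas:AppId, by mpaas:ComponentId, or by a workspace/app Resource ARN plus mpaas:ComponentId). The following added example, which is not part of this topic or of the RAM service, is a deliberately simplified evaluator for Allow-only policies of that shape: it loads the last policy and lets you check which request contexts it permits before you attach it to a user. The action name "mpaas:ListApps" and the region/account segments of the resource ARN are placeholders, and Deny statements, NotAction and condition operators other than StringEquals are not modelled.

```python
import fnmatch
import json

# Constructed sample: the workspace/app-scoped policy from the last section of this topic.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["mpaas:GetOnexMethod"], "Resource": "*", "Effect": "Allow"},
    {
      "Action": ["mpaas:*"],
      "Resource": [
        "acs:mpaas:*:*:component/workspace/test/app/ONEXPRE40DB571051148",
        "acs:mpaas:*:*:component/workspace/default/app/ONEXPRE40DB571051148"
      ],
      "Effect": "Allow",
      "Condition": {"StringEquals": {"mpaas:ComponentId": ["mAppCenter", "mds"]}}
    }
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Only StringEquals is modelled, because it is the only operator this topic uses.
    # A key that is absent from the request context never satisfies the condition.
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True

def is_allowed(policy, action, resource, context):
    """Simplified evaluation (assumption, not the real RAM engine): True if any
    Allow statement matches the action, the resource and the condition context.
    '*' in Action and Resource patterns is matched with fnmatch."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

Running the same request with mpaas:ComponentId set to mgs, or against a workspace other than test or default, returns False, which is the resource isolation the policy is meant to enforce.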