To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant the management permissions on ApsaraDB for MongoDB to RAM users. In this way, RAM users can manage ApsaraDB for MongoDB instances.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Grant permissions to a RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
System policies
- AliyunMongoDBFullAccess: grants a RAM user full management permissions on ApsaraDB for MongoDB.
- AliyunMongoDBReadOnlyAccess: grants a RAM user the read-only permissions on ApsaraDB for MongoDB.
Custom policies
You can also use custom policies to grant RAM users specific operation permissions on specific instances. For information about the syntax of custom policies, see Policy structure and syntax.
Use RAM to grant permissions on ApsaraDB for MongoDB resources
The following table describes how an ApsaraDB for MongoDB resource is specified in the Resource field of the policy.

| Resource type | Resource description in the policy |
| --- | --- |
| dbinstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |

| Parameter | Description |
| --- | --- |
| $regionid | The region ID. This value can be set to a wildcard asterisk (*). |
| $dbinstanceid | The instance ID. This value can be set to a wildcard asterisk (*). |
| $accountid | The ID of your Alibaba Cloud account. This value can be set to a wildcard asterisk (*). |
Operations that you can authorize RAM users to call
In the RAM console, you can authorize RAM users to call the following operations on an ApsaraDB for MongoDB resource.
| Operation | Description |
| --- | --- |
| CreateDBInstance | Creates an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceSpec | Modifies the configurations of an ApsaraDB for MongoDB instance. |
| DeleteDBInstance | Deletes an ApsaraDB for MongoDB instance. |
| DescribeDBInstances | Queries an ApsaraDB for MongoDB instance. |
| RestartDBInstance | Restarts an ApsaraDB for MongoDB instance. |
| DescribeSecurityIps | Queries the whitelists of an ApsaraDB for MongoDB instance. |
| ModifySecurityIps | Modifies the whitelists of an ApsaraDB for MongoDB instance. |
| ResetAccountPassword | Resets the account password for an ApsaraDB for MongoDB instance. |
| DescribeBackupPolicy | Queries the backup policy of an ApsaraDB for MongoDB instance. |
| ModifyBackupPolicy | Modifies the backup policy of an ApsaraDB for MongoDB instance. |
| CreateBackup | Creates a backup for an ApsaraDB for MongoDB instance. |
| RestoreDBInstance | Restores the data in an ApsaraDB for MongoDB instance. |
| DescribeAccounts | Queries the database accounts of an ApsaraDB for MongoDB instance. |
| DescribeDBInstancePerformance | Queries the state of an ApsaraDB for MongoDB instance. |
| DescribeReplicaSetRole | Queries the primary/secondary attribute of an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceDescription | Modifies the description of an ApsaraDB for MongoDB instance. |
| ModifyAccountDescription | Modifies the database accounts of an ApsaraDB for MongoDB instance. |
| DescribeDBInstanceAttribute | Queries the attributes of an ApsaraDB for MongoDB instance. |
| RenewDBInstance | Renews an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceNetworkType | Modifies the network type of an ApsaraDB for MongoDB instance. |
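The following added example (not part of the original documentation) combines the Resource format and the operation table above into a least-privilege custom policy: it builds the dbinstance Resource string, allows only Describe operations and ModifySecurityIps on one instance, explicitly denies DeleteDBInstance and RestoreDBInstance, and includes a simplified evaluator to check what the policy permits. The region, account ID and instance ID are constructed placeholders, and the `dds:` action prefix is assumed from the service code in the Resource format.

```python
import fnmatch
import json

# Constructed placeholders for a single ApsaraDB for MongoDB instance (not real values).
REGION = "cn-hangzhou"
ACCOUNT_ID = "123456789012345"      # placeholder Alibaba Cloud account ID
INSTANCE_ID = "dds-bp1example0001"  # placeholder instance ID


def mongodb_resource(region_id, account_id, dbinstance_id):
    """Build the Resource string in the dbinstance format from the table above.
    Any of the three fields may be the wildcard '*'."""
    return f"acs:dds:{region_id}:{account_id}:dbinstance/{dbinstance_id}"


# Custom policy: read-only operations plus whitelist edits on exactly one instance,
# with an explicit Deny on destructive operations across all instances.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dds:Describe*", "dds:ModifySecurityIps"],
            "Resource": [mongodb_resource(REGION, ACCOUNT_ID, INSTANCE_ID)],
        },
        {
            "Effect": "Deny",
            "Action": ["dds:DeleteDBInstance", "dds:RestoreDBInstance"],
            "Resource": ["acs:dds:*:*:dbinstance/*"],
        },
    ],
}


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny overrides any Allow, and a request
    that matches no statement is denied. '*' in Action/Resource is a glob wildcard."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"])
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # policy document to paste into a custom policy
    target = mongodb_resource(REGION, ACCOUNT_ID, INSTANCE_ID)
    print(is_allowed(POLICY, "dds:DescribeSecurityIps", target))  # True
    print(is_allowed(POLICY, "dds:DeleteDBInstance", target))     # False
```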