All Products
Search
Document Center

File Storage NAS:Control NAS access with RAM policies

Last Updated:Jun 10, 2026

Use Resource Access Management (RAM) policies to control which users can access your NAS file systems and what operations they can perform.

Warning

When granting RAM users NAS access, follow the principle of least privilege. Overly broad permissions create security risks.

Procedure

  1. Create a RAM user.

  2. Select a permission policy for the RAM user.

    Permission policies include {type} and {type}.

    • {type}: Alibaba Cloud provides default policies for common tasks. System policies for NAS:

      • AliyunNASFullAccess (Not recommended): Grants full control over NAS file systems. Not recommended due to high-risk permissions.

      • AliyunNASReadOnlyAccess: Grants read-only access to NAS file systems.

    • {type}: Create custom policies for fine-grained access control.

      Use the JSON editor to create a custom policy based on the examples below. Create a custom permission policy.

  3. Grant permissions to the RAM user.

    Grant the RAM user the policy you selected in Step 2. Manage the permissions of a RAM user.

Example 1: Grant permissions on a file system

Grant full control over a file system

The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.

Note

RAM does not support granting view permissions on a single file system. To grant full control over a specific file system, first grant permissions to view all file systems, then grant permissions for operations such as modification and deletion on that file system.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "nas:*",
            "Resource": [
                  "acs:nas:*:*:filesystem/07d****294"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "nas:CreateMountTarget",
            "Resource": "acs:vpc:*:*:vswitch/*"
        },
        {
            "Effect": "Allow",
            "Action": "cms:Query*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "nas:DescribeFileSystems",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "nas:DescribeAccessGroups",
                "nas:DescribeAccessRules"
            ],
            "Resource": "acs:nas:*:*:accessgroup/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*"
        }
    ]
}

Grant permissions to modify file system attributes

The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.

{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:DescribeFileSystems",
            "nas:ModifyFileSystem"
        ],
        "Resource": "acs:nas:*:*:filesystem/07d****294"
    }],
    "Version": "1"
}

Grant permissions to view all file systems

{
    "Statement": [{
        "Effect": "Allow",
        "Action": "nas:DescribeFileSystems",
        "Resource": "*"
    }],
    "Version": "1"
}

Example 2: Grant permissions on a mount target

The following policy grants full control over mount targets of file system 07d****294.

{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateMountTarget",
            "nas:DescribeMountTargets",
            "nas:ModifyMountTarget",
            "nas:DeleteMountTarget"
        ],
        "Resource": [
            "acs:nas:*:*:filesystem/07d****294",
            "acs:vpc:*:*:vswitch/*"
        ]
    }],
    "Version": "1"
}

Example 3: Grant permissions on a permission group

The following policy grants full control over all permission groups.

{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateAccessGroup",
            "nas:DescribeAccessGroups",
            "nas:ModifyAccessGroup",
            "nas:DeleteAccessGroup",
            "nas:CreateAccessRule",
            "nas:DescribeAccessRules",
            "nas:ModifyAccessRule",
            "nas:DeleteAccessRule"
        ],
        "Resource": "acs:nas:*:*:accessgroup/*"
    }],
    "Version": "1"
}

Example 4: Grant permissions to view performance metrics

The following policy grants permissions to view performance metrics for any file system in the console.

{
    "Statement": [{
        "Effect": "Allow",
        "Action": "cms:Query*",
        "Resource": "*"
    }],
    "Version": "1"
}

Example 5: Grant permissions to manage the recycle bin

Grant full control over the recycle bin

The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.

{
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:EnableRecycleBin",
                "nas:DisableAndCleanRecycleBin ",
                "nas:UpdateRecycleBinAttribute",
                "nas:GetRecycleBinAttribute",
                "nas:CreateRecycleBinRestoreJob",
                "nas:CreateRecycleBinDeleteJob",
                "nas:CancelRecycleBinJob",
                "nas:ListRecycleBinJobs",
                "nas:ListRecycledDirectoriesAndFiles",
                "nas:ListRecentlyRecycledDirectories"
            ],
            "Resource": [
                "acs:nas:*:*:filesystem/07d****294"
            ]
        }
    ],
    "Version": "1"
}

Grant permissions to restore files from the recycle bin

The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.

{
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:GetRecycleBinAttribute",
                "nas:CreateRecycleBinRestoreJob",
                "nas:CancelRecycleBinJob",
                "nas:ListRecycleBinJobs",
                "nas:ListRecycledDirectoriesAndFiles",
                "nas:ListRecentlyRecycledDirectories"
            ],
            "Resource": [
                "acs:nas:*:*:filesystem/07d****294"
            ]
        }
    ],
    "Version": "1"
}

Grant permissions to delete files from the recycle bin

The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.

{
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:GetRecycleBinAttribute",
                "nas:CreateRecycleBinDeleteJob",
                "nas:CancelRecycleBinJob",
                "nas:ListRecycleBinJobs",
                "nas:ListRecycledDirectoriesAndFiles",
                "nas:ListRecentlyRecycledDirectories"
            ],
            "Resource": [
                "acs:nas:*:*:filesystem/07d****294"
            ]
        }
    ],
    "Version": "1"
}

Grant permissions to modify recycle bin configurations

The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.

{
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:EnableRecycleBin",
                "nas:UpdateRecycleBinAttribute",
                "nas:DisableAndCleanRecycleBin",
                "nas:GetRecycleBinAttribute"
            ],
            "Resource": [
                "acs:nas:*:*:filesystem/07d****294"
            ]
        }
    ],
    "Version": "1"
}

Appendix: Action and resource reference

To create a custom policy in the RAM console, set Configuration Mode to Script and enter the policy as JSON. Use the Action and Resource values from the following table. Basic elements of a permission policy.

API

Action

Resource

Description

File system

CreateFileSystem

nas:CreateFileSystem

acs:nas:<region>:<account-id>:filesystem/*

Creates a file system.

DeleteFileSystem

nas:DeleteFileSystem

acs:nas:<region>:<account-id>:filesystem/<filesystemid>

Deletes a file system.

ModifyFileSystem

nas:ModifyFileSystem

acs:nas:<region>:<account-id>:filesystem/<filesystemid>

Modifies file system configurations.

DescribeFileSystems

nas:DescribeFileSystems

acs:nas:<region>:<account-id>:filesystem/<filesystemid>

Queries file systems.

Mount target

CreateMountTarget

nas:CreateMountTarget

  • acs:nas:<region>:<account-id>:filesystem/<filesystemid>

  • acs:vpc:*:*:vswitch/*

Creates a mount target.

DeleteMountTarget

nas:DeleteMountTarget

acs:nas:<region>:<account-id>:filesystem/<filesystemid>

Deletes a mount target.

ModifyMountTarget

nas:ModifyMountTarget

acs:nas:<region>:<account-id>:filesystem/<filesystemid>

Modifies mount target configurations.

DescribeMountTargets

nas:DescribeMountTargets

acs:nas:<region>:<account-id>:filesystem/<filesystemid>

Queries mount targets for a file system.

Permission group

CreateAccessGroup

nas:CreateAccessGroup

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Creates a permission group.

DeleteAccessGroup

nas:DeleteAccessGroup

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Deletes a permission group.

ModifyAccessGroup

nas:ModifyAccessGroup

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Modifies a permission group.

DescribeAccessGroups

nas:DescribeAccessGroups

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Queries permission groups.

CreateAccessRule

nas:CreateAccessRule

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Creates a permission rule.

DeleteAccessRule

nas:DeleteAccessRule

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Deletes a permission rule.

ModifyAccessRule

nas:ModifyAccessRule

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Modifies a permission rule.

DescribeAccessRules

nas:DescribeAccessRules

acs:nas:<region>:<account-id>:accessgroup/<accessgroupname>

Queries permission rules.

FAQ