Use Resource Access Management (RAM) policies to control which users can access your NAS file systems and what operations they can perform.
When granting RAM users NAS access, follow the principle of least privilege. Overly broad permissions create security risks.
Procedure
-
Select a permission policy for the RAM user.
Permission policies include {type} and {type}.
-
{type}: Alibaba Cloud provides default policies for common tasks. System policies for NAS:
-
AliyunNASFullAccess (Not recommended): Grants full control over NAS file systems. Not recommended due to high-risk permissions.
-
AliyunNASReadOnlyAccess: Grants read-only access to NAS file systems.
-
-
{type}: Create custom policies for fine-grained access control.
Use the JSON editor to create a custom policy based on the examples below. Create a custom permission policy.
-
-
Grant permissions to the RAM user.
Grant the RAM user the policy you selected in Step 2. Manage the permissions of a RAM user.
Example 1: Grant permissions on a file system
Grant full control over a file system
The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.
RAM does not support granting view permissions on a single file system. To grant full control over a specific file system, first grant permissions to view all file systems, then grant permissions for operations such as modification and deletion on that file system.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "nas:*",
"Resource": [
"acs:nas:*:*:filesystem/07d****294"
]
},
{
"Effect": "Allow",
"Action": "nas:CreateMountTarget",
"Resource": "acs:vpc:*:*:vswitch/*"
},
{
"Effect": "Allow",
"Action": "cms:Query*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "nas:DescribeFileSystems",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"nas:DescribeAccessGroups",
"nas:DescribeAccessRules"
],
"Resource": "acs:nas:*:*:accessgroup/*"
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*"
}
]
}
Grant permissions to modify file system attributes
The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:DescribeFileSystems",
"nas:ModifyFileSystem"
],
"Resource": "acs:nas:*:*:filesystem/07d****294"
}],
"Version": "1"
}
Grant permissions to view all file systems
{
"Statement": [{
"Effect": "Allow",
"Action": "nas:DescribeFileSystems",
"Resource": "*"
}],
"Version": "1"
}
Example 2: Grant permissions on a mount target
The following policy grants full control over mount targets of file system 07d****294.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateMountTarget",
"nas:DescribeMountTargets",
"nas:ModifyMountTarget",
"nas:DeleteMountTarget"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294",
"acs:vpc:*:*:vswitch/*"
]
}],
"Version": "1"
}
Example 3: Grant permissions on a permission group
The following policy grants full control over all permission groups.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateAccessGroup",
"nas:DescribeAccessGroups",
"nas:ModifyAccessGroup",
"nas:DeleteAccessGroup",
"nas:CreateAccessRule",
"nas:DescribeAccessRules",
"nas:ModifyAccessRule",
"nas:DeleteAccessRule"
],
"Resource": "acs:nas:*:*:accessgroup/*"
}],
"Version": "1"
}
Example 4: Grant permissions to view performance metrics
The following policy grants permissions to view performance metrics for any file system in the console.
{
"Statement": [{
"Effect": "Allow",
"Action": "cms:Query*",
"Resource": "*"
}],
"Version": "1"
}
Example 5: Grant permissions to manage the recycle bin
Grant full control over the recycle bin
The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:EnableRecycleBin",
"nas:DisableAndCleanRecycleBin ",
"nas:UpdateRecycleBinAttribute",
"nas:GetRecycleBinAttribute",
"nas:CreateRecycleBinRestoreJob",
"nas:CreateRecycleBinDeleteJob",
"nas:CancelRecycleBinJob",
"nas:ListRecycleBinJobs",
"nas:ListRecycledDirectoriesAndFiles",
"nas:ListRecentlyRecycledDirectories"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294"
]
}
],
"Version": "1"
}
Grant permissions to restore files from the recycle bin
The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:GetRecycleBinAttribute",
"nas:CreateRecycleBinRestoreJob",
"nas:CancelRecycleBinJob",
"nas:ListRecycleBinJobs",
"nas:ListRecycledDirectoriesAndFiles",
"nas:ListRecentlyRecycledDirectories"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294"
]
}
],
"Version": "1"
}
Grant permissions to delete files from the recycle bin
The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:GetRecycleBinAttribute",
"nas:CreateRecycleBinDeleteJob",
"nas:CancelRecycleBinJob",
"nas:ListRecycleBinJobs",
"nas:ListRecycledDirectoriesAndFiles",
"nas:ListRecentlyRecycledDirectories"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294"
]
}
],
"Version": "1"
}
Grant permissions to modify recycle bin configurations
The following policy uses file system 07d****294 as an example. Replace it with your actual file system ID.
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:EnableRecycleBin",
"nas:UpdateRecycleBinAttribute",
"nas:DisableAndCleanRecycleBin",
"nas:GetRecycleBinAttribute"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294"
]
}
],
"Version": "1"
}
Appendix: Action and resource reference
To create a custom policy in the RAM console, set Configuration Mode to Script and enter the policy as JSON. Use the Action and Resource values from the following table. Basic elements of a permission policy.
|
API |
Action |
Resource |
Description |
|
|
File system |
CreateFileSystem |
nas:CreateFileSystem |
acs:nas:<region>:<account-id>:filesystem/* |
Creates a file system. |
|
DeleteFileSystem |
nas:DeleteFileSystem |
acs:nas:<region>:<account-id>:filesystem/<filesystemid> |
Deletes a file system. |
|
|
ModifyFileSystem |
nas:ModifyFileSystem |
acs:nas:<region>:<account-id>:filesystem/<filesystemid> |
Modifies file system configurations. |
|
|
DescribeFileSystems |
nas:DescribeFileSystems |
acs:nas:<region>:<account-id>:filesystem/<filesystemid> |
Queries file systems. |
|
|
Mount target |
CreateMountTarget |
nas:CreateMountTarget |
|
Creates a mount target. |
|
DeleteMountTarget |
nas:DeleteMountTarget |
acs:nas:<region>:<account-id>:filesystem/<filesystemid> |
Deletes a mount target. |
|
|
ModifyMountTarget |
nas:ModifyMountTarget |
acs:nas:<region>:<account-id>:filesystem/<filesystemid> |
Modifies mount target configurations. |
|
|
DescribeMountTargets |
nas:DescribeMountTargets |
acs:nas:<region>:<account-id>:filesystem/<filesystemid> |
Queries mount targets for a file system. |
|
|
Permission group |
CreateAccessGroup |
nas:CreateAccessGroup |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Creates a permission group. |
|
DeleteAccessGroup |
nas:DeleteAccessGroup |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Deletes a permission group. |
|
|
ModifyAccessGroup |
nas:ModifyAccessGroup |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Modifies a permission group. |
|
|
DescribeAccessGroups |
nas:DescribeAccessGroups |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Queries permission groups. |
|
|
CreateAccessRule |
nas:CreateAccessRule |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Creates a permission rule. |
|
|
DeleteAccessRule |
nas:DeleteAccessRule |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Deletes a permission rule. |
|
|
ModifyAccessRule |
nas:ModifyAccessRule |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Modifies a permission rule. |
|
|
DescribeAccessRules |
nas:DescribeAccessRules |
acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> |
Queries permission rules. |
|