This topic describes authorization policies of CloudOps Orchestration Service (OOS)s (OOS). You can use the Resource Access Management (RAM) service to grant permissions to the specified groups, group members, and RAM users. You can also perform cross-service access control in the RAM console.
Background
When RAM users are trying to access OOS resources by using API operations, OOS sends requests to the RAM system to confirm that resource owners have granted the relevant permissions to the users. Required permissions vary with OOS resources and API operations. For more information about fine-grained authorization policies and access control, see the RAM documentation.
If authentication is not required, skip this topic.
API operations for authorization
The following table lists API operations and the corresponding Alibaba resource name (ARN). For more information about ARN, see Terms.
API operation | OOS action | ARN |
CreateTemplate | oos:CreateTemplate | acs:oos:$regionid:$accountid:template/* |
ListTemplates | oos:ListTemplates | acs:oos:$regionid:$accountid:template/${templateName} |
UpdateTemplate | oos:UpdateTemplate | acs:oos:$regionid:$accountid:template/${templateName} |
GetTemplate | oos:GetTemplate | acs:oos:$regionid:$accountid:template/${templateName} |
DeleteTemplate | oos:DeleteTemplate | acs:oos:$regionid:$accountid:template/${templateName} |
GenerateTemplatePolicy | oos:GenerateTemplatePolicy | acs:oos:$regionid:$accountid:template/${templateName} |
StartExecution | oos:StartExecution | acs:oos:$regionid:$accountid:template/${templateName}execution/* |
ListExecutions | oos:ListExecutions | acs:oos:$regionid:$accountid:acs:oos:$regionid:$accountid:execution/${executionId} |
ListExecutionTasks | oos:ListExecutionTasks | acs:oos:$regionid:$accountid:execution/${executionId} |
CancelExecution | oos:CancelExecution | acs:oos:$regionid:$accountid:execution/${executionId} |
NotifyExecution | oos:NotifyExecution | acs:oos:$regionid:$accountid:execution/${executionId} |
DeleteExecutions | oos:DeleteExecutions | acs:oos:$regionid:$accountid:execution/${executionId} |
ListExecutionLogs | oos:ListExecutionLogs | acs:oos:$regionid:$accountid:execution/${executionId} |
GetExecutionTemplate | oos:GetExecutionTemplate | acs:oos:$regionid:$accountid:execution/${executionId} |