Drive and Photo Service: RAM configuration

Last Updated: Jan 06, 2026

PDS for Enterprise supports logon with Resource Access Management (RAM). To let users log on to the drive as RAM users, you must first configure RAM logon. This topic describes how to configure RAM user logon for PDS for Enterprise.

Notes

Only super administrators or drive administrators can enable this feature.

Procedure

Step 1: Create an OAuth application

  1. Log on to the RAM console using your Alibaba Cloud account.

  2. In the navigation pane on the left, choose Integrations > OAuth Preview.

  3. On the Enterprise Applications tab, click Create Application.

  4. In the Create Application panel, set the application parameters.

    1. Enter an Application Name and a Display Name.

    2. Set Application Type to Web Application.

    3. Set the Access Token Validity.

      The validity period of an access token ranges from 900 seconds (15 minutes) to 10,800 seconds (3 hours). The default value is 3,600 seconds.

    4. Set the Refresh Token Validity.

      The validity period of a refresh token ranges from 7,200 seconds (2 hours) to 31,536,000 seconds (1 year). The default value is 2,592,000 seconds.

    5. Set the Callback Address.

      Important

      Replace domainId in the example with your enterprise code.

      The callback URL format is https://domainId.api.aliyunpds.com/v2/oauth/callback.

  5. Click Create Application.

Step 2: Add OAuth scopes

Add OAuth scopes to allow PDS for Enterprise to retrieve RAM user information.

  1. Log on to the RAM console using your Alibaba Cloud account.

  2. In the navigation pane on the left, choose Integrations > OAuth Preview.

  3. On the Enterprise Applications tab, click the name of the target application.

  4. On the OAuth Scope tab, click Add OAuth Scope.

  5. In the Add OAuth Scope panel, select the aliuid and profile scopes.

  6. Click OK.

Step 3: Create a key

  1. On the details page of the target application, click Application Secret > Create Secret.

  2. In the Create Secret dialog box, view the application secret, click Copy, and then click Close.

    Important
    • The application secret is visible only when it is created and cannot be retrieved later. Make sure to save the key immediately.

    • You can create a maximum of two application secrets for each application.


  3. Save the Application ID and AppSecretValue. You will need them to set parameters in Step 4.

Step 4: Enable the RAM configuration

  1. Log on to CDE and go to the admin console.

  2. In the navigation pane on the left, choose Dedicated Login Configuration > RAM Configuration.

  3. On the RAM Configuration page, turn on the RAM Configuration switch.

  4. In the Login Settings section, enter the RAM configuration parameters.

    1. OAuth2.0 Client ID: Enter the Application ID that you obtained in Step 3.

    2. Key: Enter the AppSecretValue that you obtained in Step 3.

  5. Click Save.


Step 5: Configure RAM users

  1. Log on to CDE and go to the admin console.

  2. In the navigation pane on the left, choose Team Management, select a user, and click Edit.


  3. In the Login Account Information area, set RAM user to the UID of the corresponding RAM user.

    Note

    You can view the UID of a RAM user on the Users page of the RAM console. For more information, see View RAM user information.


  4. Click Save.

Log on with RAM

  1. Access the Enterprise File Management logon interface.

  2. Enter the enterprise code and click The next step.

  3. Click RAM.


  4. You can now log on to PDS for Enterprise using RAM.

FAQ

Error when logging on to PDS for Enterprise with a RAM user: App not exists

Error example:

{"error_description":"App not exists:4098973631995927491","error":"invalid_client"}

If this error occurs, follow these steps to check whether the OAuth2.0 Client ID is correct:

  1. Log on to CDE and go to the admin console.

  2. In the navigation pane on the left, choose Dedicated Login Configuration > RAM Configuration.

  3. Check whether the OAuth2.0 Client ID matches the Application ID on the OAuth Application Preview page in the RAM console.
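The parameter limits from Steps 1 and 2 and the Client ID comparison from this FAQ can be checked in a script before or after the console work. The following Python is an added example, not Alibaba Cloud code: the dict layout, function names and sample values are assumptions, as is reading the number after "App not exists:" as the client ID that was submitted.

```python
import json
import re

ACCESS_TOKEN_RANGE = (900, 10_800)         # seconds, Step 1
REFRESH_TOKEN_RANGE = (7_200, 31_536_000)  # seconds, Step 1
REQUIRED_SCOPES = {"aliuid", "profile"}    # Step 2


def check_oauth_app(cfg):
    """Return findings for a planned OAuth app config (hypothetical dict layout)."""
    findings = []
    for key, (low, high) in (("access_token_validity", ACCESS_TOKEN_RANGE),
                             ("refresh_token_validity", REFRESH_TOKEN_RANGE)):
        if not low <= cfg[key] <= high:
            findings.append(f"{key}={cfg[key]} is outside {low}-{high} seconds")
    domain_id = cfg["domain_id"]
    if domain_id.lower() == "domainid":
        findings.append("domainId placeholder was not replaced with the enterprise code")
    expected = f"https://{domain_id}.api.aliyunpds.com/v2/oauth/callback"
    if cfg["callback_url"] != expected:
        findings.append(f"callback URL must be exactly {expected}")
    scopes = set(cfg["scopes"])
    if REQUIRED_SCOPES - scopes:
        findings.append("missing scopes: " + ", ".join(sorted(REQUIRED_SCOPES - scopes)))
    if scopes - REQUIRED_SCOPES:  # least-privilege check added here, not a console rule
        findings.append("extra scopes: " + ", ".join(sorted(scopes - REQUIRED_SCOPES)))
    return findings


def client_id_mismatch(error_body, application_id):
    """For the FAQ's invalid_client error, return the rejected ID if it differs
    from the RAM console Application ID, else None. Assumes the number after
    'App not exists:' is the client ID that was submitted."""
    err = json.loads(error_body)
    match = re.fullmatch(r"App not exists:(\d+)", err.get("error_description", ""))
    if err.get("error") != "invalid_client" or not match:
        raise ValueError("not an 'App not exists' response")
    rejected = match.group(1)
    return rejected if rejected != str(application_id) else None


if __name__ == "__main__":
    # Constructed sample values; "exampleco" is a made-up enterprise code.
    planned = {"domain_id": "exampleco", "access_token_validity": 3600,
               "refresh_token_validity": 2_592_000, "scopes": ["aliuid", "profile"],
               "callback_url": "https://exampleco.api.aliyunpds.com/v2/oauth/callback"}
    print(check_oauth_app(planned) or "config OK")
    faq_error = '{"error_description":"App not exists:4098973631995927491","error":"invalid_client"}'
    print(client_id_mismatch(faq_error, "4098973631995927490"))
```

A non-None result from client_id_mismatch means the value stored in the RAM Configuration page differs from the Application ID and should be re-entered.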

