Use RAM to grant different permissions to O&M engineers based on their responsibilities.
Background
An enterprise runs multiple Alibaba Cloud services with the following O&M requirements:
- Different engineers manage different Alibaba Cloud services.
- Each engineer requires specific permissions to access and manage cloud resources.
Solution
Create RAM users and attach different policies to each user based on their O&M role.
| O&M engineer | Policy | Description |
| --- | --- | --- |
| Cloud platform administrators | AdministratorAccess | Permissions to manage all Alibaba Cloud resources. |
| Cloud resource administrators | PowerUserAccess | Permissions to access all Alibaba Cloud services and resources. This policy does not grant permissions to: |
| VM O&M engineers | AliyunECSFullAccess | Permissions to manage Elastic Compute Service (ECS). |
| | AliyunESSFullAccess | Permissions to manage Auto Scaling (ESS). |
| | AliyunSLBFullAccess | Permissions to manage Server Load Balancer (SLB). |
| | AliyunNASFullAccess | Permissions to manage File Storage NAS (NAS). |
| | AliyunOSSFullAccess | Permissions to manage Object Storage Service (OSS). |
| | AliyunOTSFullAccess | Permissions to manage Tablestore (OTS). |
| Network O&M engineers | AliyunCDNFullAccess | Permissions to manage Alibaba Cloud CDN (CDN). |
| | AliyunCENFullAccess | Permissions to manage Cloud Enterprise Network (CEN). |
| | AliyunCommonBandwidthPackageFullAccess | Permissions to manage Internet Shared Bandwidth. |
| | AliyunEIPFullAccess | Permissions to manage Elastic IP Address (EIP). |
| | AliyunExpressConnectFullAccess | Permissions to manage Express Connect. |
| | AliyunNATGatewayFullAccess | Permissions to manage NAT Gateway (NAT). |
| | AliyunSmartAccessGatewayFullAccess | Permissions to manage Smart Access Gateway. |
| | AliyunVPCFullAccess | Permissions to manage Virtual Private Cloud (VPC). |
| | AliyunVPNGatewayFullAccess | Permissions to manage VPN Gateway. |
| Database O&M engineers | AliyunRDSFullAccess | Permissions to manage ApsaraDB RDS. |
| | AliyunDTSFullAccess | Permissions to manage Data Transmission Service (DTS). |
| Security O&M engineers | AliyunYundunFullAccess | Permissions to manage all Alibaba Cloud Security services. |
| Monitoring O&M engineers | AliyunActionTrailFullAccess | Permissions to manage ActionTrail. |
| | AliyunARMSFullAccess | Permissions to manage Application Real-Time Monitoring Service (ARMS). |
| | AliyunCloudMonitorFullAccess | Permissions to manage CloudMonitor. |
| | ReadOnlyAccess | Read-only access to all Alibaba Cloud resources. |
| | AliyunSupportFullAccess | Permissions to manage Ticket Management. |
Procedure
The following example grants the RAM user alice@secloud.onaliyun.com database O&M permissions for ApsaraDB RDS and DTS.
- Log on to the RAM console with your Alibaba Cloud account.
- Create a RAM user named alice@secloud.onaliyun.com. For more information, see Create a RAM user.
- Attach the AliyunRDSFullAccess and AliyunDTSFullAccess policies to the RAM user alice@secloud.onaliyun.com. For more information, see Manage RAM user permissions.
Repeat these steps for other RAM users with the policies listed in the preceding table.
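The role-to-policy mapping from the table and the attach steps from the procedure, scripted with the Alibaba Cloud CLI so that grants are reproducible and reviewable; this is an added example, not code from the page or from Alibaba Cloud. It assumes the `aliyun` CLI is installed and configured, uses the RAM `CreateUser` and `AttachPolicyToUser` actions, and treats the page's logon name alice@secloud.onaliyun.com as the RAM user name `alice`; the role keys (vm, database, ...) are constructed labels. Commands are printed only, unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: grant an O&M engineer the system policies the table assigns
# to their role. Assumes the `aliyun` CLI is installed and configured.

# policies_for_role ROLE -> one system policy name per line (from the table)
policies_for_role() {
  case "$1" in
    platform-admin) echo AdministratorAccess ;;
    resource-admin) echo PowerUserAccess ;;
    vm)         printf '%s\n' AliyunECSFullAccess AliyunESSFullAccess \
                  AliyunSLBFullAccess AliyunNASFullAccess \
                  AliyunOSSFullAccess AliyunOTSFullAccess ;;
    network)    printf '%s\n' AliyunCDNFullAccess AliyunCENFullAccess \
                  AliyunCommonBandwidthPackageFullAccess AliyunEIPFullAccess \
                  AliyunExpressConnectFullAccess AliyunNATGatewayFullAccess \
                  AliyunSmartAccessGatewayFullAccess AliyunVPCFullAccess \
                  AliyunVPNGatewayFullAccess ;;
    database)   printf '%s\n' AliyunRDSFullAccess AliyunDTSFullAccess ;;
    security)   echo AliyunYundunFullAccess ;;
    monitoring) printf '%s\n' AliyunActionTrailFullAccess AliyunARMSFullAccess \
                  AliyunCloudMonitorFullAccess ReadOnlyAccess \
                  AliyunSupportFullAccess ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# run CMD -> print the command; execute it only when APPLY=1 (dry run by default)
run() {
  echo "$1"
  if [ "${APPLY:-0}" = "1" ]; then eval "$1"; fi
}

# grant_role USERNAME ROLE -> create the RAM user, then attach each policy.
# Fails before touching anything if the role is not in the table.
grant_role() {
  user="$1"; role="$2"
  policies=$(policies_for_role "$role") || return 1
  run "aliyun ram CreateUser --UserName '$user'"
  for p in $policies; do
    run "aliyun ram AttachPolicyToUser --PolicyType System --PolicyName '$p' --UserName '$user'"
  done
}

# The page's example: RAM user alice gets the database O&M policies.
grant_role alice database
```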