Serverless App Engine (SAE) implements permission management through Alibaba Cloud Resource Access Management (RAM). The permission management feature allows you to isolate and control access to applications, resources, and data. This topic describes the application scenarios and the corresponding features of SAE permission management, using the daily business operations of an enterprise as an example.
Feature overview
If you want a systematic introduction to SAE permission management, work through the application scenarios in this topic step by step. For more information, see Background information and Business scenario.
If you are familiar with the permission management feature, you can find relevant information in the following topics as needed:
Permission policies and examples: describes the basic concepts of permission policies, the permission policies supported by SAE, and permission policy examples.
SAE permission assistant: describes how to generate permission statements through the SAE permission assistant tool to simplify custom policy settings.
Grant permissions to RAM users: describes how to create RAM users and grant permissions to them as needed.
Grant permissions to RAM roles: describes how to create RAM roles and grant permissions to them, so that a trusted identity can assume a role and access the authorized resources with temporary security tokens issued by Security Token Service (STS).
Contact management: describes how to set permission rules for specified contacts, send notifications, and more.
Operation approval: describes how to set approval processes for important features of the SAE platform to implement fine-grained control over operation permissions.
Service-linked role: describes how SAE obtains access permissions to other cloud resources through service-linked roles.
Background information
Applications hosted on SAE may include multiple services or subsystems, which may be developed and maintained by different teams or members. SAE provides an enterprise-level permission management system through an account system and a series of permission management operations. This helps you isolate and control access to applications, resources, and data to ensure security.
Enterprise A activated SAE through Alibaba Cloud account A (the primary account). Initially, multiple employees within the enterprise shared this account. As the business grew, more employees were added, and sharing a single account made it difficult to assign responsibilities clearly and posed security risks, because every employee held full account permissions. To resolve these issues, Enterprise A used the features of RAM to grant different permissions to different employees and to split bills among departments.

Business scenario
Scenario 1
Enterprise A wants to identify the responsibilities of its employees and grant permissions to them.
To separate the responsibilities of its employees, Enterprise A can use Alibaba Cloud account A to create multiple RAM users and grant different permissions to these users. Employees then use their RAM users, rather than the primary account, to access the resources they need. Because Enterprise A hosts its applications on SAE, it must first understand the permission policies and authorization configuration examples of SAE in RAM. RAM supports the following policy types:
System policy: created and maintained by Alibaba Cloud. You can attach system policies to RAM users or roles, but you cannot modify them.
Custom policy: created, updated, and deleted by you. You maintain the policy content yourself, which lets you scope permissions more narrowly than a system policy does.
In some scenarios, SAE needs permissions on other cloud services to complete a function. For example, to list resources such as virtual private clouds (VPCs) when you create an application, SAE assumes the service-linked role AliyunServiceRoleForSAE to obtain the permissions it needs on related services such as VPC.
For more information, see Permission policies and examples and Service-linked role.
Scenario 2
Enterprise A wants to grant fine-grained permissions to its employees.
After learning about permission policies, Enterprise A can first attach system policies to its employees' RAM users. System policies grant coarse-grained, commonly needed permissions, such as read-only access to SAE resources. If the system policies do not meet business requirements, Enterprise A can create custom policies to implement fine-grained access control.
When configuring custom policies, the SAE permission assistant simplifies writing the initial policy document. Enterprise A can copy the automatically generated, complete policy document to the RAM console, create the corresponding custom policy, and attach it to RAM users. This reduces the risk of errors that occur when policy documents are written by hand in the RAM console.
For more information, see SAE permission assistant.
Scenario 3
Enterprise A wants to create RAM users for its employees and grant permissions to the RAM users.
After learning about permission policies, Enterprise A creates a RAM user for each employee and grants each user only the permissions that the employee's responsibilities require.
For more information, see Grant permissions to RAM users.
Scenario 4
Enterprise A wants to share workloads with a partner enterprise. In this case, Enterprise A creates a RAM role that the partner's Alibaba Cloud account is trusted to assume and grants permissions to that role, instead of creating RAM users for the partner's employees.
Enterprise A has established a good partnership with Enterprise B as the business grew, and wants to authorize Enterprise B to manage part of its business. Requirements of Enterprise A:
Enterprise A wants to focus on its business systems and only act as the resource owner of SAE. Enterprise A wants to authorize Enterprise B to manage some services, such as application release, application management, auto scaling, one-click start and stop of applications, and application monitoring.
Each time an employee joins or leaves Enterprise B, Enterprise A does not need to change permission settings. Enterprise B can further assign the access permissions on Enterprise A's resources to the RAM users of Enterprise B, and can finely control which of its employees or applications can access and operate on those resources.
If the contract between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B, for example by removing Enterprise B from the trust policy of the role or by deleting the role.
For more information, see Grant permissions to RAM roles.
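The two mechanisms described in Scenario 2 and Scenario 4 can be made concrete with a small policy evaluator. The following Python block is an added example for this topic, not SAE code or an Alibaba Cloud SDK. It models the RAM decision order (an explicit Deny wins, otherwise an Allow, otherwise the implicit Deny) for policies attached to a RAM user, and the Principal check of a role's trust policy for cross-account access. The action names, resource ARN formats, account IDs and role name are constructed for illustration; take real values from the SAE permission policy reference.

```python
"""Toy evaluator for Alibaba Cloud RAM policy documents (added example).

Models: explicit Deny > Allow > implicit Deny for identity policies, and the
Principal check of a role trust policy. Actions, ARNs, account IDs and the
role name below are constructed, not taken from SAE documentation.
"""
import re


def _as_list(value):
    """RAM accepts a single string or a list for Action, Resource, Principal."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """Wildcard match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policies, action, resource):
    """Decide one request against every policy attached to an identity."""
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny cannot be overridden
            decision = "Allow"
    return decision


# Constructed stand-in for a read-only system policy (attachable, not editable).
READ_ONLY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["sae:Describe*", "sae:List*"], "Resource": "*"},
    ],
}

# Constructed custom policy: deploy and stop applications anywhere, but every
# action on the online namespace is explicitly denied. ARN format is assumed.
ONLINE_NS = "acs:sae:*:*:namespace/cn-hangzhou:online"
DEPLOYER = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sae:DeployApplication", "sae:StopApplication"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "sae:*", "Resource": ONLINE_NS},
    ],
}


def _account_of(arn):
    """acs:ram::<account-id>:<identity> -> <account-id>."""
    return arn.split(":")[3]


def trust_policy(trusted_account_ids):
    """Trust policy of a role in Enterprise A's account: which accounts may call
    sts:AssumeRole on it. Removing an account from the list revokes the partner."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{a}:root" for a in trusted_account_ids]},
        }],
    }


def can_assume(trust, principal_arn):
    """True if the trust policy admits this principal (a RAM user or role ARN)."""
    for stmt in trust["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for trusted in _as_list(stmt["Principal"].get("RAM", [])):
            # Trusting an account's root admits every RAM identity in that account.
            if trusted.endswith(":root") and _account_of(trusted) == _account_of(principal_arn):
                return True
            if trusted == principal_arn:
                return True
    return False


def cross_account_allowed(trust, b_user_policies, b_user_arn, role_arn):
    """Both halves must hold: A's role trusts B's account, and B's own RAM user
    is allowed to call sts:AssumeRole on that role."""
    return (can_assume(trust, b_user_arn)
            and evaluate(b_user_policies, "sts:AssumeRole", role_arn) == "Allow")


if __name__ == "__main__":
    app = "acs:sae:cn-hangzhou:1111111111111111:application/dev-app"
    online = "acs:sae:cn-hangzhou:1111111111111111:namespace/cn-hangzhou:online"
    print(evaluate([READ_ONLY, DEPLOYER], "sae:DeployApplication", app))     # Allow
    print(evaluate([READ_ONLY, DEPLOYER], "sae:DescribeNamespace", online))  # Deny
    role = "acs:ram::1111111111111111:role/sae-operator"
    b_user = "acs:ram::2222222222222222:user/alice"
    b_policy = {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role}]}
    print(cross_account_allowed(trust_policy(["2222222222222222"]), [b_policy], b_user, role))  # True
    print(cross_account_allowed(trust_policy([]), [b_policy], b_user, role))  # False
```

Two points the example makes visible: the Deny statement in the custom policy overrides even the read-only Allow on the online namespace, which is how a custom policy narrows a system policy rather than adding to it; and cross-account access needs two separate grants, the trust policy on Enterprise A's role and an sts:AssumeRole permission on Enterprise B's RAM user, so Enterprise A can revoke everything at once by editing only its own trust policy. The evaluator ignores Condition elements and treats matching as case-sensitive; it is a teaching aid, not a substitute for RAM's own policy evaluation.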
Scenario 5
Enterprise A wants to manage each access approval process.
Enterprise A has deployed multiple namespaces within Alibaba Cloud account A, including a test environment, a development environment, a staging environment, and an online environment. Enterprise A wants to strictly control access to the resources in the online environment: developers who are not authorized are denied access to these resources, which prevents accidental changes from taking the online environment down. Enterprise A can configure approval processes for sensitive operations and receive approval notifications, so that such operations are controlled at a fine-grained level.
For more information, see Operation approval and Contact management.