Serverless App Engine (SAE) offers a permission assistant feature designed to streamline the setup of SAE-related RAM policies. This topic explains how to rapidly generate policy statements with the SAE permission assistant and finalize the policy configuration within the RAM console.
Prerequisites
Background information
SAE Permission Assistant is a tool designed to create RAM policies. It enables you to visualize and configure SAE permissions with precision for application and task operations, generating the necessary policy statements within the SAE console. This method helps prevent errors that can arise from manually editing policy statements in the RAM console. You can then establish a custom policy in the RAM console, update the policy document with the generated statement, and assign the appropriate permissions to the RAM user requiring SAE permissions.
Both Alibaba Cloud accounts (primary accounts) and RAM users (sub-accounts) can use the SAE permission assistant in the console to create policy drafts. However, a draft has no effect on its own: it only restricts what a RAM user can do once it has been created as a custom policy in the RAM console and attached to that user.
Step 1: Create a policy in the SAE console
- In the left-side navigation pane of the SAE console, open the Permission Assistant page and click Create Policy.
- In the Create Policy panel, in the Policy Configuration wizard, complete the following operations and click Next.
  - Enter the Policy Name and Description.
    Policy Name: The custom name of the policy. It must start with a letter, can contain letters, digits, underscores (_), and hyphens (-), and must not exceed 36 characters.
    Description: The description of the policy.
  - Click Add Policy Statement. In the Add Policy Statement panel, complete the following operations and click Confirm.
    Authorized Resource: Select the resource dimensions from the drop-down lists.
      Region: supports single selection.
      Namespace: supports single selection.
      Application or Task: supports multiple selections.
    Authorized Operation: Select the permissions to be granted in the Optional Permissions check box and review them in the Selected Permissions preview box. Authorized operations have the following limitations:
      The Search Operation text box supports fuzzy search and is case-sensitive.
      The Selected Permissions check box displays the System Default Read Permissions by default.
      Read and write operations depend on each other. When you select read and write permissions, the system automatically determines and selects the related permissions for you. For example, when you select an operation under write permissions, the system automatically selects the related read permissions.
  You can view the added policy statements in the Policy Configuration wizard and perform operations such as View Permissions, Clone, Edit, or Delete as needed.
  Note:
  - If you need to set permissions for resources in multiple namespaces, add multiple policy statements.
  - If you need to copy existing policy statements, or edit them and add new ones based on them, click Clone to open the Clone Policy Statement panel, edit the statement as needed, and add it.
- In the Policy Preview wizard, review the generated policy statements and click Complete.
  You can click One-click Copy. The copied RAM authorization statement is used in Step 2: Create a custom policy in the RAM console.
  The console returns to the Permission Assistant page, where you can view the newly created policy and perform operations such as View Permissions, One-click Copy RAM Authorization Statement, Edit, or Delete as needed.
Important:
- The policies created by the SAE permission assistant apply solely to SAE resources and are limited to a maximum of 20 statements.
- When SAE introduces new features, you must regenerate the RAM policy statements to ensure that RAM users under the existing policy have permissions for these new features.
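The naming rule and the 20-statement limit above are easy to check before a draft is pasted into the RAM console. The following Python script is an added example, not part of this documentation or of the SAE console; it lints a policy document against the constraints this page states (name format, statement limit, SAE-only actions, resources scoped to something narrower than `*`). The `sae:` action prefix, the action names, the account ID and the ARN format used in the constructed sample are assumptions made for illustration.

```python
import json
import re

# Constraints stated on this page: the name starts with a letter, may contain
# letters, digits, underscores and hyphens, and is at most 36 characters; a
# permission-assistant policy holds at most 20 statements.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,35}$")
MAX_STATEMENTS = 20
# Assumption: SAE actions in RAM policy statements carry the "sae:" prefix.
SAE_ACTION_PREFIX = "sae:"


def _as_list(value):
    """RAM policies allow Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(name, policy):
    """Return a list of problems found in the draft; an empty list means it passes."""
    problems = []
    if not NAME_PATTERN.match(name):
        problems.append(f"policy name {name!r} violates the naming rule")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["policy has no Statement list"]
    if len(statements) > MAX_STATEMENTS:
        problems.append(f"{len(statements)} statements exceed the limit of {MAX_STATEMENTS}")
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(st.get("Action", [])):
            if not action.startswith(SAE_ACTION_PREFIX):
                problems.append(f"statement {i}: non-SAE action {action!r}")
        if "Resource" not in st:
            problems.append(f"statement {i}: missing Resource")
        elif "*" in _as_list(st["Resource"]):
            problems.append(f"statement {i}: Resource '*' is not scoped to a namespace or application")
    return problems


# Constructed sample draft: the second statement deliberately breaks two rules.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["sae:DescribeApplicationConfig"],
     "Resource": ["acs:sae:cn-hangzhou:123456789012:namespace/example-ns"]},
    {"Effect": "Allow",
     "Action": "ecs:StartInstance",
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for problem in lint_policy("sae-demo", SAMPLE_POLICY):
        print(problem)
```

Running the script reports the non-SAE action and the unscoped resource in the second statement; a draft that comes back with no problems is ready for the RAM console, where the optional advanced optimization still applies its own checks.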
Step 2: Create a custom policy in the RAM console
When creating a custom policy in the RAM console, modify the policy document to include the policy statements generated in Step 1: Create a Policy in the SAE Console.
- Log on to the RAM console as a RAM user who has administrative rights.
- In the left-side navigation pane, open the Policies page.
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
- Enter the policy content.
  For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
- Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.
  The system performs the following operations during the advanced optimization:
  - Splits resources or conditions that are incompatible with actions.
  - Narrows down resources.
  - Deduplicates or merges policy statements.
- On the Create Policy page, click OK.
- In the Create Policy dialog box, configure the Name and Description parameters and click OK.
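The deduplicate-or-merge step of the advanced optimization is worth understanding, because a permission assistant draft that adds one statement per namespace or application often contains statements that differ only in their actions. The following Python function is an added illustration of that idea, not the RAM console's own optimizer: it merges statements that share the same Effect, Resource set and Condition by taking the union of their actions, which shrinks the draft without widening any grant. The action names, account ID and ARN format in the constructed sample are assumptions.

```python
import json


def _norm_list(value):
    """Action and Resource may be a string or a list; compare them as sorted, deduplicated lists."""
    items = value if isinstance(value, list) else [value]
    return sorted(set(items))


def merge_statements(policy):
    """Return a new policy in which statements sharing Effect, Resource and Condition are merged.

    Only actions are unioned; resources and conditions are never widened, so the
    merged policy grants exactly what the original did.
    """
    merged = {}
    order = []  # keep first-seen order so the output stays readable
    for st in policy["Statement"]:
        condition = st.get("Condition")
        key = (
            st["Effect"],
            tuple(_norm_list(st.get("Resource", []))),
            json.dumps(condition, sort_keys=True) if condition is not None else None,
        )
        if key not in merged:
            merged[key] = {"Effect": st["Effect"], "Action": set(), "Resource": list(key[1])}
            if condition is not None:
                merged[key]["Condition"] = condition
            order.append(key)
        merged[key]["Action"].update(_norm_list(st.get("Action", [])))
    statements = []
    for key in order:
        st = merged[key]
        st["Action"] = sorted(st["Action"])
        statements.append(st)
    return {"Version": policy.get("Version", "1"), "Statement": statements}


# Constructed sample: the first two statements target the same namespace and
# overlap in actions, the third targets a different namespace.
NS_A = "acs:sae:cn-hangzhou:123456789012:namespace/example-ns"
NS_B = "acs:sae:cn-hangzhou:123456789012:namespace/other-ns"
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "sae:DescribeApplicationConfig", "Resource": NS_A},
        {"Effect": "Allow",
         "Action": ["sae:ListApplications", "sae:DescribeApplicationConfig"],
         "Resource": [NS_A]},
        {"Effect": "Allow", "Action": ["sae:DescribeApplicationConfig"], "Resource": NS_B},
    ],
}

if __name__ == "__main__":
    print(json.dumps(merge_statements(SAMPLE_POLICY), indent=2))
```

On the sample the three statements collapse to two: one for `example-ns` with both actions, one for `other-ns` unchanged. Statements with a Deny effect or a Condition are kept apart from Allow statements, since merging across those would change the policy's meaning.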
Step 3: Grant permissions to RAM users in the RAM console
After successfully creating a custom policy, grant permissions to the RAM users who require them in the RAM console. This section describes how to grant permissions to a RAM user on the Users page. For more methods, see Grant Permissions to RAM Users.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, open the Users page.
- On the Users page, find the required RAM user and click Add Permissions in the Actions column.
  You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.
- In the Grant Permission panel, grant permissions to the RAM user.
  - Configure the Resource Scope parameter.
    Account: The authorization takes effect on the current Alibaba Cloud account.
    Resource Group: The authorization takes effect on a specific resource group.
    Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
  - Configure the Principal parameter.
    The principal is the RAM user to which you want to grant permissions. The current RAM user is selected automatically.
  - Configure the Policy parameter.
    A policy contains a set of permissions. Policies are classified into system policies and custom policies. You can select multiple policies at a time.
    System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
    Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
    Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
- Click Grant permissions.
- Click Close.