This topic describes authorization rules of Serverless workflow. You can use the Resource Access Management (RAM) service to grant permissions to the specified groups, group members, and RAM users. You can also perform cross-service access control in the RAM console.

Background information

Note: If you can access the resources without obtaining authorization, skip this topic.
By default, you can use your Alibaba Cloud account or RAM user account to call Serverless workflow API operations. However, authorization is required in the following scenarios:
  • You want to allow a newly created RAM user account to perform operations on the resources of your Alibaba Cloud account.
  • You want to access Serverless workflow resources from other Alibaba Cloud services, or access other Alibaba Cloud services from Serverless workflow.
  • You want to perform operations on Serverless workflow resources that require resource and API operation permissions to be granted by the resource owners.

When another Alibaba Cloud account attempts to access resources that belong to your Alibaba Cloud account by calling Serverless workflow API operations, Alibaba Cloud checks whether the Alibaba Cloud account has the required permissions that you authorized. Required permissions vary based on the requested Serverless workflow resources and API operations. For more information about authorization policies and access control, see What is RAM? and List of operations by function.

Custom policies

You can create a custom policy by using the RAM console or by calling the CreatePolicy operation provided by RAM. The following code provides a sample custom policy. When you create a custom policy, you must edit the policy based on the JSON template. In the policy statements, set Action to the API operation and Resource to the matching Alibaba Cloud Resource Name (ARN) value listed in the API operations for authorization section. For more information, see Create a custom policy and Policy elements.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "fnf:DescribeFlow",
      "Resource": "acs:fnf:*:188077086902****:flow/flow"
    }
  ]
}

API operations for authorization

An Alibaba Cloud Resource Name (ARN) identifies the resource that a custom access policy applies to. You can create a custom access policy and attach it to RAM users or cloud services by using the RAM service. For more information about the formats of ARNs, see Terms in the RAM documentation. The following table lists the ARN values of Serverless workflow API operations.

API operation         ARN value
ListFlows             acs:fnf:${region-id}:${resource-owner-id}:flow/*
CreateFlow            acs:fnf:${region-id}:${resource-owner-id}:flow/*
DescribeFlow          acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}
UpdateFlow            acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}
DeleteFlow            acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}
StartExecution        acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/*
ListExecutions        acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/*
DescribeExecution     acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/${execution-name}
StopExecution         acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/${execution-name}
GetExecutionHistory   acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/${execution-name}
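The following added example (not part of the Serverless workflow or RAM documentation) builds a least-privilege custom policy from the ARN table above for one flow, and then checks which action/ARN pairs the resulting statements cover. The matcher treats only "*" as a wildcard and ignores Deny statements and conditions; it illustrates how the ARN scopes narrow a grant, not how the RAM evaluation engine works. The region, owner ID, and flow name are constructed sample values.

```python
import fnmatch
import json

# ARN templates per API operation, adapted from the table above
# (${region-id} -> {region}, ${resource-owner-id} -> {owner}, and so on).
FNF_ARN_TEMPLATES = {
    "ListFlows": "acs:fnf:{region}:{owner}:flow/*",
    "CreateFlow": "acs:fnf:{region}:{owner}:flow/*",
    "DescribeFlow": "acs:fnf:{region}:{owner}:flow/{flow}",
    "UpdateFlow": "acs:fnf:{region}:{owner}:flow/{flow}",
    "DeleteFlow": "acs:fnf:{region}:{owner}:flow/{flow}",
    "StartExecution": "acs:fnf:{region}:{owner}:flow/{flow}/execution/*",
    "ListExecutions": "acs:fnf:{region}:{owner}:flow/{flow}/execution/*",
    "DescribeExecution": "acs:fnf:{region}:{owner}:flow/{flow}/execution/{execution}",
    "StopExecution": "acs:fnf:{region}:{owner}:flow/{flow}/execution/{execution}",
    "GetExecutionHistory": "acs:fnf:{region}:{owner}:flow/{flow}/execution/{execution}",
}


def build_policy(operations, region, owner, flow, execution="*"):
    """Return a RAM policy document allowing only the given operations on one flow."""
    statements = []
    for op in operations:
        if op not in FNF_ARN_TEMPLATES:
            raise ValueError(f"unknown Serverless workflow operation: {op}")
        resource = FNF_ARN_TEMPLATES[op].format(
            region=region, owner=owner, flow=flow, execution=execution)
        statements.append({"Effect": "Allow", "Action": f"fnf:{op}", "Resource": resource})
    return {"Version": "1", "Statement": statements}


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement covers both the action and the resource ARN ('*' wildcard only)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: region, owner ID, and flow name are not real.
    policy = build_policy(["DescribeFlow", "StartExecution"],
                          "cn-hangzhou", "1234567890123456", "order-flow")
    print(json.dumps(policy, indent=2))
```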