Web Application Firewall:RAM authorization

Resource Access Management (RAM) is a Alibaba Cloud service for centrally managing user identities and resource access permissions. It enables secure resource permission delegation by issuing distinct AccessKey pairs to each RAM user. Access policies enforce least-privilege principles, ensuring users only obtain permissions explicitly defined for their operational needs. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Web Application Firewall .

General structure of a RAM policy

RAM policies use JSON format with the following structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}        

The supported authorization granularity of placeholder-${productName} is placeholder-${ramLevel}.

Action

The table below lists the available actions for placeholder-${productName}. You can specify these actions in a RAM policy to grant permissions to perform an operation.

The table's columns are detailed below:

• Action: The values that you can use in the Action element of a RAM policy statement.

  Format: {#ramcode}:{#action-name}

  • {#ramcode}: The code used in RAM to indicate an Alibaba Cloud service. The RAM code for placeholder-${productName} is placeholder-${ramCodes?join("、")}.

  • {#action-name}: The name of API operations defined by placeholder-${productName}.

• API: The API that you can call to perform the action.

• Access level: The predefined level of access granted for the operation. Valid values: Create, List, Get, Update, and Delete.

• Rsource type: The resource types that support authorization to perform this action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

  • For operations where resource-level permissions are unavailable, it is shown as All Resources. You need to use an asterisk (*) in the Resource element of the policy.

  • For operations with resource-level permissions, required resource types are marked with an asterisk (*). You must specify the corresponding resource ARN in the Resource element of the policy. For details on the ARN format, see Resource.

• Condition key: The condition keys defined by placeholder-${productName}, which can be used in the Condition element of the policy. The key allows for granular control, applying to either actions alone or actions associated with specific resources. For more information about the Condition element, see Condition.

• Dependent action: Dependent actions required to run the action. The requester must have permissions for all dependent actions.

Resource

The table below lists the resources available for placeholder-${productName}. You can specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by Alibaba Cloud Resource Names (ARNs). Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

• acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.

• {#ramcode}: The code used in RAM to indicate an Alibaba Cloud service. The code for placeholder-${productName} is placeholder-${ramCodes?join("、")}.

• {#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).

• {#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).

• {#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Condition

The table below lists the conditions available for placeholder-${productName}. You can also use Alibaba Cloud's condition keys for placeholder-${productName}. These keys must be specified in the Condition element of RAM policy statements to define granular authorization rules.

• Condition_operator: Specifies the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition_operator for valid combinations.

• Condition_key: The format of a condition key specific to an Alibaba Cloud service is {#ramcode}:{#condition-key}. You need to define a date type (such as string, number, and time) for each condition key. The data type determines the available condition operators for comparing request and policy values. In the condition key, you can specify the condition values in the Condition_value element of the policy.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see:

• Create a custom policy

• Grant permissions to a RAM user

• Grant permissions to a RAM user group

• Grant permissions to a RAM role