
Elastic Desktop Service:Implement fine-grained access control on cloud computers by using resource-level policies

Last Updated:Sep 14, 2024

In scenarios in which multiple end users simultaneously access resources in Elastic Desktop Service (EDS), you can create multiple Resource Access Management (RAM) users and grant each of them permissions that match their roles. Different RAM users can then access and manage different resources, which improves management efficiency and reduces the risk of data leaks. This topic describes how to use resource-level policies to control the permissions of RAM users, so that different RAM users have different access and operation permissions on different cloud computer resources.

Prerequisites

RAM users are created. For more information about how to create a RAM user, see Create a RAM user.

Background information

  • Alibaba Cloud provides policy-based access control. You can configure policies for RAM users by role. You can create custom resource-level policies and attach one or more policies to RAM users or user groups. For more information about policies, see Policy overview.

  • RAM authorizes by operation (API action). A resource-level policy narrows an action grant to specific cloud computer resources, identified by their Alibaba Cloud Resource Names (ARNs), which lets you manage cloud computer resources in a more flexible manner. For more information about RAM, see What is RAM?

Available regions

The following table describes the regions in which you can use resource-level policies to manage the permissions of RAM users.

Region                 Region ID
China (Hangzhou)       cn-hangzhou
China (Shanghai)       cn-shanghai
China (Shenzhen)       cn-shenzhen
China (Beijing)        cn-beijing
Singapore              ap-southeast-1
Japan (Tokyo)          ap-northeast-1
Philippines (Manila)   ap-southeast-6

Scenarios

The following list describes how to attach resource-level policies to RAM users in different scenarios.

  • Scenario 1: Create cloud computers first, then configure resource-level policies for authorization.

    Policy: Create two cloud computers, named desktop 1 and desktop 2. RAM users can perform operations on desktop 1 only; they cannot perform any operation on desktop 2.

  • Scenario 2: Configure resource-level policies first, then create cloud computers.

    Policy: RAM users can create cloud computers only in a specified region, such as the China (Shanghai) region.

Scenario 1

  1. Create two cloud computers. For more information, see Create cloud computers.

    You can name the two cloud computers as desktop 1 and desktop 2.

  2. Create a custom policy. For more information, see Create custom policies.

    The custom policy in this section allows RAM users to view, modify, and delete desktop 1 in the EDS console or by calling the EDS API, and explicitly denies every ecd action on desktop 2. The explicit Deny is what blocks desktop 2 even if another attached policy grants broad EDS permissions, because an explicit Deny always overrides an Allow. Replace the masked account ID and cloud computer IDs (the **** placeholders) with the actual values; an asterisk in a Resource element is a wildcard.

    The following sample code provides a policy example:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecd:*",
          "Resource": "acs:ecd:cn-shanghai:128985087662****:ecddesktop/ecd-akk6qnr7cc9yq****"
        },
        {
          "Effect": "Deny",
          "Action": "ecd:*",
          "Resource": "acs:ecd:cn-shanghai:128985087662****:ecddesktop/ecd-3d3y5w4vd56a8****"
        },
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": [
            "acs:ecd:*:*:officesite/*",
            "acs:ecd:*:*:ecdpolicy/*",
            "acs:ecd:*:*:ecdimage/*",
            "acs:ecd:*:*:ecdbundle/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecd:DescribeRegions"
          ],
          "Resource": "*"
        }
      ]
    }
                            
  3. Attach the custom policy to the RAM user whose access permissions on EDS resources you want to manage. For more information, see Grant permissions to a RAM user.

  4. View, modify, or delete desktop 1 and desktop 2 in the EDS console or by calling the EDS API.

    The RAM user can view, modify, or delete only desktop 1. When the RAM user performs the same operations on desktop 2, a no-permission message appears, which shows that the custom policy has taken effect. (Figure: no-permission prompt box)

Scenario 2

  1. Log on to the RAM console.

  2. Create a custom policy. For more information, see Create custom policies.

    The custom policy that is created in this section allows RAM users to manage cloud computers only in the China (Shanghai) region. That is, RAM users can create, view, or delete cloud computers only in the China (Shanghai) region by using the EDS console or calling the EDS API, and all ecd actions on resources in the China (Hangzhou) region are explicitly denied. The Deny statement must name the ecd service in its Resource ARN (acs:ecd:cn-hangzhou:...); an ARN for a different service never matches an ecd action and the Deny would have no effect. The third statement still allows operations on office sites, policies, images, and bundles in every region that is not explicitly denied, so only cloud computers are confined to China (Shanghai).

    The following sample code provides a policy example:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecd:*",
                "Resource": "acs:ecd:cn-shanghai:128985087662****:*"
            },
            {
                "Effect": "Deny",
                "Action": "ecd:*",
                "Resource": "acs:ecd:cn-hangzhou:128985087662****:*"
            },
            {
                "Action": "*",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecd:*:*:officesite/*",
                    "acs:ecd:*:*:ecdpolicy/*",
                    "acs:ecd:*:*:ecdimage/*",
                    "acs:ecd:*:*:ecdbundle/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecd:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Attach the custom policy to the RAM user whose access permissions on EDS resources you want to manage. For more information, see Grant permissions to a RAM user.

  4. Create a cloud computer in the EDS console or by calling the EDS API.

    The RAM user can create, view, or delete cloud computers in the China (Shanghai) region. If the RAM user performs the same operations on cloud computers in the China (Hangzhou) region, a no-permission message appears, which shows that the custom policy has taken effect. (Figure: no-permission prompt)
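Before attaching either policy, it helps to check what it actually decides for a given action and resource ARN. The following script is an added example, not Alibaba Cloud code, that models the RAM evaluation rules both scenarios depend on: an explicit Deny in any attached policy wins over every Allow, a request with no matching statement is implicitly denied, and an asterisk in an Action or Resource matches any run of characters. It encodes the Scenario 1 policy and both the published and the corrected Scenario 2 policy, using the masked account and desktop IDs from this topic. The third desktop ID, the Hangzhou office site ARN, the broad "full access" policy, and the action names ecd:DeleteDesktops and ecd:DeleteOfficeSites are constructed for the example; case-insensitive action matching and case-sensitive ARN matching are assumptions of this model.

```python
"""Offline evaluator for the two EDS resource-level policies on this page.

Added example, not Alibaba Cloud code. It models only the RAM rules the
two scenarios rely on: explicit Deny beats Allow, no match is an implicit
Deny, and '*' matches any run of characters. Action names are compared
case-insensitively and ARNs case-sensitively (assumptions of this model).
The account and desktop IDs are the masked placeholders from the page;
because '*' is a wildcard, a real policy must carry the full IDs.
"""
import re

ACCOUNT = "128985087662****"
DESKTOP_1 = f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-akk6qnr7cc9yq****"
DESKTOP_2 = f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-3d3y5w4vd56a8****"
# Constructed for this example; these resources appear nowhere on the page.
DESKTOP_3 = f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-example0000000"
HZ_DESKTOP = f"acs:ecd:cn-hangzhou:{ACCOUNT}:ecddesktop/ecd-example0000000"
HZ_OFFICE_SITE = f"acs:ecd:cn-hangzhou:{ACCOUNT}:officesite/os-example0000000"

# Statements shared by both page policies: office sites, policies, images
# and bundles in every region, plus region listing.
COMMON = [
    {"Effect": "Allow", "Action": "*",
     "Resource": ["acs:ecd:*:*:officesite/*", "acs:ecd:*:*:ecdpolicy/*",
                  "acs:ecd:*:*:ecdimage/*", "acs:ecd:*:*:ecdbundle/*"]},
    {"Effect": "Allow", "Action": ["ecd:DescribeRegions"], "Resource": "*"},
]

SCENARIO_1 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecd:*", "Resource": DESKTOP_1},
    {"Effect": "Deny", "Action": "ecd:*", "Resource": DESKTOP_2},
] + COMMON}


def scenario_2(deny_service: str) -> dict:
    """Scenario 2 with the Deny's service segment as a parameter, so the
    published 'ess' and the corrected 'ecd' can be compared side by side."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "ecd:*",
         "Resource": f"acs:ecd:cn-shanghai:{ACCOUNT}:*"},
        {"Effect": "Deny", "Action": "ecd:*",
         "Resource": f"acs:{deny_service}:cn-hangzhou:{ACCOUNT}:*"},
    ] + COMMON}


# Constructed broad grant, standing in for any wider policy an administrator
# might also attach to the same RAM user.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecd:*", "Resource": "*"}]}


def _wild(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """RAM-style match where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action: str, resource: str) -> str:
    """Decide one request against all attached policies taken together."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(_wild(a, action, True) for a in _as_list(st["Action"])):
                continue
            if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return "Deny"          # explicit Deny: decided, stop scanning
            allowed = True             # keep scanning for a later Deny
    return "Allow" if allowed else "Deny"  # implicit Deny when nothing matched


if __name__ == "__main__":
    checks = [
        ("S1: delete desktop 1", [SCENARIO_1], "ecd:DeleteDesktops", DESKTOP_1),
        ("S1: delete desktop 2", [SCENARIO_1], "ecd:DeleteDesktops", DESKTOP_2),
        ("S1: delete desktop 3 (unlisted)", [SCENARIO_1], "ecd:DeleteDesktops", DESKTOP_3),
        ("S1 + full access: desktop 2", [SCENARIO_1, FULL_ACCESS], "ecd:DeleteDesktops", DESKTOP_2),
        ("S1 + full access: desktop 3", [SCENARIO_1, FULL_ACCESS], "ecd:DeleteDesktops", DESKTOP_3),
        ("S2 published (ess): Hangzhou office site", [scenario_2("ess")], "ecd:DeleteOfficeSites", HZ_OFFICE_SITE),
        ("S2 corrected (ecd): Hangzhou office site", [scenario_2("ecd")], "ecd:DeleteOfficeSites", HZ_OFFICE_SITE),
    ]
    for label, pols, act, res in checks:
        print(f"{label:45} {evaluate(pols, act, res)}")
```

Two results are worth noting. In Scenario 1 the explicit Deny on desktop 2 is redundant on its own (an unlisted desktop 3 is already implicitly denied), but it becomes the only thing standing between the user and desktop 2 as soon as a broader policy is also attached. In Scenario 2 the service segment of the Deny ARN decides whether Hangzhou office sites are reachable: with the published acs:ess ARN the Deny never matches an ecd action and the shared office-site statement allows them, whereas the corrected acs:ecd ARN denies them.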