
How Does a RAM User Assign RBAC Roles to Other RAM Users?

Last Updated: May 10, 2021

Overview

By default, a RAM user cannot assign role-based access control (RBAC) roles to other RAM users. This document describes how a RAM user assigns RBAC roles to other RAM users.

Details

To allow a RAM user to assign RBAC roles to other RAM users, you must first assign the predefined RBAC administrator role or cluster-admin role to the RAM user so that the RAM user can manage the corresponding cluster or namespace. In addition, you must attach a policy that contains the following permissions to the RAM user:

  • Permissions to view other RAM users that belong to the current Alibaba Cloud account.
  • Permissions to attach policies to other RAM users.
  • Permissions to view configurations of RBAC roles.
  • Permissions to assign RBAC roles to other RAM users.

Perform the following steps:

  1. Log on to the Resource Access Management (RAM) console. Grant the required permissions to a RAM user by attaching a policy, as shown in the following code. For more information, see Create a custom RAM policy.
    {
        "Statement": [
            {
                "Action": [
                    "ram:Get*",
                    "ram:List*",
                    "cs:GetUserPermissions",
                    "cs:GetSubUsers",
                    "cs:GrantPermission"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:AttachPolicyToUser",
                    "ram:AttachPolicy"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:ram:*:*:policy/xxxxxx",
                    "acs:*:*:*:user/*"
                ]
            }
        ],
        "Version": "1"
    }
    Note: Replace xxxxxx with the name of the policy that you want to allow the RAM user to attach to other RAM users. If you replace xxxxxx with an asterisk (*), the RAM user is authorized to attach all policies to other RAM users.
  2. After the preceding policy is attached to the RAM user, the RAM user is authorized to assign RBAC roles to other RAM users and grant them limited permissions. For more information about how to assign RBAC roles to other RAM users, see Assign RBAC roles to a RAM user.
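The note in step 1 points out that an asterisk in the policy resource lets the RAM user attach every policy in the account. The following Python check is an added example, not part of this document or of Alibaba Cloud's tooling: it reads a policy shaped like the one in step 1 and reports whether the attach permission is scoped to named policies or to a wildcard, which is the setting to review before granting it. It assumes the placeholder xxxxxx has been replaced by a policy named AckDevNamespacePolicy and uses a simplified case-insensitive action-pattern matcher.

```python
import fnmatch

# Constructed sample: the policy from this document, with the "xxxxxx"
# placeholder replaced by an assumed policy name, AckDevNamespacePolicy.
SAMPLE_POLICY = {
    "Statement": [
        {"Action": ["ram:Get*", "ram:List*", "cs:GetUserPermissions",
                    "cs:GetSubUsers", "cs:GrantPermission"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ram:AttachPolicyToUser", "ram:AttachPolicy"],
         "Effect": "Allow",
         "Resource": ["acs:ram:*:*:policy/AckDevNamespacePolicy",
                      "acs:*:*:*:user/*"]},
    ],
    "Version": "1",
}

# Actions that let the grantee hand policies to other RAM users.
ATTACH_ACTIONS = ("ram:AttachPolicyToUser", "ram:AttachPolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns may contain "*" (e.g. "ram:*"); match case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def attachable_policy_names(policy):
    """Policy-name patterns the principal may attach, from Allow statements only.
    A Resource of "*" or ".../policy/*" means every policy in the account."""
    names = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        if not any(_matches(p, a) for p in patterns for a in ATTACH_ACTIONS):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                names.add("*")
            elif ":policy/" in res:
                names.add(res.split(":policy/", 1)[1])
    return names

def overbroad_attach_scope(policy):
    """True if a wildcard policy name is attachable: the grantee could then
    attach policies broader than its own, a privilege-escalation path."""
    return any("*" in name for name in attachable_policy_names(policy))
```

Run the check against the policy JSON before attaching it; a result of True means the resource list should be narrowed to the specific policy names the RAM user is meant to hand out.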

Applicable scope

  • Container Service for Kubernetes (ACK)