授權信息 - CloudOps Orchestration Service

访问控制（RAM）是阿里云提供的管理用户身份与资源访问权限的服务。使用RAM可以让您避免与其他用户共享阿里云账号密钥，并可按需为用户授予最小权限。RAM中使用权限策略描述授权的具体内容。

本文为您介绍OOS为RAM权限策略定义的操作（Action）、资源（Resource）和条件（Condition）。OOS的RAM代码（RamCode）为 oos，支持的授权粒度为OOS RESOURCE。

权限策略通用结构

权限策略支持JSON格式，其通用结构如下：

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

各字段含义如下：

Effect：权限策略效果。取值：Allow（允许）、Deny（拒绝）。
Action：授予允许或拒绝权限的具体操作。具体信息，请参见操作（Action）。
Resource：受操作影响的具体对象，您可以使用资源ARN来描述指定资源。具体信息，请参见资源（Resource）。
Condition：指授权生效的条件。可选字段。具体信息，请参见条件（Condition）。
- Condition_operator：条件运算符，不同类型的条件对应不同的条件运算符。具体信息，请参见权限策略基本元素。
- Condition_key：条件关键字。
- Condition_value：条件关键字对应的值。

操作（Action）

下表是OOS定义的操作，这些操作可以在RAM权限策略语句的Action元素中使用，用来授予执行该操作的权限。下面对表中的具体项提供说明：

操作：是指具体的权限点。
API：是指操作对应的API接口。
访问级别：是指每个操作的访问级别，取值为写入（Write）、读取（Read）或列出（List）。
资源类型：是指操作中支持授权的资源类型。具体说明如下：
- 对于必选的资源类型，用前面加 * 表示。
- 对于不支持资源级授权的操作，用全部资源表示。
条件关键字：是指云产品自身定义的条件关键字。该列不体现适用于任何操作的通用条件关键字。
关联操作：是指成功执行操作所需要的其他权限。操作者必须同时具备关联操作的权限，操作才能成功。

操作	API	访问级别	资源类型	条件关键字	关联操作
oos:CancelExecution	CancelExecution	update	*Execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:ChangeResourceGroup	ChangeResourceGroup	update	Template `acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}` StateConfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId}` Parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#ParameterName}` SecretParameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#SecretParameterName}` OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}` PatchBaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName}` *Execution `acs:oos:{#regionId}:{#accountId}:execution/{#ExecutionId}`	oos:TLSVersion	无
oos:ContinueDeployApplicationGroup	ContinueDeployApplicationGroup	update	*ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName}`	oos:TLSVersion	无
oos:CreateApplication	CreateApplication	create	Application `acs:oos:{#regionId}:{#accountId}:application/`	oos:TLSVersion	无
oos:CreateApplicationGroup	CreateApplicationGroup	create	*ApplicationGroup `acs:oos:{#regionId}:{#accountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName}`	oos:TLSVersion	无
oos:CreateOpsItem	CreateOpsItem	create	OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/`	oos:TLSVersion	无
oos:CreateParameter	CreateParameter	create	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:CreatePatchBaseline	CreatePatchBaseline	create	*patchbaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}`	oos:TLSVersion	无
oos:CreateSecretParameter	CreateSecretParameter	create	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:CreateStateConfiguration	CreateStateConfiguration	create	StateConfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/`	oos:TLSVersion	无
oos:CreateTemplate	CreateTemplate	create	Template `acs:oos:{#regionId}:{#accountId}:template/`	oos:tag oos:TLSVersion	无
oos:DeleteApplication	DeleteApplication	delete	*Application `acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}`	oos:TLSVersion	无
oos:DeleteApplicationGroup	DeleteApplicationGroup	delete	*ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName}`	oos:TLSVersion	无
oos:DeleteExecutions	DeleteExecutions	delete	*Execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:DeleteOpsItems	DeleteOpsItems	delete	*OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}`	oos:tag oos:TLSVersion	无
oos:DeleteParameter	DeleteParameter	delete	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:DeletePatchBaseline	DeletePatchBaseline	delete	*PatchBaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#Name}`	oos:TLSVersion	无
oos:DeleteSecretParameter	DeleteSecretParameter	delete	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:DeleteStateConfigurations	DeleteStateConfigurations	delete	*stateconfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}`	oos:TLSVersion	无
oos:DeleteTemplate	DeleteTemplate	delete	*Template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:DeleteTemplates	DeleteTemplates	delete	*Template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:TLSVersion	无
oos:DeployApplicationGroup	DeployApplicationGroup	update	*ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName}`	oos:TLSVersion	无
oos:DescribeApplicationGroupBill	DescribeApplicationGroupBill	get	*ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#ApplicationName}/applicationgroup/{#ApplicationGroupName}`	oos:TLSVersion	无
oos:DescribeRegions	DescribeRegions	get	全部资源 ``	oos:TLSVersion	无
oos:GenerateExecutionPolicy	GenerateExecutionPolicy	get	*Template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:TLSVersion	无
oos:GenerateOpsItem	GenerateOpsItem	create	全部资源 ``	oos:TLSVersion	无
oos:GetApplication	GetApplication	get	*Application `acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}`	oos:TLSVersion	无
oos:GetApplicationGroup	GetApplicationGroup	get	*ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName}`	oos:TLSVersion	无
oos:GetExecutionTemplate	GetExecutionTemplate	get	*Execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:GetInventorySchema	GetInventorySchema	get	全部资源 ``	oos:TLSVersion	无
oos:GetOpsItem	GetOpsItem	get	*OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}`	oos:TLSVersion	无
oos:GetParameter	GetParameter	get	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:GetParameters	GetParameters	get	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:GetParametersByPath	GetParametersByPath	get	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:GetPatchBaseline	GetPatchBaseline	get	*patchbaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}`	oos:TLSVersion	无
oos:GetSecretParameter	GetSecretParameter	get	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:GetSecretParameters	GetSecretParameters	get	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:GetSecretParametersByPath	GetSecretParametersByPath	get	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:GetServiceSettings	GetServiceSettings	get	*ServiceSetting `acs:oos:{#regionId}:{#accountId}:ServiceSetting`	oos:TLSVersion	无
oos:GetTemplate	GetTemplate	get	*template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:GetTemplateParameterConstraints	GetTemplateParameterConstraints	get	*Template `acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}`	oos:TLSVersion	无
oos:ListApplicationGroups	ListApplicationGroups	list	ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/`	oos:TLSVersion	无
oos:ListApplications	ListApplications	list	Application `acs:oos:{#regionId}:{#accountId}:application/`	oos:TLSVersion	无
oos:ListExecutionLogs	ListExecutionLogs	get	*execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:ListExecutionRiskyTasks	ListExecutionRiskyTasks	get	*template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:ListExecutions	ListExecutions	list	Execution `acs:oos:{#regionId}:{#accountId}:execution/` *Execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:ListInstancePackageStates	ListInstancePackageStates	list	*Template `acs:oos:{#regionId}:{#accountId}:template/{#templateNames}`	oos:tag oos:TLSVersion	无
oos:ListInstancePatchStates	ListInstancePatchStates	list	全部资源 ``	oos:TLSVersion	无
oos:ListInstancePatches	ListInstancePatches	list	全部资源 ``	oos:TLSVersion	无
oos:ListInventoryEntries	ListInventoryEntries	get	全部资源 ``	oos:TLSVersion	无
oos:ListOpsItems	ListOpsItems	list	OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/`	oos:TLSVersion	无
oos:ListParameterVersions	ListParameterVersions	list	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:ListParameters	ListParameters	list	Parameter `acs:oos:{#regionId}:{#accountId}:parameter/`	oos:TLSVersion	无
oos:ListPatchBaselines	ListPatchBaselines	list	*PatchBaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName}`	oos:TLSVersion	无
oos:ListResourceExecutionStatus	ListResourceExecutionStatus	get	*execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:ListSecretParameterVersions	ListSecretParameterVersions	list	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:ListSecretParameters	ListSecretParameters	list	SecretParameter `acs:oos:{#regionId}:{#accountId}:secretparameter/`	oos:TLSVersion	无
oos:ListStateConfigurations	ListStateConfigurations	get	StateConfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/` *StateConfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId}`	oos:TLSVersion	无
oos:ListTagKeys	ListTagKeys	get	全部资源 ``	oos:TLSVersion	无
oos:ListTagResources	ListTagResources	get	Execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}` Template `acs:oos:{#regionId}:{#accountId}:template/{#TemplateName}` StateConfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId}` Parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#ParameterName}` SecretParameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#SecretParameterName}` OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}` PatchBaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName}` Execution `acs:oos:{#regionId}:{#accountId}:execution/` Template `acs:oos:{#regionId}:{#accountId}:template/` OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/` SecretParameter `acs:oos:{#regionId}:{#accountId}:secretparameter/` PatchBaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/` StateConfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/` Parameter `acs:oos:{#regionId}:{#accountId}:parameter/*`	oos:tag oos:TLSVersion	无
oos:ListTagValues	ListTagValues	get	全部资源 ``	oos:TLSVersion	无
oos:ListTaskExecutions	ListTaskExecutions	get	*Execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:ListTemplateVersions	ListTemplateVersions	list	*Template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:TLSVersion	无
oos:ListTemplates	ListTemplates	get	Template `acs:oos:{#regionId}:{#accountId}:template/*` Template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:NotifyExecution	NotifyExecution	update	*execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:tag oos:TLSVersion	无
oos:RegisterDefaultPatchBaseline	RegisterDefaultPatchBaseline	update	*patchbaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}`	oos:TLSVersion	无
oos:SearchInventory	SearchInventory	get	全部资源 ``	oos:TLSVersion	无
oos:SetServiceSettings	SetServiceSettings	update	*ServiceSetting `acs:oos:{#regionId}:{#accountId}:ServiceSetting`	oos:TLSVersion	无
oos:StartExecution	StartExecution	update	Execution `acs:oos:{#regionId}:{#accountId}:execution/`	oos:tag oos:IsOOSAssumeRole oos:TLSVersion	无
oos:TagResources	TagResources	update	execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}` template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:TriggerExecution	TriggerExecution	update	*execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:TLSVersion	无
oos:UntagResources	UntagResources	update	execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}` template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:UpdateApplication	UpdateApplication	update	*Application `acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName}`	oos:TLSVersion	无
oos:UpdateApplicationGroup	UpdateApplicationGroup	update	*ApplicationGroup `acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName}`	oos:TLSVersion	无
oos:UpdateExecution	UpdateExecution	update	*execution `acs:oos:{#regionId}:{#accountId}:execution/{#executionId}`	oos:TLSVersion	无
oos:UpdateInstancePackageState	UpdateInstancePackageState	update	*Template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:UpdateOpsItem	UpdateOpsItem	update	*OpsItem `acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId}`	oos:TLSVersion	无
oos:UpdateParameter	UpdateParameter	update	*parameter `acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}`	oos:TLSVersion	无
oos:UpdatePatchBaseline	UpdatePatchBaseline	update	*patchbaseline `acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}`	oos:TLSVersion	无
oos:UpdateSecretParameter	UpdateSecretParameter	update	*secretparameter `acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}`	oos:TLSVersion	无
oos:UpdateStateConfiguration	UpdateStateConfiguration	update	*stateconfiguration `acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}`	oos:TLSVersion	无
oos:UpdateTemplate	UpdateTemplate	update	*template `acs:oos:{#regionId}:{#accountId}:template/{#templateName}`	oos:tag oos:TLSVersion	无
oos:ValidateTemplateContent	ValidateTemplateContent	get	全部资源 ``	oos:TLSVersion	无

资源（Resource）

下表是OOS定义的资源，这些资源可以在RAM权限策略语句的Resource元素中使用，用来授予对该资源执行具体操作的权限。其中，资源ARN是资源在阿里云上的唯一标识。具体说明如下：

{#}为变量标识，需要您替换为实际值。例如：{#ramcode}需要您替换为实际的云服务RAM代码。
*表示全部。例如：
- {#resourceType}为*时：表示全部资源。
- {#regionId}为*时：表示全部地域。
- {#accountId}为*时：表示全部阿里云账号。

资源类型	资源ARN
Application	acs:oos:{#regionId}:{#accountId}:application/{#ApplicationName} acs:oos:{#regionId}:{#accountId}:application/*
ApplicationGroup	acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/{#applicationGroupName} acs:oos:{#regionId}:{#AccountId}:application/{#applicationName}/applicationgroup/*
DeployRevision	acs:oos:{#regionId}:{#accountId}:application/{#DeployRevisionId}
Execution	acs:oos:{#regionId}:{#accountId}:execution/{#executionId} acs:oos:{#regionId}:{#accountId}:execution/*
OpsItem	acs:oos:{#regionId}:{#accountId}:opsitem/{#OpsItemId} acs:oos:{#regionId}:{#accountId}:opsitem/*
OpsItemConfiguration	acs:oos:{#regionId}:{#accountId}:OpsItemConfiguration/* acs:oos:{#regionId}:{#accountId}:opsitemconfiguration/{#ConfigurationId}
Parameter	acs:oos:{#regionId}:{#accountId}:parameter/* acs:oos:{#regionId}:{#accountId}:parameter/{#ParameterName}
PatchBaseline	acs:oos:{#regionId}:{#accountId}:patchbaseline/{#PatchBaselineName} acs:oos:{#regionId}:{#accountId}:patchbaseline/{#Name} acs:oos:{#regionId}:{#accountId}:patchbaseline/*
SecretParameter	acs:oos:{#regionId}:{#accountId}:secretparameter/* acs:oos:{#regionId}:{#accountId}:secretparameter/{#SecretParameterName}
ServiceSetting	acs:oos:{#regionId}:{#accountId}:ServiceSetting
StateConfiguration	acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#StateConfigurationId} acs:oos:{#regionId}:{#accountId}:stateconfiguration/*
TaskExecution	acs:oos:{#regionId}:{#accountId}:taskexecution/*
Template	acs:oos:{#regionId}:{#accountId}:template/{#TemplateName} acs:oos:{#regionId}:{#accountId}:template/* acs:oos:{#regionId}:{#accountId}:template/{#templateNames}
execution	acs:oos:{#regionId}:{#accountId}:execution/{#executionId}
parameter	acs:oos:{#regionId}:{#accountId}:parameter/{#parameterName}
patchbaseline	acs:oos:{#regionId}:{#accountId}:patchbaseline/{#patchbaselineName}
secretparameter	acs:oos:{#regionId}:{#accountId}:secretparameter/{#secretparameterName}
stateconfiguration	acs:oos:{#regionId}:{#accountId}:stateconfiguration/{#stateconfigurationId}
tags	acs:oos:{#regionId}:{#accountId}:tags/*
template	acs:oos:{#regionId}:{#accountId}:template/{#templateName}

条件（Condition）

下表是OOS定义的产品级条件关键字，这些条件关键字可以在RAM权限策略语句的Condition元素中使用，用来描述授予权限的条件。以下仅列举产品级的条件关键字，阿里云定义的OOS也同样适用通用条件关键字。

其中，数据类型决定了您可以使用哪些条件运算符将请求中的值与权限策略语句中的值进行比较。您必须使用与数据类型匹配的条件运算符，否则无法匹配策略语句，授权行为无效。数据类型与条件运算符的对应关系，请参见条件操作类型。

条件关键字	描述	类型
oos:IsOOSAssumeRole	Whether the OOS StartExecution is called by AssumeRole	Boolean
oos:TLSVersion	TLS version used for OOS OpenAPI calls	String
oos:tag	OOS tag information, it is used in combination with tag key, oos:tag/<tag-key>. Example: Assuming the tag is team:dev, the condition key and its value are \\\\"oos:tag/team\\\\": \\\\"dev\\\\"	String

CloudOps Orchestration Service：授權信息

权限策略通用结构

操作（Action）

资源（Resource）

条件（Condition）

相关操作