RAM用户调用IMS API前,需要阿里云账号(主账号)创建权限策略并对RAM用户进行授权。在权限策略中,使用资源描述符(Alibaba Cloud Resource Name,ARN)指定授权资源。
用户管理鉴权列表
下表列举了用户管理中可授权的操作(Action)和资源(Resource)。
Action | Resource |
---|---|
ims:CreateUser | acs:ims::${AccountId}:user/* |
ims:GetUser | acs:ims::${AccountId}:user/${UserName} |
ims:UpdateUser | acs:ims::${AccountId}:user/${UserName} |
ims:DeleteUser | acs:ims::${AccountId}:user/${UserName} |
ims:ListUsers | acs:ims::${AccountId}:user/* |
ims:ListUserBasicInfos | acs:ims::${AccountId}:user/* |
ims:CreateLoginProfile | acs:ims::${AccountId}:user/${UserName} |
ims:GetLoginProfile | acs:ims::${AccountId}:user/${UserName} |
ims:UpdateLoginProfile | acs:ims::${AccountId}:user/${UserName} |
ims:DeleteLoginProfile | acs:ims::${AccountId}:user/${UserName} |
ims:CreateAccessKey | acs:ims::${AccountId}:user/${UserName} |
ims:UpdateAccessKey | acs:ims::${AccountId}:user/${UserName} |
ims:DeleteAccessKey | acs:ims::${AccountId}:user/${UserName} |
ims:ListAccessKeys | acs:ims::${AccountId}:user/${UserName} |
ims:GetAccessKeyLastUsed | acs:ims::${AccountId}:user/${UserName} |
ims:CreateVirtualMFADevice | acs:ims::${AccountId}:mfa/* |
ims:ListVirtualMFADevices | acs:ims::${AccountId}:mfa/* |
ims:DeleteVirtualMFADevice | ${SerialNumber} |
ims:DisableVirtualMFA | acs:ims::${AccountId}:user/${UserName} |
ims:BindMFADevice | acs:ims::${AccountId}:user/${UserName} |
ims:UnbindMFADevice | acs:ims::${AccountId}:user/${UserName} |
ims:GetAccountMFAInfo | acs:ims::${AccountId}:* |
ims:GetUserMFAInfo | acs:ims::${AccountId}:user/${UserName} |
ims:GetAccountSummary | acs:ims::${AccountId}:* |
用户组管理鉴权列表
下表列举了用户组管理中可授权的操作(Action)和资源(Resource)。
Action | Resource |
---|---|
ims:CreateGroup | acs:ims::${AccountId}:group/* |
ims:GetGroup | acs:ims::${AccountId}:group/${GroupName} |
ims:UpdateGroup | acs:ims::${AccountId}:group/${GroupName} |
ims:DeleteGroup | acs:ims::${AccountId}:group/${GroupName} |
ims:ListGroups | acs:ims::${AccountId}:group/* |
ims:AddUserToGroup |
|
ims:RemoveUserFromGroup |
|
ims:ListUsersForGroup | acs:ims::${AccountId}:group/${GroupName} |
ims:ListGroupsForUser | acs:ims::${AccountId}:user/${UserName} |
单点登录(SSO)管理鉴权列表
下表列举了单点登录(SSO)管理中可授权的操作(Action)和资源(Resource)。
Action | Resource |
---|---|
ims:SetUserSsoSettings | acs:ims::${AccountId}:* |
ims:GetUserSsoSettings | acs:ims::${AccountId}:* |
ims:CreateSAMLProvider | acs:ims::${AccountId}:saml-provider/* |
ims:GetSAMLProvider | acs:ims::${AccountId}:saml-provider/${SamlProviderName} |
ims:UpdateSAMLProvider | acs:ims::${AccountId}:saml-provider/${SamlProviderName} |
ims:ListSAMLProviders | acs:ims::${AccountId}:saml-provider/* |
ims:DeleteSAMLProvider | acs:ims::${AccountId}:saml-provider/${SamlProviderName} |
安全设置鉴权列表
下表列举了安全设置中可授权的操作(Action)和资源(Resource)。
Action | Resource |
---|---|
ims:SetPasswordPolicy | acs:ims::${AccountId}:* |
ims:GetPasswordPolicy | acs:ims::${AccountId}:* |
ims:SetSecurityPreference | acs:ims::${AccountId}:* |
ims:GetSecurityPreference | acs:ims::${AccountId}:* |
ims:SetDefaultDomain | acs:ims::${AccountId}:* |
ims:GetDefaultDomain | acs:ims::${AccountId}:* |
ims:GenerateCredentialReport | acs:ims::${AccountId}:* |
ims:GetCredentialReport | acs:ims::${AccountId}:* |
ims:GetAccountSecurityPracticeReport | acs:ims::${AccountId}:* |