Bastionhost connects to the Alibaba Cloud account system. By default, an Alibaba Cloud account is the super administrator of Bastionhost. You can grant different permissions to Resource Access Management (RAM) users by using the Alibaba Cloud account to meet the requirements of different roles when you use Bastionhost. The permissions include administrative rights, auditor permissions, read-only permissions, and O&M engineer permissions. This follows the principle of least privilege and helps ensure the security of Bastionhost. This topic describes how to grant different permissions to RAM users.
Background information
You can control who manages Bastionhost by granting different permissions to RAM users. The permissions include administrative rights, auditor permissions, and read-only permissions.
If a RAM user is granted the administrative rights, the RAM user can manage bastion hosts, users, and assets. The RAM user can also configure access control policies, configure system settings, and view audit information.
Important: If you want to use a RAM user to whom administrative rights are granted to import Alibaba Cloud assets or RAM users into Bastionhost, you must grant at least the read-only permissions on the related assets or RAM. For example, if you want to use the RAM user to import Elastic Compute Service (ECS) instances to Bastionhost, you must attach the AliyunECSReadOnlyAccess policy to the RAM user. If you want to import RAM users into Bastionhost, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user.
If you grant auditor permissions to a RAM user, the RAM user can view audit information, such as logs and videos, in the console of a bastion host.
If you grant read-only permissions to a RAM user, the RAM user can read only configuration, auditing, and system information from the console of a bastion host.
If a RAM user is granted O&M engineer permissions, the RAM user can perform O&M operations by using the asset O&M feature.
The preceding permissions apply only to operations that RAM users perform in the consoles of bastion hosts. They do not take effect on client-based O&M. Client-based O&M operations are restricted by the authorization relationship between users and assets on bastion hosts: after users are authorized to access assets, they can perform O&M operations on those assets by using clients.
An Alibaba Cloud account is granted only the management permissions and cannot be imported to Bastionhost as a Bastionhost user.
You can grant different types of permissions to a single RAM user.
Prerequisites
A RAM user is created within the Alibaba Cloud account for which a bastion host is created. For more information, see Create a RAM user.
If you want to bind a virtual multi-factor authentication (MFA) device to the RAM user, see Bind an MFA device to a RAM user. After you bind a virtual MFA device to the RAM user, Bastionhost verifies the identity of the RAM user based on the MFA settings that you configured when the RAM user logs on to the Bastionhost console.
Procedure
Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the following parameters.
Select the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.
Specify the principal.
The principal is the RAM user to which you want to grant permissions.
Select one or more policies.
Click OK.
Click Complete.