All Products
Search
Document Center

Cloud Architect Design Tools:Create custom policies for CADT

Last Updated:Nov 28, 2024

This topic describes how to create a custom policy for Cloud Architect Design Tools (CADT). Custom policies provide more fine-grained access control than system policies.

Prerequisites

You have a basic knowledge of the structure and syntax that are used to create or update policies in Resource Access Management (RAM) before you create a custom policy. For more information, see Policy structure and syntax.

Overview of custom policies

CADT provides the following three templates for common custom policies. You can use the templates to configure custom policies for RAM users based on your business requirements.

Custom policy

Description

Sample configuration script

Read-only permissions

Grants read-only permissions to manage CADT.

Configuration script for granting read-only permissions

Import permissions

Grants the permissions to detect and import resources in CADT.

Configuration script for granting import permissions

Management permissions

Grants full permissions to manage CADT.

Configuration script for granting management permissions

Note

The sample configuration scripts contain the permissions on multiple Alibaba Cloud services. You can configure permissions on specific Alibaba Cloud services based on your business requirements.

Procedure

Create a RAM user

  1. Log on to the RAM console.

  2. Create a test user named cadt-user. For more information, see Create a RAM user.Image 2

Create a custom policy

  1. Create a custom policy with the read-only permissions.1

  2. On the Create Policy page, click the JSON tab and copy the configuration script for granting the read-only permissions to the editor. Then, click Next to edit policy information.

    Note

    The JSON script contains the read-only permissions on multiple Alibaba Cloud services. You can configure the read-only permissions on specific Alibaba Cloud services based on your business requirements.

    image

  3. Specify the name of the policy and click OK. In this example, the name cadt-read-only is used.image

  4. Repeat the preceding steps to create the cadt-import custom policy with the import permissions and the cadt-deploy custom policy with the management permissions.Image 4

Verify permissions

Verify read-only permissions

The read-only permissions allow a RAM user to access CADT applications and Alibaba Cloud resources in read-only mode. For example, a RAM user with the read-only permissions can view applications and architectures, IP addresses and hostnames of Elastic Compute Service (ECS) instances, and endpoints of RDS databases in CADT for routine development and testing.

  1. Log on to the CADT console by using an Alibaba Cloud account and deploy an application named cadt-test that consists of an ECS instance and an elastic IP address (EIP). This application is for test purposes.image

  2. Attach the cadt-read-only policy to the cadt-user RAM user. The following figure shows an example on how to attach a custom policy to a RAM user.Image 5

  3. Click the logon URL on the Overview page and log on to the CADT console as the cadt-user RAM user.Image 6Image 7

  4. On the My Applications page of the CADT console, view all applications created by your Alibaba Cloud account, including the application cadt-test.image

  5. View resource details, such as the details about the ECS instance.imageimage

  6. Verify that the RAM user can create applications, design architectures, and configure parameters, but does not have permissions to save or deploy applications.image

Verify import permissions

A RAM user with the import permissions can detect resources in Alibaba Cloud and deploy architectures. The RAM user can also create applications, configure resources, import existing resources, verify resources, view resource prices, and view cost analysis reports in CADT. The RAM user cannot deploy resources in CADT.

  1. Use your Alibaba Cloud account to remove the read-only permissions of the cadt-user RAM user and attach the cadt-import policy to the RAM user.Image 19

  2. Verify the permissions of the RAM user in CADT:

    1. The RAM user can detect resources.imageimage

    2. The RAM user can create applications, configure parameters, and save applications.image

    3. The RAM user can verify resources.image

    4. The RAM user can view resource prices and cost analysis reports.image

    5. The RAM user cannot deploy resources.image

    6. The RAM user can import existing resources.image

Verify management permissions

In addition to the operations allowed by the import permissions, the management permissions allow a RAM user to deploy resources in CADT. To prevent resources from being accidentally deleted, the user is not allowed to use the Release All Resources feature. However, the RAM user can delete resources individually in an architecture to meet routine O&M requirements.

  1. Use your Alibaba Cloud account to remove other permissions of the cadt-user RAM user and attach the cadt-deploy policy to the RAM user.Image 30

  2. Verify that the RAM user can deploy resources in addition to performing the operations allowed by the import permissions.imageimage

  3. Verify that the RAM user cannot release all resources with a few clicks.image

  4. Verify that the RAM user can delete resources individually in an architecture.

    imageimageAfter the To be deleted icon is added next to a resource, the RAM user must save the configuration and re-deploy the application to delete the resource.imageimage