
Cloud Architect Design Tools:Permission management

Last Updated:Aug 30, 2024

Cloud Architect Design Tools (CADT) integrates with Resource Access Management (RAM) and Resource Management of Alibaba Cloud. This lets you manage permissions on CADT itself, and on the applications and templates in CADT, with ease.

Overview

On the Permission Management page of the CADT console, you can perform the following steps to manage permissions: create a RAM user, create a resource group, grant permissions to the RAM user, and add RAM authorization.

Note

The permission management feature of CADT is available only for Alibaba Cloud accounts.

  • Create a RAM user: Create a RAM user and authorize the RAM user to access related resources.

  • Create a resource group: Create a resource group to manage Alibaba Cloud resources based on dimensions such as business department and project.

  • Grant permissions to a RAM user: Grant permissions to the RAM user so that the RAM user can access the related Alibaba Cloud resources.

  • Add RAM authorization: Grant permissions on the resource group to a principal so that the principal obtains the permissions on resources in the resource group.


In the following sections, an example is used to show you the application scenario and usage method of the permission management feature in CADT.

Example

In this example, two applications are created in CADT: app-test and app-dev. You need to grant specific permissions on the two applications to different RAM users. For example, you grant developers (the RAM user cadt-dev001) the permissions on only app-dev and testers (the RAM user cadt-test001) the permissions on only app-test.

Prerequisites

The applications app-test and app-dev are created in the CADT console. For more information, see Create a custom application. The following figure shows the created applications.


Step 1: Create RAM users

You need to create two RAM users: cadt-dev001 for developers and cadt-test001 for testers.

  1. Log on to the CADT console by using an Alibaba Cloud account.

  2. In the top toolbar, choose Manage > Permission Management. The Permission Management page appears.

    Note

    The permission management feature of CADT is available only for Alibaba Cloud accounts.


  3. On the Permission Management page, click Create User.

  4. Configure the following parameters to create the RAM user cadt-dev001, and click OK, as shown in the following figure.

  5. Create the RAM user cadt-test001 in the same way.

    The following figure shows the RAM users that you created.


Step 2: Create resource groups

Create two resource groups to isolate resources: dev for the development environment and test for the test environment, which correspond to the operating environments of developers and testers.

  1. On the Permission Management page, click Create Resource Group.

  2. Configure the parameters to create the resource group dev, and click OK, as shown in the following figure.

  3. Create the resource group test in the same way.

    The following figure shows the resource groups that you created.

Step 3: Grant permissions on resource groups to the RAM users

After the RAM users and resource groups are created, you must grant the RAM users the permissions on cloud resources in the specific resource groups.

  1. On the Permission Management page, click User authorization or Resource group authorization. In this example, User authorization is used.

  2. Find the RAM user to which you want to grant permissions, such as cadt-dev001, and click Add Permissions in the Actions column.

  3. In the Add Permissions panel, configure the following parameters and click OK:

    • Authorized Scope: Specify the dev resource group, which corresponds to the RAM user cadt-dev001.

    • Principal: Specify cadt-dev001.

    • Select Policy: For information about the system policies of CADT, see System policies of CADT and usage notes. If the system policies do not meet your requirements, you can create custom policies for CADT to implement fine-grained permission management. For more information, see Create custom policies for CADT.

      In this example, Full permissions on CADT are granted to the RAM user cadt-dev001, scoped to the dev resource group.

  4. Grant permissions to the RAM user cadt-test001 in the same way, with the test resource group as the authorized scope.

Step 4: Grant the permissions on the CADT applications

After you grant permissions on resource groups to the RAM users, you must add the CADT applications to the corresponding resource groups. A RAM user then obtains permissions only on the applications that belong to the resource groups on which the user was granted permissions.

  1. On the Permission Management page, find a resource group, such as the resource group dev for the development environment, and click Authorize.

  2. In the Authorize dialog box, select My Applications or My Templates, select the application or template to which you want to grant the permissions, and then click Authorize in the Actions column, as shown in the following figure.

  3. Confirm that the application app-dev is now added to the resource group dev, as shown in the following figure.

  4. Add the application app-test to the resource group test in the same way.

Step 5: Verify the results

After you complete the preceding steps, verify that the RAM user cadt-dev001 has the permissions on only the application app-dev and that the RAM user cadt-test001 has the permissions on only the application app-test.

  1. Log on to the RAM console by using your Alibaba Cloud account, and obtain the RAM user logon URL on the Overview page.

  2. Open the logon URL in a new incognito tab or in another browser, and enter the username and password of a RAM user to log on. For example, log on as the RAM user cadt-dev001.

  3. In the CADT console, you can see that the RAM user cadt-dev001 can access only the development environment, which is the expected result. Switch to the development environment.

  4. Choose Application > My Applications. On the page that appears, you can see that only the application app-dev is listed for the RAM user cadt-dev001, which is the expected result.

  5. Repeat the preceding steps to verify the RAM user cadt-test001, who should see only the test environment and only the application app-test.
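The check in Step 5 is done by hand in the console. The following added example (not code from the page or from Alibaba Cloud) models the authorization scheme the page builds: RAM users receive grants scoped to a resource group, applications are placed into a resource group, and a user effectively sees an application only through a resource group the user holds a grant on. `verify_isolation` reports any user whose effective application set differs from the intended one, and catches the common mistake of adding one application to both resource groups. All names and the `Setup` class are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Setup:
    """Constructed model of CADT permission management as described on this page."""
    grants: dict[str, set[str]] = field(default_factory=dict)   # RAM user -> resource groups granted
    members: dict[str, set[str]] = field(default_factory=dict)  # resource group -> applications in it

    def grant(self, user: str, group: str) -> None:
        # Step 3: grant the user a policy with the resource group as authorized scope
        self.grants.setdefault(user, set()).add(group)

    def add_app(self, group: str, app: str) -> None:
        # Step 4: add the application to the resource group
        self.members.setdefault(group, set()).add(app)

    def visible_apps(self, user: str) -> set[str]:
        # Effective permissions: union of applications across every granted resource group
        apps: set[str] = set()
        for group in self.grants.get(user, set()):
            apps |= self.members.get(group, set())
        return apps


def verify_isolation(setup: Setup, expected: dict[str, set[str]]) -> dict[str, tuple[set[str], set[str]]]:
    """Return {user: (unexpected_apps, missing_apps)} for every user whose
    effective application set differs from the expected one. Empty dict = pass."""
    problems = {}
    for user, want in expected.items():
        have = setup.visible_apps(user)
        if have != want:
            problems[user] = (have - want, want - have)
    return problems


def page_example() -> Setup:
    """The configuration built in Steps 1 to 4 of this page."""
    s = Setup()
    s.grant("cadt-dev001", "dev")
    s.grant("cadt-test001", "test")
    s.add_app("dev", "app-dev")
    s.add_app("test", "app-test")
    return s


# Intended outcome from Step 5: each RAM user sees exactly one application.
EXPECTED = {"cadt-dev001": {"app-dev"}, "cadt-test001": {"app-test"}}

if __name__ == "__main__":
    print(verify_isolation(page_example(), EXPECTED))  # {} means isolation holds
```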