RAM authorization - Database Autonomy Service - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Database Autonomy Service for RAM permission policies. The RAM code (RamCode) for Database Autonomy Service is hdm , and the supported authorization granularity is OPERATION .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Database Autonomy Service. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
hdm:UpdateAutoResourceOptimizeRulesAsync	UpdateAutoResourceOptimizeRulesAsync	none	All Resource ``	None	None
hdm:GetDasSQLLogHotData	GetDasSQLLogHotData	get	All Resource ``	None	None
hdm:DescribeQueryExplain	DescribeQueryExplain	get	All Resource ``	None	None
hdm:GetQueryOptimizeExecErrorStats	GetQueryOptimizeExecErrorStats	get	All Resource ``	None	None
hdm:GetEventSubscription	GetEventSubscription	get	All Resource ``	None	None
hdm:DescribeSqlLogTasks	DescribeSqlLogTasks	list	All Resource ``	None	None
hdm:CreateKillInstanceSessionTask	CreateKillInstanceSessionTask	create	All Resource ``	None	None
hdm:GetAsyncErrorRequestStatResult	GetAsyncErrorRequestStatResult	get	All Resource ``	None	None
hdm:DescribeTopBigKeys	DescribeTopBigKeys	get	All Resource ``	None	None
hdm:CreateCacheAnalysisJob	CreateCacheAnalysisJob	create	All Resource ``	None	None
hdm:DescribeCloudbenchTaskConfig	DescribeCloudbenchTaskConfig	get	All Resource ``	None	None
hdm:UpdateAutoThrottleRulesAsync	UpdateAutoThrottleRulesAsync	none	All Resource ``	None	None
hdm:GetHDMLastAliyunResourceSyncResult	GetHDMLastAliyunResourceSyncResult	get	All Resource ``	None	None
hdm:GetDeadlockHistogram	GetDeadlockHistogram	none	All Resource ``	None	None
hdm:DescribeSlowLogRecords	DescribeSlowLogRecords	get	All Resource ``	None	None
hdm:DescribeSqlLogRecords	DescribeSqlLogRecords	list	All Resource ``	None	None
hdm:GetInstanceGroupInspectReportList	GetInstanceGroupInspectReportList	get	All Resource ``	None	None
hdm:DescribeAutoScalingConfig	DescribeAutoScalingConfig	get	All Resource ``	None	None
hdm:CreateRequestDiagnosis	CreateRequestDiagnosis	create	All Resource ``	None	None
hdm:DeleteStopGateway	DeleteStopGateway	delete	All Resource ``	None	None
hdm:GetInstanceSqlOptimizeStatistic	GetInstanceSqlOptimizeStatistic	get	All Resource ``	None	None
hdm:GetSqlConcurrencyControlRulesHistory	GetSqlConcurrencyControlRulesHistory	get	All Resource ``	None	None
hdm:DescribeTopHotKeys	DescribeTopHotKeys	get	All Resource ``	None	None
hdm:GetInstanceInspections	GetInstanceInspections	get	All Resource ``	None	None
hdm:CreateQueryOptimizeTag	CreateQueryOptimizeTag	update	All Resource ``	None	None
hdm:DescribeHotKeys	DescribeHotKeys	get	All Resource ``	None	None
hdm:GetPfsMetricTrends	GetPfsMetricTrends	get	All Resource ``	None	None
hdm:DisableAutoThrottleRules	DisableAutoThrottleRules	none	All Resource ``	None	None
hdm:GetFullRequestSampleByInstanceId	GetFullRequestSampleByInstanceId	get	All Resource ``	None	None
hdm:ModifySecurityIPGroup	ModifySecurityIPGroup	update	All Resource ``	None	None
hdm:KillInstanceAllSession	KillInstanceAllSession	update	All Resource ``	None	None
hdm:DescribeErrorLogRecords	DescribeErrorLogRecords	none	All Resource ``	None	None
hdm:GetDeadLockHistory	GetDeadLockHistory	none	All Resource ``	None	None
hdm:GetDeadLockDetail	GetDeadLockDetail	none	All Resource ``	None	None
hdm:GetAutoIncrementUsageStatistic	GetAutoIncrementUsageStatistic	none	All Resource ``	None	None
hdm:GetAutonomousNotifyEventContent	GetAutonomousNotifyEventContent	get	All Resource ``	None	None
hdm:DescribeInstanceDasPro	DescribeInstanceDasPro	get	All Resource ``	None	None
hdm:GetDeadLockDetailList	GetDeadLockDetailList	list	All Resource ``	None	None
hdm:GetRequestDiagnosisResult	GetRequestDiagnosisResult	get	All Resource ``	None	None
hdm:CreateLatestDeadLockAnalysis	CreateLatestDeadLockAnalysis	none	All Resource ``	None	None
hdm:GetQueryOptimizeRuleList	GetQueryOptimizeRuleList	get	All Resource ``	None	None
hdm:GetQueryOptimizeSolution	GetQueryOptimizeSolution	get	All Resource ``	None	None
hdm:GetStorageAnalysisResult	GetStorageAnalysisResult	none	All Resource ``	None	None
hdm:GetQueryOptimizeShareUrl	GetQueryOptimizeShareUrl	get	All Resource ``	None	None
hdm:GetBlockingDetailList	GetBlockingDetailList	list	All Resource ``	None	None
hdm:GetPfsSqlSummaries	GetPfsSqlSummaries	get	All Resource ``	None	None
hdm:GetMongoDBCurrentOp	GetMongoDBCurrentOp		All Resource ``	None	None
hdm:GetQueryOptimizeDataTop	GetQueryOptimizeDataTop	get	All Resource ``	None	None
hdm:DescribeSecurityIPGroupRelation	DescribeSecurityIPGroupRelation	get	All Resource ``	None	None
hdm:DeleteSecurityIPGroup	DeleteSecurityIPGroup	delete	All Resource ``	None	None
hdm:DescribeAutoScalingHistory	DescribeAutoScalingHistory	get	All Resource ``	None	None
hdm:DescribeCloudbenchTask	DescribeCloudbenchTask	get	All Resource ``	None	None
hdm:GetQueryOptimizeExecErrorSample	GetQueryOptimizeExecErrorSample	get	All Resource ``	None	None
hdm:GetPfsSqlSample	GetPfsSqlSample	get	All Resource ``	None	None
hdm:GetInstanceGroupInspectReportDetail	GetInstanceGroupInspectReportDetail	get	All Resource ``	None	None
hdm:EnableDasPro	EnableDasPro	create	All Resource ``	None	None
hdm:DescribeSlowLogStatistic	DescribeSlowLogStatistic	get	All Resource ``	None	None
hdm:AddHDMInstance	AddHDMInstance	create	All Resource ``	None	None
hdm:GetInstanceMissingIndexList	GetInstanceMissingIndexList	list	All Resource ``	None	None
hdm:DisableDasPro	DisableDasPro	delete	All Resource ``	None	None
hdm:GetFullRequestStatResultByInstanceId	GetFullRequestStatResultByInstanceId	get	All Resource ``	None	None
hdm:GetDBInstanceConnectivityDiagnosis	GetDBInstanceConnectivityDiagnosis	get	All Resource ``	None	None
hdm:DisableSqlConcurrencyControl	DisableSqlConcurrencyControl	update	All Resource ``	None	None
hdm:RunCloudBenchTask	RunCloudBenchTask	get	All Resource ``	None	None
hdm:EnableSqlConcurrencyControl	EnableSqlConcurrencyControl	create	All Resource ``	None	None
hdm:CreateSqlLogTask	CreateSqlLogTask	create	All Resource ``	None	None
hdm:GetHDMAliyunResourceSyncResult	GetHDMAliyunResourceSyncResult	get	All Resource ``	None	None
hdm:GetMySQLAllSessionAsync	GetMySQLAllSessionAsync	get	All Resource ``	None	None
hdm:GetSqlOptimizeAdvice	GetSqlOptimizeAdvice	get	All Resource ``	None	None
hdm:DescribeCloudBenchTasks	DescribeCloudBenchTasks	get	All Resource ``	None	None
hdm:GetRequestDiagnosisPage	GetRequestDiagnosisPage	get	All Resource ``	None	None
hdm:DisableAllSqlConcurrencyControlRules	DisableAllSqlConcurrencyControlRules	update	All Resource ``	None	None
hdm:GetDasProServiceUsage	GetDasProServiceUsage	get	All Resource ``	None	None
hdm:DescribeHotBigKeys	DescribeHotBigKeys	get	All Resource ``	None	None
hdm:GetQueryOptimizeDataTrend	GetQueryOptimizeDataTrend	get	All Resource ``	None	None
hdm:DescribeSlowLogHistogramAsync	DescribeSlowLogHistogramAsync	get	All Resource ``	None	None
hdm:ModifySqlLogConfig	ModifySqlLogConfig	update	All Resource ``	None	None
hdm:GetAsyncErrorRequestStatByCode	GetAsyncErrorRequestStatByCode	get	All Resource ``	None	None
hdm:GetAutonomousNotifyEventsInRange	GetAutonomousNotifyEventsInRange	get	All Resource ``	None	None
hdm:GetKillInstanceSessionTaskResult	GetKillInstanceSessionTaskResult	get	All Resource ``	None	None
hdm:CreateCloudBenchTasks	CreateCloudBenchTasks	create	All Resource ``	None	None
hdm:GetAsyncErrorRequestListByCode	GetAsyncErrorRequestListByCode	get	All Resource ``	None	None
hdm:CreateDiagnosticReport	CreateDiagnosticReport	create	All Resource ``	None	None
hdm:UpdateAutoSqlOptimizeStatus	UpdateAutoSqlOptimizeStatus	update	All Resource ``	None	None
hdm:ModifySecurityIPGroupRelation	ModifySecurityIPGroupRelation	update	All Resource ``	None	None
hdm:GetAutoResourceOptimizeRules	GetAutoResourceOptimizeRules	none	All Resource ``	None	None
hdm:DeleteCloudBenchTask	DeleteCloudBenchTask	delete	All Resource ``	None	None
hdm:ModifyAutoScalingConfig	ModifyAutoScalingConfig	update	All Resource ``	None	None
hdm:DescribeSecurityIPGroup	DescribeSecurityIPGroup	get	All Resource ``	None	None
hdm:SetEventSubscription	SetEventSubscription	update	All Resource ``	None	None
hdm:CreateSecurityIPGroup	CreateSecurityIPGroup	create	All Resource ``	None	None
hdm:GetFullRequestOriginStatByInstanceId	GetFullRequestOriginStatByInstanceId	get	All Resource ``	None	None
hdm:CreateStorageAnalysisTask	CreateStorageAnalysisTask	none	All Resource ``	None	None
hdm:DisableInstanceDasConfig	DisableInstanceDasConfig	update	All Resource ``	None	None
hdm:DescribeSqlLogStatistic	DescribeSqlLogStatistic	get	All Resource ``	None	None
hdm:DescribeSqlLogTask	DescribeSqlLogTask	get	All Resource ``	None	None
hdm:DescribeCacheAnalysisJob	DescribeCacheAnalysisJob	get	All Resource ``	None	None
hdm:DisableAutoResourceOptimizeRules	DisableAutoResourceOptimizeRules	none	All Resource ``	None	None
hdm:GetQueryOptimizeDataStats	GetQueryOptimizeDataStats	get	All Resource ``	None	None
hdm:GetAutoThrottleRules	GetAutoThrottleRules	none	All Resource ``	None	None
hdm:GetQueryOptimizeTag	GetQueryOptimizeTag	get	All Resource ``	None	None
hdm:GetDasAgentSSE	GetDasAgentSSE	get	All Resource ``	None	None
hdm:GetErrorRequestSample	GetErrorRequestSample	get	All Resource ``	None	None
hdm:DescribeSqlLogConfig	DescribeSqlLogConfig	get	All Resource ``	None	None
hdm:GetRunningSqlConcurrencyControlRules	GetRunningSqlConcurrencyControlRules	get	All Resource ``	None	None
hdm:GetRedisAllSession	GetRedisAllSession	get	All Resource ``	None	None
hdm:DescribeDiagnosticReportList	DescribeDiagnosticReportList	get	All Resource ``	None	None
hdm:GetSqlConcurrencyControlKeywordsFromSqlText	GetSqlConcurrencyControlKeywordsFromSqlText	get	All Resource ``	None	None
hdm:GetPartitionsHeatmap	GetPartitionsHeatmap	get	All Resource ``	None	None
hdm:GetEndpointSwitchTask	GetEndpointSwitchTask	get	All Resource ``	None	None
hdm:DescribeCacheAnalysisJobs	DescribeCacheAnalysisJobs	get	All Resource ``	None	None

Resource

The following table lists the resources defined by Database Autonomy Service. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
DBCluster	acs:polardb:{#regionId}:{#accountId}:dbcluster/{#DbClusterId} acs:hdm:{#regionId}:{#accountId}:dbcluster/*
DBInstance	acs:rds:{#regionId}:{#accountId}:dbinstance/{#DbInstanceId} acs:drds:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId} acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId} acs:hdm:{#regionId}:{#accountId}:dbinstance/*
Instance	acs:mongodb:{#regionId}:{#accountId}:instance/{#InstanceId} acs:hdm:{#regionId}:{#accountId}:instance/*
SwitchDasPro	acs:hdm:*:{#accountId}:switchdaspro/{#InstanceId} acs:hdm::{#accountId}:switchdaspro/{#InstanceId}
InstanceMonitoringData	acs:hdm:*:{#accountId}:instancemonitoringdata/{#InstanceId}
CloudbenchTask	acs:hdm:*:{#accountId}:cloudbenchtask/{#TaskId}
PolarDBXInstance	acs:polardbx:{#RegionId}:{#accountId}:polardbxinstance/{#PolarDBXInstanceId}
HDMInstance	acs:hdm::{#accountId}:hdminstance/*

Condition

Database Autonomy Service does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: