DataWorks: Allow a RAM user to log on to the DataWorks console only from a specific IP address

Last Updated: Dec 18, 2024

This topic describes how to allow a RAM user to log on to the DataWorks console only from a specific local IP address.

Prerequisites

A RAM user is created and granted the required permission. For more information, see Prepare a RAM user. The AliyunDataWorksFullAccess policy defines default permissions, and you cannot change the policy. You must create a custom policy and attach the policy to the RAM user.

Create a custom policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab.

  3. Configure the custom policy in the code editor.

    The following code provides an example policy document. In the policy, set the acs:SourceIp condition key to the IP address that you want to use to access DataWorks. You can specify multiple IP addresses. For more information about the parameters in the policy, see Policy elements.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "dataworks:*"
                ],
                "Resource": [
                    "acs:dataworks:*:*:*"
                ],
                "Condition": {
                    "NotIpAddress": {
                        "acs:SourceIp": [
                            "10.0.0.0",
                            "192.168.0.0"
                        ]
                    }
                }
            }
        ]
    }

    Note

    If you want to allow a RAM user to log on to the DataWorks console only from a specific IP address, you must configure "Effect": "Deny" in the custom policy that you want to attach to the RAM user. For more information about the structure and syntax of a policy, see Policy structure and syntax.

  4. Optional. Perform advanced optimization on the policy document.

    To perform advanced optimization on the policy document, click Optional advanced optimize. In the Optional advanced optimize message, click Perform. The system performs the following operations during the advanced optimization:

    • Splits resources or conditions that are incompatible with actions.

    • Narrows down resources.

    • Deduplicates or merges policy statements.

  5. Click OK. In the Create Policy dialog box, configure the Name and Description parameters.

  6. Click OK.
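
To check which source addresses the policy from step 3 would block before you attach it, the following added Python example evaluates its Deny statement against candidate IP addresses. It is not part of the original DataWorks documentation and is a simplified local model, not RAM's own evaluator. It assumes that a bare address in acs:SourceIp matches only that single host and that CIDR entries are accepted; Resource matching is left out, and the sample addresses and the dataworks:ExampleAction name are constructed placeholders.

```python
import fnmatch
import ipaddress
import json

# Policy document copied from step 3 of this page.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["dataworks:*"],
    "Resource": ["acs:dataworks:*:*:*"],
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0", "192.168.0.0"]}}
  }]
}
""")


def as_list(value):
    return value if isinstance(value, list) else [value]


def listed_networks(statement):
    """Return the networks listed under NotIpAddress / acs:SourceIp."""
    entries = statement.get("Condition", {}).get("NotIpAddress", {}).get("acs:SourceIp", [])
    # Assumption: a bare address is a single host (/32 for IPv4); CIDR is kept as-is.
    return [ipaddress.ip_network(e, strict=False) for e in as_list(entries)]


def is_denied(policy, source_ip, action):
    """True if a Deny statement with NotIpAddress applies (Resource not evaluated)."""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in as_list(st["Action"])):
            continue
        nets = listed_networks(st)
        # NotIpAddress holds when the caller is outside every listed network.
        if nets and all(ip not in n for n in nets):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample addresses; the action name is a placeholder.
    for addr in ("10.0.0.0", "10.0.0.5", "192.168.0.0", "203.0.113.7"):
        print(addr, "deny" if is_denied(POLICY, addr, "dataworks:ExampleAction") else "pass")
```

Under these assumptions, only the two listed addresses pass; a neighbouring address such as 10.0.0.5 is denied, so list every address or range that the RAM user logs on from.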

Attach the custom policy to the RAM user

  1. In the left-side navigation pane of the RAM console, choose Identities > Users. On the Users page, find the RAM user and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to attach the policy to the RAM users at the same time.

  2. In the Grant Permission panel, select Custom Policy from the drop-down list. Then, select the name of the custom policy that you want to attach to the RAM user in the Policy Name column.

    Note

    • The system automatically sets the Selected Principal parameter to the created RAM user.

    • To remove a policy, you can click the × icon for the policy in the Selected Policy list on the right side of the panel.

  3. Click Grant permissions and click Close.