This topic describes how to use Resource Access Management (RAM) policies to authorize RAM users to call specific API operations. If the provided system policies cannot meet your business requirements, you can create custom policies.
Authorization granularities
- By service: grants a RAM user the permissions on the Alibaba Cloud DNS (DNS) service. For example, the AliyunDNSFullAccess and AliyunDNSReadyOnlyAccess system policies provided by DNS are used to implement service-level authorization.
- By action: grants a RAM user the permissions to call specific DNS API operations. If you implement this type of authorization, the RAM user can perform specific operations on a type of DNS resource.
- By resource: grants a RAM user the permissions on a specific resource. Supported DNS resource types are domain, instance, and group.
DNS resource types
The following table describes the types of DNS resources supported in RAM authorization and the formats in which they can be specified.
| Resource type | Resource format in a policy | Description |
|---|---|---|
| Domain | acs:alidns:*:$accountid:domain/*
acs:alidns:*:$accountid:domain/$domainName |
Management permissions on the domain names of an Alibaba Cloud account can be granted to its RAM users. For example, an authorized RAM user can add domain names, remove domain names, create DNS records, delete DNS records, or enable the secondary DNS feature. |
| instance | acs:alidns:*:$accountid:instance/*
acs:alidns:*:$accountid:instance/$instanceid |
Management permissions on the paid DNS instances of an Alibaba Cloud account can be granted to its RAM users. For example, an authorized RAM user can query the paid DNS instances or change the domain names. |
| group | acs:alidns:*:$accountid:group/*
acs:alidns:*:$accountid:group/$groupId |
Management permissions on the domain name groups of an Alibaba Cloud account can be granted to its RAM users. For example, an authorized RAM user can create, modify, or delete domain name groups. |
The following sample policy can be used to grant full permissions on a domain name to a RAM user. The Resource parameter specifies the DNS resource type.
{
"Version": "1",
"Statement": [
{
"Action": "*",
"Resource": "acs:alidns:*:*:domain/midengd.xyz",
"Effect": "Allow"
},
{
"Action": "*",
"Resource": "acs:alidns:*:*:instance/alidns-cn-o400uxz3701",
"Effect": "Allow"
},
{
"Action": [
"alidns:DescribeSiteMonitorIspInfos",
"alidns:DescribeSiteMonitorIspCityInfos",
"alidns:DescribeSupportLines",
"alidns:DescribeDomains",
"alidns:DescribeDomainNs",
"alidns:DescribeDomainGroups"
],
"Resource": "acs:alidns:*:*:*",
"Effect": "Allow"
}
]
}Authorization for API operations
| API operation | Description | Resource format in a policy |
| AddDomain | Adds a domain name. | acs:alidns::{#accountId}:domain/* |
| DeleteDomain | Deletes a domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeDomains | Queries domain names. | acs:alidns::{#accountId}:domain/* |
| ModifyHichinaDomainDNS | Updates the DNS servers of a domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| GetMainDomainName | Queries the top-level domain name. | acs:alidns::{#accountId}:domain/* |
| DescribeDomainLogs | Queries the operation logs of a domain name. | acs:alidns::{#accountId}:domain/* |
| UpdateDomainRemark | Modifies the description of a domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeDomainInfo | Queries the details of a domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| RetrieveDomain | Retrieves a domain name. | acs:alidns::{#accountId}:domain/* |
| GetTxtRecordForVerify | Creates a TXT record. | acs:alidns::{#accountId}:domain/* |
| TransferDomain | Transfers one or more domain names to another Alibaba Cloud account. | acs:alidns::{#accountId}:domain/* |
| DescribeDomainNs | Queries the DNS servers of a domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeTransferDomains | Queries the domain names that are transferred between the current account and another account. | acs:alidns::{#accountId}:domain/* |
| DescribeDnsProductInstances | Queries paid DNS instances. | acs:alidns::{#accountId}:instance/* |
| BindInstanceDomains | Binds a domain name to a paid DNS instance. | acs:alidns::{#accountId}:instance/{#instanceId} |
| DescribeDnsProductInstance | Queries the details of a paid DNS instance. | acs:alidns::{#accountId}:instance/{#instanceId} |
| UnbindInstanceDomains | Unbinds a domain name from a paid DNS instance. | acs:alidns::{#accountId}:instance/{#instanceId} |
| DescribeDomainGroups | Queries domain name groups. | acs:alidns::{#accountId}:group/* |
| AddDomainGroup | Creates a domain name group. | acs:alidns::{#accountId}:group/* |
| DeleteDomainGroup | Deletes a domain name group. | acs:alidns:*{#accountId}:group/{#groupId} |
| UpdateDomainGroup | Changes the name of a domain name group. | acs:alidns::{#accountId}:group/{#groupId} |
| ChangeDomainGroup | Moves a domain name to another domain name group. | acs:alidns::{#accountId}:domain/{#domainName} acs:alidns::{#accountId}:group/{#groupId} |
| AddDomainRecord | Creates a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| DeleteDomainRecord | Deletes a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| UpdateDomainRecord | Modifies a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeDomainRecords | Queries DNS records. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeDomainRecordInfo | Queries the details of a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeSubDomainRecords | Queries the DNS records of a subdomain. | acs:alidns::{#accountId}:domain/{#domainName} |
| DeleteSubDomainRecords | Deletes the DNS records corresponding to a host record. | acs:alidns::{#accountId}:domain/{#domainName} |
| SetDomainRecordStatus | Sets the DNS resolution status. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeRecordLogs | Queries the operation logs of a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeSupportLines | Queries resolution lines. | acs:alidns:*:$accountid:* |
| UpdateDomainRecordRemark | Modifies the description of a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| AddDomainBackup | Creates a domain name backup task. | acs:alidns::{#accountId}:domain/* |
| DescribeDomainStatistics | Obtains the real-time query volume of a top-level domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeDomainStatisticsSummary | Obtains the query volume of all domain names within the current Alibaba Cloud account. | acs:alidns::{#accountId}:domain/* |
| DescribeRecordStatistics | Obtains the real-time query volume of a subdomain. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeRecordStatisticsSummary | Obtains the query volume of all subdomains of a domain name. | acs:alidns::{#accountId}:domain/{#domainName} |
| SetDNSSLBStatus | Specifies whether to enable or disable weighted round-robin. | acs:alidns::{#accountId}:domain/{#domainName} |
| UpdateDNSSLBWeight | Modifies the weight of a DNS record. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeDNSSLBSubDomains | Queries the subdomains for which weighted round-robin is enabled. | acs:alidns::{#accountId}:domain/{#domainName} |
| AddCustomLine | Adds a custom line. | acs:alidns::{#accountId}:domain/{#domainName} |
| UpdateCustomLine | Updates a custom line. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeCustomLines | Queries custom lines. | acs:alidns::{#accountId}:domain/{#domainName} |
| DescribeCustomLine | Queries the details of a custom line. | acs:alidns::{#accountId}:domain/{#domainName} |