Custom policies provide more fine-grained permission control than system policies. You can use a custom policy to control the permissions on specific instances or actions. This topic describes how to use custom policies to manage Data Transmission Service (DTS) instances.
Prerequisites
A RAM user is authorized to access the cloud resources of the current Alibaba Cloud account, such as ApsaraDB for RDS instances and Elastic Compute Service (ECS) instances. When you configure a DTS task as the RAM user, DTS is then allowed to read the information about the relevant cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.
Background information
A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.
Usage notes
If you want to synchronize data to a MaxCompute project, you cannot configure the data synchronization task as a RAM user. You must use an Alibaba Cloud account to configure the task.
If you configure a DTS task as a RAM user and the database is connected over Database Gateway, you must grant the AliyunDGFullAccess permission to the RAM user. If you configure a DTS task as a RAM user and the database is connected over Cloud Enterprise Network (CEN), you must grant the AliyunCENFullAccess permission to the RAM user.
Step 1: Create a custom policy
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, open the Policies page.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
On the JSON tab, enter the content of the custom policy in the code editor.
You can grant permissions on specific resources and actions. Replace the DTS instance ID placeholder in the following policies with the actual ID of each DTS instance. If only read-only permissions (dts:Describe*) on a DTS instance are granted to a Resource Access Management (RAM) user, the RAM user can query task details and configurations but cannot modify the configurations. If read and write permissions (dts:*) on a DTS instance are granted to a RAM user, the RAM user can configure and manage the DTS instance.
Important: Make sure that the custom policy contains the permissions to call the DescribeBasicConfigs and DescribeDomainRegions operations.
Sample custom policies:
Example 1: read-only permissions on a single DTS instance
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:Describe*",
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}
Example 2: read and write permissions on multiple DTS instances (one Resource entry per instance)
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dts:*",
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
Example 3: permissions to view the configurations of a data synchronization task
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSynchronizationJobStatus",
        "dts:DescribeSynchronizationJobs"
      ],
      "Resource": "acs:dts:*:*:instance/DTS instance ID"
    }
  ],
  "Version": "1"
}
Example 4: permissions to start or pause multiple data synchronization tasks
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeSubscriptionInstances",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob"
      ],
      "Resource": [
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID",
        "acs:dts:*:*:instance/DTS instance ID"
      ]
    }
  ],
  "Version": "1"
}
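The following Python script is an added example for this topic; it is not Alibaba Cloud's own tooling and not code from this page. It generates the read-only and read/write policies shown above for a list of instance IDs, adds the DescribeBasicConfigs and DescribeDomainRegions permissions that the Important note requires, validates the result (Version, dts: action prefix, resource format, placeholder left in place), and evaluates sample requests against the policy. The instance IDs, function names, and the choice to grant the two required operations on Resource "*" are assumptions of the example; the evaluator is a simplified model of RAM matching (a matching Deny wins, otherwise a matching Allow grants), not the RAM engine itself.

```python
"""Generate and sanity-check DTS custom policies.

Added example for this topic; not Alibaba Cloud's own tooling. Instance IDs,
function names, and the Resource "*" grant for the two required Describe
operations are assumptions of the example.
"""
import fnmatch
import json
import re

# The topic requires every DTS custom policy to allow these two operations.
REQUIRED_ACTIONS = ["dts:DescribeBasicConfigs", "dts:DescribeDomainRegions"]
# acs:dts:<region or *>:<account ID or *>:instance/<instance ID>
RESOURCE_RE = re.compile(r"^acs:dts:(\*|[a-z0-9-]+):(\*|\d+):instance/[A-Za-z0-9]+$")
PLACEHOLDER = "DTS instance ID"


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def instance_resource(instance_id):
    return f"acs:dts:*:*:instance/{instance_id}"


def build_policy(instance_ids, read_only=True):
    """Read-only grants dts:Describe*, read/write grants dts:*, on the given instances."""
    # Deduplicate and sort the resources, as the console's basic optimization would.
    resources = sorted({instance_resource(i) for i in instance_ids})
    if not resources:
        raise ValueError("at least one DTS instance ID is required")
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "dts:Describe*" if read_only else "dts:*",
                "Resource": resources if len(resources) > 1 else resources[0],
            },
            # Assumption of this example: the two required operations are not
            # instance-scoped, so they are granted on all resources.
            {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"},
        ],
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    allow_patterns = set()
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(st.get("Action", [])):
            if not action.startswith("dts:"):
                problems.append(f"statement {i}: {action!r} is not a dts: action")
            elif st.get("Effect") == "Allow":
                allow_patterns.add(action)
        for res in _as_list(st.get("Resource", [])):
            if PLACEHOLDER in res:
                problems.append(f"statement {i}: replace the {PLACEHOLDER!r} placeholder")
            elif res != "*" and not RESOURCE_RE.match(res):
                problems.append(f"statement {i}: malformed resource {res!r}")
    for req in REQUIRED_ACTIONS:
        if not any(fnmatch.fnmatchcase(req, p) for p in allow_patterns):
            problems.append(f"no Allow statement covers {req}")
    return problems


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: a matching Deny wins; otherwise a matching Allow grants."""
    granted = False
    for st in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"]))
        if action_hit and resource_hit:
            if st["Effect"] == "Deny":
                return False
            granted = True
    return granted


if __name__ == "__main__":
    # Constructed instance IDs for demonstration only.
    policy = build_policy(["dtsabc123", "dtsdef456"], read_only=True)
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy))
    print("read-only user can ModifyDtsJob:",
          is_allowed(policy, "dts:ModifyDtsJob", instance_resource("dtsabc123")))
```

Paste the printed JSON into the code editor on the JSON tab in Step 1. The validator catches the most common mistake, leaving the DTS instance ID placeholder in place, and the evaluation shows that a read-only user cannot call ModifyDtsJob even on an instance the user is allowed to read, and cannot read instances that are not listed in the policy.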
Click Next to edit policy information.
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Step 2: Attach the custom policy to a RAM user
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, open the Users page.
On the Users page, find the RAM user that you want to authorize in the User Logon Name/Display Name column.
Click Add Permissions in the Actions column.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
In the Policy section, select Custom Policy from the drop-down list.
In the search box, enter the name of the custom policy that you created in Step 1.
Click the name of a custom policy to add the policy to the Selected Policy section.
Click Grant permissions.
After the permissions are granted to the user, click Close.
Scenarios of action-level authorization
The DescribeDTSIP, DescribeSubscriptionInstances, and DescribeSynchronizationJobs permissions allow a RAM user to query available DTS instances. If a RAM user has permissions only on specific instances, the user must still be able to query available DTS instances before the user can perform related operations. To authorize a RAM user to configure a data migration, data synchronization, or change tracking task, you must create a custom policy and attach the policy to the RAM user. For more information, see Authorize DTS to access Alibaba Cloud resources.
The following tables list the API operations that each action in the DTS console calls. In a policy, write each operation with the dts: prefix, for example, dts:StartDtsJob.
API operations (new version)
Feature | Action in the DTS console | Policy
--- | --- | ---
Purchase an instance | Purchase a DTS instance | CreateDtsInstance
Migrate or synchronize data | Configure a data migration or synchronization task | ConfigureDtsJob
Track data changes | Configure a change tracking task | ConfigureSubscription
Start a task | Start a DTS task | StartDtsJob
Start multiple tasks at a time | Start multiple DTS tasks at a time | StartDtsJobs
Manage consumer groups | Create a consumer group for a change tracking task | CreateConsumerChannel
 | Query the consumer group of a change tracking task | DescribeConsumerChannel
 | Modify the consumer group of a change tracking task | ModifyConsumerChannel
 | Delete the consumer group of a change tracking task | DeleteConsumerChannel
Query tasks | Query the details of a DTS task | DescribeDtsJobDetail
 | Query DTS tasks and the details of each task | DescribeDtsJobs
Modify the configurations of a DTS task | Modify the configurations of a data synchronization task | ModifyDtsJob
 | Modify the configurations of a change tracking task | ModifySubscription
 | Rename a DTS task | ModifyDtsJobName
Reset a task | Reset a DTS task | ResetDtsJob
Pause a task | Pause a DTS task | SuspendDtsJob
Pause multiple tasks at a time | Pause multiple DTS tasks at a time | SuspendDtsJobs
Stop a task | Stop a DTS task | StopDtsJob
Stop multiple tasks at a time | Stop multiple DTS tasks at a time | StopDtsJobs
Release an instance | Release a DTS instance | DeleteDtsJob
Release multiple instances at a time | Release multiple DTS instances at a time | DeleteDtsJobs
Configure alerts for tasks | Create an alert rule for a DTS task or modify the alert rules of a DTS task | CreateJobMonitorRule
 | Query the alert rules of a DTS task | DescribeJobMonitorRule
Query an extract, transform, and load (ETL) task | Query the details of an ETL task | DescribeDtsEtlJobVersionInfo
 | Query the logs of an ETL task | DescribeEtlJobLogs
API operations (old version)
Feature | Action in the DTS console | Policy
--- | --- | ---
Manage data migration tasks | Create a data migration task | CreateMigrationJob
 | Query data migration tasks | DescribeMigrationJobs
 | View the details of a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus
 | Rename a data migration task | DescribeMigrationJobs, ModifyMigrationObject
 | Configure a data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
 | View precheck details | DescribeMigrationJobs, DescribeMigrationJobStatus
 | Create a similar data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail, DescribeMigrationJobStatus, CreateMigrationJob
 | Monitor a data migration task and set an alert rule for the data migration task | DescribeMigrationJobs, DescribeMigrationJobAlert, ConfigureMigrationJobAlert
 | Change the password that is used to log on to an instance | DescribeMigrationJobs, DescribeMigrationJobDetail, ModifyMigrationObject
 | Start a data migration task | DescribeMigrationJobs, StartMigrationJob, DescribeMigrationJobDetail
 | Pause a data migration task | DescribeMigrationJobs, SuspendMigrationJob
 | View the details of a schema migration task | DescribeMigrationJobs, DescribeMigrationJobStatus
 | View the details of a full data migration task | DescribeMigrationJobs, DescribeMigrationJobStatus
 | View the details of an incremental data migration task | DescribeMigrationJobs, DescribeMigrationJobStatus
 | View the performance of a full data migration task or an incremental data migration task | DescribeMigrationJobs, DescribeMigrationJobDetail
 | View task logs | DescribeMigrationJobs, DescribeMigrationJobDetail
Manage change tracking tasks | Create a change tracking task | CreateSubscriptionInstance
 | Query change tracking tasks | DescribeSubscriptionInstances
 | View the details of a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
 | Rename a change tracking task | DescribeSubscriptionInstances, ModifySubscriptionObject
 | Change the objects for change tracking | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
 | Create a consumer group | DescribeSubscriptionInstances, CreateConsumerGroup
 | View the information about a consumer group | DescribeSubscriptionInstances, DescribeConsumerGroup
 | Change the password of a consumer group | DescribeSubscriptionInstances, ModifyConsumerGroupPassword
 | Delete a consumer group | DescribeSubscriptionInstances, DeleteConsumerGroup
 | Change the password that is used to log on to an instance | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
 | Release a change tracking task | DescribeSubscriptionInstances, DeleteSubscriptionInstance
 | Monitor a change tracking task and set an alert rule for the change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceAlert, ConfigureSubscriptionInstanceAlert
 | Configure a change tracking task | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus, ModifySubscriptionObject
 | View task logs | DescribeSubscriptionInstances, DescribeSubscriptionInstanceStatus
Manage data synchronization tasks | Create a data synchronization task | CreateSynchronizationJob
 | Query data synchronization tasks | DescribeSynchronizationJobs
 | View the details of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
 | Rename a data synchronization task | DescribeSynchronizationJobs, ModifySynchronizationObject
 | View the configurations of a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
 | View the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
 | View the status of a schema synchronization or full data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
 | View the performance of full data synchronization or incremental data synchronization | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
 | View the change records of the objects to be synchronized | DescribeSynchronizationJobs
 | View task logs | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus
 | Configure a data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
 | Start a data synchronization task | DescribeSynchronizationJobs, StartSynchronizationJob
 | Pause a data synchronization task | DescribeSynchronizationJobs, SuspendSynchronizationJob
 | Change the objects to be synchronized | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySynchronizationObject
 | Release a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob
 | Stop a data synchronization task | DescribeSynchronizationJobs, DeleteSynchronizationJob
 | Monitor a data synchronization task and set an alert rule for the data synchronization task | DescribeSynchronizationJobs, DescribeSynchronizationJobAlert, ConfigureSynchronizationJobAlert
 | Change the password that is used to log on to an instance | DescribeSynchronizationJobs, DescribeSynchronizationJobStatus, ModifySubscriptionObject
Manage network settings | Query the CIDR blocks of DTS servers | DescribeDTSIP
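The following Python script is an added example for this topic, not code from this page or from DTS. It encodes a few rows of the tables above as the list of operations each console workflow calls, reports which operations a given policy lacks for a workflow, and flags the case described in the FAQ below, where a policy without a list operation (DescribeDTSIP, DescribeSubscriptionInstances, or DescribeSynchronizationJobs) leaves the console unable to show the instance list. It also builds a least-privilege policy from the selected workflows, in the style of Example 4 in Step 1. The workflow names, function names, and sample policies are constructed for the example; matching ignores resource scope and Deny statements; and granting DescribeBasicConfigs and DescribeDomainRegions on Resource "*" is an assumption of the example.

```python
"""Map DTS console workflows to the RAM actions they call.

Added example for this topic, not Alibaba Cloud's own tooling. Workflow names,
function names, and the sample policies are constructed; the operation lists
come from the tables above. Matching ignores resource scope and Deny statements.
"""
import fnmatch
import json

# A few rows of the tables above. Every row for a task type depends on that
# type's list operation (the first entry), which the console calls first.
WORKFLOWS = {
    "view sync task details": ["DescribeSynchronizationJobs", "DescribeSynchronizationJobStatus"],
    "configure sync task": ["DescribeSynchronizationJobs", "DescribeSynchronizationJobStatus",
                            "ModifySynchronizationObject"],
    "start sync task": ["DescribeSynchronizationJobs", "StartSynchronizationJob"],
    "pause sync task": ["DescribeSynchronizationJobs", "SuspendSynchronizationJob"],
    "release sync task": ["DescribeSynchronizationJobs", "DeleteSynchronizationJob"],
    "create consumer group": ["DescribeSubscriptionInstances", "CreateConsumerGroup"],
    "query DTS server CIDR blocks": ["DescribeDTSIP"],
}
# Operations that let a RAM user query available DTS instances (see above).
LIST_OPERATIONS = {"DescribeDTSIP", "DescribeSubscriptionInstances", "DescribeSynchronizationJobs"}
# Required by the Important note in Step 1; granting them on "*" is an assumption here.
REQUIRED_ACTIONS = ["dts:DescribeBasicConfigs", "dts:DescribeDomainRegions"]


def granted_patterns(policy):
    """Action patterns from the policy's Allow statements."""
    patterns = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            patterns.update(actions)
    return patterns


def missing_actions(policy, workflow):
    """Operations the workflow calls that no Allow statement covers, in call order."""
    patterns = granted_patterns(policy)
    needed = ["dts:" + op for op in WORKFLOWS[workflow]]
    return [a for a in needed if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]


def diagnose(policy, workflow):
    """Explain why a console workflow fails for a RAM user, or return 'ok'."""
    missing = missing_actions(policy, workflow)
    if not missing:
        return "ok"
    message = "missing " + ", ".join(missing)
    if any(a.split(":", 1)[1] in LIST_OPERATIONS for a in missing):
        # The FAQ case: the console cannot list instances for this user.
        message += "; the console shows an error instead of the instance list, search by instance ID"
    return message


def least_privilege_policy(workflows, instance_ids):
    """One Allow statement with exactly the operations the chosen workflows call."""
    actions = sorted({"dts:" + op for w in workflows for op in WORKFLOWS[w]})
    resources = sorted({f"acs:dts:*:*:instance/{i}" for i in instance_ids})
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": resources},
            {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"},
        ],
    }


if __name__ == "__main__":
    # Constructed policy: the start permission without the list operation.
    broken = {"Version": "1", "Statement": [{"Effect": "Allow",
              "Action": ["dts:StartSynchronizationJob"],
              "Resource": "acs:dts:*:*:instance/dtsabc123"}]}
    print(diagnose(broken, "start sync task"))
    print(json.dumps(least_privilege_policy(["start sync task", "pause sync task"],
                                            ["dtsabc123", "dtsdef456"]), indent=2))
```

Run diagnose against the policy you attached in Step 2 before handing the RAM user over: a policy that grants only the mutating operation (StartSynchronizationJob, for example) looks complete but fails at the first console step, because the console calls the list operation before anything else. The generated policy lists each instance explicitly, so a user granted start and pause on two instances cannot touch a third.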
What to do next
Log on to the Alibaba Cloud Management Console as the RAM user and verify that the user can perform only the intended operations on the intended DTS instances.
FAQ
Q: Why does an error message instead of the instance list appear when I log on to the DTS console as a RAM user?
A: The RAM user may have no permissions, or may have permissions only on specific instances. In this case, the DTS console does not display the instance list. Contact the RAM administrator to obtain the IDs of the DTS instances that the RAM user has permissions to manage, and then search for those DTS instances by ID in the DTS console.