You can grant permissions on Data Transmission Service (DTS) to a Resource Access Management (RAM) user and then manage DTS as that RAM user. This lets you assign different permissions to different users and improves account security.
Prerequisites
A RAM user is authorized to access the cloud resources such as ApsaraDB for RDS instances and Elastic Compute Service (ECS) instances of the current Alibaba Cloud account. When you configure a DTS task as the RAM user, DTS is allowed to access the relevant cloud resource information. For more information, see Authorize DTS to access Alibaba Cloud resources.
Usage notes
If you want to synchronize data to a MaxCompute project, you cannot configure the data synchronization task as a RAM user. You must use an Alibaba Cloud account to configure the task.
If you configure a DTS task as a RAM user and the database is connected over Database Gateway, you must grant the AliyunDGFullAccess permission to the RAM user. If you configure a DTS task as a RAM user and the database is connected over Cloud Enterprise Network (CEN), you must grant the AliyunCENFullAccess permission to the RAM user.
Permission policies
DTS supports read/write and read-only policies.
You cannot grant API-level permissions to RAM users.
Read/write policy: AliyunDTSFullAccess
This policy grants the read and write permissions on DTS. If this policy is attached to a RAM user, the RAM user can purchase, configure, and manage DTS instances.
Read-only policy: AliyunDTSReadOnlyAccess
This policy grants the read permissions on DTS. If this policy is attached to a RAM user, the RAM user can view the details and configurations of all DTS tasks owned by the Alibaba Cloud account. However, the RAM user cannot perform change operations.
Note: Change operations include the purchase, configuration, and management of DTS instances.
Procedure
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose
On the Users page, find the RAM user to which you want to grant permissions, and click Add Permissions in the Actions column.
In the Add Permissions panel, specify the permission policies.
Select the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Specify the principal.
The principal is the RAM user to which you want to grant permissions.
Select System Policy for the Select Policy parameter.
Enter dts in the search box to query the system policies that are related to DTS.
Click the policies based on your business requirements to add them to the Selected section.
Note: For more information, see the Permission policies section of this topic.
Click OK.
After the policies are attached to the RAM user, click Complete.
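The following added example (not part of the original documentation) checks whether the system policies attached to a RAM user match what this topic requires for that user's role, and reports missing policies, policies broader than needed, and the MaxCompute restriction. It assumes the input follows the JSON shape of the RAM ListPoliciesForUser response; the function names, the connection labels, and the sample data are constructed for illustration.

```python
import json

# System policy names taken from this topic.
FULL = "AliyunDTSFullAccess"
READ_ONLY = "AliyunDTSReadOnlyAccess"
# Connection labels are hypothetical keys chosen for this example.
CONNECTIVITY = {"database_gateway": "AliyunDGFullAccess", "cen": "AliyunCENFullAccess"}

def attached_system_policies(response_json):
    """Extract system policy names from a ListPoliciesForUser-style response (assumed shape)."""
    policies = json.loads(response_json).get("Policies", {}).get("Policy", [])
    return {p["PolicyName"] for p in policies if p.get("PolicyType") == "System"}

def review(attached, configures_tasks, connections=(), syncs_to_maxcompute=False):
    """Return (missing, excess, blockers) for one RAM user."""
    blockers = []
    if configures_tasks and syncs_to_maxcompute:
        blockers.append("MaxCompute synchronization tasks must be configured "
                        "with the Alibaba Cloud account, not a RAM user")
    required = {FULL if configures_tasks else READ_ONLY}
    if configures_tasks:
        for conn in connections:
            if conn not in CONNECTIVITY:
                raise ValueError(f"unknown connection type: {conn}")
            required.add(CONNECTIVITY[conn])
    missing = required - attached
    if FULL in attached:
        missing.discard(READ_ONLY)  # full access already includes read
    in_scope = {FULL, READ_ONLY, *CONNECTIVITY.values()}
    excess = (attached & in_scope) - required
    return sorted(missing), sorted(excess), blockers

# Constructed sample input, not real account data.
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunDTSFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECSReadOnlyAccess", "PolicyType": "System"},
    {"PolicyName": "team-custom-policy", "PolicyType": "Custom"},
]}})

if __name__ == "__main__":
    attached = attached_system_policies(SAMPLE)
    # A user who only views tasks: full access is more than needed.
    print(review(attached, configures_tasks=False))
    # A user who configures tasks over CEN: the CEN policy is missing.
    print(review(attached, configures_tasks=True, connections=["cen"]))
```

A policy reported as excess is a candidate for replacement with the narrower policy listed in the Permission policies section.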
References
Log on to the Alibaba Cloud Management Console as a RAM user