To facilitate the management of permissions on Enterprise Distributed Application Service (EDAS) and other services, EDAS-defined permissions can be replaced by permission policies of Resource Access Management (RAM). Before all EDAS-defined permissions are replaced by RAM permission policies, you can still use EDAS-defined permissions to manage EDAS.
Background information
EDAS supports both EDAS-defined permissions and RAM policies. Sub-accounts and RAM users are managed by using the following rules:
- Access of RAM users is controlled by RAM policies, instead of EDAS-defined permissions.
- For sub-accounts:
- Access of sub-accounts that are granted the AliyunEDASFullAccess permission is controlled by RAM policies, instead of EDAS-defined permissions.
- We recommend that you switch sub-accounts that are regulated by EDAS-defined permissions to RAM users. For more information, see Replace EDAS-defined permissions with RAM policies. If you do not switch sub-accounts to RAM users, you can continue to use EDAS-defined permissions to control access of the sub-accounts.
Creates a role
An Alibaba Cloud account can grant RAM users operation permissions by assigning RAM roles to RAM users.
Log on to the EDAS console.
In the left-side navigation pane, choose .
On the Roles page, click Create Role in the upper-right corner.
In the Create Role dialog box, enter a name for the role, select permissions in the left-side Optional Permissions list and click Add >> to add the selected roles to the right-side Selected Permissions list. Then, click OK.
The roles that you have created are listed on the Roles page.
You can click View Permissions, Manage Permissions, or Delete in the Actions column to manage a role.
Assign roles to a RAM user
To grant permissions to a RAM user, you must assign the corresponding roles to the RAM user.
Log on to the EDAS console.
In the left-side navigation pane, choose .
Find the RAM user that you want to manage and click Manage Roles in the Actions column.
In the Manage Roles dialog box, select roles from the left-side Unselected list and click > to add the selected roles to the right-side Selected list. Then, click OK.
On the RAM User page, roles assigned to the RAM user are displayed in the Role column.
To manage the roles, click Manage Roles in the Actions column and repeat the preceding steps.
Grant a RAM user permissions on an application
After you grant a RAM user permissions on an application, the RAM user has permissions to access the application. To allow the RAM user to perform operations such as start or delete the application, you must assign the required roles to the RAM user. Otherwise, the RAM user can only access the application but cannot manage the application.
Log on to the EDAS console.
In the left-side navigation pane, choose .
Find the RAM user that you want to manage and click Applications Authorized in the Actions column.
In the Applications Authorized dialog box, select applications from the left-side Unselected list and click > to add the selected applications to the right-side Selected list. Then, click OK.
On the RAM User page, applications on which the RAM user has permissions are displayed in the Applications Authorized column.
To manage applications on which a RAM user has permissions, click Applications Authorized in the Actions column and repeat the preceding steps.
Grant a RAM user permissions on a resource group
Log on to the EDAS console.
In the left-side navigation pane, choose .
On the RAM User page, find the RAM user that you want to manage and click Resource Group Authorized in the Actions column.
In the Resource Group Authorized dialog box, select resource groups from the left-side Unselected list and click > to add the selected resource groups to the right-side Selected list. Then, click OK.
On the RAM User page, resource groups on which the RAM user has permissions are displayed in the Resource Group Authorized column.
To manage resource groups on which a RAM user has permissions, click Resource Group Authorized in the Actions column and repeat the preceding steps.