Use the EDAS permission assistant to create RAM policies - Enterprise Distributed Application Service

The permission assistant is a feature provided by Enterprise Distributed Application Service (EDAS) to help you create EDAS-related policies in Resource Access Management (RAM). You can use the EDAS permission assistant to create RAM policies based on EDAS-defined permission policies with efficiency.

View system permission policies

EDAS provides eight system permission policies for different roles on the Permission Assistant page in the EDAS console. You can select a system permission policy and copy its content based on the purpose of a role in the EDAS console. Then, log on to the RAM console, create a RAM policy by using the copied content, and attach the RAM policy to the RAM user that corresponds to the role. For more information, see Replace EDAS-defined permissions with RAM policies.

Log on to the EDAS console.
In the left-side navigation pane, choose System Management > Permission Assistant.
On the Permission Assistant page, view the system permission policies provided by EDAS.
In the Policy Type column, System Strategy indicates that the corresponding permission policy is a system permission policy provided by EDAS. You can perform the following operations on a system permission policy based on your requirements:
- Click duplicate on the right side to go to the New permission Strategy panel. In this panel, modify the configuration of the system permission policy to create another permission policy.
- Click view detail on the right side to open the view detail dialog box. In this dialog box, click copy to copy the content of the system permission policy. Log on to the RAM console, create a RAM policy by using the copied content, and then attach the RAM policy to a RAM user as required. For more information, see Replace EDAS-defined permissions with RAM policies.

For more information about the eight system permission policies provided by EDAS, see Overview of system permission policies provided by EDAS.

Create a custom permission policy

You can also use the EDAS permission assistant to create custom permissions policies. The following example shows how to create a custom permission policy.

For example, you want to grant the following permissions to a RAM user:

The permissions to view the test microservice namespace in the China (Beijing) region.
The permissions to view all clusters in the test microservice namespace in the China (Beijing) region.
Full permissions except for the creation permissions on the test microservice namespace.

Log on to the EDAS console.
In the left-side navigation pane, choose System Management > Permission Assistant.
On the Permission Assistant page, click New permission Strategy.
In the New permission Strategy panel, set the Name of strategy and note parameters in the Create a new custom permission policy step.
Specify the effects of the custom permission policy and click next step.
Notice
- When you create a custom permissions policy, you can specify only one effect type. Available effect types are Allow and Deny.
- You can configure multiple permission statements. If a permission policy contains two permission statements for which the Permissions for parameter is separately set to Allow and Deny, the permission statement of the Deny effect type prevails.
1. In the Create a new custom permission policy step, click New permission statement. In the Add authorization statement panel, configure statements for the allowed permissions described in the preceding section and click yes.
  1. Set the Permissions for parameter to Allow.
  2. In the left-side list of the Operations and resource authorization section, choose Namespace > View Namespace. Then, select China North 2 (Beijing) and test from the drop-down lists on the right side.
  3. In the left-side list of the Operations and resource authorization section, choose Clusters > View Cluster. Then, select China North 2 (Beijing), test, and All Clusters from the drop-down lists on the right side.
  4. In the left-side list of the Operations and resource authorization section, select Applications. Then, select China North 2 (Beijing) and test from the drop-down lists on the right side. If you select Applications, all permissions on applications are selected.
2. In the Create a new custom permission policy step, click New permission statement. In the Add authorization statement panel, configure a statement for the denied application creation permissions described in the preceding section and click yes.
  1. Set the Permissions for parameter to Deny.
  2. In the left-side list of the Operations and resource authorization section, choose Applications > Create Application. Then, select China North 2 (Beijing) and test from the drop-down lists on the right side.
In the Strategy to preview step, confirm the permission policy and click Finish.

The New policy authorization succeeded message appears. Click Return to list view to go to the Permission Assistant page.

Find the created custom permission policy and click view detail on the right side to open the view detail dialog box. In this dialog box, click copy to copy the content of the custom permission policy. Log on to the RAM console, create a RAM policy by using the copied content, and then attach the RAM policy to a RAM user as required. For more information, see Replace EDAS-defined permissions with RAM policies.

Overview of system permission policies provided by EDAS

Super Admin

The Super Admin permission policy is designed for super administrators. Super administrators have full permissions on EDAS and have the same scope of permissions as your Alibaba Cloud account. Do not assign the super administrator role to RAM users unless necessary. We recommend that you implement fine-grained access control. Super administrators have the following permissions:

Full permissions on microservice namespaces
Full permissions on clusters
Full permissions on applications
Full permissions on microservices
Full permissions on configuration management