Writing RAM policy JSON by hand is error-prone and time-consuming. The EDAS permission assistant generates Resource Access Management (RAM) policy JSON from a visual interface. Select the namespaces, clusters, and applications to control, choose Allow or Deny, and the assistant builds the complete policy. Then copy the generated JSON into the RAM console to create a RAM policy.
EDAS provides eight system permission policies that cover common roles. Start with a system policy when possible, and create a custom policy only when you need permissions that no system policy matches.
Prerequisites
Before you begin, make sure that you have:
- An Alibaba Cloud account or a RAM user with EDAS console access
- Access to the RAM console to create and attach policies
System permission policies
EDAS provides eight system policies. The following table summarizes which resources each policy controls and the level of access granted.
| Policy | Namespaces | Clusters | Applications | Microservices | Config management | System |
|---|---|---|---|---|---|---|
| Super Admin | Full | Full | Full | Full | Full | Full |
| App Admin | -- | Full | Full | Full | -- | -- |
| App Operator | -- | -- | Full (no create or delete) | Full | -- | Manage |
| App Browser | -- | -- | Read | Read | -- | -- |
| Resource Admin | Full | Full | -- | -- | -- | -- |
| Resource Operator | Full (no create) | Full (no create) | -- | -- | -- | -- |
| Resource Browser | Read | Read | -- | -- | -- | -- |
| Edas Browser | Read | Read | Read | Read | Read | Read logs |
Choose a system policy
- Super Admin: Equivalent to the Alibaba Cloud account. Reserve it for break-glass scenarios and prefer fine-grained access control otherwise.
- App Admin or App Operator: Assign to teams that deploy and manage applications. Use App Operator to prevent accidental application creation or deletion.
- App Browser: Assign to stakeholders who need visibility into application status without making changes.
- Resource Admin or Resource Operator: Assign to infrastructure teams that manage namespaces and clusters. Use Resource Operator to prevent accidental namespace or cluster creation.
- Resource Browser: Assign to users who only need to view infrastructure resources.
- Edas Browser: Assign for full read-only access across EDAS, including operation logs.
View and copy a system policy
1. Log on to the EDAS console.
2. On the Permission Assistant page, view the available system permission policies.
   Policies with System Strategy in the Policy Type column are system permission policies. Each system policy supports the following actions:
   - Click duplicate to open the New permission Strategy panel and create a modified copy.
   - Click view detail to open the view detail dialog box, then click copy to copy the policy JSON. Log on to the RAM console, create a RAM policy with the copied content, and attach it to a RAM user. For details, see Replace EDAS-defined permissions with RAM policies.
For the complete JSON of each system policy, see System policy JSON reference.
Create a custom permission policy
Create a custom policy when no system policy covers the exact permissions you need. The following example grants a RAM user these permissions in the China (Beijing) region:
- View the test microservice namespace.
- View all clusters in the test microservice namespace.
- Full permissions on applications in the test microservice namespace, except for creating applications.

1. Log on to the EDAS console.
2. On the Permission Assistant page, click New permission Strategy.
3. In the New permission Strategy panel, enter the Name of strategy and note in the Create a new custom permission policy step.
4. Specify the effects of the custom permission policy and click next step.
   Important: A custom policy supports only one effect type per statement. Available types are Allow and Deny. If a policy contains both an Allow and a Deny statement for the same action, Deny takes precedence.
5. Add an Allow statement for the view and application permissions. In the Create a new custom permission policy step, click New permission statement. In the Add authorization statement panel, configure the following settings and click yes.
   - Set Permissions for to Allow.
   - In the Operations and resource authorization section, choose on the left. Select China North 2 (Beijing) and test from the drop-down lists on the right.
   - Choose Clusters > View Cluster on the left. Select China North 2 (Beijing), test, and All Clusters from the drop-down lists on the right.
   - Select Applications on the left. Select China North 2 (Beijing) and test from the drop-down lists on the right. Selecting Applications grants all application permissions.
6. Add a Deny statement to block application creation. In the Create a new custom permission policy step, click New permission statement. In the Add authorization statement panel, configure the following settings and click yes.
   - Set Permissions for to Deny.
   - In the Operations and resource authorization section, choose on the left. Select China North 2 (Beijing) and test from the drop-down lists on the right.
7. In the Strategy to preview step, confirm the policy and click Finish.
   After you see the "New policy authorization succeeded" message, click Return to list view to go back to the Permission Assistant page.
Apply the policy to a RAM user
Find the custom policy on the Permission Assistant page and click view detail. In the view detail dialog box, click copy to copy the policy JSON. Log on to the RAM console, create a RAM policy with the copied content, and attach it to a RAM user. For details, see Replace EDAS-defined permissions with RAM policies.
RAM policy structure reference
Each policy generated by the permission assistant uses the following JSON structure:
| Field | Type | Description |
|---|---|---|
| Version | String | Policy version. Always "1". |
| Statement | Array | One or more permission statements. Each statement defines an effect, a set of actions, and the target resources. |
| Effect | String | "Allow" or "Deny". When both exist for the same action, Deny takes precedence. |
| Action | String[] | EDAS API actions. Use a wildcard (*) prefix to match all operations on a resource type, for example edas:*Application matches edas:CreateApplication, edas:ReadApplication, and all other application actions. |
| Resource | String[] | Alibaba Cloud Resource Names (ARNs) that the statement applies to. |
EDAS resource ARN format
ARNs follow this pattern:

```
acs:edas:<region>:<account-id>:<resource-path>
```

| ARN pattern | Scope |
|---|---|
| acs:edas:*:*:namespace/* | All namespaces in all regions |
| acs:edas:*:*:namespace/*/cluster/* | All clusters across all namespaces |
| acs:edas:*:*:namespace/*/application/* | All applications across all namespaces |
| acs:edas:*:*:* | All EDAS resources |

Use * in the region and account ID fields to match all regions and accounts.
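The following Python script is an added example, not part of the EDAS documentation or of the permission assistant itself. It implements the two rules this reference states (a * in an Action or Resource string matches any run of characters, and a matching Deny wins over any Allow for the same action) so that a generated policy can be checked offline, against the intent it was written for, before it is created in the RAM console. The region id cn-beijing, the resource path namespace/test, the use of * in the account ID field and the sample account ID are assumptions; the page only shows wildcard resource paths. The App Operator policy embedded in the script is transcribed from the System policy JSON reference on this page.

```python
"""Offline evaluator for RAM policy JSON in the shape the EDAS permission
assistant generates. Added example; not the documentation's or EDAS's own code."""
import re


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (':' and '/' included); everything
    else is literal. Matching is case-sensitive here; the real RAM engine's
    case handling is not assumed."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    """Action and Resource may be a single string or an array in RAM JSON."""
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one action on one ARN: 'Deny', 'Allow' or 'ImplicitDeny'.
    Any matching Deny statement wins regardless of its position; otherwise a
    matching Allow grants; no matching statement at all is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def audit(policy: dict, expectations: dict) -> list:
    """Check a policy against intended decisions.
    expectations maps (action, resource) -> expected decision; the result lists
    (action, resource, expected, actual) for every mismatch, so an empty list
    means the JSON grants exactly what was intended and nothing more."""
    mismatches = []
    for (action, resource), expected in expectations.items():
        actual = evaluate(policy, action, resource)
        if actual != expected:
            mismatches.append((action, resource, expected, actual))
    return mismatches


# App Operator system policy, transcribed from this page's JSON reference.
APP_ARN = "acs:edas:*:*:namespace/*/application/*"
APP_OPERATOR = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["edas:*Application"], "Resource": [APP_ARN]},
        {"Effect": "Allow", "Action": ["edas:*Service"], "Resource": [APP_ARN]},
        {"Effect": "Allow", "Action": ["edas:ManageOperation"], "Resource": ["acs:edas:*:*:*"]},
        {"Effect": "Deny", "Action": ["edas:CreateApplication"], "Resource": [APP_ARN]},
    ],
}

# Constructed policy for the page's custom example: view the 'test' namespace
# and its clusters, every application action except creation. The region id
# 'cn-beijing', the path 'namespace/test' and '*' for the account ID are
# assumptions; the page only shows wildcard resource paths.
TEST_NS = "acs:edas:cn-beijing:*:namespace/test"
CUSTOM_TEST_NS = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["edas:ReadNamespace"], "Resource": [TEST_NS]},
        {"Effect": "Allow", "Action": ["edas:ReadCluster"], "Resource": [TEST_NS + "/cluster/*"]},
        {"Effect": "Allow", "Action": ["edas:*Application"], "Resource": [TEST_NS + "/application/*"]},
        {"Effect": "Deny", "Action": ["edas:CreateApplication"], "Resource": [TEST_NS + "/application/*"]},
    ],
}

# Constructed sample ARNs; the account ID is a placeholder value.
ACCOUNT = "123456789012"
TEST_APP = f"acs:edas:cn-beijing:{ACCOUNT}:namespace/test/application/demo"
PROD_APP = f"acs:edas:cn-beijing:{ACCOUNT}:namespace/prod/application/demo"
TEST_CLUSTER = f"acs:edas:cn-beijing:{ACCOUNT}:namespace/test/cluster/c1"

# Intent for the custom policy, written down independently of the JSON.
CUSTOM_INTENT = {
    ("edas:ReadNamespace", f"acs:edas:cn-beijing:{ACCOUNT}:namespace/test"): "Allow",
    ("edas:ReadCluster", TEST_CLUSTER): "Allow",
    ("edas:CreateCluster", TEST_CLUSTER): "ImplicitDeny",
    ("edas:ReadApplication", TEST_APP): "Allow",
    ("edas:DeleteApplication", TEST_APP): "Allow",
    ("edas:CreateApplication", TEST_APP): "Deny",
    ("edas:ReadApplication", PROD_APP): "ImplicitDeny",
}

if __name__ == "__main__":
    for name, policy in (("custom", CUSTOM_TEST_NS), ("App Operator", APP_OPERATOR)):
        print(name, "mismatches:", audit(policy, CUSTOM_INTENT) or "none")
```

Running the script audits the constructed custom policy against the intent listed above and reports no mismatches; auditing the App Operator system policy against the same intent reports the ways a broad system policy differs from a scoped custom one (no namespace or cluster visibility, and application access in every namespace rather than only test). Note also that the App Operator JSON on this page carries a Deny only for edas:CreateApplication, so a check that expects edas:DeleteApplication to be denied comes back as a mismatch; that is the kind of gap between a policy's description and its JSON that is worth catching before the policy is attached to a RAM user.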
System policy JSON reference
Super Admin
Full permissions on namespaces, clusters, applications, microservices, and configuration management.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Namespace"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Cluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Application"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Service"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ManageSystem",
        "edas:ManageOperation",
        "edas:ReadOperationLog"
      ],
      "Resource": [
        "acs:edas:*:*:*"
      ]
    }
  ]
}
```
App Admin
Full permissions on applications and microservices, full access to clusters.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Application"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Service"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadCluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    }
  ]
}
```
App Operator
Full permissions on applications except creation and deletion, full permissions on microservices, and the edas:ManageOperation permission. A Deny statement explicitly blocks edas:CreateApplication.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Application"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Service"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ManageOperation"
      ],
      "Resource": [
        "acs:edas:*:*:*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "edas:CreateApplication"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    }
  ]
}
```
App Browser
Read-only access to applications and microservices.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadApplication"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadService"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    }
  ]
}
```
Resource Admin
Full permissions on namespaces and clusters.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Namespace"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Cluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    }
  ]
}
```
Resource Operator
Full permissions on namespaces and clusters, except creation. Deny statements explicitly block edas:CreateNamespace and edas:CreateCluster.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Namespace"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:*Cluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "edas:CreateNamespace"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "edas:CreateCluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    }
  ]
}
```
Resource Browser
Read-only access to namespaces and clusters.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadNamespace"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadCluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    }
  ]
}
```
Edas Browser
Read-only access to all EDAS resources: namespaces, clusters, applications, microservices, configurations, and operation logs.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadNamespace"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadCluster"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/cluster/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadApplication"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadService"
      ],
      "Resource": [
        "acs:edas:*:*:namespace/*/application/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadOperationLog"
      ],
      "Resource": [
        "acs:edas:*:*:*"
      ]
    }
  ]
}
```