Prerequisites
An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one first. For more information, see Create an Alibaba Cloud account.
A Resource Access Management (RAM) user is created. If you do not have a RAM user, create one first. For more information, see Create a RAM user.
Procedure
Grant the RAM user the permission to log on to the Mobile PaaS (mPaaS) console.
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to grant the permission to log on to the mPaaS console. Click Add Permissions in the Actions column.
In the Add Permissions panel, search for the AliyunMPAASFullAccess permission in the Select Policy section, click the permission, and then click OK. Now, you have granted the RAM user the permission to log on to the mPaaS console. The RAM user can access all the apps that are created with the Alibaba Cloud account. If you do not need to implement resource isolation for the RAM user, skip the following steps.
Add a policy to implement resource isolation for the RAM user.
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, set the Name and Note parameters.
Click the JSON tab.
Note: Visual configuration is not supported in mPaaS. In other words, policies created on the Visual Editor Beta tab are not supported in mPaaS.
Edit the content of the policy. You can start from one of the following samples: the RAM policy for accessing a specified app or the RAM policy for accessing all mPaaS apps. If you use the RAM policy for accessing a specified app, you must replace the app ID in the policy with the app ID of the specified app. To apply the policy to multiple apps, list the app IDs in the acs:appid array, separated by commas (,).
RAM policy for accessing a specified app
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mpaas:FilterApp"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringNotEquals": {
          "acs:appid": [
            "ONEXCBAD96A290957",
            "..."
          ]
        }
      }
    },
    {
      "Action": [
        "mpaas:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
RAM policy for accessing all mPaaS apps
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mpaas:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Click OK.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to grant the permission to log on to the mPaaS console. Click Add Permissions in the Actions column.
In the Add Permissions panel, search for the custom policy that you created in the preceding steps, click the policy, and then click OK. Now, you have added the policy to implement resource isolation for the RAM user.
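The two sample policies in the policy-editing step differ only in the Deny statement on mpaas:FilterApp, so a custom policy can be generated from an app ID list and audited for whether that statement is present. The following Python sketch is an added example, not part of the original documentation or any Alibaba Cloud tool; the function names and the sample app IDs are assumptions constructed for illustration.

```python
import json

def build_isolation_policy(app_ids):
    """Build the page's 'specified app' policy for the given app IDs."""
    ids = sorted({a.strip() for a in app_ids if a and a.strip()})
    if not ids:
        # An empty list would leave no app for the RAM user to work with.
        raise ValueError("at least one app ID is required")
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": ["mpaas:FilterApp"],
                "Resource": "*",
                "Effect": "Deny",
                "Condition": {"StringNotEquals": {"acs:appid": ids}},
            },
            {"Action": ["mpaas:*"], "Resource": "*", "Effect": "Allow"},
        ],
    }

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def isolated_app_ids(policy):
    """Return the app IDs listed in the Deny mpaas:FilterApp condition,
    or None if the policy has no such statement (as in the all-apps sample)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "mpaas:FilterApp" not in _as_list(stmt.get("Action", [])):
            continue
        ids = stmt.get("Condition", {}).get("StringNotEquals", {}).get("acs:appid")
        if ids:
            return set(_as_list(ids))
    return None

# Constructed sample values, not real app IDs.
SAMPLE_IDS = ["APPID_EXAMPLE_A", "APPID_EXAMPLE_B"]
ALL_APPS_POLICY = {"Version": "1", "Statement": [
    {"Action": ["mpaas:*"], "Resource": "*", "Effect": "Allow"}]}

if __name__ == "__main__":
    policy = build_isolation_policy(SAMPLE_IDS)
    print(json.dumps(policy, indent=2))  # paste into the JSON tab
    print("isolated to:", isolated_app_ids(policy))
    print("all-apps sample isolated to:", isolated_app_ids(ALL_APPS_POLICY))
```

A result of None from isolated_app_ids marks a policy that, like the all-apps sample, places no app restriction on the RAM user.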