ApsaraDB for MongoDB:How to grant permissions to a RAM user for ApsaraDB for MongoDB

Last Updated:Feb 28, 2026

Resource Access Management (RAM) provides fine-grained access control for ApsaraDB for MongoDB. Use RAM to grant specific management permissions to RAM users and enforce the principle of least privilege.

Note RAM controls cloud platform management operations such as creating or deleting instances. It does not control database-level access such as reading or writing data. To manage database-level access, configure users and roles within MongoDB.

Prerequisites

Before you begin, make sure that you have:

  • An Alibaba Cloud account with RAM administrator privileges

  • A RAM user created in the RAM console. For more information, see Create a RAM user.

Grant permissions to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

     Tip: To grant permissions to multiple RAM users at once, select the RAM users and click Add Permissions at the bottom of the page.

  4. In the Grant Permission panel, configure the following parameters:

    Important

    If you select Resource Group for Resource Scope, make sure that ApsaraDB for MongoDB supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

    Note The system automatically identifies high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching high-risk policies unless absolutely necessary.
    | Parameter | Description |
    |---|---|
    | Resource Scope | Account: The policy takes effect on the current Alibaba Cloud account. Resource Group: The policy takes effect on a specific resource group. |
    | Principal | The RAM user to which permissions are granted. The current RAM user is selected by default. |
    | Policy | The policy to attach. Select one or more system policies or custom policies. |

  5. Click Grant permissions.

  6. Click Close.

System policies

ApsaraDB for MongoDB provides two system policies:

| Policy | Type | Description |
|---|---|---|
| AliyunMongoDBFullAccess | Full access | Grants full management permissions on all ApsaraDB for MongoDB resources. |
| AliyunMongoDBReadOnlyAccess | Read-only | Grants read-only permissions on ApsaraDB for MongoDB resources. Limited to Describe* operations. |

Use AliyunMongoDBFullAccess for administrators who manage instances. Use AliyunMongoDBReadOnlyAccess for users who only need to view instance information, monitoring data, or backup status.

Custom policies

Custom policies provide fine-grained access control over specific API operations and instances. For the full syntax reference, see Policy structure and syntax.

Resource description format

Specify resources in the Resource element using the following format:

acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid

| Variable | Description | Example |
|---|---|---|
| $regionid | Region ID of the instance. Use * for all regions. | cn-hangzhou, * |
| $accountid | Alibaba Cloud account ID. Use * for all accounts. | 1234567890, * |
| $dbinstanceid | Instance ID. Use * for all instances. | dds-bp1234567890, * |

Resource description examples:

| Target | Resource value |
|---|---|
| A specific instance in a specific region | acs:dds:cn-hangzhou:1234567890:dbinstance/dds-bp1234567890 |
| All instances in a specific region | acs:dds:cn-hangzhou:*:dbinstance/* |
| All instances across all regions | acs:dds:*:*:dbinstance/* |

Authorizable API operations

The following tables list all API operations that can be authorized through RAM.

Instance lifecycle

| Operation | Description |
|---|---|
| CreateDBInstance | Creates an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceSpec | Modifies the configurations of an ApsaraDB for MongoDB instance. |
| DeleteDBInstance | Deletes an ApsaraDB for MongoDB instance. |
| RestartDBInstance | Restarts an ApsaraDB for MongoDB instance. |
| RenewDBInstance | Renews an ApsaraDB for MongoDB instance. |

Instance information

| Operation | Description |
|---|---|
| DescribeDBInstances | Queries ApsaraDB for MongoDB instances. |
| DescribeDBInstanceAttribute | Queries the attributes of an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceDescription | Modifies the description of an ApsaraDB for MongoDB instance. |
| DescribeReplicaSetRole | Queries the primary/secondary attribute of an ApsaraDB for MongoDB instance. |
| DescribeDBInstancePerformance | Queries the performance metrics of an ApsaraDB for MongoDB instance. |

Security and access control

| Operation | Description |
|---|---|
| DescribeSecurityIps | Queries the whitelists of an ApsaraDB for MongoDB instance. |
| ModifySecurityIps | Modifies the whitelists of an ApsaraDB for MongoDB instance. |

Account management

| Operation | Description |
|---|---|
| DescribeAccounts | Queries the database accounts of an ApsaraDB for MongoDB instance. |
| ResetAccountPassword | Resets the account password for an ApsaraDB for MongoDB instance. |
| ModifyAccountDescription | Modifies the description of a database account on an ApsaraDB for MongoDB instance. |

Backup and restore

| Operation | Description |
|---|---|
| DescribeBackupPolicy | Queries the backup policy of an ApsaraDB for MongoDB instance. |
| ModifyBackupPolicy | Modifies the backup policy of an ApsaraDB for MongoDB instance. |
| CreateBackup | Creates a backup for an ApsaraDB for MongoDB instance. |
| RestoreDBInstance | Restores the data of an ApsaraDB for MongoDB instance. |

Network configuration

| Operation | Description |
|---|---|
| ModifyDBInstanceNetworkType | Modifies the network type of an ApsaraDB for MongoDB instance. |

Custom policy examples

Copy and modify the following JSON policies to match your requirements.

Example 1: Read-only access to a specific instance

Grant read-only access to a single instance. Replace the region ID, account ID, and instance ID with your actual values.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeDBInstancePerformance",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeSecurityIps",
        "dds:DescribeAccounts",
        "dds:DescribeBackupPolicy"
      ],
      "Resource": "acs:dds:cn-hangzhou:1234567890:dbinstance/dds-bp1234567890"
    }
  ]
}

Example 2: Backup management only

Allow a RAM user to manage backups without granting access to instance configuration or security settings.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dds:DescribeBackupPolicy",
        "dds:ModifyBackupPolicy",
        "dds:CreateBackup",
        "dds:RestoreDBInstance",
        "dds:DescribeDBInstances"
      ],
      "Resource": "acs:dds:*:*:dbinstance/*"
    }
  ]
}

Note dds:DescribeDBInstances is included so that the RAM user can list instances in the console and navigate to the backup settings.

Example 3: Full access in a specific region

Grant full management permissions on all ApsaraDB for MongoDB instances in the China (Hangzhou) region only.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dds:*",
      "Resource": "acs:dds:cn-hangzhou:*:dbinstance/*"
    }
  ]
}
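As an added example (not part of the Alibaba Cloud documentation), the following Python linter checks a custom policy against the resource format and the authorizable-operation tables above: it rejects dds:* and operations that are not authorizable through RAM, flags resources that are not restricted to a single instance, and, when a policy is meant to be read-only, flags any non-Describe action. The whitelist of operations and the sample backup policy are taken from this page; the function names are assumptions of this example.

```python
import json
import re

# Resource format from the page: acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
RESOURCE_RE = re.compile(
    r"^acs:dds:(?P<region>[^:]+):(?P<account>[^:]+):dbinstance/(?P<instance>[^/]+)$")

# Operations the page lists as authorizable through RAM (used with the "dds:" prefix).
AUTHORIZABLE = {
    "CreateDBInstance", "ModifyDBInstanceSpec", "DeleteDBInstance", "RestartDBInstance",
    "RenewDBInstance", "DescribeDBInstances", "DescribeDBInstanceAttribute",
    "ModifyDBInstanceDescription", "DescribeReplicaSetRole", "DescribeDBInstancePerformance",
    "DescribeSecurityIps", "ModifySecurityIps", "DescribeAccounts", "ResetAccountPassword",
    "ModifyAccountDescription", "DescribeBackupPolicy", "ModifyBackupPolicy", "CreateBackup",
    "RestoreDBInstance", "ModifyDBInstanceNetworkType",
}

# Constructed sample: the page's Example 2 (backup management on every instance).
BACKUP_POLICY = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow", "Action": [
    "dds:DescribeBackupPolicy", "dds:ModifyBackupPolicy", "dds:CreateBackup",
    "dds:RestoreDBInstance", "dds:DescribeDBInstances"], "Resource": "acs:dds:*:*:dbinstance/*"}]})

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def parse_resource(resource):
    # Returns {"region", "account", "instance"} (wildcards kept) or None when malformed.
    match = RESOURCE_RE.match(resource)
    return match.groupdict() if match else None

def lint_policy(policy_json, expect_read_only=False):
    # Returns a list of findings; an empty list means the policy passed every check.
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        for act in _as_list(stmt["Action"]):
            svc, _, op = act.partition(":")
            if act == "dds:*":
                findings.append("dds:* grants every operation; list only the needed ones")
            elif svc != "dds" or op not in AUTHORIZABLE:
                findings.append(f"not an ApsaraDB for MongoDB operation authorizable via RAM: {act}")
            elif expect_read_only and not op.startswith("Describe"):
                findings.append(f"non-Describe action in a read-only policy: {act}")
        for res in _as_list(stmt["Resource"]):
            parts = parse_resource(res)
            if parts is None:
                findings.append(f"malformed dds resource: {res}")
            elif parts["instance"] == "*":
                findings.append(f"resource is not restricted to an instance: {res}")
    return findings
```

Run `lint_policy(BACKUP_POLICY)` to see the single finding for the wildcard resource, and pass `expect_read_only=True` to also surface the Modify, Create and Restore actions.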

Core concepts

| Concept | Description |
|---|---|
| RAM user | An identity created under your Alibaba Cloud account. Each RAM user has its own credentials and can be granted specific permissions to manage ApsaraDB for MongoDB instances through the console or API. |
| System policy | A predefined policy created and maintained by Alibaba Cloud. System policies cannot be modified. |
| Custom policy | A user-defined policy for fine-grained access to specific operations or instances. You can create, update, and delete custom policies based on your requirements. |
| Resource scope | The boundary within which a policy takes effect. Permissions can apply to the entire Alibaba Cloud account or to a specific resource group. |

Best practices

  • Start with system policies. Use AliyunMongoDBFullAccess or AliyunMongoDBReadOnlyAccess for most scenarios. Create custom policies only when finer control is required.

  • Apply least-privilege access. Grant only the minimum permissions a RAM user needs. For example, a monitoring user needs only Describe* operations, not Modify* or Delete* operations.

  • Restrict resources by instance. Use the resource description format to limit permissions to specific instances rather than granting access to all instances with a wildcard (*).

  • Separate duties. Assign different custom policies to different RAM users based on their roles. For example, separate backup operators from instance administrators.

  • Review permissions regularly. Audit RAM user permissions periodically and revoke permissions that are no longer needed.

  • Avoid high-risk policies. Do not attach AdministratorAccess or AliyunRAMFullAccess unless the RAM user requires broad access across all Alibaba Cloud services.
