OpenSearch: Create RAM users and grant permissions

Last Updated: Sep 02, 2024

To enable collaborative access to services within an enterprise without sharing the Alibaba Cloud account credentials, create multiple RAM users and assign them only the necessary permissions. This practice enhances security by reducing the risk associated with credential sharing.

Usage scenarios

The following two scenarios require creating RAM users and granting them the minimum permissions needed for business operations:

  • When RAM users call the search development console service via API/SDK, the RAM user's AccessKey pair is used to authenticate the caller's identity.

  • When RAM users use the search development console via OpenSearch, common scenarios include:

    • Granting RAM users the permission to manage API Keys.

      Important

      In the OpenSearch search development console, API Keys belong to individual workspaces. If a RAM user obtains an enabled API Key for a workspace and configures it in the code that calls the service, that code can call all services under the workspace via API/SDK without any separate RAM authorization.

    • Granting RAM users the permission to quickly experience services such as document parsing and slicing through the Experience Center.

    • Granting RAM users the permission to evaluate the effectiveness of the RAG chain via evaluation task management.

Permission policies

System permission policies

System permission policies are created and maintained by Alibaba Cloud: users can attach them but cannot modify them, and Alibaba Cloud publishes their version updates. The OpenSearch search development console provides the following two system permission policies:

  • AliyunOpenSearchFullAccess: Grants permission to manage the OpenSearch service. This policy includes every permission in the permission point list. Grant it to RAM users with caution.

  • AliyunOpenSearchReadOnlyAccess: Grants read-only access to the OpenSearch service. This policy includes all read control API permissions (List, Describe) and all permissions in the traffic API permission list, as detailed in the permission point list.

Custom permission policies

Create custom permission policies to achieve fine-grained permission management.

Permission point list

Control API permission list

| Operation category | API | RAM Action | Resource | Description |
| --- | --- | --- | --- | --- |
| Workspace | CreateWorkspace | searchplat:WriteWorkspace | workspaces/* | Create workspace |
| Workspace | UpdateWorkspace | searchplat:WriteWorkspace | workspaces/{workspaceName} | Update workspace |
| Workspace | GetWorkspace | searchplat:DescribeWorkspace | workspaces/{workspaceName} | Get workspace details |
| Workspace | ListWorkspaces | searchplat:ListWorkspaces | workspaces/* | Get workspace list |
| Access credentials | CreateCredentials | searchplat:WriteCredentials | workspaces/{workspaceName} | Create access credentials |
| Access credentials | DeleteCredentials | searchplat:WriteCredentials | workspaces/{workspaceName} | Delete access credentials |
| Access credentials | UpdateCredentials | searchplat:WriteCredentials | workspaces/{workspaceName} | Update access credentials |
| Access credentials | GetCredentials | searchplat:DescribeCredentials | workspaces/{workspaceName} | Get access credentials details |
| Access credentials | ListCredentials | searchplat:DescribeCredentials | workspaces/{workspaceName} | Get access credentials list |
| Calculate remaining free quota | GetMeasure | searchplat:DescribeMeasure | workspaces/{workspaceName} | Get remaining free service quota for the workspace |
| Experience data | CreateExperienceData | searchplat:WriteExperienceData | workspaces/{workspaceName} | Add experience data |
| Experience data | DeleteExperienceData | searchplat:WriteExperienceData | workspaces/{workspaceName} | Delete experience data |
| Experience data | GetExperienceData | searchplat:DescribeExperienceData | workspaces/{workspaceName} | Get experience data details |
| Experience data | ListExperienceData | searchplat:DescribeExperienceData | workspaces/{workspaceName} | Get experience data list |
| Asynchronous tasks | CreateAsyncTask | searchplat:WriteAsyncTask | workspaces/{workspaceName} | Create asynchronous task |
| Asynchronous tasks | GetAsyncTask | searchplat:DescribeAsyncTask | workspaces/{workspaceName} | Get asynchronous task details |
| Asynchronous tasks | ListAsyncTasks | searchplat:DescribeAsyncTask | workspaces/{workspaceName} | Get asynchronous task list |
| Effect evaluation | CreateRagEvaluatorTask | searchplat:WriteEvaluation | workspaces/{workspaceName} | Create evaluation task |
| Effect evaluation | GetRagEvaluatorTask | searchplat:DescribeEvaluation | workspaces/{workspaceName} | Get evaluation task details |
| Effect evaluation | ListRagEvaluatorTasks | searchplat:DescribeEvaluation | workspaces/{workspaceName} | Get evaluation task list |
| Effect evaluation | DeleteRagEvaluatorTask | searchplat:WriteEvaluation | workspaces/{workspaceName} | Delete evaluation task |

Note

When you first activate the OpenSearch search development console, the cloud account is given 100 free service calls. GetMeasure returns the remaining part of this quota for a workspace.

Traffic API permission list

| API | Action | Resource | Description |
| --- | --- | --- | --- |
| GetTextEmbedding | searchplat:GetTextEmbedding | workspaces/{workspaceName} | Word embedding service |
| GetTextSparseEmbedding | searchplat:GetTextSparseEmbedding | workspaces/{workspaceName} | Text sparse embedding service |
| CreateDocumentAnalyzeTask | searchplat:CreateDocumentAnalyzeTask | workspaces/{workspaceName} | Create asynchronous document parsing service request |
| DescribeDocumentAnalyzeTask | searchplat:DescribeDocumentAnalyzeTask | workspaces/{workspaceName} | Get asynchronous document parsing result service |
| GetDocumentAnalysis | searchplat:GetDocumentAnalysis | workspaces/{workspaceName} | Get synchronous document parsing result service |
| GetDocumentSplit | searchplat:GetDocumentSplit | workspaces/{workspaceName} | Document slicing service |
| GetDocumentRank | searchplat:GetDocumentRank | workspaces/{workspaceName} | Sorting service |
| GetTextGeneration | searchplat:GetTextGeneration | workspaces/{workspaceName} | Content generation large model service |
| GetImageAnalysis | searchplat:GetImageAnalysis | workspaces/{workspaceName} | Get synchronous image parsing result service |
| GetQueryAnalysis | searchplat:GetQueryAnalysis | workspaces/{workspaceName} | Query analysis service |

Steps

Step 1: Create RAM user

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:

  • A RAM user can be created by an Alibaba Cloud account. In this case, the RAM user belongs to the Alibaba Cloud account. A RAM user can also be created by a RAM user or a RAM role that has administrative rights. In this case, the RAM user belongs to the Alibaba Cloud account that creates the RAM user or the RAM role.

  • A RAM user does not own resources. Resource usage fees of the RAM user are billed to the Alibaba Cloud account to which the RAM user belongs. A RAM user does not receive individual bills and cannot make payments.

  • Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After RAM users are authorized, the RAM users can access resources that are owned by the Alibaba Cloud accounts.

  • RAM users have independent passwords or AccessKey pairs for logon.

  • An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.

For more information, see Create RAM user.

Step 2: Create custom permission policy

Following the common minimum permission combination examples below, select permission points from the permission point list and combine them into a least-privilege policy for your business. For more information on creating custom permission policies, see Create custom permission policy.

Step 3: Authorize RAM user

After you attach a RAM system policy or custom policy to a RAM user, the RAM user can access Alibaba Cloud resources with the permissions granted in that policy. Follow the principle of least privilege and grant RAM users only the permissions they need. For more information on authorization, see Authorize RAM user.

Note

Changes to a RAM user's permission configuration take effect after a 5-minute delay.

Common minimum permission combination examples

Example 1: Allow RAM users to view the workspace list, view the remaining free service quota, and call the document slicing service in the default space. The corresponding authorization policy is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "searchplat:ListWorkspaces",
            "Resource": "acs:searchplat:*:*:workspaces/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "searchplat:DescribeWorkspace",
                "searchplat:GetDocumentSplit",
                "searchplat:DescribeMeasure"
            ],
            "Resource": "acs:searchplat:*:*:workspaces/default"
        }
    ]
}

Example 2: Allow RAM users to view the workspace list, view the remaining free service quota, manage API Keys in the default space, and call the document slicing service.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "searchplat:ListWorkspaces"
            ],
            "Resource": "acs:searchplat:*:*:workspaces/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "searchplat:DescribeWorkspace",
                "searchplat:WriteCredentials",
                "searchplat:GetDocumentSplit",
                "searchplat:DescribeCredentials",
                "searchplat:DescribeMeasure"
            ],
            "Resource": "acs:searchplat:*:*:workspaces/default"
        }
    ]
}
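As an added illustration, not Alibaba Cloud's own code, the following Python snippet evaluates (action, resource) requests against Example 1 and Example 2 and flags the statements that grant searchplat:WriteCredentials, which matters because of the Important note on API Keys above. It reproduces the two page policies as fixtures, uses a constructed region and account ID in the resource ARN, and implements only the Allow/Deny wildcard-matching subset of RAM needed here.

```python
import fnmatch

# Example 1 and Example 2 policies from the page, reproduced as test fixtures.
EXAMPLE_1 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "searchplat:ListWorkspaces",
     "Resource": "acs:searchplat:*:*:workspaces/*"},
    {"Effect": "Allow", "Action": ["searchplat:DescribeWorkspace",
     "searchplat:GetDocumentSplit", "searchplat:DescribeMeasure"],
     "Resource": "acs:searchplat:*:*:workspaces/default"}]}
EXAMPLE_2 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["searchplat:ListWorkspaces"],
     "Resource": "acs:searchplat:*:*:workspaces/*"},
    {"Effect": "Allow", "Action": ["searchplat:DescribeWorkspace",
     "searchplat:WriteCredentials", "searchplat:GetDocumentSplit",
     "searchplat:DescribeCredentials", "searchplat:DescribeMeasure"],
     "Resource": "acs:searchplat:*:*:workspaces/default"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # RAM wildcard: '*' matches any run of characters, including ':' and '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) request against a policy document.
    Deny wins over Allow, as in RAM; no matching statement means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def api_key_minting_scope(policy):
    """Resources on which the policy allows searchplat:WriteCredentials.
    Per the Important note: a RAM user who can create an enabled API Key for a
    workspace can then call every traffic API of that workspace with the key,
    so RAM restrictions on the searchplat:Get* actions no longer bound them."""
    scope = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and _matches(stmt["Action"], "searchplat:WriteCredentials"):
            scope.extend(_as_list(stmt["Resource"]))
    return scope

if __name__ == "__main__":
    ws = "acs:searchplat:cn-hangzhou:123456789:workspaces/"  # constructed region/account
    print(is_allowed(EXAMPLE_1, "searchplat:GetDocumentSplit", ws + "default"))  # True
    print(is_allowed(EXAMPLE_1, "searchplat:GetDocumentSplit", ws + "prod"))     # False
    print(api_key_minting_scope(EXAMPLE_2))  # ['acs:searchplat:*:*:workspaces/default']
```

Example 1 only allows the traffic call in the default workspace; Example 2 additionally lets the user mint API Keys there, so the lint reports that resource.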