SchedulerX allows you to use Resource Access Management (RAM) to grant permissions to multiple users and user groups at a time. RAM provides fine-grained permission management, which allows you to grant permissions based on the principle of least privilege. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with other users and effectively reduces security risks. This topic describes how to grant RAM users the permissions to perform specific operations.
Background information
You can attach two types of RAM policies that define permissions on SchedulerX to RAM users for quick permission authorization. The effective scopes of the two types of RAM policies are different. You can attach the RAM policies based on your business requirements. If you want to grant permissions to RAM users in a more fine-grained manner, you can create custom RAM policies. For more information, see the "Sample custom policies" section of this topic.
Grant RAM users the permissions to create resources
By default, a RAM user does not have the permissions to create, view, or manage resources in SchedulerX. You can grant a RAM user the permissions to create resources. By default, all resources created by the RAM user can be read and written by the RAM user.
Procedure:
Log on to the RAM console.
Create a custom policy. For more information, see Create custom policies. The following sample code provides an example of a custom RAM policy that grants a RAM user or user group the permissions to create namespaces and instance groups in the namespaces. A RAM user has access permissions only to the instance groups that the RAM user created. If a RAM user needs access to instance groups and resources created by another RAM user, you must create a custom policy that grants that access and attach it to the RAM user. For more information, see the "Sample custom policies" section of this topic.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:CreateSchedulerxNamespace*", "edas:CreateSchedulerxAppGroup*"],
"Effect": "Allow",
"Resource": "acs:edas:*:*:*"
}
]
}
Optional. Create a RAM user or user group. For more information, see Create a RAM user or Create a RAM user group. If a RAM user or user group exists, you can skip this step.
Attach the custom policy created in Step 2 to a single RAM user. For more information, see Grant permissions to a RAM user.
Attach the custom policy created in Step 2 to a user group and add RAM users to the user group.
Attach the policy to the user group. For more information, see Grant permissions to a RAM user group.
Add RAM users to the user group. For more information, see the "Method 2: Add a RAM user to a RAM user group on the Groups page" section of the Add a RAM user to a RAM user group topic.
Create resources as an administrator and grant permissions to RAM users
In most cases, only the O&M personnel of software projects have the permissions to create resources. The development personnel have only the read and management permissions. You can create an administrator role for the O&M personnel to grant them the permissions to manage all resources in SchedulerX. Then, the administrator can create namespaces and instance groups. If RAM users want to access the namespaces and instance groups, the administrator creates policies that define the access permissions to the namespaces and instance groups and attaches the policies to the RAM users.
Procedure:
Log on to the RAM console.
Create a custom policy. For more information, see Create custom policies. The following sample code provides an example of a custom RAM policy that grants a RAM user or user group the administrator permissions on SchedulerX. A RAM user or user group to which this policy is attached can manage all resources in SchedulerX.
{
"Statement": [
{
"Action": "edas:*Schedulerx*",
"Effect": "Allow",
"Resource": [
"acs:edas:*:*:*"
]
}
],
"Version": "1"
}
Optional. Create a RAM user or user group. For more information, see Create a RAM user or Create a RAM user group. If a RAM user or user group exists, you can skip this step.
Attach the custom policy created in Step 2 to a single RAM user. For more information, see Grant permissions to a RAM user.
Attach the custom policy created in Step 2 to a user group and add RAM users to the user group.
Attach the policy to the user group. For more information, see Grant permissions to a RAM user group.
Add RAM users to the user group. For more information, see the "Method 2: Add a RAM user to a RAM user group on the Groups page" section of the Add a RAM user to a RAM user group topic.
SchedulerX permissions
By default, an Alibaba Cloud account has the permissions to manage all resources within the account. We recommend that you use RAM to grant specific permissions to different users. SchedulerX allows you to attach a policy to multiple RAM users or user groups at a time. This way, you do not need to grant permissions to users one by one. The following table describes the shared system policies supported by SchedulerX.
System policy | Description |
AliyunEDASFullAccess | Provides the permissions to manage Enterprise Distributed Application Service (EDAS) resources. |
The following sample code provides an example of a custom RAM policy that contains the Action and Resource elements. You can create a custom policy based on the rules that are defined by SchedulerX.
Principal structure
{
"Statement": [
{
"Action": "edas:*", // The actions that are allowed. For information about how to configure the Action element, see the "Action" section of this topic.
"Effect": "Allow",
"Resource": "*" // The resources that can be accessed. For information about how to configure the Resource element, see the "Resource" section of this topic.
}
],
"Version": "1"
}
Action
SchedulerX defines the Action element in the following structure:
edas:${type}Schedulerx*
${type}: The valid values of the ${type} parameter are Read, Manage, Delete, and Create. The following table lists the valid values and describes the operations related to each value.
Valid value | Operation |
Create | Create namespaces, applications, jobs, and workflows. |
Manage | |
Delete | Delete namespaces, instance groups, jobs, and workflows. |
Read | Query instance groups, jobs, job instances, workflows, and online instances. |
Resource
SchedulerX defines the Resource element in the following structure:
acs:edas:${regionid}:${accountid}:namespace/${namespace_id}/${resourceType}/${resourceId}
Parameter | Description |
${regionid} | The region in which the resource that you want to access is deployed. If you want to use the default setting, enter an asterisk (*). |
${accountid} | The Alibaba Cloud account to which the resource that you want to access belongs. If you want to use the default setting, enter an asterisk (*). |
${namespace_id} | The ID of the namespace to which the resource that you want to access belongs. |
${resourceType} | The type of the resource that you want to access. A value of JobGroup specifies a job group in SchedulerX. Jobs are grouped by application. |
${resourceId} | The ID of the resource that you want to access. If you set the To obtain the value of the |
Sample custom policies
Grant RAM users the management permissions on all resources
The RAM users that have the management permissions on SchedulerX can perform all operations on all resources in SchedulerX. Sample policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"edas:*Schedulerx*"
],
"Resource": [
"acs:edas:*:*:*"
]
}
]
}
Grant RAM users the read-only permissions on all resources
The RAM users that have the read-only permissions on SchedulerX can query all resources in SchedulerX. Sample policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"edas:ReadSchedulerx*"
],
"Resource": [
"acs:edas:*:*:*"
]
}
]
}
Grant RAM users the management permissions on specified namespaces
The following sample code provides an example of a custom RAM policy that defines the management permissions on application and job resources in specified namespaces. The IDs of the specified namespaces must be obtained from the Microservices Namespace page of the EDAS console. In this example, the specified namespaces are ID-01 and ID-02. RAM users to which this custom policy is attached can manage and schedule all resources in the specified namespaces. You can also modify the Action element to narrow the permissions on these resources. For example, if you set the Action element to edas:ReadSchedulerx*, the RAM users to which this custom policy is attached can only query resources in the specified namespaces.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"edas:*Schedulerx*"
],
"Resource": [
"acs:edas:*:*:namespace/Namespace ID-01/*",
"acs:edas:*:*:namespace/Namespace ID-02/*"
]
}
]
}
Grant RAM users the management permissions on specified applications
The following sample code provides an example of a custom RAM policy that defines the management permissions on specific applications. The Resource element specifies the IDs of the applications whose management permissions you want to grant to RAM users. You can also include an asterisk (*) in the Resource element to grant the management permissions on multiple applications to RAM users at a time. For example, if you include TestGroup* in the Resource element of a custom policy, the custom policy defines the management permissions on all applications that are prefixed with TestGroup in the specified namespace.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"edas:*Schedulerx*"
],
"Resource": [
"acs:edas:*:*:namespace/Namespace ID-01/JobGroup/TestGroup*",
"acs:edas:*:*:namespace/Namespace ID-02/JobGroup/AppGroup"
]
}
]
}
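To check how the Action wildcards and Resource patterns described on this page scope a policy, here is an added Python example (not part of the SchedulerX documentation or of any Alibaba Cloud SDK) that evaluates the namespace-scoped, read-only and application-prefix policy shapes from this topic against constructed action names and resource strings. The namespace IDs, account ID, group names and action names such as edas:ReadSchedulerxJob are placeholders, and the matcher models only Allow statements, without Deny or Condition elements.

```python
import re

# Constructed sample policies mirroring the shapes shown on this page.
# Namespace IDs (ID-01, ID-02) and group names are placeholders.
NAMESPACE_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["edas:*Schedulerx*"],
    "Resource": ["acs:edas:*:*:namespace/ID-01/*",
                 "acs:edas:*:*:namespace/ID-02/*"]}]}
READ_ONLY_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["edas:ReadSchedulerx*"], "Resource": ["acs:edas:*:*:*"]}]}
APP_PREFIX_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "edas:*Schedulerx*",
    "Resource": "acs:edas:*:*:namespace/ID-01/JobGroup/TestGroup*"}]}


def resource_arn(region, account, namespace_id, resource_type, resource_id):
    """Build a Resource string in the structure this page defines:
    acs:edas:${regionid}:${accountid}:namespace/${namespace_id}/${resourceType}/${resourceId}"""
    return (f"acs:edas:{region}:{account}:namespace/"
            f"{namespace_id}/{resource_type}/{resource_id}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # '*' matches any run of characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """True if an Allow statement matches both the action and the resource.
    Assumption of this example: no Deny statements or Condition elements,
    which the real RAM evaluation would also take into account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_match(a, action) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False


if __name__ == "__main__":
    job = resource_arn("cn-hangzhou", "123456789012", "ID-01", "JobGroup", "TestGroup-A")
    for name, policy in [("namespace", NAMESPACE_POLICY), ("read-only", READ_ONLY_POLICY),
                         ("app-prefix", APP_PREFIX_POLICY)]:
        print(name, "create job:", is_allowed(policy, "edas:CreateSchedulerxJob", job),
              "read job:", is_allowed(policy, "edas:ReadSchedulerxJob", job))
```

Running the matcher over a candidate policy before attaching it is a quick way to confirm that a namespace- or prefix-scoped policy withholds access to resources outside its scope.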