After you attach tags to your Server Migration Center (SMC) resources, you can use the tags to categorize and control access to the resources. This topic describes how to use tags to control the permissions of Resource Access Management (RAM) users and Security Token Service (STS) roles so that different users can be granted different access and operation permissions on cloud resources.
Prerequisites
A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Tags are used to identify and categorize cloud resources. RAM manages the access and operation permissions of RAM users on cloud resources based on permission policies. You can use tags as conditions in RAM policies to implement fine-grained access control on resources.
The following figure shows how to use tags to manage the access and operation permissions of RAM users on cloud resources. The process is called tag-based authentication.
You can attach tags to SMC resources such as migration sources and migration tasks. You can attach tags to migration sources only after they are created. For more information, see Use tags to manage migration sources and migration jobs.
Scenarios
The scenarios in this topic are used to describe how to perform tag-based authentication.
For example, you need to grant a RAM user the permissions only on the SMC resources to which the smc:test tag is bound, as shown in the following figure.
Scenarios:
Scenario 1: You can create migration tasks only if the smc:test tag is attached to the tasks.
Scenario 2: You can modify, delete, and attach tags only to the resources to which the smc:test tag is attached.
Step 1: Create a custom policy and attach the policy to the RAM user
In this step, a custom policy is created in the RAM console. You can also call the CreatePolicy operation to create a custom policy. For more information, see Configure the policy.
Use your Alibaba Cloud account to log on to the RAM console.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Configure the policy.
A policy contains a set of permissions. Each policy includes a version number and one or more individual statements. Each statement includes the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see Policy elements and Policy structure and syntax.
Modify the policy as needed and click OK.
You can configure multiple tag-based conditions for cloud resources in the Condition element of the custom policy to restrict operation permissions. The following table describes the supported tag-based authentication conditions.

Tag-based authentication condition | Description |
acs:RequestTag | Specifies that a specific tag must be included in each API request. If an API request does not include tag-related parameters, the acs:RequestTag condition cannot be used. Otherwise, the authentication fails. |
acs:ResourceTag | Specifies that a specific tag must be attached to the specified resource. If an API request does not include a resource ID, you cannot use the acs:ResourceTag condition. Otherwise, the authentication fails. |

Note: When you configure a policy, use the acs:RequestTag or acs:ResourceTag condition based on whether you need to specify the resource ID and whether tags can be included in the API request. For more information, see Tag-based authentication of requests to different API operations.

{
  "Statement": [
    {
      "Action": "smc:CreateReplicationJob",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/smc": "test"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "smc:*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/smc": "test"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "*:TagResources",
        "*:UntagResources"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Action": [
        "*:List*",
        "*:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
The preceding policy provides access control for the following scenarios. Each scenario can also be covered by the narrower policy shown with it.

Scenario 1: You can create migration tasks only if the smc:test tag is attached to the tasks. Policy:
{
  "Statement": [
    {
      "Action": "smc:CreateReplicationJob",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/smc": "test"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "*:List*",
        "*:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Scenario 2: You can modify and delete only the resources to which the smc:test tag is attached. Policy:
{
  "Statement": [
    {
      "Action": "smc:*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/smc": "test"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "*:TagResources",
        "*:UntagResources"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Action": [
        "*:List*",
        "*:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
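To see how the statements above interact, the following added example (not code from the SMC documentation or the RAM service) is a small simulator of RAM policy evaluation restricted to the StringEquals conditions on acs:RequestTag and acs:ResourceTag used on this page. It applies the simplified rule "explicit Deny wins, then Allow, otherwise implicit deny" to the full policy from this step; the action names and tag values are the page's own, and a request without tags or without a resource ID is modelled as an empty tag set so that the matching condition fails, as the table above describes.

```python
import fnmatch
import json

# The custom policy from this topic, embedded here as a constructed string.
POLICY = json.loads("""
{"Statement": [
  {"Action": "smc:CreateReplicationJob",
   "Condition": {"StringEquals": {"acs:RequestTag/smc": "test"}},
   "Effect": "Allow", "Resource": "*"},
  {"Action": "smc:*",
   "Condition": {"StringEquals": {"acs:ResourceTag/smc": "test"}},
   "Effect": "Allow", "Resource": "*"},
  {"Action": ["*:TagResources", "*:UntagResources"],
   "Effect": "Deny", "Resource": "*"},
  {"Action": ["*:List*", "*:Describe*"],
   "Effect": "Allow", "Resource": "*"}
 ], "Version": "1"}
""")


def condition_holds(condition, request_tags, resource_tags):
    """Evaluate the StringEquals tag conditions used on this page.

    A missing tag (a request without tag parameters, or a call without a
    resource ID) fails the condition, so the statement simply does not apply.
    """
    sources = {"acs:RequestTag": request_tags, "acs:ResourceTag": resource_tags}
    for key, expected in condition.get("StringEquals", {}).items():
        source, _, tag_key = key.partition("/")
        tags = sources.get(source)
        if tags is None or tags.get(tag_key) != expected:
            return False
    return True


def evaluate(policy, action, request_tags=None, resource_tags=None):
    """Simplified RAM decision: explicit Deny wins, then Allow, else implicit deny."""
    request_tags, resource_tags = request_tags or {}, resource_tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), request_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision
```

Running evaluate for smc:TagResources on a resource that carries smc:test shows why the explicit Deny statement matters: the smc:* Allow statement matches, but the Deny still wins.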
In the Create Policy dialog box, enter the name and description of the policy, and then click OK.
Attach the policy to the RAM user.
In the left-side navigation pane, choose .
Attach the policy to the RAM user.
For more information, see Grant permissions to a RAM user.
Step 2: Check whether the policy is in effect
Log on to the SMC console or OpenAPI Explorer as a RAM user.
In this step, the SMC console is used.
Check whether the policy is in effect.
Perform the following operations:
Create a migration task:
You can create a migration task for a migration source to which you attach the smc:test tag.
You cannot create a migration task for a migration source to which you do not attach the smc:test tag. You are prompted that you do not have the permission to create the migration task.
Delete a migration source:
You can delete a migration source to which you attach the smc:test tag.
You cannot delete a migration source to which you do not attach the smc:test tag. You are prompted that you do not have the permission to delete the migration source.
Tag-based authentication of requests to different API operations
After policies that contain tag-based conditions are attached to a RAM user, requests made by the RAM user to API operations are authenticated based on the tags specified in the policy conditions. The following table describes various cases in which requests to different API operations are authenticated based on tags.
API operation | Authentication description |
CreateReplicationJob | You do not need to specify the resource ID in a request. The request is matched against the |
ModifyReplicationJobAttribute | You must specify the resource ID in a request. The request is matched against the |
StartReplicationJob, StopReplicationJob, and DeleteSourceServer | You must specify the resource ID in a request. The request is matched against the |