
Tablestore:Access control overview

Last Updated:Jan 15, 2024

Tablestore allows you to use Resource Access Management (RAM) policies, control policies, network access control lists (ACLs), and instance policies to control access to Tablestore resources.

Access control methods

The following access control methods are supported by Tablestore: RAM policies, control policies, network ACLs, and instance policies. You can use multiple access control methods in combination based on your needs.

  • The RAM Policy feature provided by RAM allows you to manage your users such as employees, systems, and applications in a centralized manner and control their access to cloud resources.

  • The Control Policy feature provided by the Resource Directory service of Resource Management allows you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner.

  • The Network ACL feature provided by Tablestore allows you to restrict the types of networks from which users can access a Tablestore instance.

  • The Instance Policy feature provided by Tablestore allows you to restrict the access sources of a Tablestore instance.

Usage notes

The following table describes the functionality and applicable scenarios of different access control methods.

RAM Policy

  Applicable scenario: Manage the permissions and temporary access permissions of the RAM users under an Alibaba Cloud account.

  Service: RAM

  Intended user: You want to grant permissions to a RAM user and use Tablestore as that RAM user, or you want to access Tablestore by using temporary access tokens. For more information, see Use a RAM policy to grant permissions to a RAM user.

  Usage notes:

    • Grant the same permissions to different RAM users under the same Alibaba Cloud account.

    • Grant the same permissions on all Tablestore resources or on multiple Tablestore instances.

    • Specify the conditions that must be met for a policy to take effect. For example, restrict the IP addresses, protocols, and TLS versions that a client can use to access Tablestore resources, and the time when users can access Tablestore resources.

    • Grant temporary access permissions on Tablestore resources.

Control Policy

  Applicable scenario: Manage the security policies for the Alibaba Cloud accounts of different departments in an enterprise in a centralized manner. The Control Policy feature does not grant permissions; it only denies access.

  Service: Resource Management

  Intended user: You have multiple Alibaba Cloud accounts for your enterprise and want to manage the permissions of these accounts in a centralized manner. For more information, see Use a custom access control policy to define the permission boundaries of enterprise users.

  Usage notes:

    • Restrict the TLS versions that can be used to access Tablestore.

    • Allow users to create only Tablestore instances that do not support public access.

Network ACL

  Applicable scenario: Control the network access to a Tablestore instance under an Alibaba Cloud account.

  Service: Tablestore

  Intended user: You want to restrict the types of networks or the sources from which users can access the resources of a Tablestore instance. For more information, see Network ACL.

  Usage notes:

    • Specify whether users can use the Tablestore console to access the resources of a Tablestore instance.

    • Specify the types of networks that users can use to access a Tablestore instance.

Instance Policy

  Applicable scenario: Grant fine-grained permissions on API operations on a Tablestore instance under an Alibaba Cloud account.

  Service: Tablestore

  Intended user: You want to restrict the access sources of the resources of a Tablestore instance. For more information, see Use instance policies to restrict the access sources of an instance.

  Usage notes:

    • Restrict the access sources of a Tablestore instance, including the IP addresses, networks, and TLS versions that users can use to access the instance.

Permission validation rules

If you configure a RAM policy, a control policy, a network ACL, and an instance policy to control the access of RAM users to a Tablestore instance, a RAM user is considered to have the permissions to perform a specific operation on the instance only if all of the following rules are satisfied:

  1. The control policy allows the operation.

  2. The instance policy or RAM policy allows the operation.

    If the instance policy or the RAM policy contains statements that both allow and deny the operation, the Deny statement takes precedence and the operation is denied. In this case, the RAM user does not have the permissions to perform the operation.
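The following is an added example, not code from the Tablestore documentation: a simplified Python model of the validation order described above (control policy first, then RAM policy or instance policy, with any Deny winning). The policy statements, action names and resource strings are constructed for the illustration and follow an assumed ots:<Operation> / acs:ots:... style; the network ACL is not modelled.

```python
import fnmatch

# Constructed sample policies (illustration only, not the documentation's own).
# Action names follow an assumed ots:<Operation> style and resources an assumed
# acs:ots:<region>:<account>:instance/<name>/... style.
CONTROL_POLICY = [  # control policies only deny; this one blocks deleting any instance
    {"Effect": "Deny", "Action": ["ots:DeleteInstance"], "Resource": ["*"]},
]
RAM_POLICY = [
    {"Effect": "Allow", "Action": ["ots:GetRow", "ots:BatchGetRow", "ots:PutRow"],
     "Resource": ["acs:ots:*:*:instance/orders/*"]},
    {"Effect": "Allow", "Action": ["ots:DeleteInstance"], "Resource": ["acs:ots:*:*:instance/orders"]},
]
INSTANCE_POLICY = [  # the instance owner forbids writes to the audit table
    {"Effect": "Deny", "Action": ["ots:PutRow"], "Resource": ["acs:ots:*:*:instance/orders/table/audit"]},
]

def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns (glob-style) cover the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in statement["Action"])
            and any(fnmatch.fnmatchcase(resource, r) for r in statement["Resource"]))

def _evaluate(statements, action, resource):
    """Return 'Deny', 'Allow' or None for one policy; an explicit Deny beats an Allow."""
    effects = {s["Effect"] for s in statements if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_permitted(control_policy, ram_policy, instance_policy, action, resource):
    """Apply the validation rules: the control policy must not deny the operation,
    then the RAM policy or the instance policy must allow it, and a Deny in either
    of those two rejects it regardless of an Allow in the other."""
    if _evaluate(control_policy, action, resource) == "Deny":  # rule 1
        return False
    results = {_evaluate(ram_policy, action, resource),
               _evaluate(instance_policy, action, resource)}   # rule 2
    if "Deny" in results:
        return False
    return "Allow" in results

if __name__ == "__main__":
    res = "acs:ots:cn-hangzhou:123456:instance/orders/table/audit"
    for act in ("ots:GetRow", "ots:PutRow", "ots:DeleteInstance"):
        print(act, is_permitted(CONTROL_POLICY, RAM_POLICY, INSTANCE_POLICY, act, res))
```

Note that GetRow on the audit table passes (RAM Allow, no Deny), PutRow on it fails even though the RAM policy allows it (instance Deny), and DeleteInstance fails despite the RAM Allow because the control policy denies it first.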