Tablestore allows you to use Resource Access Management (RAM) policies, control policies, network access control lists (ACLs), and instance policies to control access to Tablestore resources.
Access control methods
The following access control methods are supported by Tablestore: RAM policies, control policies, network ACLs, and instance policies. You can use multiple access control methods in combination based on your needs.
The RAM Policy feature provided by RAM allows you to manage your users such as employees, systems, and applications in a centralized manner and control their access to cloud resources.
The Control Policy feature provided by the Resource Directory service of Resource Management allows you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner.
The Network ACL feature provided by Tablestore allows you to restrict the types of networks from which users can access a Tablestore instance.
The Instance Policy feature provided by Tablestore allows you to grant fine-grained permissions on API operations on a Tablestore instance and to restrict the access sources of the instance, including the IP addresses, networks, and TLS versions that users can use to access it.
Usage notes
The following table describes the functionality and applicable scenarios of different access control methods.
| Access control method | Applicable scenario | Service | Intended user | Usage note |
| --- | --- | --- | --- | --- |
| RAM policy | Manage the permissions and temporary access permissions of the RAM users under an Alibaba Cloud account. | RAM | You want to grant permissions to a RAM user and use Tablestore as the RAM user, or you want to access Tablestore by using temporary access tokens. For more information, see Use a RAM policy to grant permissions to a RAM user. | None |
| Control policy | Manage the security policies for the Alibaba Cloud accounts of different departments in an enterprise in a centralized manner. A control policy does not grant permissions; it only denies access. | Resource Management | You have multiple Alibaba Cloud accounts for your enterprise and want to manage the permissions of these accounts in a centralized manner. For more information, see Use a custom access control policy to define the permission boundaries of enterprise users. | None |
| Network ACL | Control the network access to a Tablestore instance under an Alibaba Cloud account. | Tablestore | You want to restrict the types of networks or sources from which users can access the resources of a Tablestore instance. For more information, see Network ACL. | None |
| Instance policy | Grant fine-grained permissions on API operations on a Tablestore instance under an Alibaba Cloud account. | Tablestore | You want to restrict the access sources of the resources of a Tablestore instance. For more information, see Use instance policies to restrict the access sources of an instance. | Restrict the access sources of a Tablestore instance, including the IP addresses, networks, and TLS versions that users can use to access the instance. |
Permission validation rules
If a RAM policy, a control policy, a network ACL, and an instance policy are all configured to control the access of RAM users to a Tablestore instance, a RAM user is considered to have the permissions to perform a specific operation on the instance only if all of the following conditions are met:
The control policy allows the operation. Because a control policy can only deny access and never grants permissions, this means that no control policy explicitly denies the operation.
The instance policy or the RAM policy explicitly allows the operation. If neither policy allows it, the operation is denied by default.
No instance policy or RAM policy explicitly denies the operation. If the instance policy or RAM policy both allows and denies the operation, the explicit deny takes precedence, the operation is denied, and the RAM user does not have the permissions to perform the operation.
In addition, because the network ACL restricts the types of networks from which the instance can be accessed, a request that arrives from a network type that the network ACL does not permit is rejected regardless of what the policies allow.
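The decision procedure described by these rules, written out as an added example. This is illustrative code and not Tablestore's or RAM's own evaluation engine; it assumes a simplified subset of the RAM and instance policy JSON format (Effect, Action, Resource, and an optional IpAddress / NotIpAddress condition on the acs:SourceIp key), and every policy, action, resource name, and IP address below is constructed sample data. The instance policy in the sample denies all requests that do not originate from an assumed office range, which is how the "access source" restriction from the table interacts with a RAM policy that would otherwise allow the call.

```python
"""Decision procedure for the permission validation rules listed above.

Added example for illustration; not Tablestore's or RAM's evaluation engine.
Assumes a simplified subset of the RAM/instance policy format: Effect, Action,
Resource and an optional IpAddress / NotIpAddress condition on acs:SourceIp.
All policies and requests below are constructed sample data.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_condition_holds(condition, source_ip):
    """Evaluate the (assumed) IpAddress / NotIpAddress operators on acs:SourceIp."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = [ipaddress.ip_network(c, strict=False)
                 for c in _as_list(keys.get("acs:SourceIp", []))]
        in_range = any(ip in net for net in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def _statement_matches(stmt, action, resource, source_ip):
    """A statement applies when action, resource and condition all match."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    return _ip_condition_holds(stmt.get("Condition", {}), source_ip)


def evaluate_policy(policy, action, resource, source_ip):
    """Return 'Deny', 'Allow' or None for one policy document (explicit deny first)."""
    effects = {stmt["Effect"] for stmt in policy["Statement"]
               if _statement_matches(stmt, action, resource, source_ip)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def is_allowed(action, resource, source_ip, control_policies, ram_policies, instance_policies):
    """Apply the rules from the text, in order.

    1. Control policies never grant; any matching Deny rejects the request.
    2. A RAM policy or an instance policy must explicitly allow the operation.
    3. An explicit Deny in any RAM or instance policy overrides every Allow.
    """
    if any(evaluate_policy(p, action, resource, source_ip) == "Deny" for p in control_policies):
        return False
    decisions = [evaluate_policy(p, action, resource, source_ip)
                 for p in ram_policies + instance_policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


# Constructed sample data (assumed account ID, instance and table names).
TABLE = "acs:ots:cn-hangzhou:123456789012:instance/demo-inst/table/orders"

RAM_READ_WRITE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ots:GetRow", "ots:PutRow", "ots:DeleteTable"],
     "Resource": "acs:ots:*:*:instance/demo-inst/*"}]}

CONTROL_NO_DELETE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "ots:DeleteTable", "Resource": "*"}]}

# Instance policy: deny everything that does not come from the assumed office range.
INSTANCE_OFFICE_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "ots:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}}]}


def demo():
    """Run the cases the rules distinguish; returns the decision for each."""
    common = dict(control_policies=[CONTROL_NO_DELETE], ram_policies=[RAM_READ_WRITE],
                  instance_policies=[INSTANCE_OFFICE_ONLY])
    return {
        "read from office": is_allowed("ots:GetRow", TABLE, "10.0.0.8", **common),
        "read from internet": is_allowed("ots:GetRow", TABLE, "203.0.113.5", **common),
        "delete table from office": is_allowed("ots:DeleteTable", TABLE, "10.0.0.8", **common),
        "describe without any allow": is_allowed("ots:DescribeTable", TABLE, "10.0.0.8", **common),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'allowed' if decision else 'denied'}")
```

Only the first case is allowed: the read from the Internet is stopped by the instance policy's explicit deny even though the RAM policy allows it, the table deletion is stopped by the control policy before RAM and instance policies are consulted, and DescribeTable is denied because nothing allows it. The network ACL is not modelled here because it is a network-layer filter rather than a policy statement.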