
Tablestore:Use a custom access control policy to define the permission boundaries of enterprise users

Last Updated:Jan 15, 2024

If you want to manage the permissions of enterprise members in a centralized manner, you can enable the Resource Directory service. After the Resource Directory service is enabled, you can configure custom access control policies to define the permission boundaries of enterprise members in a resource directory.

Background information

You can use the Resource Directory service of Resource Management to establish an organizational structure based on your business requirements and consolidate your enterprise accounts into this structure. This way, you can establish a hierarchy for the resources of your enterprise, which facilitates centralized management of enterprise accounts and resources. For more information, see Resource Directory overview.

You can use resource directory control policies to manage permission boundaries for resources at different levels in resource directories in a centralized manner. This allows you to establish global or local access control rules.

A resource directory control policy is an access control policy based on the structure of resources, such as folders and members. Access control policies do not grant permissions but only define permission boundaries. Before you use an account that is a member of your resource directory to access resources, you must grant the required permissions to the account by using the Resource Access Management (RAM) service. For more information, see Overview.

To manage permission boundaries for Tablestore access, you can use custom access control policies to restrict the TLS versions that users can use to access Tablestore and to restrict users to creating only Tablestore instances that do not support public access.

Prerequisites

The Resource Directory service is enabled. An organizational structure is built. Enterprise members are added to a resource directory. To do so, perform the following steps:

  1. After you receive the invitation to use Resource Directory, use an Alibaba Cloud account that has passed enterprise real-name verification to enable a resource directory. For more information, see Enable a resource directory.

    Important

    An account that has passed only individual real-name verification cannot be used to enable a resource directory.

  2. Create folders based on the organizational structure of your enterprise. For more information, see Create a folder.

  3. Create members or invite existing Alibaba Cloud accounts to your resource directory. Move the members to the folders in your resource directory. For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.

Procedure

You can use custom access control policies to manage the access permissions of enterprise members in a resource directory on Tablestore resources.

  1. Use a management account to enable the Control Policy feature. For more information, see Enable the Control Policy feature.

  2. Use the management account to create a custom access control policy on the JSON tab. For more information, see the "Create a custom access control policy on the JSON tab" section of the Create a custom access control policy topic.

    For more information about how to configure a custom access control policy, see the sample policies in Use custom access control policies.

  3. Use the management account of your resource directory to attach the created custom access control policy to folders or members in the resource directory. For more information, see Attach a custom access control policy.

    After the configuration is complete, the permission boundaries of the members in the resource directory are defined by the custom access control policy. The permissions that members can actually exercise are still granted separately by using RAM.
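The two-layer decision that the background section and steps 2 and 3 describe, as an added Python example (not code or a sample policy from the Tablestore documentation): a custom control policy attached to a folder or member only draws a boundary and grants nothing, while the RAM policy inside the member account grants the permission, so a request succeeds only when it is inside the boundary and granted by RAM. The control policy, the RAM policy and the resource string are constructed for this illustration; the `example:` condition keys and the `ots:GetRow`, `ots:InsertInstance` and `ots:DeleteInstance` action names are assumptions, so take the real Tablestore condition keys and actions from the product's policy reference before writing a production policy.

```python
"""Model how a resource directory control policy bounds RAM permissions.

Added example, not the Tablestore documentation's own code. It evaluates a
constructed control policy (boundary) and a constructed RAM policy (grant) for
a few Tablestore-style requests and shows that a Deny in the boundary always
wins and that an Allow in the boundary never grants anything by itself.
"""
import fnmatch
import json

# Placeholder condition keys for this illustration. They are NOT Tablestore's
# real condition keys; look those up in the Tablestore condition-key reference.
TLS_KEY = "example:TLSVersion"
NETWORK_KEY = "example:InstanceNetworkType"

# Constructed resource string in the acs:ots:<region>:<account>:instance/<name> shape.
INSTANCE = "acs:ots:cn-hangzhou:1234567890123456:instance/demo-instance"

# Constructed custom control policy (the JSON you would paste on the JSON tab
# in step 2). It denies TLS older than 1.2 for every Tablestore action and
# denies creating an instance that supports public access.
CONTROL_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ots:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ots:*", "Resource": "*",
     "Condition": {"NumericLessThan": {"example:TLSVersion": "1.2"}}},
    {"Effect": "Deny", "Action": "ots:InsertInstance", "Resource": "*",
     "Condition": {"StringEquals": {"example:InstanceNetworkType": "public"}}}
  ]
}
""")

# Constructed RAM policy attached inside the member account: this is the
# layer that actually grants permissions (the page's "grant ... by using RAM").
RAM_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ots:GetRow", "ots:InsertInstance"],
         "Resource": "acs:ots:*:*:instance/*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate the two condition operators this example uses.

    A condition whose key is absent from the request context is not satisfied,
    so a Deny guarded by it does not fire for requests that lack the attribute.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "StringEquals":
                ok = str(actual) == str(expected)
            elif operator == "NumericLessThan":
                ok = float(actual) < float(expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _matches(stmt, action, resource, ctx):
    action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), ctx)


def decide(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (nothing matched). An explicit Deny wins."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def effective_access(action, resource, ctx):
    """Combine both layers and return (allowed, reason).

    The request must be inside the control-policy boundary AND be granted by
    RAM; the control policy alone never results in access.
    """
    if decide(CONTROL_POLICY, action, resource, ctx) != "Allow":
        return False, "outside control-policy boundary"
    if decide(RAM_POLICY, action, resource, ctx) != "Allow":
        return False, "not granted by RAM"
    return True, "allowed"


if __name__ == "__main__":
    print(effective_access("ots:GetRow", INSTANCE, {TLS_KEY: "1.0"}))
    print(effective_access("ots:GetRow", INSTANCE, {TLS_KEY: "1.2"}))
    print(effective_access("ots:InsertInstance", INSTANCE, {TLS_KEY: "1.2", NETWORK_KEY: "public"}))
    print(effective_access("ots:InsertInstance", INSTANCE, {TLS_KEY: "1.2", NETWORK_KEY: "vpc"}))
    # Allowed by the control policy but never granted by RAM: still denied.
    print(effective_access("ots:DeleteInstance", INSTANCE, {TLS_KEY: "1.3"}))
```

The last case is the one the page's wording hinges on: `ots:DeleteInstance` is inside the boundary that the control policy's `Allow` statement draws, yet the call is denied because nothing in RAM grants it. Conversely, `ots:GetRow` over TLS 1.0 is granted by RAM but denied by the boundary, which is how the TLS restriction from the background section takes effect on every member the policy is attached to.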