Access control - Tablestore - Alibaba Cloud Documentation Center

To ensure the security of your resources, you can use Resource Access Management (RAM) policies, control policies for resource directories, network ACLs for Tablestore instances, and instance policies for Tablestore instances to control access to your Tablestore resources. This way, only authorized users can access Tablestore resources.

The following access control methods are supported by Tablestore: RAM policies, control policies, network ACLs, and instance policies. You can use multiple access control methods in combination based on your needs.

The RAM Policy feature provided by RAM allows you to manage your users such as employees, systems, and applications in a centralized manner and control their access to cloud resources.
The Control Policy feature provided by the Resource Directory service of Resource Management allows you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner.
The Network ACL feature provided by Tablestore allows you to restrict the types of networks from which users can access a Tablestore instance.
The Instance Policy feature provided by Tablestore allows you to restrict the access sources of a Tablestore instance.

The following table describes the functionality and applicable scenarios of different access control methods.

Access control method	Applicable scenario	Service	Intended user	Usage note
RAM Policy	Manage the permissions and temporary access permissions of the RAM users under an Alibaba Cloud account.	RAM	You want to grant permissions to a RAM user and use Tablestore as the RAM user, or you want to access Tablestore by using temporary access tokens. For more information, see Use a RAM policy to grant permissions to a RAM user.	Grant the same permissions to different RAM users under the same Alibaba Cloud account. Grant the same permissions on all Tablestore resources or multiple Tablestore instances. Specify the conditions that are required for a policy to take effect. For example, restrict the IP addresses, protocols, and TLS versions that a client can use to access Tablestore resources and the time when users can access Tablestore resources. Grant temporary access permissions on Tablestore resources.
Control Policy	Manage the security policies for Alibaba Cloud accounts of different departments in an enterprise in a centralized manner. The Control Policy feature does not grant permissions but only denies access.	Resource Management	You have multiple Alibaba Cloud accounts for your enterprise and want to manage the permissions of these accounts in a centralized manner. For more information, see Use a custom access control policy to define the permission boundaries of enterprise users.	Restrict the TLS versions that can be used to access Tablestore. Restrict users to create only Tablestore instances that do not support public access.
Network ACL	Control the network access to a Tablestore instance under an Alibaba Cloud account.	Tablestore	You want to restrict the types of networks or sources from which users can access the resources of a Tablestore instance. For more information, see the Network ACL.	Specify whether users can use the Tablestore console to access the resources of a Tablestore instance. Specify the types of networks that users can use to access a Tablestore instance.
Instance Policy	Grant fine-grained permissions on API operations on a Tablestore instance under an Alibaba Cloud account.	Tablestore	You want to restrict the access sources of the resources of a Tablestore instance. For more information, see Use instance policies to restrict the access sources of an instance.	Restrict the access sources of a Tablestore instance, including the IP addresses, networks, and TLS versions that users can use to access the instance.