By default, you can use all Elastic Desktop Service (EDS) resources when you log on to the EDS console by using an Alibaba Cloud account. However, if an end user logs on to the console as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user before the end user can manage EDS resources. This topic describes how to grant permissions to a RAM user.
Prerequisites
A RAM user is created. For information about how to create a RAM user, see Create a RAM user.
Overview
RAM is a service provided by Alibaba Cloud that allows you to manage user identities and resource access permissions. You can use an Alibaba Cloud account to create multiple identities, such as RAM users, and grant different permissions to a single identity or a group of identities. This way, different RAM users can access different resources. For more information, see What is RAM?
By default, RAM users do not have permissions. You can grant permissions to a RAM user by using policies based on your business requirements. Policies fall into system policies and custom policies. For more information, see Policy overview. By default, EDS provides the following system policies:
Policy | Permission | Description |
--- | --- | --- |
AliyunECDFullAccess | Full permissions on EDS | RAM users can perform all actions on all EDS resources. |
AliyunECDReadOnlyAccess | Read-only permissions on EDS | RAM users can view all EDS resources. |
AliyunECDRamUserAccess | Permissions to use cloud computers by using clients. Note: RAM users can log on to clients only by using RAM directories. If end users use the IDs of office networks, formerly known as workspaces, of the RAM directory type as RAM users, you must grant permissions to the RAM users. If your business does not require Active Directory (AD), end users can use convenience accounts to log on to clients. This does not require authorization. | RAM users can start, connect to, query, stop, and restart cloud computers. |
AliyunECDTagFullAccess | Permissions on cloud computer tags | RAM users can perform actions on cloud computer tags. For example, RAM users can create, delete, and query tags of cloud computers. |
AliyunECDOfficeSiteFullAccess | Permissions to manage office networks in EDS | RAM users can perform actions on office networks. For example, RAM users can create, view, edit, modify, destroy, and migrate office networks. |
AliyunECDDesktopFullAccess | Permissions to manage cloud computers | RAM users can manage cloud computers. For example, RAM users can edit, modify, or release cloud computers, or switch billing methods for cloud computers. |
AliyunECDUserFullAccess | Permissions to manage EDS users | RAM users can manage users. For example, RAM users can create, synchronize, view, lock, and delete users. In addition, RAM users can authorize users to use cloud computers and can reset passwords, manage users by group, and manage multi-factor authentication (MFA) devices. |
AliyunECDPolicyGroupFullAccess | Permissions to manage EDS global security configurations and policies | RAM users can perform security audits and manage policies. For example, RAM users can create, view, modify, and delete global policies and related settings. |
AliyunECDTechnicalSupportFullAccess | Permissions to manage EDS technical support | RAM users can perform actions on or view cloud computers and applications of users. |
You can also create custom policies to grant permissions to RAM users based on your business requirements. For more information about how to create a custom policy, see Create a custom policy.
Procedure
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose .
Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, configure parameters to attach policies to the RAM user.
The following table describes the parameters.
Parameter | Description |
--- | --- |
Authorized Scope | The scope in which you want the permissions to take effect. Cloud computers do not support the resource group feature. Select Alibaba Cloud Account. |
Principal | The RAM user to which you want to grant permissions. The RAM user that you selected is automatically filled in the Principal field. You can also specify another RAM user. |
Select Policy | You can select policies based on your business requirements. |
Click OK.
Confirm the authorization scope and policies and click Complete.
Result
If you attach policies to the RAM user, the RAM user has the permissions to view or manage specified resources.
For example, if you attach the AliyunECDReadOnlyAccess policy to a RAM user, the RAM user can log on to the EDS console and view cloud computer resources. If you click Create Office Network on the Office Network (Formerly Workspace) page as the RAM user, a dialog box appears to remind you that you do not have the permissions.
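To check the result across several RAM users rather than one at a time in the console, the following added example (not part of the original topic or of Alibaba Cloud's tooling) compares the EDS system policies attached to each user with an approved baseline and flags drift. It assumes each input has the shape of a RAM `ListPoliciesForUser` response (`Policies.Policy[]` entries with `PolicyName` and `PolicyType`); the user names, the baseline, and the sample responses are constructed.

```python
# Added example: audit EDS system policies attached to RAM users.
FULL = "AliyunECDFullAccess"   # from the policy table on this page
EDS_PREFIX = "AliyunECD"       # common prefix of the EDS system policies

def attached_eds_policies(response):
    """EDS system policy names in one ListPoliciesForUser-shaped response."""
    policies = response.get("Policies", {}).get("Policy", [])
    return {p["PolicyName"] for p in policies
            if p.get("PolicyType") == "System"
            and p.get("PolicyName", "").startswith(EDS_PREFIX)}

def audit(responses, baseline):
    """Return (user, finding, policy) tuples for drift from the baseline."""
    findings = []
    for user in sorted(set(responses) | set(baseline)):
        attached = attached_eds_policies(responses.get(user, {}))
        approved = set(baseline.get(user, ()))
        findings += [(user, "unapproved", n) for n in sorted(attached - approved)]
        findings += [(user, "missing", n) for n in sorted(approved - attached)]
        if FULL in attached:
            # Full access already covers every narrower EDS policy.
            findings += [(user, "redundant-with-full-access", n)
                         for n in sorted(attached - {FULL})]
    return findings

def _resp(*pairs):
    """Build a constructed response in the assumed API shape."""
    return {"Policies": {"Policy": [{"PolicyName": n, "PolicyType": t}
                                    for n, t in pairs]}}

# Constructed sample data: hypothetical user names, not from the page.
SAMPLE_RESPONSES = {
    "auditor-01": _resp(("AliyunECDReadOnlyAccess", "System")),
    "helpdesk-01": _resp(("AliyunECDTechnicalSupportFullAccess", "System"),
                         ("AliyunECDUserFullAccess", "System")),
    "ops-01": _resp(("AliyunECDFullAccess", "System"),
                    ("AliyunECDDesktopFullAccess", "System"),
                    ("AliyunOSSReadOnlyAccess", "System")),  # non-EDS, ignored
    "new-01": _resp(),
}
SAMPLE_BASELINE = {
    "auditor-01": ["AliyunECDReadOnlyAccess"],
    "helpdesk-01": ["AliyunECDTechnicalSupportFullAccess"],
    "ops-01": ["AliyunECDDesktopFullAccess"],
    "new-01": ["AliyunECDRamUserAccess"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, SAMPLE_BASELINE):
        print(*finding, sep="\t")
```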