
Elastic Desktop Service: Attach EDS Enterprise system policies to a RAM user

Last Updated: Nov 01, 2024

By default, you can use all Elastic Desktop Service (EDS) Enterprise resources when you log on to the EDS Enterprise console by using an Alibaba Cloud account. However, if you log on to the console as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user before the RAM user can manage EDS Enterprise resources. This topic describes how to authorize a RAM user to access resources in the EDS Enterprise console by attaching policies.

Background information

Alibaba Cloud RAM is a service that allows you to manage user identities and resource access permissions. You can use an Alibaba Cloud account to create multiple identities, such as RAM users, and grant different permissions to a single identity or a group of identities. This way, different RAM users have the permissions to access different resources. For more information, see What is RAM?

By default, RAM users do not have permissions. You can grant permissions to a RAM user by attaching policies based on your business requirements. Policies fall into system policies and custom policies. For more information, see Policy overview. EDS Enterprise provides the following system policies:

| Policy | Description | Remark |
| --- | --- | --- |
| AliyunECDFullAccess | The permissions to manage EDS Enterprise. | RAM users can manage all EDS resources. |
| AliyunECDReadOnlyAccess | The read-only permissions on EDS Enterprise. | RAM users can view all EDS resources. |
| AliyunECDRamUserAccess | The permissions to use cloud computers from the Alibaba Cloud Workspace client. | RAM users can query, start, connect to, stop, and restart cloud computers. Note: RAM users can log on to the Alibaba Cloud Workspace client only by using RAM directories. If end users use office networks of the RAM directory type as RAM users, you must grant permissions to the RAM users. If your business does not require Active Directory (AD), convenience accounts can be used to log on to the client without authorization. |
| AliyunECDTagFullAccess | The permissions to manage tags of cloud computers. | RAM users can manage cloud computer tags. For example, they can create, delete, and query tags. |
| AliyunECDOfficeSiteFullAccess | The permissions to manage office networks. | RAM users can perform operations on office networks. For example, they can create, view, edit, modify, and destroy office networks. They can also migrate cloud computers across office networks. |
| AliyunECDDesktopFullAccess | The permissions to manage cloud computers. | RAM users can manage cloud computers. For example, they can edit, modify, release cloud computers, or switch billing methods for cloud computers. |
| AliyunECDUserFullAccess | The permissions to manage EDS Enterprise users. | RAM users can manage users. For example, they can create, synchronize, view, lock, and delete users. They can also authorize users to use cloud computers, reset passwords, manage users by group, and manage multi-factor authentication (MFA) devices. |
| AliyunECDPolicyGroupFullAccess | The permissions to manage global security configurations and policies of EDS Enterprise. | RAM users can manage security audits and policies. For example, they can create, view, modify, and delete global security policies and configurations. |
| AliyunECDTechnicalSupportFullAccess | The permissions to manage EDS Enterprise technical support. | RAM users can perform operations on or view the cloud computers or applications assigned to users. (1) Operations on cloud computers. For example, RAM users can manage global sessions, stop, reset, and restart session hosts. They can also run commands on all session hosts and sessions. (2) Management of remote processes and applications and remote assistance on cloud computers or sessions. For example, RAM users can terminate application processes and cloud computer sessions, and view session hosts and network data of users. (3) Logon to the EDS Enterprise console and access to resources in the console. For example, RAM users can view resource details in the console, such as information about users, password reset, sessions, and session connections. |

You can also create custom policies and associate the policies with cloud computers to meet business requirements. For more information about how to create a custom policy, see Create custom policies.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Procedure

  1. Use an Alibaba Cloud account to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

  4. In the Grant Permission panel, configure parameters based on your business requirements.

    | Parameter | Description |
    | --- | --- |
    | Resource Scope | The scope in which you want the permissions to take effect. You need to select Account. Resource groups are not available for cloud computers. |
    | Principal | The RAM user to which you want to grant permissions. You can keep the default value. The selected RAM user is autopopulated. You can also specify another RAM user. |
    | Policy | You can select policies based on your business requirements. |

  5. Click Grant permissions.

What to do next

If you attach policies to the RAM user, the RAM user has the permissions to view or manage specified resources.

For example, if you attach the AliyunECDReadOnlyAccess policy to a RAM user, the RAM user can log on to the EDS Enterprise console and view cloud computer resources. If the RAM user clicks Create Office Network on the Office Networks page, a message appears, indicating that the RAM user does not have related permissions.
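After policies are attached, a periodic review shows which RAM users hold broad or sensitive EDS Enterprise grants. The following is an added example, not part of the original Alibaba Cloud documentation. It assumes input shaped like the JSON returned by the RAM `ListPoliciesForUser` operation; the user names, the custom policy name, and the choice of which policies to flag are assumptions of this example.

```python
import json

# EDS Enterprise system policies as named in the table on this page.
EDS_POLICIES = {
    "AliyunECDFullAccess", "AliyunECDReadOnlyAccess", "AliyunECDRamUserAccess",
    "AliyunECDTagFullAccess", "AliyunECDOfficeSiteFullAccess",
    "AliyunECDDesktopFullAccess", "AliyunECDUserFullAccess",
    "AliyunECDPolicyGroupFullAccess", "AliyunECDTechnicalSupportFullAccess",
}
# Assumption: this example's own choice of grants that deserve a second look,
# based on the table's remarks (password/MFA management, security policies,
# running commands on session hosts).
REVIEW = {"AliyunECDUserFullAccess", "AliyunECDPolicyGroupFullAccess",
          "AliyunECDTechnicalSupportFullAccess"}

def eds_policies(response_json):
    """EDS system policies in a ListPoliciesForUser-shaped JSON document."""
    items = json.loads(response_json).get("Policies", {}).get("Policy", [])
    return {p["PolicyName"] for p in items
            if p.get("PolicyType") == "System" and p.get("PolicyName") in EDS_POLICIES}

def audit_user(user, response_json):
    """Return (user, finding) tuples for one RAM user's attachments."""
    eds = eds_policies(response_json)
    findings = []
    if "AliyunECDFullAccess" in eds:
        findings.append("can manage all EDS resources")
        scoped = sorted(eds - {"AliyunECDFullAccess"})
        if scoped:
            findings.append("scoped policies alongside full access: " + ", ".join(scoped))
    else:
        findings += ["review grant: " + n for n in sorted(eds & REVIEW)]
    return [(user, f) for f in findings]

def sample_response(*policies):
    return json.dumps({"Policies": {"Policy": [
        {"PolicyName": n, "PolicyType": t} for n, t in policies]}})

# Constructed sample data; user names and the custom policy are hypothetical.
SAMPLE = {
    "admin-1": sample_response(("AliyunECDFullAccess", "System"),
                               ("AliyunECDTagFullAccess", "System")),
    "helpdesk-1": sample_response(("AliyunECDTechnicalSupportFullAccess", "System"),
                                  ("AliyunECDReadOnlyAccess", "System")),
    "viewer-1": sample_response(("AliyunECDReadOnlyAccess", "System"),
                                ("example-custom-policy", "Custom")),
}

def audit_all(responses):
    return [f for user in sorted(responses) for f in audit_user(user, responses[user])]
```

Calling `audit_all(SAMPLE)` returns one `(user, finding)` tuple per flagged grant; users that hold only read-only or custom policies produce no findings.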