You can create custom permission policies to implement fine-grained permission management.
Background information
A permission is a statement that allows (Allow) or denies (Deny) specified operations on specified resources under specified conditions. Permissions are carried in authorization policies; a custom permission is one you define when you write a custom policy.
For the ways to create a custom policy, see Creation methods. This topic describes how to create a custom policy in script editing mode.
Procedure
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Script Editor tab.
Enter the policy content, then click Continue to Edit Basic Information.
For details about policy syntax and structure, see Policy syntax and structure.
A policy contains the following parameters:
Action: the operation to authorize. All IoT Platform operations start with the iot: prefix. For how to define Actions, with examples, see Action definition in this topic.
Effect: the authorization type. Valid values: Allow and Deny.
Resource: the resource to authorize. To grant a RAM user access to all of your IoT Platform resources, set the value to *.
Condition: the condition under which the authorization takes effect. IoT Platform does not support Condition for its own actions.
For details about policy elements, see Basic policy elements.
Enter a policy name and a description.
Check and optimize the policy content.
Basic policy optimization
The system automatically performs basic optimization on the policy statements you add. Basic optimization does the following:
Removes unnecessary conditions.
Removes unnecessary arrays.
Optional: advanced policy optimization
You can move the pointer over Optional: Advanced Policy Optimization and click Perform to optimize the policy content further. Advanced optimization does the following:
Splits resources or conditions that are incompatible with the operations.
Narrows resources to a smaller scope.
Deduplicates or merges statements.
Click OK.
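The checks and the optimization steps above can be reproduced offline before you paste a policy into the console. The following script is an added example, not the console's own code: it validates each statement against the rules on this page (Effect must be Allow or Deny, every Action needs a service prefix, Condition is not supported on iot: actions), then applies the basic optimization (drops an empty Condition, unwraps single-element arrays) and the "deduplicate or merge statements" step, which is approximated here by merging statements that share Effect, Resource and Condition. The draft policy is constructed for the example; it reuses only API names that appear on this page.

```python
import json

# Constructed draft policy (not from the page) carrying the redundancies the
# console's optimizer removes: an empty Condition, single-element arrays,
# a duplicated action, and two Allow statements that can be merged.
DRAFT_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["iot:CreateProduct"], "Resource": ["*"], "Effect": "Allow", "Condition": {}},
        {"Action": ["iot:QueryProduct", "iot:QueryProduct"], "Resource": "*", "Effect": "Allow"},
        {"Action": "iot:UpdateProduct", "Resource": "*", "Effect": "Deny"},
    ],
}


def _as_list(value):
    """Policy fields may be a string or an array; always work with a list."""
    return [value] if isinstance(value, str) else list(value)


def _collapse(values):
    """Drop duplicates (order preserved) and unwrap a single-element array into a string."""
    values = list(dict.fromkeys(values))
    return values[0] if len(values) == 1 else values


def validate_statement(stmt):
    """Return the problems found in one statement, per the rules on this page."""
    errors = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        errors.append(f"Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
    for action in _as_list(stmt.get("Action", [])):
        if ":" not in action:
            errors.append(f"Action {action!r} lacks a service prefix such as iot:")
        elif action.startswith("iot:") and stmt.get("Condition"):
            errors.append(f"Condition is not supported for IoT action {action!r}")
    return errors


def normalize_policy(policy):
    """Basic optimization (drop empty Condition, unwrap arrays) plus a simple
    form of the advanced 'deduplicate or merge statements' step: statements
    that share Effect, Resource and Condition are merged into one (assumption
    about how the console merges; resource narrowing is not modelled)."""
    merged = {}
    for stmt in policy["Statement"]:
        condition = stmt.get("Condition") or None  # {} is an unnecessary condition
        key = (
            stmt["Effect"],
            json.dumps(_as_list(stmt["Resource"]), sort_keys=True),
            json.dumps(condition, sort_keys=True),
        )
        merged.setdefault(key, []).extend(_as_list(stmt["Action"]))

    statements = []
    for (effect, resource_json, condition_json), actions in merged.items():
        out = {
            "Action": _collapse(actions),
            "Resource": _collapse(json.loads(resource_json)),
            "Effect": effect,
        }
        condition = json.loads(condition_json)
        if condition:
            out["Condition"] = condition  # non-empty conditions are kept as-is
        statements.append(out)
    return {"Version": policy.get("Version", "1"), "Statement": statements}


if __name__ == "__main__":
    for stmt in DRAFT_POLICY["Statement"]:
        for problem in validate_statement(stmt):
            print("problem:", problem)
    print(json.dumps(normalize_policy(DRAFT_POLICY), indent=2))
```

Allow and Deny statements are never merged with each other because Effect is part of the merge key, so an explicit Deny you added on purpose survives normalization. The console's advanced optimization also splits incompatible resources or conditions and narrows resources; those steps depend on service metadata and are not reproduced here.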
Action definition
An Action is the name of an API operation. When you create an IoT Platform policy, every Action carries the iot: prefix, multiple Actions are separated by commas (,), and the asterisk (*) wildcard is supported. For the IoT API operation names, see the IoT authorization mapping table.
Typical Action definitions:
Define a single API operation.
"Action": "iot:CreateProduct"
Define multiple API operations.
"Action": [ "iot:UpdateProduct", "iot:QueryProduct" ]
Define all read-only API operations, including the permissions on the destination products of rules-engine data forwarding.
{
  "Version": "1",
  "Statement": [
    { "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "dhs:ListProject", "dhs:GetProject", "dhs:ListTopic", "dhs:GetTopic" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "ons:OnsRegionList", "ons:OnsInstanceInServiceList", "ons:OnsTopicList", "ons:OnsTopicGet" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "hitsdb:DescribeRegions", "hitsdb:DescribeHiTSDBInstanceList", "hitsdb:DescribeHiTSDBInstance" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" }
  ]
}
Define all read and write API operations, including the permissions on the destination products of rules-engine data forwarding.
{
  "Version": "1",
  "Statement": [
    { "Action": "iot:*", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "dhs:ListProject", "dhs:ListTopic", "dhs:GetProject", "dhs:GetTopic" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "ons:OnsRegionList", "ons:OnsInstanceInServiceList", "ons:OnsTopicList", "ons:OnsTopicGet" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "hitsdb:DescribeRegions", "hitsdb:DescribeHiTSDBInstanceList", "hitsdb:DescribeHiTSDBInstance", "hitsdb:ModifyHiTSDBInstanceSecurityIpList" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } },
    { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" }
  ]
}
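Because Action patterns accept the * wildcard, it is worth checking what a pattern such as iot:Query* actually covers before granting it. The following evaluator is an added example, not IoT Platform's or RAM's own code: it matches an API name against the Action and Resource patterns of each statement and applies the usual policy-evaluation order, assumed here (explicit Deny overrides Allow, and a request no statement matches is implicitly denied). Condition is ignored, which is consistent with IoT Platform actions not supporting it. The read-only statement is copied from the example above; the second policy and the candidate API list are constructed and use only names that appear on this page.

```python
import re

# Read-only IoT statement taken from the page's example above.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*"],
            "Resource": "*",
            "Effect": "Allow",
        }
    ],
}

# Constructed policy: a broad Allow with an explicit Deny carved out of it.
MIXED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "iot:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "iot:UpdateProduct", "Resource": "*", "Effect": "Deny"},
    ],
}


def _as_list(value):
    """Policy fields may be a string or an array; always work with a list."""
    return [value] if isinstance(value, str) else list(value)


def pattern_matches(pattern, value):
    """True if value matches pattern, where '*' stands for any run of characters.
    Everything else in the pattern is literal and matching is case-sensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def evaluate(policy, action, resource="*"):
    """Decide one request. Assumed order: an explicit Deny wins over any Allow,
    and a request that no statement matches is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(pattern_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(pattern_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def allowed_actions(policy, candidates):
    """Filter a list of API names down to those the policy allows, to review
    what a wildcard such as iot:Query* really grants."""
    return [a for a in candidates if evaluate(policy, a) == "Allow"]


if __name__ == "__main__":
    # Constructed candidate list built from API names used on this page.
    candidates = ["iot:QueryProduct", "iot:CreateProduct", "iot:UpdateProduct", "rds:DescribeDatabases"]
    print("read-only policy allows:", allowed_actions(READ_ONLY_POLICY, candidates))
    print("mixed policy allows:", allowed_actions(MIXED_POLICY, candidates))
```

Running allowed_actions over the full list of operation names from the IoT authorization mapping table shows exactly which operations a prefix wildcard grants, which is the check to make before attaching the policy to a RAM user.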
After the policy is created, attach it to a RAM user; that RAM user can then perform the operations defined in the policy. For how to create a RAM user and grant permissions, see RAM user access.