資源目錄支持資源級鑒權,您可以通過RAM或云SSO對資源目錄進行分級管理。
業務場景
對于大型集團公司,資源目錄管理賬號通常由集團云管或運維團隊負責管理。集團往往有多個子公司,集團云管團隊希望將部分管理權下放,由各子公司的管理員管理對應子公司的目錄組織,各子公司之間互不影響,從而在隔離的前提下,提升管理效率和靈活度。
本文將提供一個示例,假設Y公司有兩個業務部門,分別為業務部門1和業務部門2,希望各業務的運維管理員管理各自業務的賬號結構、員工權限等。具體如下表所示。
組織結構 | 管理員 | 職責 |
安全管理團隊 | Mike | Mike為公司中心安全團隊負責人,需要做全局集中的安全管控,即全局的管控策略管理。 |
業務部門1 | Alice | Alice為業務部門1的運維管理員,僅能在業務部門1內創建資源賬號和組織結構、配置管控策略、配置成員的消息通知聯系人,不能操作和影響其他業務。 |
業務部門2 | Bob | Bob為業務部門2的運維管理員,僅能在業務部門2內創建資源賬號和組織結構、配置管控策略、配置成員的消息通知聯系人,不能操作和影響其他業務。 |
解決方案
分級管理主要解決操作范圍和操作行為的權限細化管控。
資源目錄目前已經支持RAM資源級鑒權,您可以通過Resource設置操作范圍,通過Action設置操作行為。資源目錄具體的授權信息,請參見資源目錄鑒權列表。
以下兩種實施方案,您可以根據實際情況任選其一。
方案一:基于RAM實現分級管理
開通資源目錄。
Y公司企業管理員(如財務同學)申請阿里云賬號并進行企業實名認證,然后開通資源目錄,并創建兩個名為
業務部門1和業務部門2的資源夾。具體操作,請參見開通資源目錄、創建資源夾。開通資源目錄的賬號即為管理賬號。
創建RAM用戶
Mike,并授予配置全局管控策略的權限。管理賬號登錄RAM控制臺,創建一個名為
Mike的RAM用戶,為其創建訪問密鑰(AccessKey),然后為其授予以下自定義權限策略。具體操作,請參見創建RAM用戶、創建自定義權限策略、為RAM用戶授權。自定義權限策略內容:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*" ], "Resource": [ "acs:resourcemanager:*:*:account/*", "acs:resourcemanager:*:*:folder/*", "acs:resourcemanager:*:*:policy/controlpolicy/*" ] }, { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListAccount*", "resourcemanager:GetFolder*", "resourcemanager:ListFolder*", "resourcemanager:GetAccount", "resourcemanager:GetControlPolicy*", "resourcemanager:ListControlPolicies", "resourcemanager:ListControlPolicyAttachmentsForTarget", "resourcemanager:ListTargetAttachmentsForControlPolicy", "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues" ], "Resource": "*" } ] }創建一個名為
Alice的RAM用戶,并授予管理資源夾業務部門1的權限。管理賬號登錄RAM控制臺,創建一個名為
Alice的RAM用戶,為其創建訪問密鑰(AccessKey),然后為其授予以下自定義權限策略。具體操作,請參見創建RAM用戶、創建自定義權限策略、為RAM用戶授權。自定義權限策略內容:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resourcemanager:*Account*", "resourcemanager:*Parent*", "resourcemanager:*Folder*", "resourcemanager:*Handshake*", "resourcemanager:*Contact*", "resourcemanager:*Members*", "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*", "resourcemanager:*SendVerificationCodeFor*", "resourcemanager:*BindSecureMobilePhone*" ], "Resource": [ "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門1的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門1的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", //資源夾業務部門1的RDPath "acs:resourcemanager:*:*:handshake/*", "acs:resourcemanager:*:*:policy/controlpolicy/*", "acs:resourcemanager:*:*:messagecontact/*" ] }, { "Effect": "Deny", "Action": [ "resourcemanager:DeleteControlPolicy", "resourcemanager:UpdateControlPolicy", "resourcemanager:DisableControlPolicy", "resourcemanager:EnableControlPolicy", "resourcemanager:DeleteMessageContact", "resourcemanager:UpdateMessageContact", "resourcemanager:CancelMessageContactUpdate", "resourcemanager:CancelHandshake" ], "Resource": "*" } ] }創建一個名為
Bob的RAM用戶,并授予管理資源夾業務部門2的權限。管理賬號登錄RAM控制臺,創建一個名為
Bob的RAM用戶,為其創建訪問密鑰(AccessKey),然后為其授予以下自定義權限策略。具體操作,請參見創建RAM用戶、創建自定義權限策略、為RAM用戶授權。自定義權限策略內容:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resourcemanager:*Account*", "resourcemanager:*Parent*", "resourcemanager:*Folder*", "resourcemanager:*Handshake*", "resourcemanager:*Contact*", "resourcemanager:*Members*", "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*", "resourcemanager:*SendVerificationCodeFor*", "resourcemanager:*BindSecureMobilePhone*" ], "Resource": [ "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門2的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門2的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", //資源夾業務部門2的RDPath "acs:resourcemanager:*:*:handshake/*", "acs:resourcemanager:*:*:policy/controlpolicy/*", "acs:resourcemanager:*:*:messagecontact/*" ] }, { "Effect": "Deny", "Action": [ "resourcemanager:DeleteControlPolicy", "resourcemanager:UpdateControlPolicy", "resourcemanager:DisableControlPolicy", "resourcemanager:EnableControlPolicy", "resourcemanager:DeleteMessageContact", "resourcemanager:UpdateMessageContact", "resourcemanager:CancelMessageContactUpdate", "resourcemanager:CancelHandshake" ], "Resource": "*" } ] }驗證結果。
分別使用RAM用戶
Mike、Alice、Bob對應的訪問密鑰(AccessKey)調用資源目錄OpenAPI,訪問資源目錄中有權限的資源。例如:Alice只能操作資源夾業務部門1中的資源,Bob只能操作資源夾業務部門2的資源,則說明以上配置成功。
方案二:基于云SSO實現分級管理
開通資源目錄。
Y公司企業管理員(如財務同學)申請阿里云賬號并進行企業實名認證,然后開通資源目錄,并創建兩個名為
業務部門1和業務部門2的資源夾。具體操作,請參見開通資源目錄、創建資源夾。開通資源目錄的賬號即為管理賬號。
創建云SSO用戶
Mike,并授予配置全局管控策略的權限。管理賬號登錄云SSO控制臺,創建一個名為
Mike的云SSO用戶,為其設置登錄密碼,然后創建訪問配置,并為云SSO用戶Mike在RD管理賬號上部署該訪問配置。具體操作,請參見創建用戶、創建訪問配置、在RD賬號上授權。該訪問配置使用以下內容的內置策略,不使用系統策略。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*" ], "Resource": [ "acs:resourcemanager:*:*:account/*", "acs:resourcemanager:*:*:folder/*", "acs:resourcemanager:*:*:policy/controlpolicy/*" ] }, { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListAccount*", "resourcemanager:GetFolder*", "resourcemanager:ListFolder*", "resourcemanager:GetAccount", "resourcemanager:GetControlPolicy*", "resourcemanager:ListControlPolicies", "resourcemanager:ListControlPolicyAttachmentsForTarget", "resourcemanager:ListTargetAttachmentsForControlPolicy", "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues" ], "Resource": "*" } ] }創建一個名為
Alice的云SSO用戶,并授予管理資源夾業務部門1的權限。管理賬號登錄云SSO控制臺,創建一個名為
Alice的云SSO用戶,為其設置登錄密碼,然后創建訪問配置,并為云SSO用戶Alice在RD管理賬號上部署該訪問配置。具體操作,請參見創建用戶、創建訪問配置、在RD賬號上授權。該訪問配置使用以下內容的內置策略,不使用系統策略。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resourcemanager:*Account*", "resourcemanager:*Parent*", "resourcemanager:*Folder*", "resourcemanager:*Handshake*", "resourcemanager:*Contact*", "resourcemanager:*Members*", "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*", "resourcemanager:*SendVerificationCodeFor*", "resourcemanager:*BindSecureMobilePhone*" ], "Resource": [ "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門1的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門1的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", //資源夾業務部門1的RDPath "acs:resourcemanager:*:*:handshake/*", "acs:resourcemanager:*:*:policy/controlpolicy/*", "acs:resourcemanager:*:*:messagecontact/*" ] }, { "Effect": "Deny", "Action": [ "resourcemanager:DeleteControlPolicy", "resourcemanager:UpdateControlPolicy", "resourcemanager:DisableControlPolicy", "resourcemanager:EnableControlPolicy", "resourcemanager:DeleteMessageContact", "resourcemanager:UpdateMessageContact", "resourcemanager:CancelMessageContactUpdate", "resourcemanager:CancelHandshake" ], "Resource": "*" } ] }創建一個名為
Bob的云SSO用戶,并授予管理資源夾業務部門2的權限。管理賬號登錄云SSO控制臺,創建一個名為
Bob的云SSO用戶,為其設置登錄密碼,然后創建訪問配置,并為云SSO用戶Bob在RD管理賬號上部署該訪問配置。具體操作,請參見創建用戶、創建訪問配置、在RD賬號上授權。該訪問配置僅使用以下內容的內置策略,不使用系統策略。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resourcemanager:*Account*", "resourcemanager:*Parent*", "resourcemanager:*Folder*", "resourcemanager:*Handshake*", "resourcemanager:*Contact*", "resourcemanager:*Members*", "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*", "resourcemanager:*SendVerificationCodeFor*", "resourcemanager:*BindSecureMobilePhone*" ], "Resource": [ "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門2的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", //資源夾業務部門2的RDPath "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", //資源夾業務部門2的RDPath "acs:resourcemanager:*:*:handshake/*", "acs:resourcemanager:*:*:policy/controlpolicy/*", "acs:resourcemanager:*:*:messagecontact/*" ] }, { "Effect": "Deny", "Action": [ "resourcemanager:DeleteControlPolicy", "resourcemanager:UpdateControlPolicy", "resourcemanager:DisableControlPolicy", "resourcemanager:EnableControlPolicy", "resourcemanager:DeleteMessageContact", "resourcemanager:UpdateMessageContact", "resourcemanager:CancelMessageContactUpdate", "resourcemanager:CancelHandshake" ], "Resource": "*" } ] }驗證結果。
分別使用云SSO用戶
Mike、Alice、Bob通過CLI登錄云SSO用戶門戶,登錄后,通過CLI命令行訪問資源目錄中有權限的資源。例如:Alice只能操作資源夾業務部門1中的資源,Bob只能操作資源夾業務部門2中的資源,則說明以上配置成功。關于如何通過CLI登錄云SSO用戶門戶,請參見使用CLI登錄云SSO并訪問阿里云資源。說明基于云SSO實現分級管理的方案配置完成后,暫時只能通過CLI操作有權限的資源,不支持控制臺操作。