<p>Resource Access Management (RAM) refers to user identity management and access control services. With RAM, you can create and manage user accounts and control the access of these user accounts to the resources under your tenant.</p>


<p>RAM has the following features:</p> <p>1) Centralized control of RAM users and their keys;</p> <p>2) Centralized control of RAM user access - each user or group can be bound to one or more authorization policies that restrict which operations the user may perform on the specified resources;</p> <p>3) Centralized control of cloud resources - instances or data created by users can be managed centrally. When a user leaves your organization, these instances and data remain under your complete control.</p>

Application Scenarios

<p><strong>Scenario 1: Enterprise sub-account permission management</strong></p> <p>Company F opened a main account on Ping An Cloud and bought various cloud services. Many employees are responsible for different tasks such as purchasing, operating and maintaining these cloud resources, and different duties require different permissions. For the security of the deployed cloud services, F does not want to hand the main account key directly to employees. Instead, RAM can be used to create a sub-user for each employee and grant each one only the permissions their duties require.</p> <p>All purchases made by sub-users are charged to the main account, which may change the permissions of sub-users or delete sub-users at any time.</p> <p><strong>Scenario 2: Permission and resource management across enterprises</strong></p> <p>F is a financial enterprise. F opened its main account on Ping An Cloud and purchased a cloud service to deploy business applications. However, F wants to focus on business expansion and has outsourced system operation and maintenance to Company I. For data and account security, F will not hand the main account key to I; instead it can create a sub-user for I via RAM and grant I appropriate permissions, which I may further break down and delegate to its own employees. When the cooperation between F and I ends, F can restrict I&#39;s permissions or delete the sub-user directly at any time.</p> <p><strong>Requirement Specification</strong></p> <p>1. Avoid sharing of the main account among many employees, and prevent leaks of the main account password or AccessKey that would result in uncontrollable risk.</p> <p>2. Assign independent user accounts and permissions (operator accounts) to different employees, so that each employee&#39;s rights match their responsibilities.</p> <p>3. There is no need to compute the cost of each operator separately, as all costs incurred are billed centrally to the main account.</p>

RAM Terms

<p><strong>Main Account</strong></p> <p>The main account is the basic subject that all resources belong to, and the unit for metering and billing resource usage. When users start using Ping An Cloud services, they first need a main account (provided by the Ping An Cloud team). The main account pays for the resources owned under its name and has full permissions on those resources.</p> <p><strong>Sub-user</strong></p> <p>A sub-user is created by the main account and granted permissions for specific operations. The cloud service costs of sub-users are borne by the main account, which can change a sub-user&#39;s permissions or delete the sub-user at any time.</p> <p><strong>Resource</strong></p> <p>A resource is the abstraction of an object entity that a cloud service presents to the user.</p> <p>The overall format is as follows: pcs:&lt;service-name&gt;:&lt;region&gt;:&lt;tenant-id&gt;:&lt;resource-relative-id&gt;</p> <p>Format description:</p> <p>pcs: the acronym for Pingan Cloud Service, standing for Ping An Cloud&#39;s public cloud platform.</p> <p>service-name: the name of the Open Service provided by Ping An Cloud, such as ecs, ram, etc.</p> <p>region: region information. If the service does not support regions, the wildcard character &quot;*&quot; can be used instead.</p> <p>tenant-id: the account ID, such as 1234567890123456; &quot;*&quot; can also be used instead.</p> <p>resource-relative-id: the service-specific resource description part; its semantics are defined by the service.</p> <p><strong>Permission</strong></p> <p>A permission policy allows or denies a user&#39;s operation on a resource.</p> <p><strong>Authorization Policy</strong></p> <p>An authorization policy is a simple language specification that describes a set of permissions. The language specification supported by RAM can be found in the Authorization Policy Language.</p>
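<p>As an added example (not Ping An Cloud&#39;s own code), the following Python parses resource identifiers in the format above, matches them against patterns that use the documented &quot;*&quot; wildcard, and evaluates allow/deny statements for a sub-user. The statement shape, the deny-overrides rule and action names such as ecs:DeleteInstance are assumptions, since the Authorization Policy Language itself is not reproduced on this page.</p>

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Resource:
    service: str
    region: str
    tenant_id: str
    relative_id: str

def parse_resource(identifier: str) -> Resource:
    """Parse pcs:<service-name>:<region>:<tenant-id>:<resource-relative-id>."""
    # Split on the first four ':' only; the relative-id is service-defined and assumed to allow ':'.
    parts = identifier.split(":", 4)
    if len(parts) != 5 or parts[0] != "pcs" or not parts[1] or not parts[4]:
        raise ValueError(f"malformed resource identifier: {identifier!r}")
    return Resource(*parts[1:])

def _field_matches(pattern: str, value: str) -> bool:
    # The page documents "*" as a whole-field wildcard; no partial globs like "ecs*".
    return pattern == "*" or pattern == value

def resource_matches(pattern: str, identifier: str) -> bool:
    """True if a policy resource pattern covers a concrete resource identifier."""
    p, r = parse_resource(pattern), parse_resource(identifier)
    return (_field_matches(p.service, r.service) and _field_matches(p.region, r.region)
            and _field_matches(p.tenant_id, r.tenant_id)
            and _field_matches(p.relative_id, r.relative_id))

def is_allowed(statements, action: str, identifier: str) -> bool:
    """Deny-overrides evaluation (an assumption, not RAM's documented semantics):
    an explicit Deny wins, otherwise a matching Allow is required, else denied."""
    allowed = False
    for st in statements:  # statement shape {"effect","actions","resources"} is assumed
        if not any(fnmatchcase(action, a) for a in st["actions"]):
            continue  # action globs such as "ecs:*" use shell-style matching
        if not any(resource_matches(r, identifier) for r in st["resources"]):
            continue
        if st["effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed sample: Company I's sub-user may operate ECS instances in any region of
# tenant 1234567890123456 but must never delete them (action names are hypothetical).
TENANT_RESOURCES = ["pcs:ecs:*:1234567890123456:*"]
SAMPLE_STATEMENTS = [
    {"effect": "Allow", "actions": ["ecs:*"], "resources": TENANT_RESOURCES},
    {"effect": "Deny", "actions": ["ecs:DeleteInstance"], "resources": TENANT_RESOURCES},
]
```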