Secure your cloud resources with Resource Access Management to define fine-grained access permissions for users and groups
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service which enables you to centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects from any unsolicited access to your account.
User-based SSO
You can configure your IdP to specify a RAM user in the SAML assertion and use the RAM user to access Alibaba Cloud.
Role-based SSO
You can configure your IdP to specify a RAM role in the SAML assertion and use the RAM role to access Alibaba Cloud.
Fine-grained Authorization
Allows you to grant permission for one or multiple operations on a single resource. For example, a resource owner can grant permission to create, perform operations or delete resources
Multi-dimensional Authorization
Restricts access permissions by IP, time, and other factors
Version Management Mechanism
Retain multiple versions of each authorization policy to eliminate risk of unwanted policy deletion
Allows you to define and control various authorization policies for specific Alibaba Cloud resources meeting certain business conditions
Lets you grant read-only, full, or customized permissions to users, partners and enterprise employee accounts
Enables you to define user or service specific roles
User Identity Management
Create and manage user identities and grant permissions using the primary account
Multi-factor Authentication
Supports MFA devices that comply with TOTP protocol standard (RFC 6238) to keep user passwords secure and assign special permissions like shutting down virtual hosts
Independent Password Policy Management
Create custom password strength policies for users and set the number of allowed logon attempts, password validity periods, and other password policies
User Groups
Create and manage user groups for assigning the same set of permissions to multiple users
Access Keys
Set access keys for users wanting to perform operations using the console. You can also set up API access keys for users who require programmatic access
Execution Permission
Set permissions for allowing or denying execution of certain operations on specific resources under certain conditions
Custom Authorization
Use custom authorization policies to manage user permissions effectively
Group Permission
The group authorization mechanism allows for scenario-specific authorization to reduce the burdens associated with permission management
User Authorization
Grant user or user group authorization to users under your account, or even other Alibaba Cloud accounts
Custom Policy
Create, modify, and delete custom authorization policies to meet fine-grained access control requirements, such as only allowing operations on a specific ECS instance if the request comes from a particular IP address
Resource Access
Users can access resources and perform operations on them using the console, APIs, or client tools such as the Alibaba Cloud CLI (aliyun)
Access Permission
Security Token Service grants specific cloud resource access permissions to mobile clients, giving your mobile customers direct access to cloud resources
Custom Validity
Supports custom token validity periods for enhanced security
User Resource Access Methods
Provides users with security channels (such as SSL) to request access to specific cloud resources at the designated time and from the specified source IP
Role and External Account Identity Federation Management
Associate RAM roles with external identity systems (such as your local enterprise domain accounts or app accounts) and directly use an external identity to log on to a RAM role to access Alibaba Cloud console or API
Cloud Resources
Control instances created by RAM users in a centralized manner, so that you have full control over these instances and associated data after a user has left your organization
Free of Charge
RAM is offered at no additional cost. You are charged only for other Alibaba products/services used by RAM users
Consolidated Bill
Your account receives a consolidated bill for all expenses incurred from resource operations performed by all RAM users/accounts
Enterprise User Account Management and Permission Allocation
An enterprise has a project for which it has purchased multiple cloud resources like ECS/RDS/SLB instances and OSS buckets. Employees with different responsibilities and permissions need to perform various operations. They can be allocated independent user or operator accounts to perform only those resource operations to which they have permissions. This way the enterprise does not compromise on security and can also grant/revoke permissions for any user account at any time. Also, charges for resource operations are billed collectively to the enterprise that is the primary account.
Recommended configuration for this scenario
RAM-user accounts and authorization management function
Advantages
- Bind the primary account to an MFA device and configure MFA for the primary account to prevent risks caused by disclosure of primary account password
- Activate RAM
- Create user accounts and RAM user accounts for different employees (or application systems) and set logon passwords or create access keys as needed
- Create a group for multiple employees with same responsibilities and add users to the group
- Create custom authorization policies and grant permissions by binding one or more policies to groups/users
Temporary Authorization Management for Mobile Apps
An enterprise does not want to allow all apps to use the AppServer to transmit data. However, mobile apps run on mobile devices and controlling these devices is not possible. The enterprise also wants to minimize security risks by giving each app an access token with minimal permissions and reducing the access duration.
Recommended configuration for this scenario
RAM STS-tokens
Advantages
- To complete the authorization process, the enterprise creates a role and grants permissions to the role by binding it with authorization policy
- Enterprise creates a RAM-user for AppServer and authorizes this user to assume the role it created
- AppServer issues STS-tokens for resource access
Resource Operations and Authorization Management Between Enterprises
Enterprise A has purchased multiple cloud resources and granted cloud resource O&M, monitoring management, and other tasks to Enterprise B. Enterprise B can allocate access permissions for A’s resources to one or more of its employees. B needs to precisely control the operations its employees can perform on A’s resources. A needs to revoke B’s permissions at will if the O&M entrustment contract is revoked.
Suggested configuration for this scenario
RAM roles for cross-account authorization
Advantages
- A role is created and permissions are granted for cross-account authorization
- Cross-account resources can be accessed through the console by creating sub-users and authorizing them to assume the role
1. How do I get started with Alibaba Cloud RAM?
Once you have signed up for Alibaba Cloud, you can use either the web-based Alibaba Cloud Management Console or the RAM APIs (for programmatic access) to create users and groups and to assign them permissions to access different resources.
2. How does a sub-user sign into the Alibaba Cloud Management Console?
Visit the logon page or refer to the links on the Management Console dashboard.
3. Which Alibaba Cloud products and services support RAM integration?
| Service | Management Console | API | Reference |
|---|---|---|---|
| Elastic Compute Service | √ | √ | ECS Permission |
| ApsaraDB for RDS | √ | √ | RDS Permission |
| Server Load Balancer | √ | √ | SLB Permission |
| Virtual Private Cloud | √ | √ | VPC Permission |
| EIP | √ | √ | EIP Permission |
| Object Storage Service | √ | √ | OSS Permission |
| Table Store | √ | √ | TableStore Permission |
| Message Service | √ | √ | MessageService Permission |
| Alibaba Cloud CDN | √ | √ | CDN Permission |
| ApsaraDB for Redis | √ | √ | |
| ApsaraDB for Memcache | √ | √ | |
| CloudMonitor | √ | √ | |
| Server Guard | √ | 〇 | |
| Anti-DDoS | √ | 〇 | |
| Mobile Security | √ | 〇 | |
| Support Center | √ | 〇 | |
4. What is a RAM-role?
A RAM-Role is a virtual user (shadow account) or a type of RAM user. This user has a fixed identity and can be granted policies. However, a RAM-Role must be assumed by an authorized real user.
5. Which operation permissions are granted to a new RAM-user?
By default, a new RAM user has no operation permissions. A RAM user represents an operator and must be explicitly authorized to perform any operation. The user can perform resource operations through the RAM console or APIs, only after being authorized.
6. What are authorization policies?
An authorization policy is a group of permissions described using Authorization Policy Language. It can precisely define the authorized resource set and operation set, as well as the authorization conditions.
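The conditional grant mentioned earlier on this page (operations on one ECS instance only when the request comes from a particular IP address), as an added example that is not Alibaba Cloud's code: a simplified Python model of how a policy's operation set, resource set and conditions combine, with no permissions by default and an explicit Deny taking precedence. The instance ID, region and IP ranges are constructed, and the evaluator is an illustration, not the RAM engine.

```python
import fnmatch
import ipaddress

# Constructed custom policy in RAM policy syntax: allow ECS operations on one
# instance only from one network, and deny instance deletion outright.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "acs:ecs:*:1234567890123456:instance/i-example001",
            "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}},
        },
        {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*"},
    ],
}

# Constructed resource name for the instance the policy targets.
INSTANCE = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-example001"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # "*" in a policy pattern matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    # Every condition key must be satisfied; anything unknown fails closed.
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if operator != "IpAddress" or key not in context:
                return False
            try:
                addr = ipaddress.ip_address(context[key])
            except ValueError:
                return False
            nets = [ipaddress.ip_network(n, strict=False) for n in _as_list(expected)]
            if not any(addr in net for net in nets):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_ok(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit deny wins over any allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

A user with no attached policies is evaluated with an empty policy list, which yields `ImplicitDeny` for every request.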
7. How do I view all system authorization policies supported by Alibaba Cloud?
To view all the system authorization policies supported by Alibaba Cloud, log on to the RAM console and go to the Authorization Policy Management page to view a list of all system authorization policies.
8. What is a RoleARN?
A RoleARN is the global resource descriptor that specifies a role. RoleARNs follow Alibaba Cloud’s ARN naming rules.
For example, the RoleARN for the “devops” role of an Alibaba Cloud account: acs:ram::1234567890123456:role/devops.
9. How do I delete an authorization policy with multiple versions?
Authorization policies which have been edited and saved multiple times will have several attached "versions". Once these have been deleted from the RAM console, the remaining "default" authorization policy can be deleted, which will completely remove the policy from your Alibaba Cloud account.
10. How do I assign commonly used permissions?
Alibaba Cloud provides System Authorization Policies, a set of commonly used permissions that you can attach to RAM users, groups, and roles. These policies are a group of comprehensive permission sets created and managed by Alibaba Cloud, such as read-only permission for ECS or full permissions for ECS. You can use these policies but not modify them.
11. How do I create a custom authorization policy?
1. Access the RAM console, select Policy Management and then Custom Policies.
2. Click “New Authorization Policy.”
3. Select a template from the list (for example, AliyunOSSReadOnlyAccess).
4. Edit the name, remarks, and content of the authorization policy as needed.
5. After making necessary changes, click “Add Policy” to create the custom authorization policy.
12. How do I attach an authorization policy to a group?
1. Log on to the RAM console and go to Group Management.
2. Select a group, and click “Authorize” to go to the Edit Authorization Policy page.
3. Select the name of the relevant authorization policy to grant permissions to the group.
13. How do I assign the same set of permissions to multiple RAM users?
You can attach authorization policies to RAM groups. All users in the group will be granted the permissions associated with the group.
14. What kinds of security credentials can RAM users have?
RAM users can access cloud services through APIs or by logging into the Alibaba Cloud Management console with the help of access keys. You can also enable Multi-Factor Authentication (MFA) which requires another verification code (second security factor provided by the user’s MFA device) after entering username and password. This provides another layer of security for your account.