Best Practice for Creating and Managing User Access Permissions

User access management is used by system administrators to control user access to network resources, and is implemented by granting users and groups access to specific objects.

Alibaba Cloud Resource Access Management (RAM) allows you to create and manage the Alibaba Cloud access permissions for employees, systems, applications, and other identities. RAM is supported on resources including ECS instances, networking services, database services, security, analytics, and more. In my last blog, I introduced the concept of RAM identities and gave an introduction to some of RAM's capabilities. This time, I'll show you how to get started by creating a RAM user with some specific permissions.

First, a few additional things it's useful to know:

  1. In RAM, permissions are specified by a statement within a "RAM policy", which allows or denies access to a specific Alibaba Cloud resource.
  2. A policy defines a set of permissions that are described based on the policy structure and syntax. A policy can accurately describe the authorized resource sets, authorized operation sets, and authorization conditions. You can attach one or more policies to RAM users, RAM user groups, or RAM roles.
  3. A RAM user has no permissions by default. Therefore, a new RAM user can manage resources only after the RAM user is granted the required permissions.
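
The policy structure described above (effect, authorized operations, authorized resources, conditions) can be checked mechanically before a policy is attached. The following is an added example, not code from the original post or from Alibaba Cloud: a small auditor that flags over-broad Allow statements. The two sample policies, the bucket name, and the CIDR range are constructed for illustration.

```python
import json

# Constructed sample policies in RAM policy syntax; bucket name and CIDR are placeholders.
BROAD_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

SCOPED_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["oss:GetObject", "oss:ListObjects"],
   "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
   "Condition": {
     "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
     "Bool": {"acs:SecureTransport": "true"}
   }
 }]}
""")


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        wild_actions = [a for a in as_list(stmt.get("Action"))
                        if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in as_list(stmt.get("Resource")) if r == "*"]
        for action in wild_actions:
            findings.append((i, f"wildcard action {action!r}"))
        if wild_resources:
            findings.append((i, "applies to all resources ('*')"))
        if (wild_actions or wild_resources) and not stmt.get("Condition"):
            findings.append((i, "wildcard grant has no Condition"))
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol))
```

The scoped policy passes cleanly because it names specific OSS actions, a single bucket, and conditions on source IP and HTTPS; the broad policy produces three findings.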

So now you're up to speed, let's get started and create some RAM users! You can follow the steps below on the Alibaba Cloud console to try RAM out for yourself.


Before you get started, make sure that you have an Alibaba Cloud account. To create an account, visit the account registration page.

Step 1: Create a RAM user

Follow these steps to create a RAM user:

  1. Visit the official website of Alibaba Cloud.
  2. Click Log In in the upper-right corner.
  3. Log on using your Alibaba Cloud account (root account).
  4. Click Console in the upper-right corner to open the management console.
  5. Click the menu icon in the upper-left corner to open the product list.
  6. Click Products, type ram in the search box, and then click Resource Access Management.
  7. On the left-side navigation pane, click Identities > Users, and then click Create User.
  8. Complete the details as follows:
  9. Click OK.

This action may require email verification. When you are prompted, check the inbox of your registered email address and enter the verification code to continue.

Follow the steps in this article to learn how to create and manage users by using the Alibaba Cloud Resource Access Management (RAM) service.

Related Blogs

Controlling User Permissions in the Cloud Era

This blog introduces the Alibaba Cloud Resource Access Management (RAM) service and provides some references for you to get started.

Imagine you are the system administrator of a large corporation that is sprawled across several offices and has a myriad of different functional departments. Each office location, department, and team has specific permissions that need to be granted to the members of these groups so that they have appropriate access to cloud resources.

Alibaba Cloud Resource Access Management (RAM) is a service that meets this requirement and more. It allows you to create and manage the Alibaba Cloud access permissions for employees, systems, applications, and other identities. And best of all, it is completely free to use!

With RAM, you can create multiple identities under one Alibaba Cloud account. This allows you to keep your Alibaba Cloud account and password strictly confidential in cases where multiple users in your enterprise need to collaboratively manage and access cloud resources. It also allows you to grant the users the minimum required permissions to ensure superior security.

See the RAM documentation for a full list of services that support RAM.

How RAM works

RAM works by using identities known as "RAM users". Each RAM user can represent a system, an application, or an individual user in your organization.

You can also create "RAM user groups", identities that contain multiple RAM users. RAM user groups allow you to set the access control of whole groups of staff members or systems. For example, you could group all staff in the marketing department into one RAM user group and then configure their permissions at one time.

It's worth pointing out that both RAM users and RAM user groups are "physical identities", in that the users have set username and password credentials that they use to log on to the Alibaba Cloud console. (They can also use an AccessKey pair.)

Interestingly, RAM also has non-physical, virtual roles, known as "RAM roles". These roles are identities to which permission policies are attached. However, RAM roles do not have logon passwords or AccessKey pairs. Instead, an entity user (Alibaba Cloud account, RAM users, or Alibaba Cloud services) assumes a RAM role, and the entity user can then obtain and use an STS token to access the authorized resources. RAM roles are divided into the following types based on the entrusted entity:

  1. Alibaba Cloud account: RAM users of a trusted Alibaba Cloud account can assume this type of RAM role. RAM users who assume this type of RAM role can belong to their parent Alibaba Cloud accounts or other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
  2. Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize Alibaba Cloud services to manage your resources.
  3. IdP: Users of a trusted IdP can assume this type of RAM role. The RAM roles of this type are used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.
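
The three role types above correspond to the principal named in a role's trust policy. The following is an added example, not code from the original post or from Alibaba Cloud: it classifies each trusted principal by role type and reports which roles can be assumed from outside your own account. The account IDs, role names, and IdP name are constructed placeholders.

```python
# Constructed trust policies; account IDs, role names and the IdP name are placeholders.
OWN_ACCOUNT = "1111111111111111"

def _trust(principal):
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]}

TRUST_POLICIES = {
    "cross-account-role": _trust({"RAM": ["acs:ram::2222222222222222:root"]}),
    "ecs-service-role": _trust({"Service": ["ecs.aliyuncs.com"]}),
    "sso-role": _trust(
        {"Federated": ["acs:ram::1111111111111111:saml-provider/example-idp"]}),
}

# Principal key in the trust policy -> role type as named in the list above.
ROLE_TYPES = {"RAM": "Alibaba Cloud account",
              "Service": "Alibaba Cloud service",
              "Federated": "IdP"}


def trusted_entities(trust_policy, own_account):
    """Return (role_type, principal, is_external) for every trusted principal."""
    entities = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for key, principals in stmt.get("Principal", {}).items():
            if isinstance(principals, str):
                principals = [principals]
            for principal in principals:
                # ARN form is acs:ram::<account-id>:<entity>; services are host names.
                parts = principal.split(":")
                account = parts[3] if len(parts) >= 5 and parts[0] == "acs" else None
                external = account is not None and account != own_account
                entities.append((ROLE_TYPES.get(key, "unknown"), principal, external))
    return entities


def externally_assumable(policies, own_account):
    """Names of roles that trust a principal in another Alibaba Cloud account."""
    return sorted(name for name, policy in policies.items()
                  if any(ext for _, _, ext in trusted_entities(policy, own_account)))


if __name__ == "__main__":
    for name, policy in TRUST_POLICIES.items():
        print(name, trusted_entities(policy, OWN_ACCOUNT))
    print("external:", externally_assumable(TRUST_POLICIES, OWN_ACCOUNT))
```

Roles reported as externally assumable are the ones to review first, since any permission attached to them is reachable from an account you do not control.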

As mentioned earlier, RAM is free of charge for Alibaba Cloud users. One thing worth noting though is that all costs incurred by the identities under an Alibaba Cloud account are charged to that Alibaba Cloud account. Always be careful about granting permission to users for creating and modifying the configurations of your cloud resources so you aren't hit with any unexpected bills.


RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. The following is a list of RAM features:

  1. You can manage RAM users and their AccessKey pairs. You can also enable multi-factor authentication (MFA) for RAM users.
  2. You can manage the permissions of RAM users to access Alibaba Cloud resources.
  3. You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP addresses.
  4. You can manage instances and data that are created by RAM users. For an enterprise, RAM ensures that the instances and data created by RAM users are still available even if the users leave the organization.
  5. You can use single sign-on (SSO) services. Alibaba Cloud provides two types of SSO service for identity providers (IdPs): user-based SSO and role-based SSO.

Log on to Alibaba Cloud Using Internal Enterprise Accounts with RAM Single Sign-On

Resource Access Management SSO is now available for public use, allowing users to use their organization's account authentication mechanism to log on to Alibaba Cloud.

Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users and securely control their access to your resources through permission levels. With RAM, you can easily create and manage users, including employees and apps developed by your enterprise. You can control the access permissions of these users for cloud resources, allowing for collaborative work while protecting your account from any unsolicited access.

The ability to protect cloud resources and mitigate risks is necessary to ensure successful enterprise cloud migration. In various cloud-native app scenarios, RAM provides customers with diversified access control mechanisms and enables enterprises to implement the principle of least privilege across full-stack systems such as DevOps, computing environment, apps, and data access. These benefits reduce the exposure to attack of cloud resources and effectively control the information security risks involved in enterprise cloud migration.

RAM has provided identity security and access management services to over 100,000 enterprise customers. Based on the Attribute Based Access Control (ABAC) security model, RAM provides customers with fine-grained access control over cloud resources and supports the following cloud-native app scenarios:

  1. User management and resource authorization
  2. Resource authorization across cloud accounts
  3. Resource authorization across cloud services
  4. Temporary access authorization for mobile apps
  5. Dynamic identity management and resource authorization for apps deployed on the cloud

Recently, the RAM Single Sign-On (SSO) function was released to support a new scenario: logging on to Alibaba Cloud using internal enterprise accounts.

SSO Scenario Overview

Let's assume that your enterprise has deployed a local domain account system, such as Microsoft AD or AD FS. To meet the enterprise's security management and compliance requirements, all employees must pass a unified identity verification of the enterprise domain account system before they can perform any operations on resources, including cloud resources. In this case, employees are prohibited from using independent user accounts and passwords to directly operate on cloud resources. To meet the security and compliance requirements, a similar security capability is required from the cloud service provider.

Alibaba Cloud RAM supports the Security Assertion Markup Language 2.0 (SAML 2.0) standard for identity federation, which is widely used by enterprise-level identity providers (IdPs). By activating the RAM user federated Single Sign-On (SSO) service under the cloud account, you can use internal enterprise accounts to log on to Alibaba Cloud.

Related Documentation

User management - MaxCompute

Any user, except the project owner, must be added to the MaxCompute project and granted the corresponding permissions to manage data, jobs, resources, and functions in MaxCompute. This article describes how a project owner can add, authorize, and remove other users, including RAM sub-accounts to MaxCompute.

If you are a project owner, we recommend that you read this article carefully. If you are a typical user, we recommend that you submit an application to the project owner to be added to the corresponding project. We recommend that all users read the subsequent sections.

All the operations mentioned in this article are executed on the console. For Linux, run ./bin/odpscmd and for Windows, run ./bin/odpscmd.bat.

Add a user

In this example, the project owner, Alice, wants to authorize another user, so she must first add the user to the project. Only a user who has been added to the project can be authorized.

The command to add a user is as follows:

add user

The of an Alibaba Cloud account is a valid email address registered with Alibaba Cloud, or a RAM sub-account of an Alibaba Cloud account that runs the command. For example:

add user ALIYUN$odps_test_user@aliyun.com;
add user RAM$ram_test_user;

Assume that the Alibaba Cloud account of Alice is alice@aliyun.com. When Alice runs these statements, the following results are returned by running the list users; command:


This indicates that the Alibaba Cloud account odps_test_user@aliyun.com and the sub-account ram_test_user created by Alice using RAM have been added to the project.

Permission management

This topic describes how to perform simple permission management through ossbrowser.

Log on to ossbrowser as a RAM user

For data security, we recommend that you use the AccessKey pair of a RAM user to log on to ossbrowser.

RAM users can be classified into two types based on their permissions:

  1. Administrator RAM user: a RAM user with administrative permissions. For example, a RAM user that can manage all buckets and authorize other RAM users is an administrator RAM user. You can log on to the RAM console with your Alibaba Cloud account to create an administrator RAM user and grant permissions to the user, as shown in the following figure.
  2. Operator RAM user: a RAM user with the read-only permission on a bucket or directory. Administrator RAM users can use the simple policy function to authorize RAM users. For more information, see the Grant permissions with a simple policy section.
