×
Community Blog Resource Access Management (RAM): Controlling User Permissions

Resource Access Management (RAM): Controlling User Permissions

This blog shows Alibaba Cloud Resource Access Management (RAM) service and how to get started by creating a RAM user with some specific permissions.

Controlling User Permissions in the Cloud Era

Consider yourself the machine administrator in a multinational organization with many branches and a plethora of various operating divisions. Special approvals must be given to representatives of each office area, department, and team in order for them to have sufficient access to cloud services.

Alibaba Cloud Resource Access Management (RAM) is a service that meets this requirement and more. It allows you to create and manage the Alibaba Cloud access permissions for employees, systems, applications, and other identities. And best of all, it is completely free to use!

With RAM, you can create multiple identities under one Alibaba Cloud account. This allows you to keep your Alibaba Cloud account and password strictly confidential in cases where multiple users in your enterprise need to collaboratively manage and access cloud resources. It also allows you to grant the users the minimum required permissions to ensure superior security.

How RAM works

RAM works by using identities knows as "RAM users". Each RAM user can represent a system, an application, or an individual user in your organization.

You can also create "RAM user groups", identities that contain multiple RAM users. RAM user groups allow you to set the access control of whole groups of staff members or systems. For example, you could group all staff in the marketing department into one RAM user group and then configure their permissions at one time.

It's worth pointing out that both RAM users and RAM user groups are "physical identities", in that the users have set username and password credentials that they use to log on to the Alibaba Cloud console. (They can also use an AccessKey pair.)

Interestingly, RAM also has non-physical, virtual roles, known as "RAM roles". These roles are identities to which permission policies are attached. However, RAM roles do not have logon passwords or AccessKey pairs. Instead, an entity user (Alibaba Cloud account, RAM users, or Alibaba Cloud services) assumes a RAM role, and the entity user can then obtain and use an STS token to access the authorized resources. RAM roles are divided into the following types based on the entrusted entity:

  1. Alibaba Cloud account: RAM users of a trusted Alibaba Cloud account can assume this type of RAM role. RAM users who assume this type of RAM role can belong to their parent Alibaba Cloud accounts or other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
  2. Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize Alibaba Cloud services to manage your resources.
  3. IdP: Users of a trusted IdP can assume this type of RAM role. The RAM roles of this type are used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.

As mentioned earlier, RAM is free of charge for Alibaba Cloud users. One thing worth noting though is that all costs incurred by the identities under an Alibaba Cloud account are charged to that Alibaba Cloud account. Always be careful about granting permission to users for creating and modifying the configurations of your cloud resources so you aren't hit with any unexpected bills.

Features

RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. The following is a list of RAM features:

  1. You can manage RAM users and their AccessKey pairs. You can also enable multi-factor authentication (MFA) for RAM users.
  2. You can manage the permissions of RAM users to access Alibaba Cloud resources.
  3. You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP addresses.
  4. You can manage instances and data that are created by RAM users. For an enterprise, RAM ensures that the instances and data created by RAM users are still available even if the users leave the organization.
  5. You can use single sign-on (SSO) services. Alibaba Cloud provides two types of SSO service for identity providers (IdPs): user-based SSO and role-based SSO.

Getting Started with User Permission Management on Alibaba Cloud

Alibaba Cloud Resource Access Management (RAM) allows you to create and manage the Alibaba Cloud access permissions for employees, systems, applications, and other identities. RAM is supported on resources including ECS instances, networking services, database services, security, analytics, and more. This time, I'll show you how to get started by creating a RAM user with some specific permissions.

First, a few additional things it's useful to know:

  1. In RAM, permissions are specified by a statement within a "RAM policy", which allows or denies access to a specific Alibaba Cloud resource.
  2. A policy defines a set of permissions that are described based on the policy structure and syntax. A policy can accurately describe the authorized resource sets, authorized operation sets, and authorization conditions. You can attach one or more policies to RAM users, RAM user groups, or RAM roles.
  3. A RAM user has no permissions by default. Therefore, a new RAM user can manage resources only after the RAM user is granted the required permissions.

Related Products

Resource Access Management

Alibaba Cloud Resource Access Management (RAM) is an identity and access control service which enables you to centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects from any unsolicited access to your account.

Related Documentation

Use RAM to manage user permissions and resources

This topic describes how an enterprise that has multiple cloud resources can use Resource Access Management (RAM) to manage user permissions to access the cloud resources.

Use RAM to maintain security of your Alibaba Cloud resources

This topic describes how to apply access and security settings to your Alibaba Cloud resources by using RAM. This allows you to better manage resource permissions with fine-grained access control.

Related Course

Why Do We Need RAM User And Role?

Introduce the RAM service of Alibaba Cloud and demo for creating RAM user and RAM role and how to switch from a RAM user to a RAM role.

0 0 0
Share on

Alibaba Clouder

2,630 posts | 656 followers

You may also like

Comments