This topic describes the API operations that can be authorized in Resource Access Management (RAM) and the Alibaba Cloud Resource Name (ARN) format of the resources involved in each API operation.

Before a user calls an API operation to access the resources that belong to an Alibaba Cloud account, RAM checks whether the resource owner has granted the required permissions to the user. RAM checks the permissions based on the function and involved resources of each API operation.

The following table describes the API operations that can be authorized in RAM and the ARN format of the resources involved in each API operation.

Operation ARN format
ram:CreateUser acs:ram:*:${AccountId}:user/*
ram:GetUser acs:ram:*:${AccountId}:user/${UserName}
ram:UpdateUser acs:ram:*:${AccountId}:user/${UserName}
ram:DeleteUser acs:ram:*:${AccountId}:user/${UserName}
ram:ListUsers acs:ram:*:${AccountId}:user/*
ram:CreateLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:GetLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:DeleteLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:UpdateLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:CreateAccessKey acs:ram:*:${AccountId}:user/${UserName}
ram:UpdateAccessKey acs:ram:*:${AccountId}:user/${UserName}
ram:DeleteAccessKey acs:ram:*:${AccountId}:user/${UserName}
ram:ListAccessKeys acs:ram:*:${AccountId}:user/${UserName}
ram:CreateVirtualMFADevice acs:ram:*:${AccountId}:mfa/*
ram:ListVirtualMFADevices acs:ram:*:${AccountId}:mfa/*
ram:DeleteVirtualMFADevice ${SerialNumber}
ram:BindMFADevice acs:ram:*:${AccountId}:user/${UserName}
ram:UnbindMFADevice acs:ram:*:${AccountId}:user/${UserName}
ram:GetUserMFAInfo acs:ram:*:${AccountId}:user/${UserName}
ram:ChangePassword acs:ram:*:${AccountId}:user/${UserName}
ram:CreateGroup acs:ram:*:${AccountId}:group/*
ram:GetGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:UpdateGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:ListGroups acs:ram:*:${AccountId}:group/*
ram:DeleteGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:AddUserToGroup acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId}:group/${GroupName}
ram:RemoveUserFromGroup acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId}:group/${GroupName}
ram:ListGroupsForUser acs:ram:*:${AccountId}:user/${UserName}
ram:ListUsersForGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:CreateRole acs:ram:*:${AccountId}:role/*
ram:GetRole acs:ram:*:${AccountId}:role/${RoleName}
ram:UpdateRole acs:ram:*:${AccountId}:role/${RoleName}
ram:ListRoles acs:ram:*:${AccountId}:role/*
ram:DeleteRole acs:ram:*:${AccountId}:role/${RoleName}
ram:CreatePolicy acs:ram:*:${AccountId}:policy/*
ram:GetPolicy acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DeletePolicy acs:ram:*:${AccountId}:policy/${PolicyName}
ram:ListPolicies acs:ram:*:${AccountId}:policy/*
ram:CreatePolicyVersion acs:ram:*:${AccountId}:policy/${PolicyName}
ram:GetPolicyVersion acs:ram:*:${AccountId} or system:group/${PolicyName}
ram:DeletePolicyVersion acs:ram:*:${AccountId}:policy/${PolicyName}
ram:ListPolicyVersions acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:SetDefaultPolicyVersion acs:ram:*:${AccountId}:policy/${PolicyName}
ram:AttachPolicyToUser acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DetachPolicyFromUser acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:AttachPolicyToGroup acs:ram:*:${AccountId}:group/${GroupName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DetachPolicyFromGroup acs:ram:*:${AccountId}:group/${GroupName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:AttachPolicyToRole acs:ram:*:${AccountId}:role/${RoleName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DetachPolicyFromRole acs:ram:*:${AccountId}:role/${RoleName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:ListPoliciesForUser acs:ram:*:${AccountId}:user/{UserName}
ram:ListPoliciesForGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:ListPoliciesForRole acs:ram:*:${AccountId}:role/${RoleName}
ram:ListEntitiesForPolicy acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:SetAccountAlias acs:ram:*:${AccountId}:*
ram:GetAccountAlias acs:ram:*:${AccountId}:*
ram:ClearAccountAlias acs:ram:*:${AccountId}:*
ram:SetPasswordPolicy acs:ram:*:${AccountId}:*
ram:GetPasswordPolicy acs:ram:*:${AccountId}:*
ram:SetSecurityPreference acs:ram:*:${AccountId}:*