Before a Resource Access Management (RAM) user can call an API operation to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to attach the required permission policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).

The following table lists the RAM API operations that you can specify in the Action element and the ARN format that is used in the Resource element.

Action Resource
ram:CreateUser acs:ram:*:${AccountId}:user/*
ram:GetUser acs:ram:*:${AccountId}:user/${UserName}
ram:UpdateUser acs:ram:*:${AccountId}:user/${UserName}
ram:DeleteUser acs:ram:*:${AccountId}:user/${UserName}
ram:ListUsers acs:ram:*:${AccountId}:user/*
ram:CreateLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:GetLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:DeleteLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:UpdateLoginProfile acs:ram:*:${AccountId}:user/${UserName}
ram:CreateAccessKey acs:ram:*:${AccountId}:user/${UserName}
ram:UpdateAccessKey acs:ram:*:${AccountId}:user/${UserName}
ram:DeleteAccessKey acs:ram:*:${AccountId}:user/${UserName}
ram:ListAccessKeys acs:ram:*:${AccountId}:user/${UserName}
ram:CreateVirtualMFADevice acs:ram:*:${AccountId}:mfa/*
ram:ListVirtualMFADevices acs:ram:*:${AccountId}:mfa/*
ram:DeleteVirtualMFADevice ${SerialNumber}
ram:BindMFADevice acs:ram:*:${AccountId}:user/${UserName}
ram:UnbindMFADevice acs:ram:*:${AccountId}:user/${UserName}
ram:GetUserMFAInfo acs:ram:*:${AccountId}:user/${UserName}
ram:ChangePassword acs:ram:*:${AccountId}:user/${UserName}
ram:CreateGroup acs:ram:*:${AccountId}:group/*
ram:GetGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:UpdateGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:ListGroups acs:ram:*:${AccountId}:group/*
ram:DeleteGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:AddUserToGroup acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId}:group/${GroupName}
ram:RemoveUserFromGroup acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId}:group/${GroupName}
ram:ListGroupsForUser acs:ram:*:${AccountId}:user/${UserName}
ram:ListUsersForGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:CreateRole acs:ram:*:${AccountId}:role/*
ram:GetRole acs:ram:*:${AccountId}:role/${RoleName}
ram:UpdateRole acs:ram:*:${AccountId}:role/${RoleName}
ram:ListRoles acs:ram:*:${AccountId}:role/*
ram:DeleteRole acs:ram:*:${AccountId}:role/${RoleName}
ram:CreatePolicy acs:ram:*:${AccountId}:policy/*
ram:GetPolicy acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DeletePolicy acs:ram:*:${AccountId}:policy/${PolicyName}
ram:ListPolicies acs:ram:*:${AccountId}:policy/*
ram:CreatePolicyVersion acs:ram:*:${AccountId}:policy/${PolicyName}
ram:GetPolicyVersion acs:ram:*:${AccountId} or system:group/${PolicyName}
ram:DeletePolicyVersion acs:ram:*:${AccountId}:policy/${PolicyName}
ram:ListPolicyVersions acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:SetDefaultPolicyVersion acs:ram:*:${AccountId}:policy/${PolicyName}
ram:AttachPolicyToUser acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DetachPolicyFromUser acs:ram:*:${AccountId}:user/${UserName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:AttachPolicyToGroup acs:ram:*:${AccountId}:group/${GroupName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DetachPolicyFromGroup acs:ram:*:${AccountId}:group/${GroupName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:AttachPolicyToRole acs:ram:*:${AccountId}:role/${RoleName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:DetachPolicyFromRole acs:ram:*:${AccountId}:role/${RoleName}
acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:ListPoliciesForUser acs:ram:*:${AccountId}:user/{UserName}
ram:ListPoliciesForGroup acs:ram:*:${AccountId}:group/${GroupName}
ram:ListPoliciesForRole acs:ram:*:${AccountId}:role/${RoleName}
ram:ListEntitiesForPolicy acs:ram:*:${AccountId} or system:policy/${PolicyName}
ram:SetAccountAlias acs:ram:*:${AccountId}:*
ram:GetAccountAlias acs:ram:*:${AccountId}:*
ram:ClearAccountAlias acs:ram:*:${AccountId}:*
ram:SetPasswordPolicy acs:ram:*:${AccountId}:*
ram:GetPasswordPolicy acs:ram:*:${AccountId}:*
ram:SetSecurityPreference acs:ram:*:${AccountId}:*