All Products
Search

This Product

    Resource Access Management:Grant permissions to a RAM user

    Document Center

    Resource Access Management:Grant permissions to a RAM user

    Last Updated:May 08, 2024

    After you attach system policies or custom policies to a Resource Access Management (RAM) user, the RAM user can access the required Alibaba Cloud resources. We recommend that you grant only the required permissions to the RAM user based on the principle of least privilege.

    Limits

    For more information about the maximum numbers of system policies and custom policies that can be attached to each RAM user, see Limits.

    Method 1: Grant permissions to a RAM user on the Users page

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

      image

      You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

    4. In the Grant Permission panel, grant permissions to the RAM user.

      1. Configure the Resource Scope parameter.

      2. Configure the Principal parameter.

        The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

      3. Configure the Policy parameter.

        A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

        • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

          Note

          The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

        • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      4. Click Grant permissions.

    5. Click Close.

    Method 2: Grant permissions to a RAM user on the Grants page

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Permissions > Grants.

    3. On the Permission page, click Grant Permission.

      image

    4. In the Grant Permission panel, grant permissions to the RAM user.

      1. Configure the Resource Scope parameter.

      2. Configure the Principal parameter.

        The principal is the RAM user to which you want to grant permissions. You can select multiple RAM users at a time.

      3. Configure the Policy parameter.

        A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

        • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

          Note

          The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

        • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      4. Click Grant permissions.

    5. Click Close.