This topic describes how to assign Role-based Access Control (RBAC) roles to RAM users.


  • You have an Alibaba Cloud account with one or more RAM users.
  • RBAC roles can be assigned only by using an Alibaba Cloud account, and only to RAM users within that account. If you are a RAM user, you cannot assign RBAC roles to other RAM users.
  • For security reasons, you cannot modify RAM permissions in the Alibaba Cloud Service Mesh (ASM) console. If you need to modify RAM permissions while you authorize RAM users on the Authorization page of the ASM console, go to the RAM console and modify the permissions that are granted to the RAM users there, based on the sample policy content and operation notes on the page.


  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Authorization.
  3. On the Authorization page, find the RAM user that you want to authorize and click Authorize in the Actions column.
  4. Assign a preset RBAC role to the RAM user for each ASM instance and click Submit.
    The following table describes the preset RBAC roles.
    | Role               | RBAC permissions on cluster resources                                                              |
    |--------------------|----------------------------------------------------------------------------------------------------|
    | Mesh administrator | Has read and write permissions on all resources in all namespaces.                                 |
    | Restricted user    | Has read-only permissions on resources visible to the ASM console in all or specific namespaces.   |
    | Unauthorized       | Has no read or write permissions on any resources in any namespace.                                |