Before a Resource Access Management (RAM) user calls the API operations of Identity Management Service (IMS) to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create and attach the required policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).
The following list describes the variables that you can specify in a policy. Replace the variables with actual values.
- <account-id>: the ID of an Alibaba Cloud account
- <user-name>: the username of a RAM user
- <group-name>: the name of a RAM user group
- <saml-provider-name>: the name of an identity provider (IdP)
- <serial-number>: the serial number of a virtual multi-factor authentication (MFA) device
User management
The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for user management.
Action | Resource |
---|---|
ram:CreateUser | acs:ram:*:<account-id>:user/* |
ram:GetUser | acs:ram:*:<account-id>:user/<user-name> |
ram:UpdateUser | acs:ram:*:<account-id>:user/<user-name> |
ram:DeleteUser | acs:ram:*:<account-id>:user/<user-name> |
ram:ListUsers | acs:ram:*:<account-id>:user/* |
ram:ListUserBasicInfos | acs:ram:*:<account-id>:user/* |
ram:CreateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:GetLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:UpdateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:DeleteLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:CreateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
ram:UpdateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
ram:DeleteAccessKey | acs:ram:*:<account-id>:user/<user-name> |
ram:ListAccessKeys | acs:ram:*:<account-id>:user/<user-name> |
ram:GetAccessKeyLastUsed | acs:ram:*:<account-id>:user/<user-name> |
ram:CreateVirtualMFADevice | acs:ram:*:<account-id>:mfa/* |
ram:ListVirtualMFADevices | acs:ram:*:<account-id>:mfa/* |
ram:DeleteVirtualMFADevice | acs:ram:*:<account-id>:mfa/<serial-number> |
ram:DisableVirtualMFA | acs:ram:*:<account-id>:user/<user-name> |
ram:BindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
ram:UnbindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
ram:GetAccountMFAInfo | acs:ram:*:<account-id>:* |
ram:GetUserMFAInfo | acs:ram:*:<account-id>:user/<user-name> |
ram:GetAccountSummary | acs:ram:*:<account-id>:* |
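As an added example (not part of the Alibaba Cloud documentation), the following Python builds a least-privilege policy from the user-management actions above, scoped to a single user's ARN, and runs a simplified allow/deny check against it. The account ID, the username and the pattern-matching rules are assumptions for illustration, not the behaviour of the RAM authorization engine.

```python
# Added example: a self-service RAM policy for IMS credential actions plus a
# simplified evaluator. Account ID and username are constructed placeholders.
import fnmatch
import json

ACCOUNT_ID = "123456789012345678"   # constructed placeholder <account-id>
USER = "alice"                      # constructed placeholder <user-name>


def user_arn(account_id, user_name):
    """Build a user ARN in the format used by the Resource column above."""
    return f"acs:ram:*:{account_id}:user/{user_name}"


def self_service_policy(account_id, user_name):
    """Allow one RAM user to manage only its own access keys and MFA binding."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ram:ListAccessKeys", "ram:CreateAccessKey",
                       "ram:UpdateAccessKey", "ram:DeleteAccessKey",
                       "ram:GetAccessKeyLastUsed", "ram:BindMFADevice"],
            "Resource": user_arn(account_id, user_name),
        }],
    }


def _matches(pattern, value):
    # Assumption: only '*' is a wildcard; escape fnmatch's '?' and '[' so
    # they are treated as literal characters.
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, else any Allow, else deny."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    policy = self_service_policy(ACCOUNT_ID, USER)
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, "ram:CreateAccessKey", user_arn(ACCOUNT_ID, "alice")))  # True
    print(is_allowed(policy, "ram:CreateAccessKey", user_arn(ACCOUNT_ID, "bob")))    # False
```

The second check shows why the Resource element should name `<user-name>` rather than `user/*`: with the narrower ARN the policy cannot be used to create keys for another user.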
User group management
The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for user group management.
Action | Resource |
---|---|
ram:CreateGroup | acs:ram:*:<account-id>:group/* |
ram:GetGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:UpdateGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:DeleteGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:ListGroups | acs:ram:*:<account-id>:group/* |
ram:AddUserToGroup | |
ram:RemoveUserFromGroup | |
ram:ListUsersForGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:ListGroupsForUser | acs:ram:*:<account-id>:user/<user-name> |
SSO management
The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for single sign-on (SSO) management.
Action | Resource |
---|---|
ram:SetUserSsoSettings | acs:ram:*:<account-id>:* |
ram:GetUserSsoSettings | acs:ram:*:<account-id>:* |
ram:CreateSAMLProvider | acs:ram:*:<account-id>:saml-provider/* |
ram:GetSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
ram:UpdateSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
ram:ListSAMLProviders | acs:ram:*:<account-id>:saml-provider/* |
ram:DeleteSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
Security settings
The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for security settings.
Action | Resource |
---|---|
ram:SetPasswordPolicy | acs:ram:*:<account-id>:* |
ram:GetPasswordPolicy | acs:ram:*:<account-id>:* |
ram:SetSecurityPreference | acs:ram:*:<account-id>:* |
ram:GetSecurityPreference | acs:ram:*:<account-id>:* |
ram:SetDefaultDomain | acs:ram:*:<account-id>:* |
ram:GetDefaultDomain | acs:ram:*:<account-id>:* |
ram:GenerateCredentialReport | acs:ram:*:<account-id>:* |
ram:GetCredentialReport | acs:ram:*:<account-id>:* |
ram:GetAccountSecurityPracticeReport | acs:ram:*:<account-id>:* |