Before a Resource Access Management (RAM) user calls the API operations of Identity Management Service (IMS) to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to attach the required policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).

User management

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for user management.

Action Resource
ims:CreateUser acs:ims::${AccountId}:user/*
ims:GetUser acs:ims::${AccountId}:user/${UserName}
ims:UpdateUser acs:ims::${AccountId}:user/${UserName}
ims:DeleteUser acs:ims::${AccountId}:user/${UserName}
ims:ListUsers acs:ims::${AccountId}:user/*
ims:ListUserBasicInfos acs:ims::${AccountId}:user/*
ims:CreateLoginProfile acs:ims::${AccountId}:user/${UserName}
ims:GetLoginProfile acs:ims::${AccountId}:user/${UserName}
ims:UpdateLoginProfile acs:ims::${AccountId}:user/${UserName}
ims:DeleteLoginProfile acs:ims::${AccountId}:user/${UserName}
ims:CreateAccessKey acs:ims::${AccountId}:user/${UserName}
ims:UpdateAccessKey acs:ims::${AccountId}:user/${UserName}
ims:DeleteAccessKey acs:ims::${AccountId}:user/${UserName}
ims:ListAccessKeys acs:ims::${AccountId}:user/${UserName}
ims:GetAccessKeyLastUsed acs:ims::${AccountId}:user/${UserName}
ims:CreateVirtualMFADevice acs:ims::${AccountId}:mfa/*
ims:ListVirtualMFADevices acs:ims::${AccountId}:mfa/*
ims:DeleteVirtualMFADevice ${SerialNumber}
ims:DisableVirtualMFA acs:ims::${AccountId}:user/${UserName}
ims:BindMFADevice acs:ims::${AccountId}:user/${UserName}
ims:UnbindMFADevice acs:ims::${AccountId}:user/${UserName}
ims:GetAccountMFAInfo acs:ims::${AccountId}:*
ims:GetUserMFAInfo acs:ims::${AccountId}:user/${UserName}
ims:GetAccountSummary acs:ims::${AccountId}:*
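The ARN formats above are what let a policy be scoped to one RAM user rather than to every user in the account. The following Python script is an added example, not code from the Alibaba Cloud documentation: it renders a least-privilege "manage my own credentials" policy for a single RAM user from the user-management ARN formats, and then checks a policy for Allow statements whose Resource glob would also match another user's ARN for the same action (for example `user/*` or `*` granted to `ims:DeleteAccessKey`). The policy document shape (`"Version": "1"` with a `Statement` list) is the RAM policy format; the account ID and user names are constructed sample values, and `find_overbroad_grants` is a hypothetical helper, not an Alibaba Cloud API. The check goes slightly beyond the table in that it treats any Resource value as a glob, so prefix wildcards such as `user/alice*` are also flagged.

```python
"""Added example (not from the Alibaba Cloud documentation): render a
least-privilege IMS policy for one RAM user from the ARN formats in the
user-management table, then check a policy for Resource grants that are
broader than the action's ARN format requires."""
import fnmatch
import json

# Action -> Resource ARN format, copied from the user-management table above.
# Only the operations a self-service "manage my own credentials" policy needs.
ARN_TEMPLATES = {
    "ims:GetUser": "acs:ims::${AccountId}:user/${UserName}",
    "ims:CreateAccessKey": "acs:ims::${AccountId}:user/${UserName}",
    "ims:UpdateAccessKey": "acs:ims::${AccountId}:user/${UserName}",
    "ims:DeleteAccessKey": "acs:ims::${AccountId}:user/${UserName}",
    "ims:ListAccessKeys": "acs:ims::${AccountId}:user/${UserName}",
    "ims:GetAccessKeyLastUsed": "acs:ims::${AccountId}:user/${UserName}",
    "ims:GetUserMFAInfo": "acs:ims::${AccountId}:user/${UserName}",
    "ims:BindMFADevice": "acs:ims::${AccountId}:user/${UserName}",
    "ims:UnbindMFADevice": "acs:ims::${AccountId}:user/${UserName}",
    "ims:CreateVirtualMFADevice": "acs:ims::${AccountId}:mfa/*",
}


def render_arn(template, account_id, user_name=None):
    """Fill the ${AccountId} and ${UserName} placeholders of an ARN format."""
    arn = template.replace("${AccountId}", account_id)
    if "${UserName}" in arn:
        if user_name is None:
            raise ValueError("this ARN format requires a user name: " + template)
        arn = arn.replace("${UserName}", user_name)
    return arn


def build_self_service_policy(account_id, user_name):
    """Return a RAM policy document granting `user_name` the actions in
    ARN_TEMPLATES, each scoped to the narrowest resource its ARN format allows."""
    # Group actions by their rendered resource so each statement lists one ARN.
    by_resource = {}
    for action, template in ARN_TEMPLATES.items():
        arn = render_arn(template, account_id, user_name)
        by_resource.setdefault(arn, []).append(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": [resource]}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "1", "Statement": statements}


def _as_list(value):
    """RAM policies accept a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy, account_id, intended_user):
    """Return (action, resource) pairs in Allow statements where the Resource glob
    also matches the same action's ARN for a user other than `intended_user`.
    Actions whose ARN format is already a wildcard (for example mfa/*) cannot be
    narrowed per user and are skipped. Hypothetical helper, not an Alibaba Cloud API."""
    # A probe user name that cannot equal the intended user: if a grant matches
    # this ARN, it also covers users other than the intended one.
    probe_user = intended_user + "-someone-else"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            template = ARN_TEMPLATES.get(action)
            if template is None or "${UserName}" not in template:
                continue
            probe_arn = render_arn(template, account_id, probe_user)
            for resource in _as_list(stmt.get("Resource", [])):
                # Treat the Resource value as a glob, as RAM does with "*".
                if fnmatch.fnmatchcase(probe_arn, resource):
                    findings.append((action, resource))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real account or user.
    policy = build_self_service_policy("1234567890123456", "alice")
    print(json.dumps(policy, indent=2))
    print("over-broad grants:", find_overbroad_grants(policy, "1234567890123456", "alice"))
```

Running the script prints a two-statement policy: one statement for `ims:CreateVirtualMFADevice` on `acs:ims::1234567890123456:mfa/*` (the only scope that action supports) and one for the nine user-scoped actions on `acs:ims::1234567890123456:user/alice`, with no over-broad findings. Feeding the checker a policy that grants `ims:DeleteAccessKey` on `user/*` reports that pair, which is the grant to tighten before attaching the policy.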

User group management

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for user group management.

Action Resource
ims:CreateGroup acs:ims::${AccountId}:group/*
ims:GetGroup acs:ims::${AccountId}:group/${GroupName}
ims:UpdateGroup acs:ims::${AccountId}:group/${GroupName}
ims:DeleteGroup acs:ims::${AccountId}:group/${GroupName}
ims:ListGroups acs:ims::${AccountId}:group/*
ims:AddUserToGroup
  • acs:ims::${AccountId}:user/${UserName}
  • acs:ims::${AccountId}:group/${GroupName}
ims:RemoveUserFromGroup
  • acs:ims::${AccountId}:user/${UserName}
  • acs:ims::${AccountId}:group/${GroupName}
ims:ListUsersForGroup acs:ims::${AccountId}:group/${GroupName}
ims:ListGroupsForUser acs:ims::${AccountId}:user/${UserName}

SSO management

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for single sign-on (SSO) management.

Action Resource
ims:SetUserSsoSettings acs:ims::${AccountId}:*
ims:GetUserSsoSettings acs:ims::${AccountId}:*
ims:CreateSAMLProvider acs:ims::${AccountId}:saml-provider/*
ims:GetSAMLProvider acs:ims::${AccountId}:saml-provider/${SamlProviderName}
ims:UpdateSAMLProvider acs:ims::${AccountId}:saml-provider/${SamlProviderName}
ims:ListSAMLProviders acs:ims::${AccountId}:saml-provider/*
ims:DeleteSAMLProvider acs:ims::${AccountId}:saml-provider/${SamlProviderName}

Security settings

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for security settings.

Action Resource
ims:SetPasswordPolicy acs:ims::${AccountId}:*
ims:GetPasswordPolicy acs:ims::${AccountId}:*
ims:SetSecurityPreference acs:ims::${AccountId}:*
ims:GetSecurityPreference acs:ims::${AccountId}:*
ims:SetDefaultDomain acs:ims::${AccountId}:*
ims:GetDefaultDomain acs:ims::${AccountId}:*
ims:GenerateCredentialReport acs:ims::${AccountId}:*
ims:GetCredentialReport acs:ims::${AccountId}:*
ims:GetAccountSecurityPracticeReport acs:ims::${AccountId}:*