Before a Resource Access Management (RAM) user can call the API operations of Identity Management Service (IMS) on the resources of an Alibaba Cloud account, the Alibaba Cloud account must create a policy that grants the required permissions and attach it to the RAM user. In the policy, the Action element lists the authorized API operations and the Resource element lists the authorized resources, each identified by its Alibaba Cloud Resource Name (ARN). Where the tables below show an ARN that names a specific resource (for example user/<user-name>), scope the Resource element to that resource rather than to a wildcard; a wildcard such as user/* grants the operation on every resource of that type in the account.

The ARN formats in the following tables use these placeholders. Replace each placeholder with an actual value when you write the policy.

  • <account-id>: the ID of an Alibaba Cloud account
  • <user-name>: the username of a RAM user
  • <group-name>: the name of a RAM user group
  • <saml-provider-name>: the name of an identity provider (IdP)
  • <serial-number>: the serial number of a virtual multi-factor authentication (MFA) device

User management

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for user management.

Action Resource
ram:CreateUser acs:ram:*:<account-id>:user/*
ram:GetUser acs:ram:*:<account-id>:user/<user-name>
ram:UpdateUser acs:ram:*:<account-id>:user/<user-name>
ram:DeleteUser acs:ram:*:<account-id>:user/<user-name>
ram:ListUsers acs:ram:*:<account-id>:user/*
ram:ListUserBasicInfos acs:ram:*:<account-id>:user/*
ram:CreateLoginProfile acs:ram:*:<account-id>:user/<user-name>
ram:GetLoginProfile acs:ram:*:<account-id>:user/<user-name>
ram:UpdateLoginProfile acs:ram:*:<account-id>:user/<user-name>
ram:DeleteLoginProfile acs:ram:*:<account-id>:user/<user-name>
ram:CreateAccessKey acs:ram:*:<account-id>:user/<user-name>
ram:UpdateAccessKey acs:ram:*:<account-id>:user/<user-name>
ram:DeleteAccessKey acs:ram:*:<account-id>:user/<user-name>
ram:ListAccessKeys acs:ram:*:<account-id>:user/<user-name>
ram:GetAccessKeyLastUsed acs:ram:*:<account-id>:user/<user-name>
ram:CreateVirtualMFADevice acs:ram:*:<account-id>:mfa/*
ram:ListVirtualMFADevices acs:ram:*:<account-id>:mfa/*
ram:DeleteVirtualMFADevice acs:ram:*:<account-id>:mfa/<serial-number>
ram:DisableVirtualMFA acs:ram:*:<account-id>:user/<user-name>
ram:BindMFADevice acs:ram:*:<account-id>:user/<user-name>
ram:UnbindMFADevice acs:ram:*:<account-id>:user/<user-name>
ram:GetAccountMFAInfo acs:ram:*:<account-id>:*
ram:GetUserMFAInfo acs:ram:*:<account-id>:user/<user-name>
ram:GetAccountSummary acs:ram:*:<account-id>:*

User group management

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for user group management.

Action Resource
ram:CreateGroup acs:ram:*:<account-id>:group/*
ram:GetGroup acs:ram:*:<account-id>:group/<group-name>
ram:UpdateGroup acs:ram:*:<account-id>:group/<group-name>
ram:DeleteGroup acs:ram:*:<account-id>:group/<group-name>
ram:ListGroups acs:ram:*:<account-id>:group/*
ram:AddUserToGroup
  • acs:ram:*:<account-id>:user/<user-name>
  • acs:ram:*:<account-id>:group/<group-name>
ram:RemoveUserFromGroup
  • acs:ram:*:<account-id>:user/<user-name>
  • acs:ram:*:<account-id>:group/<group-name>
ram:ListUsersForGroup acs:ram:*:<account-id>:group/<group-name>
ram:ListGroupsForUser acs:ram:*:<account-id>:user/<user-name>

SSO management

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for single sign-on (SSO) management.

Action Resource
ram:SetUserSsoSettings acs:ram:*:<account-id>:*
ram:GetUserSsoSettings acs:ram:*:<account-id>:*
ram:CreateSAMLProvider acs:ram:*:<account-id>:saml-provider/*
ram:GetSAMLProvider acs:ram:*:<account-id>:saml-provider/<saml-provider-name>
ram:UpdateSAMLProvider acs:ram:*:<account-id>:saml-provider/<saml-provider-name>
ram:ListSAMLProviders acs:ram:*:<account-id>:saml-provider/*
ram:DeleteSAMLProvider acs:ram:*:<account-id>:saml-provider/<saml-provider-name>

Security settings

The following table lists the API operations that you can specify in the Action element and the ARN format that is used in the Resource element for security settings.

Action Resource
ram:SetPasswordPolicy acs:ram:*:<account-id>:*
ram:GetPasswordPolicy acs:ram:*:<account-id>:*
ram:SetSecurityPreference acs:ram:*:<account-id>:*
ram:GetSecurityPreference acs:ram:*:<account-id>:*
ram:SetDefaultDomain acs:ram:*:<account-id>:*
ram:GetDefaultDomain acs:ram:*:<account-id>:*
ram:GenerateCredentialReport acs:ram:*:<account-id>:*
ram:GetCredentialReport acs:ram:*:<account-id>:*
ram:GetAccountSecurityPracticeReport acs:ram:*:<account-id>:*
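The four tables above are a lookup: to apply them, check each Allow statement's Resource against the ARN format listed for its Action. The following Python script is an added example, not part of the Alibaba Cloud documentation or of any Alibaba Cloud SDK, that performs that check offline on a constructed policy document. It copies a subset of the Action/Resource rows from the tables above, expands wildcard actions such as ram:List* against that subset, and reports three kinds of problem: a per-resource action (one whose ARN format names a <user-name>, <group-name>, <saml-provider-name> or <serial-number>) granted on a wildcard; a Resource whose account ID is a wildcard or a different account; and a Resource whose type (user, group, mfa, saml-provider) can never fit the action's ARN format. The account ID 123456789012345678, the user names alice and bob, and the policy itself are constructed placeholders.

```python
"""Least-privilege lint for a RAM policy that grants IMS (ram:*) actions.
Added example, not Alibaba Cloud code. ACTION_ARN copies a subset of the rows
from the tables above; account ID, user names and policy are constructed."""
import fnmatch
import re

# Action -> ARN template(s) for the Resource element, copied from the tables
# above (a representative subset; add the remaining rows the same way).
ACTION_ARN = {
    "ram:CreateUser":             ["acs:ram:*:<account-id>:user/*"],
    "ram:DeleteUser":             ["acs:ram:*:<account-id>:user/<user-name>"],
    "ram:ListUsers":              ["acs:ram:*:<account-id>:user/*"],
    "ram:CreateAccessKey":        ["acs:ram:*:<account-id>:user/<user-name>"],
    "ram:DeleteAccessKey":        ["acs:ram:*:<account-id>:user/<user-name>"],
    "ram:ListAccessKeys":         ["acs:ram:*:<account-id>:user/<user-name>"],
    "ram:DeleteVirtualMFADevice": ["acs:ram:*:<account-id>:mfa/<serial-number>"],
    "ram:AddUserToGroup":         ["acs:ram:*:<account-id>:user/<user-name>",
                                   "acs:ram:*:<account-id>:group/<group-name>"],
    "ram:DeleteGroup":            ["acs:ram:*:<account-id>:group/<group-name>"],
    "ram:DeleteSAMLProvider":     ["acs:ram:*:<account-id>:saml-provider/<saml-provider-name>"],
    "ram:SetPasswordPolicy":      ["acs:ram:*:<account-id>:*"],
}

PLACEHOLDER = re.compile(r"<[a-z-]+>")  # <account-id>, <user-name>, <serial-number>, ...


def arn_parts(arn):
    """Split 'acs:ram:<region>:<account>:<type>/<name>' into (account, type, name).
    The account-wide form 'acs:ram:*:<account-id>:*' yields type '*' and an empty name."""
    fields = arn.split(":", 4)
    if len(fields) != 5 or fields[0] != "acs" or fields[1] != "ram":
        raise ValueError(f"not a RAM ARN: {arn}")
    rtype, _, name = fields[4].partition("/")
    return fields[3], rtype, name


def expand_actions(actions):
    """Resolve the Action element (string or list, '*' globs allowed) to known IMS actions."""
    if isinstance(actions, str):
        actions = [actions]
    return [a for pat in actions for a in ACTION_ARN if fnmatch.fnmatchcase(a, pat)]


def lint_statement(stmt, account_id):
    """Return (action, resource, finding) tuples for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
    for action in expand_actions(stmt["Action"]):
        shapes = [arn_parts(t) for t in ACTION_ARN[action]]
        # Per-resource action: its ARN format names a specific user/group/provider/device.
        named = any(PLACEHOLDER.search(name) for _, _, name in shapes)
        for res in resources:
            if res == "*":
                findings.append((action, res, "unscoped: '*' covers every account and resource"))
                continue
            account, rtype, name = arn_parts(res)
            if account != account_id:
                findings.append((action, res, f"cross-account: account id '{account}' is not '{account_id}'"))
            if rtype != "*" and rtype not in {s_type for _, s_type, _ in shapes}:
                findings.append((action, res, "mismatch: resource type does not fit the action's ARN format"))
                continue
            if named and (rtype == "*" or name == "*"):
                findings.append((action, res, "unscoped: action takes a specific resource name but is granted on a wildcard"))
    return findings


def lint_policy(policy, account_id):
    """Lint every statement of a RAM policy document."""
    return [f for stmt in policy["Statement"] for f in lint_statement(stmt, account_id)]


ACCOUNT_ID = "123456789012345678"  # constructed placeholder for <account-id>

# Constructed policy: self-service access-key rotation for RAM user 'alice',
# plus two over-broad statements the lint should report.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {   # scoped to alice's own user ARN, as the table prescribes
            "Effect": "Allow",
            "Action": ["ram:CreateAccessKey", "ram:DeleteAccessKey", "ram:ListAccessKeys"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:user/alice",
        },
        {   # DeleteUser on every user in the account instead of a named one
            "Effect": "Allow",
            "Action": "ram:DeleteUser",
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:user/*",
        },
        {   # wildcard account id, and a group ARN that no ram:List* user action matches
            "Effect": "Allow",
            "Action": "ram:List*",
            "Resource": "acs:ram:*:*:group/*",
        },
    ],
}

if __name__ == "__main__":
    for action, res, why in lint_policy(SAMPLE_POLICY, ACCOUNT_ID):
        print(f"{action:24} {res:44} {why}")
```

Run as a script, the lint passes the first statement silently and reports the second as unscoped and the third twice per expanded action (cross-account and mismatch). The wildcard check is deliberately literal: a name glob such as user/dev-* is not reported, because narrowing by prefix may be intended; widen the check if your environment forbids globs in names altogether.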