By default, you can use an Alibaba Cloud account to operate all cloud desktops within this account. If you use a RAM user, you must authorize the RAM user before you perform operations. This topic describes how to authorize a RAM user.


A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to create multiple identities such as RAM users within an Alibaba Cloud account and assign a single identity or a group of identities different permissions. This way, different RAM users can access various resources.

By default, a RAM user has no permissions. When you authorize a RAM user, attach policies to the RAM user as required. By default, the following three system policies are provided:
  • AliyunECDFullAccess: You can manage cloud desktop resources. That is, you have full permissions to operate cloud desktops.
  • AliyunECDReadOnlyAccess: You can access cloud desktop resources in read-only mode. That is, you can only query cloud desktop resources.
  • AliyunECDRamUserAccess: You can use cloud desktops on a client to query, connect, or restart cloud desktops, and power on or off the cloud desktops.
Note You can create a custom policy and then authorize a RAM user based on your business requirement. For more information about how to create a custom policy, see Create a custom policy.


  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, configure the parameters to attach policies to the RAM user.
    The following table describes the parameters.
    Parameter Description
    Authorized Scope The scope that you want the permissions to take effect within the current Alibaba Cloud account or in the specified resource group. The resource group feature is unavailable in Elastic Desktop Service (EDS). Therefore, you must select Alibaba Cloud Account.
    Principal The RAM user that you want to authorize. The selected RAM user is automatically entered in the Principal field. You can also specify another RAM user.
    Select Policy The policies that you want to attach to the RAM user. Select policies that fit your needs.
    • If you want the RAM user to manage cloud desktop resources, select AliyunECDFullAccess.
    • If you want the RAM user to only view cloud desktop resources, select AliyunECIReadOnlyAccess.
    • If you want the RAM user to use cloud desktops on a client, select AliyunECDRamUserAccess.
      Note A RAM user can log on to a client only by using the RAM directory. When you log on to the client and the workspace account is of the RAM directory type, you need to authorize the RAM user. In the scenario where Active Directory (AD) is not connected, you do not need to authorize the convenience user. In the latest version of RAM directory, the convenience user is supported.
  5. Click OK.
  6. Confirm the authorized scope and the policies and click Complete.


  • If AliyunECDFullAccess is attached to a RAM user, the RAM user can perform all operations related to cloud desktops by using the console or calling API operations.
  • If AliyunECDReadOnlyAccess is attached to a RAM user, the RAM user can perform all operations related to cloud desktops by using the console or calling API operations.
  • If AliyunECDRamUserAccess is attached to a RAM user and a RAM directory already exists (that is, a workspace of the RAM directory type is used), the RAM user can use cloud desktops on a client.