This topic explains terms that are commonly used in Alibaba Cloud RAM.
Alibaba Cloud account
An Alibaba Cloud account, also known as the root account or primary account, is the account type used to own Alibaba Cloud resources and manage the billing of these resources. You must register an Alibaba Cloud account before using Alibaba Cloud services. An Alibaba Cloud account owner has full operational control over all associated resources. Furthermore, the account owner can manage the payment for all resources under the Alibaba Cloud account (including fees incurred by RAM users under this account).
By default, a resource can be accessed only by the owner of the Alibaba Cloud account. Other users must be granted the corresponding authorization by the owner before they can access or operate on the resource. As a result, the Alibaba Cloud account functions similarly to the root user or administrator of an operating system.
Terms related to identity management
Identities can be created in RAM to allow or deny access to resources in your Alibaba Cloud account. RAM users, RAM user groups, and RAM roles are identities that you can create in RAM. RAM users and RAM user groups are entity identities, whereas RAM roles are virtual identities.
Default domain name
A unique identifier of an Alibaba Cloud account that is used in scenarios such as RAM user logon and Single Sign On (SSO) management. Alibaba Cloud assigns a default domain name for each Alibaba Cloud account in the
For information about how to set a default domain name, see Manage the default domain name of an Alibaba Cloud account.
Enterprise alias
To log on to the RAM console, a RAM user must have a username that contains the enterprise alias, default domain name, or domain alias as a suffix.
The enterprise alias is a unique account identifier that appears at the end of the RAM user's username and forms part of the RAM user's display name after logon.
For example, a company named company1 sets company1 as its enterprise alias. The RAM user Alice can then use alice@company1 to log on to the RAM console. The display name of RAM user Alice is then alice@company1.
For information about how to set a domain alias, see Create a domain alias for an Alibaba Cloud account.
RAM user
An identity with a fixed ID and credential information. A RAM user corresponds directly to one specific identity, which can be either a person or an application.
- An Alibaba Cloud account owner can create multiple RAM users (which correspond to employees, systems, or applications of their enterprise) under their account.
- RAM users do not own resources. Rather, the fees incurred by RAM users are billed to the Alibaba Cloud accounts to which they belong. RAM users do not receive individual bills and cannot make payments.
- RAM users are visible only to the corresponding Alibaba Cloud account to which they belong.
- RAM users can operate only on Alibaba Cloud resources under the Alibaba Cloud account to which they belong, and only after they have been authorized to do so.
For information about how to create a RAM user, see Create a RAM user.
Access key
The combination of an access key ID and an access key secret. You can use your access key, directly or through an Alibaba Cloud SDK, to sign the API requests that you make to Alibaba Cloud.
For information about how to create an access key, see Create an access key for a RAM user.
Multi-factor authentication (MFA)
- Your username and password
- Verification code provided by the MFA device
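The verification code in the second factor above is produced by a time-based one-time password algorithm. The following added example (not code from the Alibaba Cloud documentation) models such a virtual MFA device under the assumption that it follows RFC 6238 TOTP with HMAC-SHA1, a 30-second time step and 6-digit codes; the secret used is the RFC 4226/6238 test-vector seed, not a real one. The `verify` function shows the server side of the check, including the small drift window and the constant-time comparison a defender should use.

```python
"""TOTP (RFC 6238) generation and verification as a model of a virtual MFA device (added example)."""
import base64
import hashlib
import hmac

STEP_SECONDS = 30   # assumed time step of the virtual MFA device
DIGITS = 6          # assumed code length

# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890"); not a real seed.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 based one-time password for one counter value (RFC 4226)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the device displays: HOTP over the current time step."""
    return hotp(secret, unix_time // step)


def secret_from_base32(seed: str) -> bytes:
    """Authenticator apps are provisioned with a base32 seed; normalise, pad and decode it."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps on either side
    to tolerate clock drift, and compare each candidate in constant time."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 reference value for T=59 is 94287082; the last six digits are shown.
    print("code at t=59:", totp(RFC_SECRET, 59))
    print("accepted one step later:", verify(RFC_SECRET, totp(RFC_SECRET, 59), 89))
```

Codes are only as strong as the seed's secrecy and the server's verification discipline: a reused seed, a wide acceptance window, or a non-constant-time compare each weakens the second factor.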
RAM user group
A type of entity identity in RAM. You can create RAM user groups to classify and organize RAM users under your Alibaba Cloud account. By classifying and organizing your RAM users, you can effectively manage permissions in the RAM console.
- If the responsibilities of a RAM user change, you only need to move the user to a RAM user group with the appropriate permissions. This action does not affect other
- If the responsibilities of a RAM user group change, you only need to modify the policy attached to the user group. Changes to the policy apply to all RAM users in the group.
For information about how to create a RAM user group, see Create a RAM user group.
For information about how to grant permission to a RAM user group, see Grant permission to a RAM user group.
RAM role
- Entity users have specific logon passwords or access keys.
- A textbook role (or a traditionally defined role) indicates a permission set, similar to a policy in RAM. If such a role is granted to a user, the user has a set of permissions and can access the authorized resources.
- As virtual users, RAM roles have specific identities and can be granted a set of policies. However, RAM roles do not have standard long-term credentials (passwords or access keys). When an entity user wants to use a role, the user must assume the role to obtain a role token. The user can then use the role token to call Alibaba Cloud API actions.
- Alibaba Cloud account: roles that RAM users can assume. The RAM users may belong to their own Alibaba Cloud accounts or other Alibaba Cloud accounts. Such roles provide solutions to cross-account access and temporary authorization.
- Alibaba Cloud service: roles that Alibaba Cloud services can assume. Such roles are used to authorize Alibaba Cloud services to operate resources as stand-alone applications.
- Identity provider (IdP): roles that users in an entrusted IdP can assume. Such roles are used to implement SSO to Alibaba Cloud.
For information about how to create a RAM role, see
Single Sign On (SSO)
Alibaba Cloud supports SAML 2.0-based SSO, also known as identity federation.
- User-based SSO: The RAM user that you can use to log on to Alibaba Cloud can be determined through a SAML assertion. After logon, you can use the RAM user to access Alibaba Cloud. For more information, see Overview of user-based SSO.
- Role-based SSO: The RAM role that you can use to log on to Alibaba Cloud can be determined through SAML assertions. After logon, you can use the role specified in the SAML assertion to access Alibaba Cloud. For more information, see Overview of role-based SSO.
SAML metadata
A file, usually in XML format, provided by an IdP. It contains the IdP's logon service address and the X.509 public key certificate that is used to verify the validity of SAML assertions issued by the IdP.
Identity provider (IdP)
- Locally deployed IdPs, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth
- Cloud-based IdPs, such as Azure AD, Google G Suite, Okta, and OneLogin
Service provider (SP)
An application that uses the identity management function of an IdP to provide users with specific services. An SP consumes the user information provided by an IdP. In identity systems that do not follow the SAML protocol (such as OpenID Connect), the SP is called a relying party, that is, the party that relies on the IdP.
Security Assertion Markup Language 2.0 (SAML 2.0)
A protocol for enterprise-level user identity authentication that defines how an SP and an IdP communicate. SAML 2.0 is a standard that enterprises can use to implement enterprise-level SSO.
SAML assertion
A core element of the SAML protocol that describes the authentication request and response. For example, specific properties of a user are contained in the authentication response assertion.
A mutual trust mechanism between an SP and an IdP. It is usually implemented by using public and private keys. An SP obtains SAML metadata of an IdP in a trusted way. The metadata includes the public key for verifying the SAML Assertion issued by the IdP. The SP can use the public key to verify the assertion integrity.
Terms related to access control
Permission
A statement within a policy that allows or denies access to a particular Alibaba Cloud resource.
- Resource management and control operations: Operations that manage cloud resources, such as creating, stopping, and restarting ECS instances, or creating, modifying, and deleting OSS buckets. Such operations are intended for resource purchasers or O&M engineers in your organization.
- Resource-use operations: Core operations on the resources themselves, such as operating an ECS instance operating system, and uploading or downloading OSS bucket data. Such operations are intended for R&D engineers or application systems in your
- For ECS and database services, resource management and control operations can be managed through RAM, whereas resource-use operations can be managed through the instances of each product (for example, by using the permission control function provided by the ECS instance operating system or by the MySQL database running on the instance).
- For storage services, such as OSS and Table Store, both types of operations can be managed by using RAM.
Policy
A set of permissions described in the policy structure and grammar. A policy precisely describes the resource sets, operation sets, and authorization conditions that a user can be granted. For information about the structures and grammars supported by RAM, see Policy structure and grammar.
- System policy: System policies are created by Alibaba Cloud and cannot be modified by users. The policies are automatically upgraded by Alibaba Cloud.
- Custom policy: If no system policy meets your requirements, you can create a custom policy as needed. You can also modify and delete a custom policy as needed.
You can attach one or more policies to RAM users, RAM user groups, or RAM roles. For more information, see Grant permission to a RAM user, Grant permission to a RAM user group, and Grant permission to a RAM role.
The RAM user, group, or role that receives permissions that are defined in a policy.
Effect
A policy element that specifies whether the statement results in an allow or an explicit deny. The valid values are
Action
A policy element that describes the specific API action or actions that are allowed or denied.
Condition
A policy element that specifies the conditions under which the statement takes effect.
Resource
An entity that users can work with in Alibaba Cloud, such as an OSS bucket or an ECS instance.
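The policy elements defined above (Effect, Action, Resource, Condition) come together when a request is evaluated. The following added example (not code from the Alibaba Cloud documentation; RAM's own evaluation engine is not reproduced here) builds a constructed custom policy in the RAM document layout and evaluates requests against it with a simplified model: wildcard matching on Action and Resource, an explicit Deny overriding any Allow, and a request matched by no statement being denied. Those precedence rules, the two IP condition operators modelled (`IpAddress`, `NotIpAddress` on the `acs:SourceIp` key), and the bucket name, ARNs and addresses are assumptions of this example.

```python
"""Simplified evaluator for a RAM-style policy document (added example)."""
import fnmatch
import ipaddress
import json

# Constructed custom policy: the grantee may read one OSS bucket, but every OSS
# action is explicitly denied when the request does not come from 10.0.0.0/8.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "oss:*",
      "Resource": "*",
      "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    """Action, Resource and condition values may be one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """Case-sensitive wildcard match; '*' in a pattern matches any run of characters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in(networks, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in _as_list(networks))


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A missing context key makes the pair
    fail, so a Deny that depends on a key does not fire when the key is absent;
    that is why the Allow statement above is scoped tightly on its own."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            if operator == "IpAddress":
                ok = _ip_in(expected, context[key])
            elif operator == "NotIpAddress":
                ok = not _ip_in(expected, context[key])
            else:
                raise ValueError(f"unsupported condition operator in this model: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    Assumed semantics: any matching Deny wins over any matching Allow, and a
    request that no statement matches is denied."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "acs:oss:*:*:example-bucket/report.csv"
    for ip in ("10.1.2.3", "203.0.113.5"):
        print(ip, "GetObject ->", evaluate(POLICY, "oss:GetObject", obj, {"acs:SourceIp": ip}))
    print("PutObject from 10.1.2.3 ->",
          evaluate(POLICY, "oss:PutObject", obj, {"acs:SourceIp": "10.1.2.3"}))
```

The three distinct outcomes are worth keeping separate in logs and tooling: an explicit deny points at a statement someone wrote, while an implicit deny means no statement granted the action at all, which is the usual cause of a "missing permission" ticket.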