This topic describes the terms that are used in Resource Access Management (RAM).
Alibaba Cloud account
Before using Alibaba Cloud services, you must first register an Alibaba Cloud account. The Alibaba Cloud account is the owner of Alibaba Cloud resources. The Alibaba Cloud account is charged for all the resources that it owns. The Alibaba Cloud account has full control over all these resources.
By default, only the Alibaba Cloud account can access Alibaba Cloud resources. Other users can access resources only after being explicitly authorized by the Alibaba Cloud account. The Alibaba Cloud account is comparable to the administrator or root user of an operating system. Therefore, the Alibaba Cloud account is also known as the root account or primary account.
Terms for identity management
RAM provides three types of identities: RAM user, user group, and RAM role. RAM users and user groups are physical identities. RAM roles are virtual identities.
default domain name
A unique identifier of an Alibaba Cloud account. Alibaba Cloud assigns a default domain name to each Alibaba Cloud account. The format of the default domain name is <AccountAlias>.onaliyun.com. This unique identifier can be used for RAM user logon and single sign-on (SSO) management.
For more information, see Manage the default domain name.
account alias or enterprise alias
A unique identifier of an Alibaba Cloud account. When a RAM user logs on to the Alibaba Cloud console, the suffix of the logon name can be the account alias, default domain name, or domain alias.
Each Alibaba Cloud account can set an account alias in RAM. The account alias is used for RAM user logon and can be displayed after successful logon.
For example, an enterprise can set the account alias of its Alibaba Cloud account to company1. The RAM user alice that belongs to this Alibaba Cloud account can log on to the Alibaba Cloud console by using alice@company1. After a successful logon, the display name of the RAM user is alice@company1.
domain alias
A custom domain name that can be used to replace the default domain name. The custom domain name must be publicly resolvable. A domain alias is the alias of the default domain name.
For more information, see Create a domain alias.
RAM user
A physical identity that has a fixed ID and credential information. A RAM user represents a person or an application.
- An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.
- RAM users do not own resources. Fees incurred by RAM users are billed to their parent Alibaba Cloud accounts. RAM users do not receive individual bills and cannot make payments.
- RAM users are visible only to the Alibaba Cloud account to which they belong.
- Before RAM users can log on to the Alibaba Cloud console or call API operations, they must be authorized by their parent Alibaba Cloud accounts. After authorization, RAM users can use resources that are owned by their parent Alibaba Cloud accounts.
For more information, see Create a RAM user.
logon password
An identity credential that is used to log on to the Alibaba Cloud console.
AccessKey pair
An identity credential that consists of an AccessKey ID and an AccessKey secret. You can use your AccessKey pair, directly or through an Alibaba Cloud SDK, to sign the API requests that you send to Alibaba Cloud. The AccessKey pair is used for symmetric-key request signing and identity verification: the secret is shared between you and Alibaba Cloud and is never sent in the request itself. After the identity is verified, you can manage Alibaba Cloud resources by calling API operations.
The AccessKey ID identifies the user, and the AccessKey secret is used to compute the signature of the request string on the client and to verify that signature on the server.
For more information, see Create an AccessKey pair for a RAM user.
multi-factor authentication (MFA)
A simple best practice that adds an extra layer of protection on top of your username and password. Multi-factor authentication provides enhanced security for your account. If you log on to the Alibaba Cloud console with MFA enabled, you must enter the following information:
- Username and password
- Verification code provided by the MFA device
RAM user group
A physical identity that contains a group of RAM users. You can create RAM user groups to classify and authorize RAM users. This simplifies the management of personnel and permissions.
- If the responsibilities of a RAM user change, you only need to move the RAM user to a RAM user group with the appropriate permissions. This does not affect other RAM
For more information, see Create a RAM user group.
- If the responsibilities of a RAM user group change, you only need to modify the policy attached to the user group. Changes to the policy apply to all RAM users in the RAM
For more information, see Grant permissions to a RAM user group.
RAM role
A virtual identity that you can create in your Alibaba Cloud account. The differences among RAM roles, entity users (Alibaba Cloud account, RAM users, and Alibaba Cloud services), and textbook roles are described as follows:
- Entity users have specific logon passwords or AccessKey pairs.
- Textbook roles (or traditionally defined roles) indicate a set of permissions, which are similar to policies in RAM. If a textbook role is granted to a user, the user can obtain a set of permissions and access authorized resources.
- RAM roles have specific identities and can be granted a set of policies. However, RAM roles do not have specific logon passwords or AccessKey pairs. After an entity user assumes a RAM role, the entity user can obtain and use the role token to access authorized resources.
RAM roles are classified into the following types based on the trusted entity:
- Alibaba Cloud account. RAM users of a trusted Alibaba Cloud account can assume this type of RAM role. RAM users who assume this type of role can belong to their parent Alibaba Cloud accounts or other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
- Alibaba Cloud service. Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize Alibaba Cloud services to manage your resources.
- IdP. Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used for single sign-on (SSO) between Alibaba Cloud and a trusted IdP.
single sign-on (SSO)
Alibaba Cloud supports SAML 2.0-based SSO (also known as identity federation).
You can implement SSO between your enterprise services and Alibaba Cloud through SAML 2.0-based IdPs, such as Microsoft Active Directory Federation Service (AD FS). Alibaba Cloud provides the following two SAML 2.0-based SSO methods:
- User-based SSO: The RAM user identity that you can use to log on to the Alibaba Cloud console is determined based on a SAML assertion. After you log on to the Alibaba Cloud console, you can access Alibaba Cloud resources as a RAM user. For more information, see Overview of user-based SSO.
- Role-based SSO: The RAM role that you can use to log on to the Alibaba Cloud console is determined based on a SAML assertion. After you log on to the Alibaba Cloud console, you can use the RAM role specified in the SAML assertion to access Alibaba Cloud resources. For more information, see Overview of role-based SSO.
SAML metadata
The metadata file that is provided by your IdP. The metadata file is in XML format in most cases. The metadata file contains the logon URLs, the public key for verifying SAML assertions, and the assertion format.
identity provider (IdP)
A RAM entity that provides identity management services. IdPs are classified into the following types:
- IdPs that use the on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth
- IdPs that use the cloud-based architecture, such as Azure AD, Google G Suite, Okta, and OneLogin
service provider (SP)
An application that uses the identity management feature of an IdP to provide users with specific services. An SP uses the user information provided by an IdP. In some identity systems (such as OpenID Connect) that do not comply with the SAML protocol, SP is known as the relying party of an IdP.
Security Assertion Markup Language 2.0 (SAML 2.0)
A protocol designed for enterprise-level user identity authentication. SAML 2.0 can be used for communication between an SP and an IdP. SAML 2.0 is a standard that enterprises can use to implement enterprise-level SSO.
SAML assertion
A core element that describes the authentication request and response. For example, the SAML assertion for an authentication response can contain user attributes.
trust relationship
A mutual trust relationship between an SP and an IdP. In most cases, the trust relationship is established by using public and private keys. An SP obtains the SAML metadata of an IdP in a trusted way. The metadata includes the public key for verifying the SAML assertion that is issued by the IdP. The SP can use the public key to verify the assertion integrity.
Terms for access control
permission
Indicates whether a user is allowed to perform specific operations on a specific Alibaba Cloud resource. Permissions include Allow and Deny.
Operations include the following two types:
- Resource management operations: the lifecycle management and O&M of Alibaba Cloud resources. These operations are performed by resource buyers or O&M staff in an organization. For example, an authorized user can create, stop, or restart ECS instances, or create, modify, or delete OSS buckets.
- Resource using operations: using the core features of Alibaba Cloud resources. These operations are performed by R&D staff or application systems in an organization. For example, an authorized user can perform operations in the operating system of an ECS instance, or upload or download data in an OSS bucket.
- For elastic computing and database products, the permissions for resource management operations can be managed through RAM. However, the permissions for resource using operations are managed in product instances. For example, this applies to the permissions for the operating systems of ECS instances and the permissions for MySQL databases.
- For storage products, such as OSS or Tablestore, both resource management operations and resource using operations can be managed through RAM.
policy
A set of permissions that are described according to the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.
In RAM, a policy is a resource entity that can be created, updated, deleted, and viewed. RAM supports the following two types of policies:
- System policy: System policies are automatically created and upgraded by Alibaba Cloud and cannot be modified by users.
- Custom policy: Custom policies are created, modified, and deleted by users to meet their business requirements.
You can attach one or more policies to RAM users, RAM user groups, or RAM roles. For more information, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
principal
The subject to which a specific permission is granted. The authorized principal can be a RAM user, user group, or RAM role.
effect
The authorization effect. It is a basic element of a permission policy. Valid values are Allow and Deny.
action
The operations to be performed on a specific Alibaba Cloud resource. The action is a basic element of a permission policy. Valid values are the names of API operations from Alibaba Cloud services.
condition
The condition for the authorization to take effect. The condition is a basic element of a permission policy.
resource
An object that is used to interact with Alibaba Cloud services. For example, resources can be OSS buckets or ECS instances.