This topic lists the Alibaba Cloud services that support Resource Access Management (RAM), the authorization granularity and system policies for each service, and the links to related topics.

Services that support RAM

The following types of services support RAM: elastic computing, database, storage and CDN, networking, analysis, cloud communications, monitoring and management, application, middleware, message queue, media, big data, security, marketplace, domain and website, membership, billing management, support, and messaging.

For the list of Alibaba Cloud services that support Security Token Service (STS), see Alibaba Cloud services that support STS.

Each table contains the following columns:

  • Service: the service name.
  • Console: indicates whether RAM can be used to implement access control on the console of the service. A check sign (√) indicates that RAM can be used to implement the access control. A cross sign (×) indicates that RAM cannot be used to implement the access control. A circle (○) indicates that no console is available for the service.
  • API: indicates whether RAM can be used to implement access control on the API of the service. A check sign (√) indicates that RAM can be used to implement the access control. A cross sign (×) indicates that RAM cannot be used to implement the access control. A circle (○) indicates that the service does not provide an API.
  • Authorization granularity: the minimum authorization granularity of the service. A hyphen (-) indicates that no authorization granularities are defined.
    The following authorization granularities are available:
    • Service: You can control whether RAM users can access the service. You can grant RAM users the permissions to access all or none of the service resources.
    • Operation: You can control whether RAM users can perform specific operations on a type of service resource.
    • Resource: You can control whether RAM users can perform a specific operation on a service resource. For example, you can authorize a RAM user to restart a specific ECS instance.
  • System policy: the system policies that RAM provides for the service. A hyphen (-) indicates that no system policies are available.
  • Reference: the topics that are related to both RAM and the service. A hyphen (-) indicates that no topics are available.

Elastic computing

Service Console API Authorization granularity System policy Reference
Elastic Compute Service Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
Auto Scaling Service
  • AliyunESSFullAccess
  • AliyunESSReadOnlyAccess
API usage instructions
Alibaba Cloud Container Service for Kubernetes Resource
  • AliyunCSFullAccess
  • AliyunCSReadOnlyAccess
Use sub-accounts
Container Registry Resource
  • AliyunContainerRegistryFullAccess
  • AliyunContainerRegistryReadOnlyAccess
Repository access control
Resource Orchestration Service Service
  • AliyunROSFullAccess
  • AliyunROSReadOnlyAccess
Use RAM to control resource access
Batch Compute Service - -
Function Compute Resource
  • AliyunFCFullAccess
  • AliyunFCInvocationAccess
  • AliyunFCReadOnlyAccess
Subaccount userguide
E-HPC Service
  • AliyunEHPCFullAccess
  • AliyunEHPCReadOnlyAccess
-
Simple Application Server Service AliyunSWASFullAccess -
Elastic Container Instance Resource
  • AliyunECIFullAccess
  • AliyunECIReadOnlyAccess
Grant permissions to a RAM user
Web App Service Operation
  • AliyunWebPlusFullAccess
  • AliyunWebPlusReadOnlyAccess
-
Operation Orchestration Service Resource
  • AliyunOOSFullAccess
  • AliyunOOSReadOnlyAccess
RAM authorization policies

Database

Service Console API Authorization granularity System policy Reference
ApsaraDB for RDS Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
RAM authorization
ApsaraDB for MongoDB Resource
  • AliyunMongoDBFullAccess
  • AliyunMongoDBReadOnlyAccess
-
ApsaraDB for Redis Resource
  • AliyunKvstoreFullAccess
  • AliyunKvstoreReadOnlyAccess
RAM authentication
ApsaraDB for Memcache Service
  • AliyunOCSFullAccess
  • AliyunOCSReadOnlyAccess
-
ApsaraDB for Hbase Resource
  • AliyunHBaseFullAccess
  • AliyunHBaseReadOnlyAccess
Use RAM users to manage ApsaraDB for HBase clusters
Time Series Database (TSDB) Operation - -
AnalyticDB for PostgreSQL Resource
  • AliyunGPDBFullAccess
  • AliyunGPDBReadOnlyAccess
Authentication rules for APIs
AnalyticDB for MySQL Resource
  • AliyunADBFullAccess
  • AliyunADBReadOnlyAccess
Use RAM to manage permissions
Data Transmission Service Service
  • AliyunDTSFullAccess
  • AliyunDTSReadOnlyAccess
-
Database Backup Service
  • AliyunDBSFullAccess
  • AliyunDBSReadOnlyAccess
-
Distributed Relational Database Service Resource
  • AliyunDRDSReadOnlyAccess
  • AliyunDRDSFullAccess
-
Database Gateway Resource
  • AliyunDGFullAccess
  • AliyunDGReadOnlyAccess
-

Storage and CDN

Service Console API Authorization granularity System policy Reference
Object Storage Service Resource
  • AliyunOSSFullAccess
  • AliyunOSSReadOnlyAccess
Create RAM policies
Apsara File Storage NAS Operation
  • AliyunNASFullAccess
  • AliyunNASReadOnlyAccess
Manage permission groups
Tablestore Resource
  • AliyunOTSFullAccess
  • AliyunOTSReadOnlyAccess
  • AliyunOTSWriteOnlyAccess
Custom permissions
Alibaba Cloud CDN Resource
  • AliyunCDNFullAccess
  • AliyunCDNReadOnlyAccess
-
Dynamic Route for CDN Resource
  • AliyunDCDNFullAccess
  • AliyunDCDNReadOnlyAccess
-
Cloud Storage Gateway Service AliyunHCSSGWFullAccess -
Hybrid Backup Recovery Resource
  • AliyunHBRFullAccess
  • AliyunHBRReadOnlyAccess
-
Data Transport Service AliyunMGWFullAccess -

Networking

Service Console API Authorization granularity System policy Reference
Virtual Private Cloud Resource
  • AliyunVPCFullAccess
  • AliyunVPCReadOnlyAccess
RAM authentication
Server Load Balancer Resource
  • AliyunSLBReadOnlyAccess
  • AliyunSLBFullAccess
RAM authentication
Elastic IP Address Resource
  • AliyunEIPFullAccess
  • AliyunEIPReadOnlyAccess
RAM authentication
Express Connect Resource
  • AliyunExpressConnectFullAccess
  • AliyunExpressConnectReadOnlyAccess
RAM authentication
NAT Gateway Resource
  • AliyunNATGatewayReadOnlyAccess
  • AliyunNATGatewayFullAccess
RAM authentication
VPN Gateway Resource
  • AliyunVPNGatewayFullAccess
  • AliyunVPNGatewayReadOnlyAccess
RAM authentication
Global Acceleration Resource
  • AliyunGlobalAccelerationReadOnlyAccess
  • AliyunGlobalAccelerationFullAccess
RAM account authentication
Smart Access Gateway Resource - RAM authentication
Cloud Enterprise Network Resource
  • AliyunCENReadOnlyAccess
  • AliyunCENFullAccess
RAM authentication

Analysis

Service Console API Authorization granularity System policy Reference
E-MapReduce Service
  • AliyunEMRFullAccess
  • AliyunEMRDevelopAccess
  • AliyunEMRFlowAdmin
-
Data Lake Analytics Operation
  • AliyunDLAFullAccess
  • AliyunDLAReadOnlyAccess
-

Cloud communications

Service Console API Authorization granularity System policy Reference
Short Message Service Service - -

Monitoring and management

Service Console API Authorization granularity System policy Reference
Cloud Monitor Operation
  • AliyunCloudMonitorFullAccess
  • AliyunCloudMonitorReadOnlyAccess
RAM for CloudMonitor
ActionTrail Resource - RAM authentication
Resource Access Management Resource
  • AliyunRAMFullAccess
  • AliyunRAMReadOnlyAccess
RAM authentication
Key Management Service Resource
  • AliyunKMSFullAccess
  • AliyunKMSReadOnlyAccess
  • AliyunKMSCryptoAccess
Use RAM to authorize KMS resources
Intelligent Advisor × × Operation - -
Cloud Config Service
  • AliyunConfigFullAccess
  • AliyunConfigReadOnlyAccess
-

Application

Service Console API Authorization granularity System policy Reference
Log Service Resource
  • AliyunLogFullAccess
  • AliyunLogReadOnlyAccess
RAM authorization policies
Direct Mail Service
  • AliyunDirectMailFullAccess
  • AliyunDirectMailReadOnlyAccess
-
API Gateway Service
  • AliyunApiGatewayFullAccess
  • AliyunApiGatewayReadOnlyAccess
ApiGateway_RAM
IoT Platform Resource
  • AliyunIOTFullAccess
  • AliyunIOTReadOnlyAccess
Use RAM users
Blockchain as a Service Resource - -

Middleware

Service Console API Authorization granularity System policy Reference
Enterprise Distributed Application Service Service AliyunEDASFullAccess Sub-accounts
Application Real-Time Monitoring Service Service AliyunARMSFullAccess Grant different permissions to RAM users
Application Configuration Management Resource AliyunACMFullAccess Access control
Global Transaction Service Service
  • AliyunGTSFullAccess
  • AliyunGTSReadOnlyAccess
-

Message queue

Service Console API Authorization granularity System policy Reference
Alibaba Cloud Message Queue for Apache RocketMQ Resource
  • AliyunMQFullAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess
Grant permissions to RAM users
Message Service Resource
  • AliyunMNSFullAccess
  • AliyunMNSReadOnlyAccess
-

Media

Service Console API Authorization granularity System policy Reference
ApsaraVideo for Media Processing Service
  • AliyunMTSFullAccess
  • AliyunMTSPlayerAuth
Sub-account console operating instructions
ApsaraVideo VOD Service AliyunVODFullAccess -
ApsaraVideo Live Resource AliyunLiveFullAccess API authentication rules
Real-Time Communication Resource - -

Big data

Service Console API Authorization granularity System policy Reference
DataWorks Service AliyunDataWorksFullAccess RAM User Operations
Quick BI Service - -
Machine Learning Platform for AI Service - -
Public Recognition Service - -
DataV Service - -
MaxCompute Service - -
Elasticsearch Resource
  • AliyunElasticsearchReadOnlyAccess
  • AliyunElasticsearchFullAccess
Resource types
Machine Translation Service - -
Image Search Resource
  • AliyunImagesearchReadOnlyAccess
  • AliyunImagesearchFullAccess
Authorization policies

Security

Service Console API Authorization granularity System policy Reference
Security Center Service
  • AliyunYundunSASFullAccess
  • AliyunYundunSASReadOnlyAccess
-
Server Guard Service
  • AliyunYundunAegisFullAccess
  • AliyunYundunAegisReadOnlyAccess
-
Anti-DDoS Basic Service
  • AliyunYundunDDosFullAccess
  • AliyunYundunDDosReadOnlyAccess
-
Anti-DDoS Pro Service
  • AliyunYundunHighFullAccess
  • AliyunYundunHighReadOnlyAccess
-
Anti-DDoS Premium Service
  • AliyunYundunAntiDDoSPremiumFullAccess
  • AliyunYundunAntiDDoSPremiumReadOnlyAccess
-
GameShield Service AliyunYundunGameShieldReadOnlyAccess -
Web Application Firewall Service
  • AliyunYundunWAFFullAccess
  • AliyunYundunWAFReadOnlyAccess
-
SSL Certificates Service Service
  • AliyunYundunCertFullAccess
  • AliyunYundunCertReadOnlyAccess
-
Cloud Security Scanner Service - -
Content Moderation Service AliyunYundunGreenWebFullAccess -
Anti-Bot Service Service
  • AliyunYundunAntibotFullAccess
  • AliyunYundunAntibotReadOnlyAccess
-
ID Verification for Financial Services Service
  • AliyunAntCloudAuthFullAccess
  • AliyunAntCloudAuthReadOnlyAccess
-

Marketplace

Service Console API Authorization granularity System policy Reference
Alibaba Cloud Marketplace Service AliyunMarketplaceFullAccess -

Domain and website

Service Console API Authorization granularity System policy Reference
Alibaba Cloud DNS Resource
  • AliyunDNSFullAccess
  • AliyunDNSReadOnlyAccess
-
Domains Resource AliyunDomainFullAccess Domain API Authentication Rules
Cloud Web Hosting × × - - -
Alibaba Mail × × - - -

Membership

Service Console API Authorization granularity System policy Reference
ICP Filing Service AliyunBeianFullAccess -

Billing management

Service Console API Authorization granularity System policy Reference
Billing Management × Service
  • AliyunBSSFullAccess
  • AliyunBSSReadOnlyAccess
  • AliyunBSSOrderAccess
-

Support

Service Console API Authorization granularity System policy Reference
Ticket Management Service AliyunSupportFullAccess -

Messaging

Service Console API Authorization granularity System policy Reference
Message Center Service AliyunNotificationsFullAccess -