This topic lists the Alibaba Cloud services that support Resource Access Management (RAM) and the authorization granularity and system policies for each service. It also provides the links to related topics.

Alibaba Cloud services that support RAM

The following Alibaba Cloud products support RAM: Elastic computing, Database, Storage and CDN, Networking, Analytics, Cloud communications, Monitoring and management, Application, IoT, Message queueing, Middleware, Media services, Big data, Security, Marketplace, Domains and websites, Membership services, Billing management, Ticket services, and Messaging.

For more information about the Alibaba Cloud services that support Security Token Service (STS), see STS-supported Alibaba Cloud services.

Each table in this topic contains the following columns:

  • Service: the name of the service that supports RAM.
  • Console: indicates whether RAM can be used to implement access control in the console of the service. A check sign (√) indicates that RAM is supported. A cross sign (×) indicates that RAM is not supported. A circle (○) indicates that the service does not provide a console.
  • API: indicates whether RAM can be used to implement access control based on the API of the service. A check sign (√) indicates that RAM is supported. A cross sign (×) indicates that RAM is not supported. A circle (○) indicates that no API is provided for the service.
  • Authorization granularity: the minimum authorization granularity of the service. A hyphen (-) indicates that no authorization granularity is defined.
    The following authorization granularities are defined:
    • Service: You can control whether RAM users can access the service. You can grant RAM users the permissions to access all or none of the resources in the service.
    • Operation: You can control whether RAM users can perform specific operations on a type of resource in the service.
    • Resource: You can control whether RAM users can perform a specific operation on a specific resource in the service. For example, you can authorize a RAM user to restart a specific Elastic Compute Service (ECS) instance.
  • System policy: the system policies that RAM provides for the service. A hyphen (-) indicates that no system policies are provided for the service.
  • Reference: the topics that are related to both RAM and the service. A hyphen (-) indicates that no topics are related to RAM or the service.

Elastic computing

Service Console API Authorization granularity System policy Reference
ECS Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
Auto Scaling (ESS) Service
  • AliyunESSFullAccess
  • AliyunESSReadOnlyAccess
API usage instructions
Container Service for Kubernetes (ACK) Resource
  • AliyunCSFullAccess
  • AliyunCSReadOnlyAccess
Use RAM users
Container Registry Resource
  • AliyunContainerRegistryFullAccess
  • AliyunContainerRegistryReadOnlyAccess
Repository access control
Resource Orchestration Service (ROS) Service
  • AliyunROSFullAccess
  • AliyunROSReadOnlyAccess
Use RAM to control resource access
Batch Compute Service - -
Function Compute Resource
  • AliyunFCFullAccess
  • AliyunFCInvocationAccess
  • AliyunFCReadOnlyAccess
Quick start for using the console as RAM users
Elastic High Performance Computing (E-HPC) Service
  • AliyunEHPCFullAccess
  • AliyunEHPCReadOnlyAccess
-
Simple Application Server Service AliyunSWASFullAccess -
Elastic Container Instance (ECI) Resource
  • AliyunECIFullAccess
  • AliyunECIReadOnlyAccess
Grant permissions to a RAM user
Web App Service Operation
  • AliyunWebPlusFullAccess
  • AliyunWebPlusReadOnlyAccess
-
Operation Orchestration Service (OOS) Resource
  • AliyunOOSFullAccess
  • AliyunOOSReadOnlyAccess
RAM authorization rules

Database

Service Console API Authorization granularity System policy Reference
PolarDB Operation
  • AliyunPolardbReadOnlyAccess
  • AliyunPolardbFullAccess
Create and authorize a RAM user
ApsaraDB RDS Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
RAM authorization
ApsaraDB for MongoDB Resource
  • AliyunMongoDBFullAccess
  • AliyunMongoDBReadOnlyAccess
-
ApsaraDB for Redis Resource
  • AliyunKvstoreFullAccess
  • AliyunKvstoreReadOnlyAccess
RAM authorization
ApsaraDB for Memcache Service
  • AliyunOCSFullAccess
  • AliyunOCSReadOnlyAccess
-
ApsaraDB for HBase Resource
  • AliyunHBaseFullAccess
  • AliyunHBaseReadOnlyAccess
Use RAM users to manage ApsaraDB for HBase clusters
Time Series Database (TSDB) Operation - -
AnalyticDB for PostgreSQL Resource
  • AliyunGPDBFullAccess
  • AliyunGPDBReadOnlyAccess
Authentication rules for APIs
AnalyticDB for MySQL Resource
  • AliyunADBFullAccess
  • AliyunADBReadOnlyAccess
RAM users and permissions
Data Transmission Service (DTS) Operation
  • AliyunDTSFullAccess
  • AliyunDTSReadOnlyAccess
Database Backup Service
  • AliyunDBSFullAccess
  • AliyunDBSReadOnlyAccess
-
Database Autonomy Service (DAS) Service
  • AliyunHDMReadOnlyAccess
  • AliyunHDMFullAccess
How do I use a RAM user to access DAS?
PolarDB-X (formerly DRDS) Resource
  • AliyunDRDSReadOnlyAccess
  • AliyunDRDSFullAccess
Support for RAM authorization
Advanced Database & Application Migration (ADAM) Service
  • AliyunADAMReadOnlyAccess
  • AliyunADAMFullAccess
Authorize a RAM user to log on to the ADAM console
Database Gateway Resource
  • AliyunDGFullAccess
  • AliyunDGReadOnlyAccess
-
LedgerDB Resource
  • AliyunLedgerDBFullAccess
  • AliyunLedgerDBReadOnlyAccess
RAM user authorization

Storage and CDN

Service Console API Authorization granularity System policy Reference
Object Storage Service (OSS) Resource
  • AliyunOSSFullAccess
  • AliyunOSSReadOnlyAccess
Overview
Apsara File Storage NAS (NAS) Operation
  • AliyunNASFullAccess
  • AliyunNASReadOnlyAccess
Manage permission groups
Tablestore Resource
  • AliyunOTSFullAccess
  • AliyunOTSReadOnlyAccess
  • AliyunOTSWriteOnlyAccess
Custom permissions
Cloud Storage Gateway (CSG) Service AliyunHCSSGWFullAccess -
Hybrid Backup Recovery (HBR) Resource
  • AliyunHBRFullAccess
  • AliyunHBRReadOnlyAccess
-
Lightning Cube Service AliyunMGWFullAccess -
Dynamic Route for CDN (DCDN) Resource
  • AliyunDCDNFullAccess
  • AliyunDCDNReadOnlyAccess
-
CDN Resource
  • AliyunCDNFullAccess
  • AliyunCDNReadOnlyAccess
RAM authentication

Networking

Service Console API Authorization granularity System policy Reference
Virtual Private Cloud (VPC) Resource
  • AliyunVPCFullAccess
  • AliyunVPCReadOnlyAccess
RAM authorization
Server Load Balancer (SLB) Resource
  • AliyunSLBReadOnlyAccess
  • AliyunSLBFullAccess
RAM authorization
Elastic IP Address (EIP) Resource
  • AliyunEIPFullAccess
  • AliyunEIPReadOnlyAccess
RAM authorization
Express Connect Resource
  • AliyunExpressConnectFullAccess
  • AliyunExpressConnectReadOnlyAccess
RAM authorization
NAT Gateway (NAT) Resource
  • AliyunNATGatewayReadOnlyAccess
  • AliyunNATGatewayFullAccess
RAM authorization
VPN Gateway Resource
  • AliyunVPNGatewayFullAccess
  • AliyunVPNGatewayReadOnlyAccess
RAM authorization
EIP Bandwidth Plan Resource
  • AliyunCommonBandwidthPackageReadOnlyAccess
  • AliyunCommonBandwidthPackageFullAccess
-
Global Accelerator (GA) Resource
  • AliyunGlobalAccelerationReadOnlyAccess
  • AliyunGlobalAccelerationFullAccess
RAM authorization
Smart Access Gateway Resource - RAM authorization
Cloud Enterprise Network Resource
  • AliyunCENReadOnlyAccess
  • AliyunCENFullAccess
RAM authorization

Analytics

Service Console API Authorization granularity System policy Reference
E-MapReduce Service
  • AliyunEMRFullAccess
  • AliyunEMRDevelopAccess
  • AliyunEMRFlowAdmin
-
Data Lake Analytics (DLA) Operation
  • AliyunDLAFullAccess
  • AliyunDLAReadOnlyAccess
-

Cloud communications

Service Console API Authorization granularity System policy Reference
Short Message Service (SMS) Service - -

Monitoring and management

Service Console API Authorization granularity System policy Reference
Cloud Monitor Operation
  • AliyunCloudMonitorFullAccess
  • AliyunCloudMonitorReadOnlyAccess
RAM for Cloud Monitor
ActionTrail Resource - RAM authorization
Resource Access Management (RAM) Resource
  • AliyunRAMFullAccess
  • AliyunRAMReadOnlyAccess
RAM authorization
Key Management Service (KMS) Resource
  • AliyunKMSFullAccess
  • AliyunKMSReadOnlyAccess
  • AliyunKMSCryptoAccess
Use RAM to control access to resources
Intelligent Advisor × × Operation - -
Resource Management Resource
  • AliyunResourceDirectoryFullAccess
  • AliyunResourceDirectoryReadOnlyAccess
RAM authorization
Cloud Config Service
  • AliyunConfigFullAccess
  • AliyunConfigReadOnlyAccess
Permission verification

Application

Service Console API Authorization granularity System policy Reference
Log Service Resource
  • AliyunLogFullAccess
  • AliyunLogReadOnlyAccess
RAM authorization rules
Direct Mail Service
  • AliyunDirectMailFullAccess
  • AliyunDirectMailReadOnlyAccess
-
API Gateway Service
  • AliyunApiGatewayFullAccess
  • AliyunApiGatewayReadOnlyAccess
Use RAM to manage user permissions for API Gateway
Blockchain as a Service (BaaS) Resource - Hyperledger Fabric RAM authentication
Mini Program Cloud Operation
  • AliyunMPCAFullAccess
  • AliyunMPCAReadOnlyAccess
-

IoT

Service Console API Authorization granularity System policy Reference
IoT Platform (IOT) Resource
  • AliyunIOTFullAccess
  • AliyunIOTReadOnlyAccess
Use RAM users
IoT Edge Resource
  • AliyunIOTFullAccess
  • AliyunIOTReadOnlyAccess
Access resources of other Alibaba Cloud services

Message queueing

Service Console API Authorization granularity System policy Reference
Message Queue for Apache RocketMQ Resource
  • AliyunMQFullAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess
Grant permissions to RAM users
Message Service (MNS) Resource
  • AliyunMNSFullAccess
  • AliyunMNSReadOnlyAccess
-

Middleware

Service Console API Authorization granularity System policy Reference
Enterprise Distributed Application Service (EDAS) Service AliyunEDASFullAccess RAM users
Application Real-Time Monitoring Service (ARMS) Service AliyunARMSFullAccess Grant different permissions to RAM users
Application Configuration Management Resource AliyunACMFullAccess Access control
Global Transaction Service (GTS) Service
  • AliyunGTSFullAccess
  • AliyunGTSReadOnlyAccess
-

Media services

Service Console API Authorization granularity System policy Reference
ApsaraVideo for Media Processing (MTS) Service
  • AliyunMTSFullAccess
  • AliyunMTSPlayerAuth
Quick start for using the console as RAM users
ApsaraVideo VOD (VOD) Service
  • AliyunVODFullAccess
  • AliyunVODReadOnlyAccess
  • AliyunVODPlayAuth
  • AliyunVODUploadAuth
-
ApsaraVideo Live Resource AliyunLiveFullAccess API authentication rules
Real-Time Communication Resource - -
Cloud Video Conferencing Resource
  • AliyunCVCFullAccess
  • AliyunCVCReadOnlyAccess
-

Big data

Service Console API Authorization granularity System policy Reference
DataWorks Service AliyunDataWorksFullAccess Use a RAM user
Quick BI Service - -
Machine Learning Platform for AI (PAI) Service - -
Public Recognition Service - -
DataV Service - -
MaxCompute Service - -
Elasticsearch Resource
  • AliyunElasticsearchReadOnlyAccess
  • AliyunElasticsearchFullAccess
Resource types
Machine Translation × × Service - -
Image Search Resource
  • AliyunImagesearchReadOnlyAccess
  • AliyunImagesearchFullAccess
Grant permissions to RAM users

Security

Service Console API Authorization granularity System policy Reference
Security Center (SAS) Service
  • AliyunYundunSASFullAccess
  • AliyunYundunSASReadOnlyAccess
-
Server Guard Service
  • AliyunYundunAegisFullAccess
  • AliyunYundunAegisReadOnlyAccess
-
Anti-DDoS Basic Service
  • AliyunYundunDDosFullAccess
  • AliyunYundunDDosReadOnlyAccess
-
Anti-DDoS Pro Service
  • AliyunYundunHighFullAccess
  • AliyunYundunHighReadOnlyAccess
-
Anti-DDoS Premium Service
  • AliyunYundunAntiDDoSPremiumFullAccess
  • AliyunYundunAntiDDoSPremiumReadOnlyAccess
-
GameShield Service AliyunYundunGameShieldReadOnlyAccess -
Web Application Firewall (WAF) Service
  • AliyunYundunWAFFullAccess
  • AliyunYundunWAFReadOnlyAccess
-
SSL Certificates Service Service
  • AliyunYundunCertFullAccess
  • AliyunYundunCertReadOnlyAccess
-
Cloud Security Scanner Service AliyunYundunAvdsFullAccess -
Content Moderation Service AliyunYundunGreenWebFullAccess -
Anti-Bot Service Service
  • AliyunYundunAntibotFullAccess
  • AliyunYundunAntibotReadOnlyAccess
-
ID Verification for Financial Services Service
  • AliyunAntCloudAuthFullAccess
  • AliyunAntCloudAuthReadOnlyAccess
-

Marketplace

Service Console API Authorization granularity System policy Reference
Alibaba Cloud Marketplace Service AliyunMarketplaceFullAccess -

Domains and websites

Service Console API Authorization granularity System policy Reference
Alibaba Cloud DNS (DNS) Resource
  • AliyunDNSFullAccess
  • AliyunDNSReadOnlyAccess
-
Domains Resource AliyunDomainFullAccess Authorization rules for the Domains API
Cloud Web Hosting × × - - -
Alibaba Mail × × - - -

Membership services

Service Console API Authorization granularity System policy Reference
ICP Filing Service AliyunBeianFullAccess -

Billing management

Service Console API Authorization granularity System policy Reference
Billing Management Service
  • AliyunBSSFullAccess
  • AliyunBSSReadOnlyAccess
  • AliyunBSSOrderAccess
  • AliyunBSSRefundAccess
-

Ticket services

Service Console API Authorization granularity System policy Reference
Ticket Management Service AliyunSupportFullAccess -

Messaging

Service Console API Authorization granularity System policy Reference
Message Center Service AliyunNotificationsFullAccess -