This topic describes the Alibaba Cloud services that support Resource Access Management (RAM), along with the authorization granularity and system policies for each service. It also provides links to related topics.

RAM-supported Alibaba Cloud services

The following Alibaba Cloud services support RAM: Elastic computing, Databases, Storage and CDN, Networking, Analytics, Cloud communication, Monitoring and management, Application, IoT, Message queuing, Middleware, Media services, Big data, Security, Marketplace, Domain and hosting, Membership services, Billing management, Ticket services, and Messaging.

For more information about the Alibaba Cloud services that support Security Token Service (STS), see Alibaba Cloud services that support STS.

Each table contains the following columns:

  • Service: the name of the service that supports RAM.
  • Console: indicates whether RAM can be used to implement access control in the console of the service. A check sign (√) indicates that RAM is supported. A cross sign (×) indicates that RAM is not supported. A circle (○) indicates that no console is provided for the service.
  • API: indicates whether RAM can be used to implement access control based on the API of the service. A check sign (√) indicates that RAM is supported. A cross sign (×) indicates that RAM is not supported. A circle (○) indicates that no API is provided for the service.
  • Authorization granularity: the minimum authorization granularity of the service. A hyphen (-) indicates that no authorization granularities are defined.
    The following authorization granularities are defined:
    • Service: You can control whether RAM users can access the service. You can grant RAM users the permissions to access all or none of the resources in the service.
    • Operation: You can control whether RAM users can perform specific operations on a type of resource in the service.
    • Resource: You can control whether RAM users can perform a specific operation on a specific resource in the service. For example, you can authorize a RAM user to restart a specific Elastic Compute Service (ECS) instance.
  • System policy: the system policies that RAM provides for the service. A hyphen (-) indicates that no system policies are provided for the service.
  • Reference: the topics that are related to both RAM and the service. A hyphen (-) indicates that no such topics are available.

Elastic computing

Service Console API Authorization granularity System policy Reference
ECS Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
Auto Scaling Service
  • AliyunESSFullAccess
  • AliyunESSReadOnlyAccess
API usage instructions
Container Service for Kubernetes Resource
  • AliyunCSFullAccess
  • AliyunCSReadOnlyAccess
Use RAM users
Container Registry Resource
  • AliyunContainerRegistryFullAccess
  • AliyunContainerRegistryReadOnlyAccess
Repository access control
Resource Orchestration Service Service
  • AliyunROSFullAccess
  • AliyunROSReadOnlyAccess
Use RAM to control resource access
BatchCompute Service - -
Function Compute Resource
  • AliyunFCFullAccess
  • AliyunFCInvocationAccess
  • AliyunFCReadOnlyAccess
Quick start for using the console as RAM users
Elastic High Performance Computing Service
  • AliyunEHPCFullAccess
  • AliyunEHPCReadOnlyAccess
-
Simple Application Server Service AliyunSWASFullAccess -
Elastic Container Instance Resource
  • AliyunECIFullAccess
  • AliyunECIReadOnlyAccess
Grant permissions to a RAM user
Web App Service Operation
  • AliyunWebPlusFullAccess
  • AliyunWebPlusReadOnlyAccess
-
Operation Orchestration Service Resource
  • AliyunOOSFullAccess
  • AliyunOOSReadOnlyAccess
RAM authorization rules

Databases

Service Console API Authorization granularity System policy Reference
PolarDB Operation
  • AliyunPolardbReadOnlyAccess
  • AliyunPolardbFullAccess
Create and authorize a RAM user
ApsaraDB RDS Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
RAM authorization
ApsaraDB for MongoDB Resource
  • AliyunMongoDBFullAccess
  • AliyunMongoDBReadOnlyAccess
-
ApsaraDB for Redis Resource
  • AliyunKvstoreFullAccess
  • AliyunKvstoreReadOnlyAccess
RAM authorization
ApsaraDB for Memcache Service
  • AliyunOCSFullAccess
  • AliyunOCSReadOnlyAccess
-
ApsaraDB for HBase Resource
  • AliyunHBaseFullAccess
  • AliyunHBaseReadOnlyAccess
Use RAM users to manage ApsaraDB for HBase clusters
Time Series Database Operation - -
AnalyticDB for PostgreSQL Resource
  • AliyunGPDBFullAccess
  • AliyunGPDBReadOnlyAccess
Authentication rules for APIs
AnalyticDB for MySQL Resource
  • AliyunADBFullAccess
  • AliyunADBReadOnlyAccess
RAM users and permissions
Data Transmission Service Operation
  • AliyunDTSFullAccess
  • AliyunDTSReadOnlyAccess
Database Backup Service
  • AliyunDBSFullAccess
  • AliyunDBSReadOnlyAccess
-
Database Autonomy Service Service
  • AliyunHDMReadOnlyAccess
  • AliyunHDMFullAccess
How do I use a RAM user to access DAS?
PolarDB-X Resource
  • AliyunDRDSReadOnlyAccess
  • AliyunDRDSFullAccess
Support for RAM authorization
Advanced Database & Application Migration Service
  • AliyunADAMReadOnlyAccess
  • AliyunADAMFullAccess
Authorize a RAM user to log on to the ADAM console
Database Gateway Resource
  • AliyunDGFullAccess
  • AliyunDGReadOnlyAccess
-
LedgerDB Resource
  • AliyunLedgerDBFullAccess
  • AliyunLedgerDBReadOnlyAccess
RAM user authorization

Storage and CDN

Service Console API Authorization granularity System policy Reference
Object Storage Service Resource
  • AliyunOSSFullAccess
  • AliyunOSSReadOnlyAccess
Implement access control based on RAM policies
Apsara File Storage NAS Operation
  • AliyunNASFullAccess
  • AliyunNASReadOnlyAccess
Manage permission groups
Tablestore Resource
  • AliyunOTSFullAccess
  • AliyunOTSReadOnlyAccess
  • AliyunOTSWriteOnlyAccess
Custom permissions
Cloud Storage Gateway Service AliyunHCSSGWFullAccess -
Hybrid Backup Recovery Resource
  • AliyunHBRFullAccess
  • AliyunHBRReadOnlyAccess
-
Lightning Cube Service AliyunMGWFullAccess -
Dynamic Route for CDN Resource
  • AliyunDCDNFullAccess
  • AliyunDCDNReadOnlyAccess
-
CDN Resource
  • AliyunCDNFullAccess
  • AliyunCDNReadOnlyAccess
RAM authentication

Networking

Service Console API Authorization granularity System policy Reference
Virtual Private Cloud Resource
  • AliyunVPCFullAccess
  • AliyunVPCReadOnlyAccess
RAM authorization
Server Load Balancer Resource
  • AliyunSLBReadOnlyAccess
  • AliyunSLBFullAccess
RAM authorization
Elastic IP Address Resource
  • AliyunEIPFullAccess
  • AliyunEIPReadOnlyAccess
RAM authorization
Express Connect Resource
  • AliyunExpressConnectFullAccess
  • AliyunExpressConnectReadOnlyAccess
RAM authorization
NAT Gateway Resource
  • AliyunNATGatewayReadOnlyAccess
  • AliyunNATGatewayFullAccess
RAM authorization
VPN Gateway Resource
  • AliyunVPNGatewayFullAccess
  • AliyunVPNGatewayReadOnlyAccess
RAM authorization
EIP Bandwidth Plan Resource
  • AliyunCommonBandwidthPackageReadOnlyAccess
  • AliyunCommonBandwidthPackageFullAccess
-
Global Accelerator Resource
  • AliyunGlobalAccelerationReadOnlyAccess
  • AliyunGlobalAccelerationFullAccess
RAM authorization
Smart Access Gateway Resource - RAM authorization
Cloud Enterprise Network Resource
  • AliyunCENReadOnlyAccess
  • AliyunCENFullAccess
RAM authorization

Analytics

Service Console API Authorization granularity System policy Reference
E-MapReduce Service
  • AliyunEMRFullAccess
  • AliyunEMRDevelopAccess
  • AliyunEMRFlowAdmin
-
Data Lake Analytics Operation
  • AliyunDLAFullAccess
  • AliyunDLAReadOnlyAccess
-

Cloud communication

Service Console API Authorization granularity System policy Reference
Short Message Service Service - -

Monitoring and management

Service Console API Authorization granularity System policy Reference
Cloud Monitor Operation
  • AliyunCloudMonitorFullAccess
  • AliyunCloudMonitorReadOnlyAccess
RAM for Cloud Monitor
ActionTrail Resource - RAM authorization
Resource Access Management Resource
  • AliyunRAMFullAccess
  • AliyunRAMReadOnlyAccess
RAM authorization
Key Management Service Resource
  • AliyunKMSFullAccess
  • AliyunKMSReadOnlyAccess
  • AliyunKMSCryptoAccess
Use RAM to control access to resources
Intelligent Advisor × × Operation - -
Resource Management Resource
  • AliyunResourceDirectoryFullAccess
  • AliyunResourceDirectoryReadOnlyAccess
RAM authorization
Cloud Config Service
  • AliyunConfigFullAccess
  • AliyunConfigReadOnlyAccess
Permission verification

Application

Service Console API Authorization granularity System policy Reference
Log Service Resource
  • AliyunLogFullAccess
  • AliyunLogReadOnlyAccess
RAM authorization rules
Direct Mail Service
  • AliyunDirectMailFullAccess
  • AliyunDirectMailReadOnlyAccess
-
API Gateway Service
  • AliyunApiGatewayFullAccess
  • AliyunApiGatewayReadOnlyAccess
Use RAM to manage user permissions for API Gateway
Blockchain as a Service Resource - Hyperledger Fabric RAM authentication
Mini Program Cloud Operation
  • AliyunMPCAFullAccess
  • AliyunMPCAReadOnlyAccess
-

IoT

Service Console API Authorization granularity System policy Reference
IoT Platform Resource
  • AliyunIOTFullAccess
  • AliyunIOTReadOnlyAccess
Use RAM users
IoT Edge Resource
  • AliyunIOTFullAccess
  • AliyunIOTReadOnlyAccess
Access resources of other Alibaba Cloud services

Message queuing

Service Console API Authorization granularity System policy Reference
Message Queue for Apache RocketMQ Resource
  • AliyunMQFullAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess
Grant permissions to RAM users
Message Service Resource
  • AliyunMNSFullAccess
  • AliyunMNSReadOnlyAccess
-

Middleware

Service Console API Authorization granularity System policy Reference
Enterprise Distributed Application Service Service AliyunEDASFullAccess RAM users
Application Real-Time Monitoring Service Service AliyunARMSFullAccess Grant different permissions to RAM users
Application Configuration Management Resource AliyunACMFullAccess Access control
Global Transaction Service Service
  • AliyunGTSFullAccess
  • AliyunGTSReadOnlyAccess
-

Media services

Service Console API Authorization granularity System policy Reference
ApsaraVideo for Media Processing Service
  • AliyunMTSFullAccess
  • AliyunMTSPlayerAuth
Quick start for using the console as RAM users
ApsaraVideo for VOD Service
  • AliyunVODFullAccess
  • AliyunVODReadOnlyAccess
  • AliyunVODPlayAuth
  • AliyunVODUploadAuth
-
ApsaraVideo for Live Resource AliyunLiveFullAccess API authentication rules
Real-Time Communication Resource - -
Cloud Video Conferencing Resource
  • AliyunCVCFullAccess
  • AliyunCVCReadOnlyAccess
-

Big data

Service Console API Authorization granularity System policy Reference
DataWorks Service AliyunDataWorksFullAccess Use a RAM user
Quick BI Service - -
Machine Learning Platform for AI Service - -
Public Recognition Service - -
DataV Service - -
MaxCompute Service - -
Elasticsearch Resource
  • AliyunElasticsearchReadOnlyAccess
  • AliyunElasticsearchFullAccess
Resource types
Machine Translation × × Service - -
Image Search Resource
  • AliyunImagesearchReadOnlyAccess
  • AliyunImagesearchFullAccess
Grant permissions to RAM users

Security

Service Console API Authorization granularity System policy Reference
Security Center Service
  • AliyunYundunSASFullAccess
  • AliyunYundunSASReadOnlyAccess
-
Server Guard Service
  • AliyunYundunAegisFullAccess
  • AliyunYundunAegisReadOnlyAccess
-
Anti-DDoS Basic Service
  • AliyunYundunDDosFullAccess
  • AliyunYundunDDosReadOnlyAccess
-
Anti-DDoS Premium and Anti-DDoS Pro Service
  • AliyunYundunHighFullAccess
  • AliyunYundunHighReadOnlyAccess
-
Anti-DDoS Premium Service
  • AliyunYundunAntiDDoSPremiumFullAccess
  • AliyunYundunAntiDDoSPremiumReadOnlyAccess
-
GameShield Service AliyunYundunGameShieldReadOnlyAccess -
Web Application Firewall Service
  • AliyunYundunWAFFullAccess
  • AliyunYundunWAFReadOnlyAccess
-
SSL Certificates Service Service
  • AliyunYundunCertFullAccess
  • AliyunYundunCertReadOnlyAccess
-
Cloud Security Scanner Service AliyunYundunAvdsFullAccess -
Content Moderation Service AliyunYundunGreenWebFullAccess -
Anti-Bot Service Service
  • AliyunYundunAntibotFullAccess
  • AliyunYundunAntibotReadOnlyAccess
-
ID Verification for Financial Services Service
  • AliyunAntCloudAuthFullAccess
  • AliyunAntCloudAuthReadOnlyAccess
-

Marketplace

Service Console API Authorization granularity System policy Reference
Marketplace Service AliyunMarketplaceFullAccess -

Domain and hosting

Service Console API Authorization granularity System policy Reference
Alibaba Cloud DNS Resource
  • AliyunDNSFullAccess
  • AliyunDNSReadOnlyAccess
-
Domains Resource AliyunDomainFullAccess Authorization rules for the Domains API
Cloud Web Hosting × × - - -
Alibaba Mail × × - - -

Membership services

Service Console API Authorization granularity System policy Reference
ICP Filing Service AliyunBeianFullAccess -

Billing management

Service Console API Authorization granularity System policy Reference
Billing Management × Service
  • AliyunBSSFullAccess
  • AliyunBSSReadOnlyAccess
  • AliyunBSSOrderAccess
  • AliyunBSSRefundAccess
-

Ticket services

Service Console API Authorization granularity System policy Reference
Ticket Management Service AliyunSupportFullAccess -

Messaging

Service Console API Authorization granularity System policy Reference
Message Center Service AliyunNotificationsFullAccess -