You can attach policies to individual RAM users directly or to entire RAM user groups as needed. Both methods grant RAM users permission to access resources.

Policy types

System policies are a group of common policies that meet coarse-grained authorization requirements. For example, you can use system policies to authorize a RAM user to manage orders (through the AliyunBSSFullAccess policy), ECS resources (through the AliyunECSFullAccess policy), or all users and their permissions (through the AliyunRAMFullAccess policy).

You can view all system policies supported by RAM in Policy overview.

If you require finer-grained authorization, you can create a custom policy as needed. For more information, see (Optional) Create a custom policy.

Authorize RAM users directly

To authorize a RAM user directly, call the AttachPolicyToUser API or follow these steps in the RAM Console.

  1. Log on to the RAM Console.
  2. Choose Identities > Users.
  3. In the User Logon Name/Display Name column, locate the user you want to authorize and click Add Permissions.
    • In the displayed dialog box, select the policies you want to grant the user from the Policy Name column. The selected policies then appear in the area on the right.
      Note: You can enter keywords to search for a specific policy name.
    • To revoke a selected policy, select the target policy in the area on the right and click ×.

Authorize RAM users by authorizing their user groups

To authorize a user group, call the AttachPolicyToGroup API or follow these steps in the RAM Console.

Note: The user to be authorized must be a member of the target user group.
  1. Log on to the RAM Console.
  2. Choose Identities > Groups.
  3. In the Group Name/Display Name column, locate the user group you want to authorize and click Add Permissions.
    • In the displayed dialog box, select the policies you want to grant the user group from the Policy Name column. The selected policies then appear in the area on the right.
      Note: You can enter keywords to search for a specific policy name.
    • To revoke a selected policy, select the target policy in the area on the right and click ×.
  4. Click OK.

What to do next

  • In the User Logon Name/Display Name column, click a user logon name. On the displayed Permissions tab page, you can navigate to the Individual tab page to view or revoke a permission granted directly to the user.
  • In the Group Name/Display Name column, click a group name. On the displayed Permissions tab page, you can view or revoke a permission granted to the group.
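
Because a user can hold the same policy both directly and through a group, revoking it on one tab does not necessarily remove the access. The following added example (not part of the original documentation) merges both grant paths per user and flags policies that survive a single revoke, as well as coarse-grained FullAccess system policies. The user names, group names and the JSON nesting of the sample responses are assumptions constructed for illustration.

```python
# Constructed sample data (made-up users and groups). The nesting is assumed to
# follow RAM's ListPoliciesForUser, ListGroupsForUser and ListPoliciesForGroup
# JSON responses.
def _resp(*names):
    return {"Policies": {"Policy": [
        {"PolicyName": n, "PolicyType": "System"} for n in names]}}

USER_POLICIES = {"alice": _resp("AliyunECSFullAccess"), "bob": _resp()}
USER_GROUPS = {
    "alice": {"Groups": {"Group": [{"GroupName": "ops"}]}},
    "bob": {"Groups": {"Group": [{"GroupName": "ops"}, {"GroupName": "billing"}]}},
}
GROUP_POLICIES = {"ops": _resp("AliyunECSFullAccess"),
                  "billing": _resp("AliyunBSSFullAccess")}


def policy_names(resp):
    """Extract (type, name) pairs from a ListPoliciesFor* style response."""
    return [(p["PolicyType"], p["PolicyName"])
            for p in resp.get("Policies", {}).get("Policy", [])]


def effective_permissions(user):
    """Map each policy the user holds to every path that grants it."""
    paths = {}
    for pol in policy_names(USER_POLICIES.get(user, {})):
        paths.setdefault(pol, []).append("direct")
    for grp in USER_GROUPS.get(user, {}).get("Groups", {}).get("Group", []):
        for pol in policy_names(GROUP_POLICIES.get(grp["GroupName"], {})):
            paths.setdefault(pol, []).append("group:" + grp["GroupName"])
    return paths


def review(user):
    """Flag grants that survive a single revoke, and coarse FullAccess grants."""
    findings = []
    for (ptype, name), via in sorted(effective_permissions(user).items()):
        if len(via) > 1:
            findings.append(f"{user}: {name} granted via {', '.join(via)}; "
                            "revoking one path leaves the others in effect")
        if ptype == "System" and name.endswith("FullAccess"):
            findings.append(f"{user}: {name} is a coarse-grained system policy; "
                            "consider a custom policy")
    return findings


if __name__ == "__main__":
    for u in sorted(USER_GROUPS):
        print("\n".join(review(u)))
```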