Users

Last Updated: Apr 02, 2018

A RAM user is an identity in RAM that represents a real-world identity, such as a person or an application. To give a new person or application access to your cloud resources, create a RAM user and grant it the permissions it needs. The general procedure is as follows:

  1. Use the primary account (or a RAM user with RAM operation permissions) to log on to the RAM console.
  2. Create a RAM user and add the user to one or more groups.
  3. Attach one or more authorization policies to the user (or the group to which the user belongs).
  4. Create a credential for the user.
    • If the user performs operations through the console, set a logon password for the user.
    • If the user performs operations by calling APIs, create an API AccessKey for the user.
  5. If the user needs sensitive permissions (for example, to stop ECS instances), enable MFA for the user so that the user must also enter an MFA verification code when logging on to the Alibaba Cloud console.
  6. Provide the user with the logon URL, username, and password.

This document describes RAM user-related operations, such as creating a RAM user, setting a logon password, creating an AccessKey, and enabling a virtual MFA device.

RAM settings

The following describes RAM settings.

Set the enterprise alias

To set the enterprise alias, follow these steps:

  1. Log on to the RAM console.

  2. Choose Settings > Enterprise Alias Settings.

  3. Click Edit Enterprise Alias.

  4. Enter an enterprise alias and click OK.

Configure the password policy

To configure the password policy, follow these steps:

  1. Log on to the RAM console.

  2. Choose Settings > Password Strength Settings.

  3. Configure your password policy and click Save Changes.

Note: Once the password policy takes effect, all RAM users created hereafter must comply with the password strength settings.

Configure the security policy

To configure the security policy, follow these steps:

  1. Log on to the RAM console.

  2. Choose Settings > User Security Settings.

  3. Configure your security policy and click Save Changes.

Create a RAM user

To create a RAM user, follow these steps:

  1. Log on to the RAM console.

  2. Choose Users > New User.

  3. Enter user information in the displayed dialog box and click OK.

Set a logon password

To allow a RAM user to access the RAM console, you can set a logon password for the user. The procedure is as follows:

  1. Log on to the RAM console and click Users.

  2. In the User Management area, click the name of a user.

  3. On the User Details tab page, click Enable console logon and set an initial password for the user. You can also require the user to change the password at the next logon.

  4. After a logon password is set, the same tab page offers Enable MFA, Reset Password, and Disable console logon.


Create an AccessKey

An AccessKey (AK) plays the same role as a logon password but is used in a different scenario: AccessKeys are used to call cloud service APIs, and logon passwords are used to log on to the console. An AccessKey consists of an AccessKey ID and an AccessKey Secret. If the user does not need to call APIs, you do not need to create an AccessKey for the user.

To create an AccessKey, follow these steps:

  1. Log on to the RAM console and click Users.

  2. Select a user to open the User Details page.

  3. Click Create AccessKey in the User AccessKey section to create a new AccessKey in the dialog box.


    Note: A new AccessKey is displayed only once, at creation time. For security reasons, RAM does not provide an interface for retrieving the AccessKey Secret afterwards, so store it securely. If an AccessKey is disclosed or lost, create a new one and disable or delete the old one.
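The following is an added example, not code from Alibaba Cloud or its SDKs. It builds and signs a RAM ListUsers call the way the Alibaba Cloud RPC-style API signature works (SignatureMethod HMAC-SHA1, SignatureVersion 1.0), to show what the AccessKey Secret is actually used for: it keys an HMAC over the canonicalized request and is never itself sent, which is why the console has no reason to ever display it again. The AccessKey pair below is constructed; ListUsers, API version 2015-05-01 and the ram.aliyuncs.com endpoint are the RAM API's own. The code performs no network call.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

RAM_ENDPOINT = "https://ram.aliyuncs.com/"
RAM_API_VERSION = "2015-05-01"

# Constructed credential pair for this example; never embed real ones in source.
EXAMPLE_ACCESS_KEY_ID = "LTAIexampleKeyId"
EXAMPLE_ACCESS_KEY_SECRET = "exampleSecretNotARealOne"


def percent_encode(value: str) -> str:
    """Signing-rule encoding: keep A-Za-z0-9 - _ . ~ and encode everything else
    as %XX (space becomes %20, '*' becomes %2A). The signature is computed over
    exactly this encoding, so the server can rebuild the same string."""
    return quote(str(value), safe="-_.~")


def canonicalized_query(params: dict) -> str:
    """Parameters sorted by name, each key and value percent-encoded, joined by '&'."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()))


def string_to_sign(method: str, params: dict) -> str:
    """HTTPMethod & percentEncode('/') & percentEncode(canonicalized query string)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query(params))}"


def sign(access_key_secret: str, sts: str) -> str:
    """HMAC-SHA1 keyed with the AccessKey Secret plus a trailing '&', Base64-encoded.
    The secret only ever enters this function; it never appears in the request."""
    mac = hmac.new((access_key_secret + "&").encode("utf-8"),
                   sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_signed_request(access_key_id, access_key_secret, action, extra=None,
                         method="GET", timestamp=None, nonce=None):
    """Assemble the common parameters, sign them, and attach the Signature parameter.
    Timestamp and nonce can be injected so that the result is reproducible in tests."""
    params = {
        "Action": action,
        "Version": RAM_API_VERSION,
        "Format": "JSON",
        "AccessKeyId": access_key_id,          # identifies the key; not secret
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),   # replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params.update(extra or {})
    params["Signature"] = sign(access_key_secret, string_to_sign(method, params))
    return params


def request_url(params: dict) -> str:
    """Final URL: only the AccessKey ID and the HMAC travel; the Secret does not."""
    return RAM_ENDPOINT + "?" + canonicalized_query(params)


if __name__ == "__main__":
    signed = build_signed_request(EXAMPLE_ACCESS_KEY_ID, EXAMPLE_ACCESS_KEY_SECRET, "ListUsers")
    print(request_url(signed))
```

Because the server recomputes the HMAC from the AccessKey ID's stored secret, anyone holding the Secret can sign arbitrary requests as that RAM user; that is why a leaked Secret cannot be "recovered" and has to be replaced rather than looked up.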

Enable virtual MFA devices

Multi-Factor Authentication (MFA) is a simple but effective best practice that can provide additional security protection.

After MFA is enabled, when the user logs on to Alibaba Cloud, the system first asks for the user name and password (first factor) and then for the variable verification code (second factor) generated by the user's virtual MFA (VMFA) device. Together the two factors give the account stronger protection: a stolen password alone is no longer enough to log on.

The virtual MFA (VMFA) device is an application that generates a 6-digit verification code. It implements the Time-based One-Time Password (TOTP) algorithm (RFC 6238) and runs on mobile devices such as smartphones, so it is easy to keep at hand.

To enable virtual MFA devices for a RAM user, follow these steps:

  1. Log on to the RAM console and click Users.

  2. Select a user to open the User Details page.

  3. Click Enable VMFA device in the MFA Device section.


    Note: Make sure that you have installed an MFA application (for example, Google Authenticator) on a smart device (preferably a smartphone) before proceeding with the following operation.

  4. On the Enable virtual MFA device page, do one of the following to associate your MFA application with the RAM user:

    • Scan the generated QR code with the MFA application on your smart phone.
    • Manually enter the information under Manual information retrieval in the MFA application.

After the association is established, the RAM user account appears in the MFA application, which then shows a new dynamic security code (Time-based One-Time Password, TOTP) every 30 seconds.

  5. Enter two successive security codes obtained from the MFA application into the First security code and Second security code boxes, and click Enable.
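To make concrete what the VMFA device computes, here is an added example (not Alibaba Cloud's code): a stand-alone RFC 6238 TOTP implementation with the page's parameters (6 digits, 30-second step, SHA-1), the Base32 decoding of a secret entered by hand, a logon-time check of one code, and an enrollment check modelled on the two-successive-codes step above. How the RAM console implements that enrollment check internally is an assumption; the seed is the RFC 6238 reference seed and is used only for the self-check, and a real enrollment generates a fresh random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed (ASCII "12345678901234567890"); for the self-check only.
RFC6238_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # the page's "every 30 seconds"
DIGITS = 6          # the page's "6-digit verification code"


def secret_from_manual_entry(text: str) -> bytes:
    """Decode the Base32 secret shown under 'Manual information retrieval'.
    Authenticator apps accept it grouped with spaces and in lower case."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # restore Base32 padding if stripped
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def _well_formed(code: str) -> bool:
    # Reject anything that is not plain ASCII digits before comparing.
    return code.isascii() and code.isdigit()


def verify_code(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Second-factor check at logon. Accepts the current step and +/- 'window' steps
    to tolerate clock drift; constant-time comparison avoids a timing side channel."""
    if not _well_formed(code):
        return False
    base = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(max(0, base - window), base + window + 1))


def verify_enrollment(secret: bytes, first: str, second: str, now: int,
                      window: int = 1) -> bool:
    """Enrollment check (assumed model of the console's two-code step): the codes must
    come from consecutive steps near 'now', which shows the app is in sync and that
    the user holds a live generator rather than one replayed code."""
    if not (_well_formed(first) and _well_formed(second)):
        return False
    base = now // STEP_SECONDS
    for c in range(max(0, base - window - 1), base + window + 1):
        if (hmac.compare_digest(hotp(secret, c), first)
                and hmac.compare_digest(hotp(secret, c + 1), second)):
            return True
    return False


if __name__ == "__main__":
    # Self-check against RFC 6238 Appendix B (SHA-1, 8 digits) before trusting the code.
    assert totp(RFC6238_SEED, 59, digits=8) == "94287082"
    assert totp(RFC6238_SEED, 1111111109, digits=8) == "07081804"
    now = int(time.time())
    print("current 6-digit code:", totp(RFC6238_SEED, now))
    print("enrollment ok:", verify_enrollment(
        RFC6238_SEED, totp(RFC6238_SEED, now - STEP_SECONDS), totp(RFC6238_SEED, now), now))
```

The shared secret is the whole security of the second factor: it must be generated with a cryptographic random source, shown to the user once (the QR code or manual entry above) and then stored only on the server side, exactly as the AccessKey Secret is handled.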

Log on as a RAM user

RAM users are different from Alibaba Cloud accounts, so their logon portal is also different: RAM users cannot log on from the Alibaba Cloud account logon page.

On the RAM console overview page, you can find the RAM user logon link. RAM users can log on to the Alibaba Cloud console through the logon URL.


Note: By default, RAM users do not have any access permissions. A RAM user without permissions can log on to the console, but cannot perform any operations.

For more information about how to grant permissions to RAM users, see User Authorization.

Delete a RAM user

Warning: Think carefully before deleting a RAM user. If a running service uses the user's credentials, deleting the user will cause that service to fail.

To delete a RAM user, follow these steps:

  1. Log on to the RAM console.

  2. Find the RAM user you want to delete and click Delete in the Actions column.

  3. In the displayed Delete User dialog box, select the Unlink Dependent Objects check box (so that the user's attached objects, such as group memberships, policies, and AccessKeys, are removed together with the user) and click OK.
