Users

Last Updated: Sep 15, 2017

A RAM-User is an identity in RAM that corresponds to a real entity, such as a person or an application. To allow a new user or an application to access your cloud resources, you create a RAM-User and grant it permissions. The general procedure is as follows:

  1. Use the primary account (or a RAM-User with RAM operation permissions) to log on to the RAM console.
  2. Create a RAM user and add the user to one or more groups.
  3. Attach one or more authorization policies to the user (or the group to which the user belongs).
  4. Create a credential for the user.
    • If the user is to perform operations using the console, you must set a logon password for the user.
    • If the user is to call APIs, you must create an API AccessKey for the user.
  5. If the user needs to use sensitive permissions (for example, to stop ECS instances), you can set MFA for the user and require that the user enter an MFA verification code to log on to the Alibaba Cloud console.
  6. Provide the user with the logon URL, username, and logon password.

This document describes the RAM-User related operations, such as creating a RAM user, creating a logon password or an AccessKey for a RAM user, and enabling virtual MFA devices for a RAM user.

RAM settings

In Settings, you can set your enterprise alias, the password policy for RAM users, and the security policy.

Set the enterprise alias

The procedures are as follows.

  1. Log on to the RAM console.

  2. Select Settings > Enterprise Alias Settings.

  3. Click Edit Enterprise Alias.

  4. Enter an enterprise alias following the instruction, and then click OK.

Set the password policy

The procedures are as follows.

  1. Log on to the RAM console.

  2. Select Settings > Password Strength Settings.

  3. Configure your password policy, and then click Save Changes.

Note: All RAM users created hereafter must comply with the password strength settings.

Set the security settings

The procedures are as follows.

  1. Log on to the RAM console.

  2. Select Settings > User Security Settings.

  3. Configure your security policy, and then click Save Changes.

Create a RAM user

The procedures are as follows.

  1. Log on to the RAM console.

  2. Select Users > New User.

  3. Enter the user information in the dialog box and click OK.

Set a logon password

To allow a RAM user access to the management console, you create a logon password for the user. The procedures are as follows.

  1. Log on to the RAM console and click Users.

  2. Select a user to go to the User Details page.

  3. Click Enable console logon and set an initial password for the user in the dialog box. You can also specify that the user must change this password upon the first logon.

  4. After setting a logon password, you can also enable MFA, Reset Password, or Disable console logon in the User Details page.


Create an AccessKey

An AccessKey (AK) is equivalent to a logon password, but it is used in different scenarios. AccessKeys are used to call cloud service APIs, and logon passwords are used to log on to the console. If the user does not have to call APIs, you do not have to create an AccessKey for the user.

To create an AccessKey, do the following:

  1. Log on to the RAM console and click Users.

  2. Select a user to open the User Details page.

  3. Click Create AccessKey in the User AccessKey section to create a new AccessKey in the dialog box.


    Note:

    New AccessKeys are displayed only during creation. For security reasons, RAM does not provide an AccessKey query interface. Therefore, please keep the AccessKey safe. If your AccessKey is disclosed or lost, you must create a new one.

Enable virtual MFA devices

Multi-Factor Authentication (MFA) is a simple but effective best practice that can provide additional security protection.

After MFA is enabled, when a user logs on to Alibaba Cloud, the system requires the user to enter the user name and password (first security factor), and then enter a variable verification code (second security factor) provided by the user’s VMFA (virtual MFA) device. All these factors work together to offer higher security protection for your account.

The virtual MFA (VMFA) device is an application that generates a 6-digit verification code. It complies with the time-based one-time password algorithm (TOTP) standard (RFC 6238). This application can run on mobile hardware devices including smartphones, making it easily accessible.

To enable virtual MFA devices for a RAM user, do the following:

  1. Log on to the RAM console and click Users.

  2. Select a user to open the User Details page.

  3. Click Enable VMFA device in the MFA Device section.


    Note: Ensure that you have installed an MFA application (for example, Google Authenticator) on a smart device (a smart phone is optimal) before proceeding with the following operation.

  4. On the Enable virtual MFA device page, do one of the following to associate your MFA application with the RAM user:

    • Scan the generated QR code with the MFA application on your smart phone.
    • Manually enter the information under Manual information retrieval in the MFA application.

    After the association is established, the RAM user account is added to the MFA application, which then provides a new dynamic security code (Time-based One-Time Password, TOTP) every 30 seconds.

  5. Enter two successive security codes you obtained from the MFA application into the First security code and Second security code boxes, and click Enable.
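The following is an added illustration, not part of the Alibaba Cloud documentation, of the TOTP mechanism (RFC 6238) behind steps 4 and 5: the shared secret delivered under "Manual information retrieval" is assumed to be a base32 string, and the enable step is modelled as checking that the two submitted codes come from consecutive 30-second time steps. The secret used is the RFC 6238 reference key, so the values can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by the VMFA device described on the page
DIGITS = 6          # length of the verification code shown on the page

# Constructed test secret (not a real key): the RFC 6238 reference key
# "12345678901234567890" encoded in base32, the form an authenticator
# app accepts when the secret is entered manually.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1: MAC the 8-byte big-endian counter,
    dynamically truncate to a 31-bit integer, reduce to `digits` digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals
    elapsed since the Unix epoch at `at_time`."""
    return hotp(secret_b32, at_time // step)


def verify_code(secret_b32: str, code: str, now=None, skew: int = 1) -> bool:
    """Logon check (second factor): accept the code for the current step or
    up to `skew` steps on either side to tolerate clock drift."""
    now = int(time.time()) if now is None else now
    current = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(current - skew, current + skew + 1))


def verify_enrollment(secret_b32, first, second, now=None, skew=1) -> bool:
    """Enable-step check: the two codes must come from two consecutive time
    steps near `now`, which proves the app is seeded with the right secret
    and roughly in sync with the server clock."""
    now = int(time.time()) if now is None else now
    current = now // STEP_SECONDS
    for c in range(current - skew - 1, current + skew + 1):
        if hmac.compare_digest(hotp(secret_b32, c), first) and \
           hmac.compare_digest(hotp(secret_b32, c + 1), second):
            return True
    return False
```

Because a code is only valid for one step (plus the drift window), the two codes in step 5 must be read from the app in order and entered promptly.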

Log on to a RAM user

RAM-Users are distinct from Alibaba Cloud accounts and therefore use a different logon portal. RAM-Users cannot log on from the Alibaba Cloud account logon page.

On the RAM console overview page, you can find the RAM-User logon link. RAM-Users can log on to the Alibaba Cloud console through the logon URL.


Note: By default, RAM-Users do not have any access permissions. A RAM-User without permissions can log on to the console, but cannot perform any operations.

For details on how to grant permissions to RAM-Users, see User Authorization.
