Last Updated: Jul 03, 2017

A permission allows or denies the execution of operations on resources under certain conditions.

The primary account (resource owner) controls all permissions

Each resource has only one owner (resource owner). The owner must have an Alibaba Cloud account. This account is the primary account, and incurs all fees related to resources under it. The primary account also has control over all permissions on the resource. The resource owner is not necessarily the resource creator. For example, if a RAM user is granted permission to create resources, the resources created by this user belong to the primary account. Therefore, the user is the resource creator, but not the resource owner.

By default, RAM users (operators) have no permissions

A RAM user represents an operator and must be explicitly authorized by the primary account owner to perform any operation. By default, a RAM user has no operation permissions. The user can perform resource operations on the console or via APIs only after being authorized.

Resource creators (RAM users) are not automatically granted permissions for the resources they create

If a RAM user is granted the appropriate permission by the primary account owner, the RAM user can create resources. However, the RAM user does not have any permissions for the created resources unless the resource owner explicitly grants permissions to the user.

Authorization policies

An authorization policy is a group of permissions described using Authorization Policy Language. It describes the authorized resource set and operation set, as well as the associated authorization conditions. When an authorization policy contains both Allow and Deny authorization statements, the Deny statements take priority.

In RAM, an authorization policy is a type of resource entity. Users can create, update, delete, and view authorization policies. RAM supports two types of authorization policies:

  • System authorization policies

    System authorization policies are a group of general permission sets created and managed by Alibaba Cloud, such as read-only permission for ECS or full permissions for ECS. These policies can be used but not modified.

  • Custom authorization policies

    Custom authorization policies are policies created and managed by users. They can be used to expand and supplement system authorization policies. System authorization policies contain coarse-grained permissions. If finer-grained authorization policies are required, such as policies that precisely control permissions for a certain ECS instance or that have additional authorization conditions, you must create custom authorization policies.

RAM user authorization

To grant permissions to a RAM user, bind one or more authorization policies to the user or user group. You can bind both system authorization policies and custom authorization policies. If a bound authorization policy is updated, the updated policy automatically takes effect, and you do not have to rebind it.
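The following added example (not Alibaba Cloud code and not the RAM service's actual evaluator) models the rules described on this page: a RAM user with no bound policy can do nothing, permissions are the union of all bound policies, and a matching Deny statement overrides any Allow. It assumes RAM's JSON policy layout (Version, Statement, Effect, Action, Resource), ignores authorization conditions, and uses constructed policies and a constructed instance ID.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # Simplified wildcard match: "*" stands for any run of characters.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(bound_policies, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in bound_policies:          # policies bound to the user or its groups
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # Deny takes priority over every Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    # No matching Allow means no permission: the default for RAM users.
    return "Allow" if allowed else "ImplicitDeny"

# Constructed stand-in for a coarse-grained system policy (ECS read-only).
ECS_READ_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"}]}

# Constructed stand-in for a system policy granting full ECS permissions.
ECS_FULL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}

# Constructed custom policy: operate one instance, never delete anything.
CUSTOM_ONE_INSTANCE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:StartInstance", "ecs:StopInstance"],
     "Resource": "acs:ecs:*:*:instance/i-constructed001"},
    {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*"}]}

INSTANCE_1 = "acs:ecs:cn-hangzhou:1234567890:instance/i-constructed001"
INSTANCE_2 = "acs:ecs:cn-hangzhou:1234567890:instance/i-constructed002"

if __name__ == "__main__":
    cases = [([], "ecs:DescribeInstances", INSTANCE_1),
             ([ECS_READ_ONLY, CUSTOM_ONE_INSTANCE], "ecs:StopInstance", INSTANCE_1),
             ([ECS_READ_ONLY, CUSTOM_ONE_INSTANCE], "ecs:StopInstance", INSTANCE_2),
             ([ECS_FULL, CUSTOM_ONE_INSTANCE], "ecs:DeleteInstance", INSTANCE_1)]
    for policies, action, resource in cases:
        print(action, resource.rsplit("/", 1)[-1], "->", evaluate(policies, action, resource))
```

When reviewing a user's bound policies, the last case is the one to check for: a broad Allow such as full ECS permissions does not undo a Deny in another bound policy, whatever the binding order.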
