
Permissions and policies

Last Updated: Sep 15, 2017

Permissions are used to allow or deny certain operations on resources under specific conditions. In RAM, authorization policies express permissions following the Authorization Policy Language. A policy contains a set of permissions.

This document explains related attributes of permissions and policies to help you better understand the service.


In RAM, the primary account owns all resources, and RAM users can be granted access permissions to those resources.

  • The primary account (resource owner) controls all permissions
    • Each resource has only one owner (resource owner). The owner must have an Alibaba Cloud account. This account is the primary account, and incurs all fees related to resources under it. The primary account also has control over all permissions on the resource.
    • The resource owner is not necessarily the resource creator. For example, if a RAM user is granted permission to create resources, the resources created by this user belong to the primary account. Therefore, the user is the resource creator, but not the resource owner.
  • By default, RAM users (operators) have no permissions
    • A RAM user represents an operator and must be explicitly authorized by the primary account owner to perform any operation.
    • By default, a RAM user has no operation permissions after being created. Only after being authorized can the user perform resource operations on the console or by calling APIs.
  • Resource creators (RAM users) are not automatically granted permissions for the resources they create
    • If a RAM user is granted the appropriate permission by the primary account owner, the RAM user can create resources.
    • The RAM user does not have any permissions for the created resources unless the resource owner explicitly grants permissions to the user.

Authorization policies

An authorization policy is a group of permissions described using Authorization Policy Language. It describes the authorized resource set, the authorized operation set, and the associated authorization conditions. When an authorization policy contains both Allow and Deny authorization statements, priority is given to Deny statements.

In RAM, an authorization policy is a type of resource entity. You can create, update, delete, and view authorization policies. RAM supports two types of authorization policies:

  • System authorization policies

    • System authorization policies are a group of general permission sets created and managed by Alibaba Cloud, such as read-only permission for ECS or full permissions for ECS.
    • These policies can be used but not modified by users.
  • Custom authorization policies

    • Custom authorization policies are policies created and managed by users. They can be used to expand and supplement system authorization policies.
    • System authorization policies contain coarse-grained permissions. If finer-grained authorization policies are required, such as policies that precisely control permissions for a certain ECS instance or that have additional authorization conditions, you must create custom authorization policies.

Attach policies to a RAM user

To grant permissions to a RAM user, attach one or more authorization policies to the user or to a user group of which the user is a member.

  • You can attach both system authorization policies and custom authorization policies.
  • If an attached authorization policy is updated, the updated policy automatically takes effect, and you do not have to reattach it.
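
The sketch below is an added example, not Alibaba Cloud code. It models the rules described above when reviewing a user's effective access: no matching statement means no permission, an explicit Deny takes priority over any Allow, and policies attached to the user and to the user's groups are evaluated together. The JSON statement layout, the resource name format, the sample policies and the function names are assumptions made for illustration, and authorization conditions are not modelled.

```python
import re

def _match(pattern, value):
    # "*" matches any run of characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(item):
    return item if isinstance(item, list) else [item]

def effective_policies(user_policies, groups):
    # A user's permissions come from policies attached directly to the user
    # plus policies attached to every group the user belongs to.
    return list(user_policies) + [p for group in groups for p in group]

def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit Deny wins regardless of order
            allowed = True
    # RAM users start with no permissions, so "no match" is a denial.
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample policies (assumed layout, hypothetical instance ID).
ECS_FULL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
PROTECT_PROD = {"Version": "1", "Statement": [
    {"Effect": "Deny",
     "Action": ["ecs:DeleteInstance", "ecs:StopInstance"],
     "Resource": "acs:ecs:*:*:instance/i-prod-example"}]}

PROD = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-prod-example"
TEST = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-test-example"

if __name__ == "__main__":
    # Group grants full ECS access; a custom policy on the user denies
    # destructive operations on one instance.
    attached = effective_policies([PROTECT_PROD], [[ECS_FULL]])
    for action, res in [("ecs:DeleteInstance", PROD),
                        ("ecs:DeleteInstance", TEST),
                        ("oss:GetObject", "*")]:
        print(action, res, "->", evaluate(attached, action, res))
```
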