Alibaba Cloud uses permissions to describe the ability of internal identities (such as users, user groups, roles) to access specific resources. A permission refers to allow or deny someone to perform certain operations on certain resources under certain conditions. A policy is the collection of access permissions.

This topic describes the attributes of Alibaba Cloud permissions and policies to help you understand and use them.


  • An account (resource owner) controls all permissions.
    • Each resource has only one owner (resource owner). The owner must be an account. The account pays for and has full control over the resource.
    • The resource owner is not necessarily the resource creator. For example, a RAM user is granted the permission to create a resource. The RAM user is the resource creator, but the resource belongs to the account of the RAM user.
  • A RAM user (operator) has no permission by default.
    • A RAM user represents an operator and must be explicitly authorized to perform any operation.
    • By default, a new RAM user has no operation permission and cannot operate on resources in the console or by using APIs until the permission is granted.
  • Resource creators (RAM users) are not automatically granted permissions of the resources they have created.
    • If a RAM user is granted the permission to create a resource, the user can create the resource.
    • The RAM user has no permission of the created resource unless the resource owner has an explicit authorization on the user.


A policy is a set of permissions described by Policy syntax structure that accurately describes the set of authorized resources, the set of operations, and authorization conditions. The deny prevails principle is followed when there are both allow and deny authorization statements in a policy.

In RAM, a policy is a type of resource entity. Users can create, update, delete, and view policies. RAM supports two types of policies:

  • System policies are a group of general permissions created and managed by Alibaba Cloud, such as the read-only permission of ECS or full permissions of ECS. You can use these policies, but cannot modify them.
  • Custom policies are a group of permissions created and managed by users. Such policies can be used to expand and supplement system policies.

System policies describe coarse-grained permissions. If you require finer-grained policies, such as policies that precisely control permissions of a certain ECS instance or that have additional authorization requirements, you must create custom policies.

Authorize a RAM user

Authorizing a RAM user refers to attaching one or more policies to a user, user group, or role.

  • The policy to be attached can be either a system policy or a custom policy.
  • If an attached policy is updated, the policy automatically takes effect after the update, and you do not need to reattach it.