In RAM, authorization is the process of attaching one or more policies to a user, user group, or role. You can:

  • Authorize users or user groups to grant permissions to RAM users under the current account.
  • Authorize roles to grant permissions to both RAM users under the current account and those under other accounts. The difference is that, with roles, authorized objects must assume the role to obtain the role identity and its permissions.

Authorize users or user groups

You can authorize either a specific user or a group to which the target user belongs. If you authorize a group, all users in the group are authorized, which suits users with similar resource access requirements (for example, create resources and add them to the same group).

Authorize a user

The procedure is as follows:

  1. Log on to the RAM Console.
  2. In the left-side navigation pane, click Users.
  3. In the User Name/Display Name column, find the target user (fuzzy search is supported) and click Authorize.
  4. In the Edit User-Level Authorization dialog box:
    • Find the target policy from the Available Authorization Policy Names column (fuzzy search is supported), click the policy, and click the rightwards arrow to add the policy to the Selected Authorization Policy Name column on the right.
    • Click a policy in the Selected Authorization Policy Name column on the right and click the leftwards arrow to revoke the policy.
  5. Click OK.

Authorize a user group

The procedure is as follows:

  1. Log on to the RAM Console.
  2. In the left-side navigation pane, click Groups.
  3. In the Group Name column, find the target group (fuzzy search is supported) and click Authorize.
  4. In the Edit Group Authorization Policy dialog box:
    • Find the target policy from the Available Authorization Policy Names column (fuzzy search is supported), click the policy, and click the rightwards arrow to add the policy to the Selected Authorization Policy Name column on the right.
    • Click a policy in the Selected Authorization Policy Name column on the right and click the leftwards arrow to revoke the policy.
  5. Click OK.

Authorize a role

You can create a user role (whose trusted account can be the current account or another account) or a service role as needed. Then set the trusted account or cloud service for the role (that is, allow the role to access your cloud resources).

  • If you authorize a role under the current account, RAM users under the current account can assume the role and access the authorized cloud resources.
  • If you authorize a role under another account, RAM users under that account can assume the role and access the authorized cloud resources.
  • If you authorize a service role, the trusted cloud service can assume the role and access the authorized cloud resources.

Procedure

  1. Log on to the RAM Console.
  2. In the left-side navigation pane, click Roles.
  3. In the Role Name column, find the target role (fuzzy search is supported) and click Authorize.
  4. In the Edit Role Authorization Policy dialog box:
    • Find the target policy from the Available Authorization Policy Names column (fuzzy search is supported), click the policy, and click the rightwards arrow to add the policy to the Selected Authorization Policy Name column on the right.
    • Click a policy in the Selected Authorization Policy Name column on the right and click the leftwards arrow to revoke the policy.
  5. Click OK.
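
The three authorization paths described on this page (user, user group, role) can be reviewed together to see every principal that can end up holding a given policy. The following is an added example, not part of the original documentation or any RAM tooling: a small Python model over constructed sample data. All user, group, role and account names are made up, and the model follows the page's statement that RAM users under a role's trusted account can assume that role.

```python
"""Toy model of the three RAM authorization paths: user, group, role."""

CURRENT_ACCOUNT = "1000000000000001"   # constructed account IDs
OTHER_ACCOUNT = "2000000000000002"

# Constructed sample attachments, as they might look after the console steps.
USER_POLICIES = {"alice": {"AliyunOSSReadOnlyAccess"}, "bob": set()}
GROUP_MEMBERS = {"ecs-admins": {"alice", "bob"}}
GROUP_POLICIES = {"ecs-admins": {"AliyunECSFullAccess"}}
ROLES = {
    "ops-role": {"trusted": ("account", CURRENT_ACCOUNT),
                 "policies": {"AdministratorAccess"}},
    "partner-role": {"trusted": ("account", OTHER_ACCOUNT),
                     "policies": {"AliyunOSSReadOnlyAccess"}},
    "log-service-role": {"trusted": ("service", "log.aliyuncs.com"),
                         "policies": {"AliyunOSSReadOnlyAccess"}},
}


def standing_policies(user):
    """Policies a user holds without assuming a role: direct plus group-inherited."""
    result = {p: {"user:" + user} for p in USER_POLICIES.get(user, set())}
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for policy in GROUP_POLICIES.get(group, set()):
                result.setdefault(policy, set()).add("group:" + group)
    return result


def who_can_reach(policy):
    """Every (principal, path) through which `policy` can be obtained."""
    paths = set()
    for user in USER_POLICIES:
        for source in standing_policies(user).get(policy, ()):
            paths.add((user, source))
    for role, spec in ROLES.items():
        if policy not in spec["policies"]:
            continue
        kind, ident = spec["trusted"]
        if kind == "service":
            paths.add(("service:" + ident, "assume:" + role))
        elif ident == CURRENT_ACCOUNT:
            # Local users hold the policy only after assuming the role.
            paths.update((u, "assume:" + role) for u in USER_POLICIES)
        else:
            paths.add(("account:" + ident, "assume:" + role))
    return sorted(paths)
```

Calling `who_can_reach("AliyunECSFullAccess")` shows that attaching one policy to a group reaches every member, while role-attached policies appear only behind an `assume:` path.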