This topic describes how to attach one or more policies to RAM users, RAM user groups, or RAM roles under an Alibaba Cloud account.

Background information

  • You can grant permissions to the RAM users under your Alibaba Cloud account. After RAM users are granted the corresponding permissions, they can access the required Alibaba Cloud resources to fulfill their duties.
  • You can grant permissions to the RAM user groups under your Alibaba Cloud account. After you grant permissions to a RAM user group, all RAM users in the group share the same permissions. This helps you to manage RAM users that require the same permissions to access Alibaba Cloud resources.
  • You can grant permissions to the RAM roles under your Alibaba Cloud account to address business needs in complex cloud environments. These business needs include temporary authorization for mobile apps, cross-account resource authorization, dynamic identity and authorization management for cloud apps, and authorization for operations between Alibaba Cloud services.

Grant permissions to a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Users.
  3. In the User Name/Display Name column, find the target RAM user and click Authorize.
  4. In the Edit User-Level Authorization dialog box, select one or more target policies from the Available Authorization Policy Names column, click the rightwards arrow, and then click OK.
    Note: To delete a policy, select the target policy from the Selected Authorization Policy Name column, and click the leftwards arrow.

Grant permissions to a RAM user group

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Groups.
  3. In the Group Name column, find the target user group and click Authorize.
  4. In the Edit Group Authorization Policy dialog box, select one or more target policies from the Available Authorization Policy Names column, click the rightwards arrow, and then click OK.
    Note: To delete a policy, select the target policy from the Selected Authorization Policy Name column, and click the leftwards arrow.

Grant permissions to a RAM role

When you create a RAM role, you can select User Role or Service Role.

  • If you select User Role and Current Alibaba Cloud Account, the RAM users under the current Alibaba Cloud account can assume this role and access the authorized Alibaba Cloud resources.
  • If you select User Role and Other Alibaba Cloud Account, the RAM users under the specified Alibaba Cloud account can assume the RAM role and access the authorized Alibaba Cloud resources.
  • If you select Service Role, the trusted Alibaba Cloud service can assume the RAM role and access the authorized Alibaba Cloud resources.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Roles.
  3. In the Role Name column, find the target RAM role and click Authorize.
  4. In the Edit Role Authorization Policy dialog box, select one or more target policies from the Available Authorization Policy Names column, click the rightwards arrow, and then click OK.
    Note: To delete a policy, select the target policy from the Selected Authorization Policy Name column, and click the leftwards arrow.
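
The choice between User Role (current or other account) and Service Role is recorded in the role's trust policy, so it is worth confirming who can assume a role before you attach policies to it. The following Python sketch is an added example, not part of the original documentation: it classifies a trust policy document into the three cases described above. The function name classify_trust, the account IDs, and the sample policies are constructed for illustration.

```python
import json
import re

# Account principal ARN as written in a role trust policy, e.g. acs:ram::<account-id>:root
_ACCOUNT_ARN = re.compile(r"^acs:ram::(\d+):")


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def classify_trust(trust_policy, current_account_id):
    """Return a sorted list describing who may assume the role."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    kinds = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            kinds.add("unrecognized")  # anything unexpected is surfaced for manual review
            continue
        for arn in _as_list(principal.get("RAM")):
            match = _ACCOUNT_ARN.match(arn)
            if match is None:
                kinds.add("unrecognized")
            elif match.group(1) == current_account_id:
                kinds.add("current-account")
            else:
                kinds.add("other-account:" + match.group(1))
        for service in _as_list(principal.get("Service")):
            kinds.add("service:" + service)
    return sorted(kinds)


# Constructed sample data: the account IDs below are placeholders, not real accounts.
CURRENT_ID = "1111111111111111"
USER_ROLE_OTHER_ACCOUNT = """{"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
  "Effect": "Allow", "Principal": {"RAM": ["acs:ram::2222222222222222:root"]}}]}"""
SERVICE_ROLE = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
  "Effect": "Allow", "Principal": {"Service": ["ecs.aliyuncs.com"]}}]}

if __name__ == "__main__":
    print(classify_trust(USER_ROLE_OTHER_ACCOUNT, CURRENT_ID))
    print(classify_trust(SERVICE_ROLE, CURRENT_ID))
```

A result that contains an other-account entry means RAM users outside the current Alibaba Cloud account can use whatever policies you attach to that role.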