This topic describes the limits of Resource Access Management (RAM).
| Category | Item | Upper limit |
|---|---|---|
| RAM user | The number of RAM users that can be created within an Alibaba Cloud account | 1000 |
| The number of characters that the name of a RAM user can contain | 64 | |
| The number of groups that a RAM user can join | 5 | |
| The number of AccessKey pairs that a RAM user can create | 2 | |
| The number of multi-factor authentication (MFA) devices that can be enabled for a RAM user | 1 | |
| The number of system policies that can be attached to a RAM user | 20 | |
| The number of custom policies that can be attached to a RAM user | 10 | |
| RAM user group | The number of RAM user groups that can be created within an Alibaba Cloud account | 50 |
| The number of characters that the name of a RAM user group can contain | 64 | |
| The number of system policies that can be attached to a RAM user group | 20 | |
| The number of custom policies that can be attached to a RAM user group | 5 | |
| RAM role | The number of RAM roles that can be created within an Alibaba Cloud account | 1000 |
| The number of characters that the name of a RAM role can contain | 64 | |
| The number of system policies that can be attached to a RAM role | 20 | |
| The number of custom policies that can be attached to a RAM role | 5 | |
| Account alias | The number of characters that an account alias can contain | 64
Note An account alias must be 3 to 64 characters in length.
|
| Policy | The number of characters that the name of a policy can contain | 128 |
| MFA | The number of MFA devices that can be created within an Alibaba Cloud account | 1000 |
| Custom policy | The number of custom policies that can be created within an Alibaba Cloud account | 1500 |
| The number of characters that a custom policy can contain | 4096 | |
| The number of versions that a custom policy can have | 5 | |
| Identity provider (IdP) | The number of IdPs that can be created within an Alibaba Cloud account | 100 |
| The number of IdP descriptors that an IdP metadata file can contain | 1 | |
| The number of certificates that an IdP descriptor in an IdP metadata file can contain | 2 |
Note The number of policies that can be attached to a RAM user, RAM user group, or RAM
role is not affected by authorization scope. In other words, you can apply the same
number of policies whether you grant permissions on a single resource group or on
your Alibaba Cloud account.