All Products
Search
Document Center

Resource Management

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Resource Management.

The code (RamCode) in RAM that is used to indicate Resource Management is resourcemanager. You can grant permissions on Resource Management at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Resource Management. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

ram:AttachPolicyToGroup

AttachPolicy

Write

RAM:Group


acs:ram::{#accountId}:group/{#GroupName}

RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:AttachPolicyToRole

AttachPolicy

Write

RAM:Role


acs:ram::{#accountId}:role/{#RoleName}

RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:AttachPolicyToUser

AttachPolicy

Write

RAM:User


acs:ram::{#accountId}:user/{#UserName}

RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:CreatePolicy

CreatePolicy

Write


RAM:Policy


acs:ram::{#accountId}:policy/*


N/A

N/A

ram:CreatePolicyVersion

CreatePolicyVersion

Write


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:CreateResourceGroup

CreateResourceGroup

Write


ResourceGroup


acs:ram:*:{#accountId}:resourcegroup/*


N/A

N/A

ram:CreateRole

CreateRole

Write


RAM:Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:CreateServiceLinkedRole

CreateServiceLinkedRole

Write


RAM:Role


acs:ram::{#accountId}:role/*



ram:ServiceName


N/A

ram:DeletePolicy

DeletePolicy

Write


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:DeletePolicyVersion

DeletePolicyVersion

Write


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:DeleteRole

DeleteRole

Write


RAM:Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:DeleteServiceLinkedRole

DeleteServiceLinkedRole

Write


RAM:Role


acs:ram::{#accountId}:role/{#RoleName}



ram:ServiceName


N/A

ram:DetachPolicyToGroup

DetachPolicy

Write




acs:ram::{#accountId}:group/{#GroupName}

RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:DetachPolicyToRole

DetachPolicy

Write

RAM:Role


acs:ram::{#accountId}:role/{#RoleName}

RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:DetachPolicyToUser

DetachPolicy

Write

RAM:User


acs:ram::{#accountId}:user/{#UserName}

RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:GetPolicy

GetPolicy

Read


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:GetPolicyVersion

GetPolicyVersion

Read


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:GetRole

GetRole

Read


RAM:Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:GetServiceLinkedRoleDeletionStatus

GetServiceLinkedRoleDeletionStatus

Read


RAM:Role


acs:ram::{#accountId}:role/{#RoleName}



ram:ServiceName


N/A

ram:ListPolicies

ListPolicies

List


RAM:Policy


acs:ram::{#accountId}:policy/*


RAM:Policy


acs:ram::system:policy/*


N/A

N/A

ram:ListPolicyAttachments

ListPolicyAttachments

List


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:ListPolicyVersions

ListPolicyVersions

List


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


RAM:Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:ListRoles

ListRoles

List


RAM:Role


acs:ram::{#accountId}:role/*


N/A

N/A

ram:SetDefaultPolicyVersion

SetDefaultPolicyVersion

Write


RAM:Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:UpdateRole

UpdateRole

Write


RAM:Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

resourcemanager:AcceptHandshake

AcceptHandshake

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:AttachControlPolicy

AttachControlPolicy

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CancelCreateCloudAccount

CancelCreateCloudAccount

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CancelHandshake

CancelHandshake

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CancelPromoteResourceAccount

CancelPromoteResourceAccount

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CheckPayabilityForAccount

N/A

Read

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CreateCloudAccount

CreateCloudAccount

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CreateControlPolicy

CreateControlPolicy

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CreateFolder

CreateFolder

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:CreateResourceAccount

CreateResourceAccount

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DeclineHandshake

DeclineHandshake

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DeleteControlPolicy

DeleteControlPolicy

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DeleteFolder

DeleteFolder

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DeleteInvalidCloudAccountRecord

N/A

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DeleteResourceGroup

DeleteResourceGroup

Write


All resources


acs:ram:*:{#accountId}:resourcegroup/{#resourceGroupId}


N/A

N/A

resourcemanager:DeregisterDelegatedAdministrator

DeregisterDelegatedAdministrator

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DestroyResourceDirectory

DestroyResourceDirectory

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DetachControlPolicy

DetachControlPolicy

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:DisableControlPolicy

DisableControlPolicy

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:EnableControlPolicy

EnableControlPolicy

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetAccount

GetAccount

Read


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetControlPolicy

GetControlPolicy

Read


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetControlPolicyEnablementStatus

GetControlPolicyEnablementStatus

Read

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetFolder

GetFolder

Read


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetHandshake

GetHandshake

Read


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetPayerForAccount

GetPayerForAccount

Read

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:GetResourceDirectory

GetResourceDirectory

Read


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:InitResourceDirectory

InitResourceDirectory

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:InitResourceDirectoryCheck

N/A

Read

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:InviteAccountToResourceDirectory

InviteAccountToResourceDirectory

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListAccountRecordsForParent

N/A

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListAccounts

ListAccounts

List


All resources


acs:resourcemanager:*:{#accountId}:*



acs:Service


N/A

resourcemanager:ListAccountsForParent

ListAccountsForParent

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListAncestors

ListAncestors

List

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListChildrenForParent

N/A

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListControlPolicies

ListControlPolicies

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListControlPolicyAttachmentsForTarget

ListControlPolicyAttachmentsForTarget

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListDelegatedAdministrators

ListDelegatedAdministrators

List

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListDelegatedServicesForAccount

ListDelegatedServicesForAccount

List

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListFoldersForParent

ListFoldersForParent

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListHandshakesForAccount

ListHandshakesForAccount

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListHandshakesForResourceDirectory

ListHandshakesForResourceDirectory

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListTargetAttachmentsForControlPolicy

ListTargetAttachmentsForControlPolicy

List


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ListTrustedServiceStatus

ListTrustedServiceStatus

List

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:MoveAccount

MoveAccount

Write




acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:PrecheckForConsolidatedBillingAccount

N/A

Read

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:PromoteResourceAccount

PromoteResourceAccount

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:RegisterDelegatedAdministrator

RegisterDelegatedAdministrator

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:RemoveCloudAccount

RemoveCloudAccount

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ResendCreateCloudAccountEmail

ResendCreateCloudAccountEmail

Write

All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:ResendPromoteResourceAccountEmail

ResendPromoteResourceAccountEmail

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:UpdateAccount

UpdateAccount

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:UpdateControlPolicy

UpdateControlPolicy

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:UpdateFolder

UpdateFolder

Write


All resources


acs:resourcemanager:*:{#accountId}:*


N/A

N/A

resourcemanager:UpdateResourceGroup

UpdateResourceGroup

Write


ResourceGroup


acs:ram:*:{#accountId}:resourcegroup/{#resourceGroupId}*


N/A

N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Resource Management.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

Role

acs:ram:*:{#accountId}:role/{#RoleName}

ResourceGroup

acs:ram:*:{#accountId}:resourcegroup/{#Id}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by Resource Management. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Resource Management. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys

Description

Type

ram:ServiceName

Specifies the service principal of the linked service that trusted by the service-linked role (SLR). Example: "ecs.aliyuncs.com"

String