
Resource Access Management:Resource Management

Last Updated:Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Resource Management.

The code (RamCode) in RAM that is used to indicate Resource Management is resourcemanager. You can grant permissions on Resource Management at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Resource Management. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must also be allowed to perform before this action can succeed. Grant the permissions on the dependent action together with the permissions on the action itself.

| Action | API | Access level | Resource type (ARN) | Condition key | Dependent action |
|---|---|---|---|---|---|
| ram:AttachPolicyToGroup | AttachPolicy | Write | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}); RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:AttachPolicyToRole | AttachPolicy | Write | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}); RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:AttachPolicyToUser | AttachPolicy | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}); RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:CreatePolicy | CreatePolicy | Write | RAM:Policy (acs:ram::{#accountId}:policy/*) | N/A | N/A |
| ram:CreatePolicyVersion | CreatePolicyVersion | Write | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}) | N/A | N/A |
| ram:CreateResourceGroup | CreateResourceGroup | Write | ResourceGroup (acs:ram:*:{#accountId}:resourcegroup/*) | N/A | N/A |
| ram:CreateRole | CreateRole | Write | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}) | N/A | N/A |
| ram:CreateServiceLinkedRole | CreateServiceLinkedRole | Write | RAM:Role (acs:ram::{#accountId}:role/*) | ram:ServiceName | N/A |
| ram:DeletePolicy | DeletePolicy | Write | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}) | N/A | N/A |
| ram:DeletePolicyVersion | DeletePolicyVersion | Write | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}) | N/A | N/A |
| ram:DeleteRole | DeleteRole | Write | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}) | N/A | N/A |
| ram:DeleteServiceLinkedRole | DeleteServiceLinkedRole | Write | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}) | ram:ServiceName | N/A |
| ram:DetachPolicyToGroup | DetachPolicy | Write | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}); RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:DetachPolicyToRole | DetachPolicy | Write | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}); RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:DetachPolicyToUser | DetachPolicy | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}); RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:GetPolicy | GetPolicy | Read | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:GetPolicyVersion | GetPolicyVersion | Read | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:GetRole | GetRole | Read | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}) | N/A | N/A |
| ram:GetServiceLinkedRoleDeletionStatus | GetServiceLinkedRoleDeletionStatus | Read | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}) | ram:ServiceName | N/A |
| ram:ListPolicies | ListPolicies | List | RAM:Policy (acs:ram::{#accountId}:policy/*); RAM:Policy (acs:ram::system:policy/*) | N/A | N/A |
| ram:ListPolicyAttachments | ListPolicyAttachments | List | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A |
| ram:ListPolicyVersions | ListPolicyVersions | List | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}); RAM:Policy (acs:ram::system:policy/{#PolicyName}) | N/A | N/A |
| ram:ListRoles | ListRoles | List | RAM:Role (acs:ram::{#accountId}:role/*) | N/A | N/A |
| ram:SetDefaultPolicyVersion | SetDefaultPolicyVersion | Write | RAM:Policy (acs:ram::{#accountId}:policy/{#PolicyName}) | N/A | N/A |
| ram:UpdateRole | UpdateRole | Write | RAM:Role (acs:ram::{#accountId}:role/{#RoleName}) | N/A | N/A |
| resourcemanager:AcceptHandshake | AcceptHandshake | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:AttachControlPolicy | AttachControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CancelCreateCloudAccount | CancelCreateCloudAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CancelHandshake | CancelHandshake | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CancelPromoteResourceAccount | CancelPromoteResourceAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CheckPayabilityForAccount | N/A | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CreateCloudAccount | CreateCloudAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CreateControlPolicy | CreateControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CreateFolder | CreateFolder | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:CreateResourceAccount | CreateResourceAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DeclineHandshake | DeclineHandshake | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DeleteControlPolicy | DeleteControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DeleteFolder | DeleteFolder | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DeleteInvalidCloudAccountRecord | N/A | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DeleteResourceGroup | DeleteResourceGroup | Write | All resources (acs:ram:*:{#accountId}:resourcegroup/{#resourceGroupId}) | N/A | N/A |
| resourcemanager:DeregisterDelegatedAdministrator | DeregisterDelegatedAdministrator | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DestroyResourceDirectory | DestroyResourceDirectory | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DetachControlPolicy | DetachControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:DisableControlPolicy | DisableControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:EnableControlPolicy | EnableControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetAccount | GetAccount | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetControlPolicy | GetControlPolicy | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetControlPolicyEnablementStatus | GetControlPolicyEnablementStatus | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetFolder | GetFolder | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetHandshake | GetHandshake | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetPayerForAccount | GetPayerForAccount | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:GetResourceDirectory | GetResourceDirectory | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:InitResourceDirectory | InitResourceDirectory | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:InitResourceDirectoryCheck | N/A | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:InviteAccountToResourceDirectory | InviteAccountToResourceDirectory | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListAccountRecordsForParent | N/A | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListAccounts | ListAccounts | List | All resources (acs:resourcemanager:*:{#accountId}:*) | acs:Service | N/A |
| resourcemanager:ListAccountsForParent | ListAccountsForParent | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListAncestors | ListAncestors | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListChildrenForParent | N/A | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListControlPolicies | ListControlPolicies | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListControlPolicyAttachmentsForTarget | ListControlPolicyAttachmentsForTarget | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListDelegatedAdministrators | ListDelegatedAdministrators | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListDelegatedServicesForAccount | ListDelegatedServicesForAccount | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListFoldersForParent | ListFoldersForParent | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListHandshakesForAccount | ListHandshakesForAccount | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListHandshakesForResourceDirectory | ListHandshakesForResourceDirectory | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListTargetAttachmentsForControlPolicy | ListTargetAttachmentsForControlPolicy | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ListTrustedServiceStatus | ListTrustedServiceStatus | List | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:MoveAccount | MoveAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:PrecheckForConsolidatedBillingAccount | N/A | Read | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:PromoteResourceAccount | PromoteResourceAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:RegisterDelegatedAdministrator | RegisterDelegatedAdministrator | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:RemoveCloudAccount | RemoveCloudAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ResendCreateCloudAccountEmail | ResendCreateCloudAccountEmail | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:ResendPromoteResourceAccountEmail | ResendPromoteResourceAccountEmail | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:UpdateAccount | UpdateAccount | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:UpdateControlPolicy | UpdateControlPolicy | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:UpdateFolder | UpdateFolder | Write | All resources (acs:resourcemanager:*:{#accountId}:*) | N/A | N/A |
| resourcemanager:UpdateResourceGroup | UpdateResourceGroup | Write | ResourceGroup (acs:ram:*:{#accountId}:resourcegroup/{#resourceGroupId}*) | N/A | N/A |

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Resource Management.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.
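The variable and wildcard rules above, as an added Python example that is not part of the original page: it expands `{#name}` variables in an ARN template, refuses to emit a template that still has an unfilled variable, and matches a request ARN against a pattern one segment at a time, so a `*` in the region position cannot spill over into the account id that follows it. The account id and role names are constructed sample values; `wildcard_scope` is a helper name chosen here, not a RAM API.

```python
import re

# ARN layout used throughout this page: acs:<service>:<region>:<account>:<resource>
ARN_SEGMENT_NAMES = ("partition", "service", "region", "account", "resource")
VARIABLE = re.compile(r"\{#(\w+)\}")


def expand_arn(template, **values):
    """Replace every {#name} variable in an ARN template with a concrete value.

    Raises KeyError for a variable that has no value, so a half-filled template
    can never end up as the Resource of a policy statement by accident.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for ARN variable {{#{name}}}")
        return values[name]
    return VARIABLE.sub(substitute, template)


def split_arn(arn):
    """Split an ARN into its five segments; the resource segment keeps any ':' it contains."""
    parts = arn.split(":", len(ARN_SEGMENT_NAMES) - 1)
    if len(parts) != len(ARN_SEGMENT_NAMES) or parts[0] != "acs":
        raise ValueError(f"not a well-formed ARN: {arn!r}")
    return parts


def arn_matches(pattern, arn):
    """Wildcard match in which '*' matches any text within its own segment only.

    The page's action table writes an empty region segment (acs:ram::...) while the
    Resource table writes '*'; a '*' segment therefore also matches an empty one.
    """
    for pattern_segment, arn_segment in zip(split_arn(pattern), split_arn(arn)):
        regex = re.escape(pattern_segment).replace(r"\*", ".*")
        if re.fullmatch(regex, arn_segment) is None:
            return False
    return True


def wildcard_scope(pattern):
    """Names of the segments in which the pattern uses a wildcard (useful for spotting over-broad grants)."""
    return {name for name, segment in zip(ARN_SEGMENT_NAMES, split_arn(pattern)) if "*" in segment}


if __name__ == "__main__":
    # Constructed sample values; not a real account id or real role names.
    one_role = expand_arn("acs:ram:*:{#accountId}:role/{#RoleName}",
                          accountId="123456789012", RoleName="deploy-reader")
    every_role = expand_arn("acs:ram:*:{#accountId}:role/*", accountId="123456789012")
    request = "acs:ram::123456789012:role/deploy-reader"
    print(one_role, "matches request:", arn_matches(one_role, request))
    print(every_role, "matches role/admin:", arn_matches(every_role, "acs:ram::123456789012:role/admin"))
    print("wildcard segments in acs:ram:*:*:resourcegroup/*:", sorted(wildcard_scope("acs:ram:*:*:resourcegroup/*")))
```

Running `wildcard_scope` over every Resource in a policy before it is attached is a cheap review step: a result that contains `account` means the statement reaches into every Alibaba Cloud account, which is rarely what a least-privilege grant intends.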

| Resource type | ARN |
|---|---|
| Policy | acs:ram:*:{#accountId}:policy/{#PolicyName} |
| Role | acs:ram:*:{#accountId}:role/{#RoleName} |
| ResourceGroup | acs:ram:*:{#accountId}:resourcegroup/{#Id} |

Condition

The following table describes the service-specific condition keys that you can use in the Condition element of a policy statement. The values are defined by Resource Management. The common condition keys that are defined by Alibaba Cloud also apply to Resource Management. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

| Condition key | Description | Type |
|---|---|---|
| ram:ServiceName | Specifies the service principal of the linked service that is trusted by the service-linked role (SLR). Example: "ecs.aliyuncs.com" | String |
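The ram:ServiceName condition key described above and the actions listed in the Action table, as an added Python example that is not from the page: a constructed least-privilege policy allows reading roles in one account, allows ram:CreateServiceLinkedRole only when the request's ram:ServiceName equals ecs.aliyuncs.com, grants the rest of resourcemanager broadly, and explicitly denies resourcemanager:DestroyResourceDirectory; a minimal evaluator then decides sample requests offline. The account id and role names are constructed sample values, and the evaluator is a simplification for reasoning about policies, not RAM's engine: it models only the StringEquals and StringLike operators, treats a key missing from the request as not satisfying the condition, lets an explicit Deny override any Allow, and denies when no statement matches.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy document; 123456789012 is a sample account id, not a real one.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ram:GetRole", "ram:ListRoles"],
      "Resource": "acs:ram:*:123456789012:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:123456789012:role/*",
      "Condition": {"StringEquals": {"ram:ServiceName": "ecs.aliyuncs.com"}}
    },
    {
      "Effect": "Allow",
      "Action": "resourcemanager:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "resourcemanager:DestroyResourceDirectory",
      "Resource": "*"
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, resource):
    """'*' alone matches everything; otherwise each of the five ARN segments must match on its own."""
    if pattern == "*":
        return True
    pattern_parts = pattern.split(":", 4)
    resource_parts = resource.split(":", 4)
    return len(pattern_parts) == len(resource_parts) == 5 and all(
        fnmatchcase(res, pat) for pat, res in zip(pattern_parts, resource_parts))


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringLike (assumed subset); a key absent from the request never satisfies it."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(wanted)
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, w) for w in _as_list(wanted))
            else:
                raise ValueError(f"operator not modeled here: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny': an explicit Deny beats Allow, and no matching statement is an implicit Deny."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    slr = "acs:ram::123456789012:role/AliyunServiceRoleForExample"  # constructed SLR name
    print(evaluate(POLICY, "ram:GetRole", "acs:ram::123456789012:role/deploy-reader"))          # Allow
    print(evaluate(POLICY, "ram:GetRole", "acs:ram::999999999999:role/deploy-reader"))          # Deny: other account
    print(evaluate(POLICY, "ram:CreateServiceLinkedRole", slr, {"ram:ServiceName": "ecs.aliyuncs.com"}))  # Allow
    print(evaluate(POLICY, "ram:CreateServiceLinkedRole", slr, {"ram:ServiceName": "oss.aliyuncs.com"}))  # Deny
    print(evaluate(POLICY, "resourcemanager:DestroyResourceDirectory", "acs:resourcemanager:*:123456789012:*"))  # Deny wins
```

The last two statements show the guardrail pattern that the table's resource-level column makes necessary: most resourcemanager actions can only be granted on All resources, so a broad Allow is often unavoidable, and an explicit Deny on the destructive action is what keeps that grant bounded.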