
Resource Access Management:Resource Access Management (IMS)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Resource Access Management (IMS).

The code (RamCode) in RAM that is used to indicate IMS is ram. You can grant permissions on RAM at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by RAM. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must already be allowed to perform before this action can succeed. To call the action, the RAM user or RAM role must hold the permissions for the dependent action as well.

Action | API | Access level | Resource type (ARN) | Condition key | Dependent action
--- | --- | --- | --- | --- | ---
ram:ProvisionExternalApplication | N/A | Write | Application (acs:ram::{#accountId}:application/*) |  | N/A
ram:AddUserToGroup | AddUserToGroup | Write | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}); RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:BindMFADevice | BindMFADevice | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:ChangePassword | ChangePassword | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:CreateAccessKey | CreateAccessKey | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:CreateAppSecret | CreateAppSecret | Write | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:CreateApplication | CreateApplication | Write | RAM:Application (acs:ram::{#accountId}:application/*) | N/A | N/A
ram:CreateGroup | CreateGroup | Write | RAM:Group (acs:ram::{#accountId}:group/*) | N/A | N/A
ram:CreateLoginProfile | CreateLoginProfile | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:CreateSAMLProvider | CreateSAMLProvider | Write | RAM:SAMLProvider (acs:ram::{#accountId}:saml-provider/*) | N/A | N/A
ram:CreateUser | CreateUser | Write | RAM:User (acs:ram::{#accountId}:user/*) | N/A | N/A
ram:CreateVirtualMFADevice | CreateVirtualMFADevice | Write | RAM:MFADevice (acs:ram::{#accountId}:mfa/*) | N/A | N/A
ram:DeleteAccessKey | DeleteAccessKey | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:DeleteAppSecret | DeleteAppSecret | Write | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:DeleteApplication | DeleteApplication | Write | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:DeleteGroup | DeleteGroup | Write | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}) | N/A | N/A
ram:DeleteLoginProfile | DeleteLoginProfile | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:DeleteSAMLProvider | DeleteSAMLProvider | Write | RAM:SAMLProvider (acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}) | N/A | N/A
ram:DeleteUser | DeleteUser | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:DeleteVirtualMFADevice | DeleteVirtualMFADevice | Write | RAM:MFADevice (acs:ram::{#accountId}:mfa/{#SerialNumber}) | N/A | N/A
ram:DeprovisionApplication | N/A | Write | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:DisableVirtualMFA | DisableVirtualMFA | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:GenerateCredentialReport | GenerateCredentialReport | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetAccessKeyLastUsed | GetAccessKeyLastUsed | Read | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:GetAccountMFAInfo | GetAccountMFAInfo | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetAccountSecurityPracticeReport | GetAccountSecurityPracticeReport | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetAccountSummary | GetAccountSummary | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetAppSecret | GetAppSecret | Read | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:GetApplication | GetApplication | Read | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:GetCredentialReport | GetCredentialReport | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetDefaultDomain | GetDefaultDomain | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetGroup | GetGroup | Read | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}) | N/A | N/A
ram:GetLoginProfile | GetLoginProfile | Read | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:GetPasswordPolicy | GetPasswordPolicy | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetSAMLProvider | GetSAMLProvider | Read | RAM:SAMLProvider (acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}) | N/A | N/A
ram:GetSamlSsoSettings | N/A | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetSecurityPreference | GetSecurityPreference | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:GetUser | GetUser | Read | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:GetUserMFAInfo | GetUserMFAInfo | Read | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:GetUserSsoSettings | GetUserSsoSettings | Read | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:ListAccessKeys | ListAccessKeys | List | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:ListAppSecretIds | ListAppSecretIds | List | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:ListApplications | ListApplications | List | RAM:Application (acs:ram::{#accountId}:application/*) | N/A | N/A
ram:ListGroups | ListGroups | List | RAM:Group (acs:ram::{#accountId}:group/*) | N/A | N/A
ram:ListGroupsForUser | ListGroupsForUser | List | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:ListSAMLProviders | ListSAMLProviders | List | RAM:SAMLProvider (acs:ram::{#accountId}:saml-provider/*) | N/A | N/A
ram:ListUserBasicInfos | ListUserBasicInfos | List | RAM:User (acs:ram::{#accountId}:user/*) | N/A | N/A
ram:ListUsers | ListUsers | List | RAM:User (acs:ram::{#accountId}:user/*) | N/A | N/A
ram:ListUsersForGroup | ListUsersForGroup | List | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}) | N/A | N/A
ram:ListVirtualMFADevices | ListVirtualMFADevices | List | RAM:MFADevice (acs:ram::{#accountId}:mfa/*) | N/A | N/A
ram:RemoveUserFromGroup | RemoveUserFromGroup | Write | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}); RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:SetDefaultDomain | SetDefaultDomain | Write | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:SetPasswordPolicy | SetPasswordPolicy | Write | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:SetSamlSsoSettings | N/A | Write | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:SetSecurityPreference | SetSecurityPreference | Write | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:SetUserSsoSettings | SetUserSsoSettings | Write | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:UnbindMFADevice | UnbindMFADevice | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:UpdateAccessKey | UpdateAccessKey | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:UpdateApplication | UpdateApplication | Write | RAM:Application (acs:ram::{#accountId}:application/{#AppName}) | N/A | N/A
ram:UpdateDefaultDomain | N/A | Write | RAM: all resources (acs:ram::{#accountId}:*) | N/A | N/A
ram:UpdateGroup | UpdateGroup | Write | RAM:Group (acs:ram::{#accountId}:group/{#GroupName}) | N/A | N/A
ram:UpdateLoginProfile | UpdateLoginProfile | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A
ram:UpdateSAMLProvider | UpdateSAMLProvider | Write | RAM:SAMLProvider (acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}) | N/A | N/A
ram:UpdateUser | UpdateUser | Write | RAM:User (acs:ram::{#accountId}:user/{#UserName}) | N/A | N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by RAM.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type | ARN
--- | ---
Application | acs:ram:*:{#accountId}:application/{#AppName}
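As an added illustration (not Alibaba Cloud's policy engine and not code from this page), the following Python evaluates a constructed policy against requests using the wildcard rules above: an asterisk in any ARN segment, including {#accountId}, matches anything, and action names are matched the same way. The policy layout (Version, Statement, Effect, Action, Resource) is the standard RAM policy format; the account ID and user name are made-up sample values, and the evaluation rule assumed is explicit Deny overrides Allow with denial by default.

```python
import fnmatch

# Constructed sample policy (account ID and user name are made up): a RAM user
# may manage only her own access keys and MFA device, may read anything in the
# account, and is never allowed to create or delete users or pull the
# account-wide credential report.
SELF_SERVICE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ram:ListAccessKeys", "ram:CreateAccessKey",
                       "ram:UpdateAccessKey", "ram:DeleteAccessKey",
                       "ram:GetUserMFAInfo", "ram:BindMFADevice",
                       "ram:UnbindMFADevice"],
            "Resource": ["acs:ram::123456789012:user/alice"],
        },
        {
            "Effect": "Allow",
            "Action": ["ram:Get*", "ram:List*"],      # read-only, whole account
            "Resource": ["acs:ram::123456789012:*"],
        },
        {
            "Effect": "Deny",                         # * in {#accountId}: every account
            "Action": ["ram:CreateUser", "ram:DeleteUser", "ram:GetCredentialReport"],
            "Resource": ["acs:ram::*:*"],
        },
    ],
}


def _matches(patterns, value):
    """Glob match: '*' in an action name or in any ARN segment matches anything."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decide one request (assumed rule): an explicit Deny overrides any Allow,
    and a request that matches no statement at all is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

The request resource for each action is the ARN form shown in the table, for example acs:ram::{#accountId}:user/{#UserName} for ram:CreateAccessKey and acs:ram::{#accountId}:* for the account-level report actions.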

Condition

The following table describes the service-specific condition keys that you can use in the Condition element of a policy statement. The values are defined by RAM. The common condition keys that are defined by Alibaba Cloud also apply to RAM. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition key | Description | Type
--- | --- | ---
ram:ServiceName | Specifies the service principal of the linked service that is trusted by the service-linked role (SLR). Example: "ecs.aliyuncs.com" | String
acs:Service | Specifies the service principal of the service to which a role can be passed. This condition key applies to the "PassRole" action in a policy. Example: "ecs.aliyuncs.com" | String