All Products
Search
Document Center

Resource Access Management (IMS)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Resource Access Management (IMS).

The code (RamCode) in RAM that is used to indicate IMS is ram. You can grant permissions on RAM at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by RAM. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

API

Access level

Resource type

Condition keys

Associated operation

ram:ProvisionExternalApplication

N/A

Write

Application

acs:ram::{#accountId}:application/*




N/A

ram:AddUserToGroup

AddUserToGroup

Write


RAM:Group


acs:ram::{#accountId}:group/{#GroupName}


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:BindMFADevice

BindMFADevice

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ChangePassword

ChangePassword

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:CreateAccessKey

CreateAccessKey

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:CreateAppSecret

CreateAppSecret

Write


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:CreateApplication

CreateApplication

Write


RAM:Application


acs:ram::{#accountId}:application/*


N/A

N/A

ram:CreateGroup

CreateGroup

Write


RAM:Group


acs:ram::{#accountId}:group/*


N/A

N/A

ram:CreateLoginProfile

CreateLoginProfile

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:CreateSAMLProvider

CreateSAMLProvider

Write


RAM:SAMLProvider


acs:ram::{#accountId}:saml-provider/*


N/A

N/A

ram:CreateUser

CreateUser

Write


RAM:User


acs:ram::{#accountId}:user/*


N/A

N/A

ram:CreateVirtualMFADevice

CreateVirtualMFADevice

Write


RAM:MFADevice


acs:ram::{#accountId}:mfa/*


N/A

N/A

ram:DeleteAccessKey

DeleteAccessKey

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:DeleteAppSecret

DeleteAppSecret

Write


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:DeleteApplication

DeleteApplication

Write


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:DeleteGroup

DeleteGroup

Write


RAM:Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:DeleteLoginProfile

DeleteLoginProfile

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:DeleteSAMLProvider

DeleteSAMLProvider

Write


RAM:SAMLProvider


acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}


N/A

N/A

ram:DeleteUser

DeleteUser

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:DeleteVirtualMFADevice

DeleteVirtualMFADevice

Write


RAM:MFADevice


acs:ram::{#accountId}:mfa/{#SerialNumber}


N/A

N/A

ram:DeprovisionApplication

N/A

Write


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:DisableVirtualMFA

DisableVirtualMFA

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GenerateCredentialReport

GenerateCredentialReport

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetAccessKeyLastUsed

GetAccessKeyLastUsed

Read


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetAccountMFAInfo

GetAccountMFAInfo

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetAccountSecurityPracticeReport

GetAccountSecurityPracticeReport

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetAccountSummary

GetAccountSummary

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetAppSecret

GetAppSecret

Read


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:GetApplication

GetApplication

Read


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:GetCredentialReport

GetCredentialReport

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetDefaultDomain

GetDefaultDomain

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetGroup

GetGroup

Read


RAM:Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:GetLoginProfile

GetLoginProfile

Read


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetPasswordPolicy

GetPasswordPolicy

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetSAMLProvider

GetSAMLProvider

Read


RAM:SAMLProvider


acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}


N/A

N/A

ram:GetSamlSsoSettings

N/A

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetSecurityPreference

GetSecurityPreference

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetUser

GetUser

Read


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetUserMFAInfo

GetUserMFAInfo

Read


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetUserSsoSettings

GetUserSsoSettings

Read


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:ListAccessKeys

ListAccessKeys

List


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ListAppSecretIds

ListAppSecretIds

List


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:ListApplications

ListApplications

List


RAM:Application


acs:ram::{#accountId}:application/*


N/A

N/A

ram:ListGroups

ListGroups

List


RAM:Group


acs:ram::{#accountId}:group/*


N/A

N/A

ram:ListGroupsForUser

ListGroupsForUser

List


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ListSAMLProviders

ListSAMLProviders

List


RAM:SAMLProvider


acs:ram::{#accountId}:saml-provider/*


N/A

N/A

ram:ListUserBasicInfos

ListUserBasicInfos

List


RAM:User


acs:ram::{#accountId}:user/*


N/A

N/A

ram:ListUsers

ListUsers

List


RAM:User


acs:ram::{#accountId}:user/*


N/A

N/A

ram:ListUsersForGroup

ListUsersForGroup

List


RAM:Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:ListVirtualMFADevices

ListVirtualMFADevices

List


RAM:MFADevice


acs:ram::{#accountId}:mfa/*


N/A

N/A

ram:RemoveUserFromGroup

RemoveUserFromGroup

Write


RAM:Group


acs:ram::{#accountId}:group/{#GroupName}


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:SetDefaultDomain

SetDefaultDomain

Write


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:SetPasswordPolicy

SetPasswordPolicy

Write


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:SetSamlSsoSettings

N/A

Write


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:SetSecurityPreference

SetSecurityPreference

Write


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:SetUserSsoSettings

SetUserSsoSettings

Write


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:UnbindMFADevice

UnbindMFADevice

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:UpdateAccessKey

UpdateAccessKey

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:UpdateApplication

UpdateApplication

Write


RAM:Application


acs:ram::{#accountId}:application/{#AppName}


N/A

N/A

ram:UpdateDefaultDomain

N/A

Write


RAM: all resources


acs:ram::{#accountId}:*


N/A

N/A

ram:UpdateGroup

UpdateGroup

Write


RAM:Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:UpdateLoginProfile

UpdateLoginProfile

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:UpdateSAMLProvider

UpdateSAMLProvider

Write


RAM:SAMLProvider


acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}


N/A

N/A

ram:UpdateUser

UpdateUser

Write


RAM:User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by RAM.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

Application

acs:ram:*:{#accountId}:application/{#AppName}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by RAM. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to RAM. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys

Description

Type

ram:ServiceName

Specifies the service principal of the linked service that trusted by the service-linked role (SLR). Example: "ecs.aliyuncs.com"

String

acs:Service

Specifies the service principal of the service to which a role can be passed. This condition key applies to the "PassRole" action in a policy. Example: "ecs.aliyuncs.com"

String