RAM allows you to create and manage multiple identities under an Alibaba Cloud account and to attach different policies to different identities or identity groups. That is, RAM grants different resource access permissions to different RAM users.

  • You can create and manage RAM users and their access keys under your Alibaba Cloud account and attach or deactivate MFA devices for them.
  • You can attach one or more policies to a RAM user or a RAM user group to restrict users' operation permissions for Alibaba Cloud resources.
  • You can specify that RAM users use secure channels (for example, SSL) to operate on specified Alibaba Cloud resources at a specified time or from specified source IP addresses.
  • You can centrally control the instances and data created by RAM users. Therefore, when a user leaves your organization, you can still fully control the user's instances and data.
  • You can implement single sign-on (SSO), such as user-based SSO or role-based SSO, between your enterprise IdPs and Alibaba Cloud.
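The secure-channel, time and source-IP restrictions in the list above are expressed as a `Condition` block in a RAM policy, using the condition keys `acs:SecureTransport`, `acs:CurrentTime` and `acs:SourceIp`. The following is an added example, not code from Alibaba Cloud: it audits a policy document and reports which of those three restrictions each `Allow` statement leaves unset. The sample policy, bucket name, CIDR range and function names are constructed for illustration, and matching condition keys case-insensitively is an assumption of this example.

```python
import json

SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject",
     "Resource": "acs:oss:*:*:example-bucket/*",
     "Condition": {
       "Bool": {"acs:SecureTransport": "true"},
       "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
       "DateLessThan": {"acs:CurrentTime": "2030-01-01T00:00:00+08:00"}}},
    {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": "ram:*", "Resource": "*"}
  ]
}
""")  # constructed sample; resource names and CIDR are placeholders

# Restriction named in the list above -> condition key that expresses it.
REQUIRED = {
    "secure channel": "acs:securetransport",
    "source IP": "acs:sourceip",
    "time window": "acs:currenttime",
}

def condition_keys(stmt):
    """Lower-cased condition keys of one statement that actually restrict access."""
    keys = set()
    for block in stmt.get("Condition", {}).values():
        for key, value in block.items():
            values = value if isinstance(value, list) else [value]
            # SecureTransport only enforces an encrypted channel when set to true.
            if key.lower() == "acs:securetransport" and \
                    [str(v).lower() for v in values] != ["true"]:
                continue
            keys.add(key.lower())
    return keys

def missing_restrictions(policy):
    """Map each Allow statement index to the restrictions it does not set."""
    findings = {}
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only grants need to be constrained
        present = condition_keys(stmt)
        findings[index] = [n for n, k in REQUIRED.items() if k not in present]
    return findings
```

An empty list for a statement means all three restrictions are present; whether every grant needs all three is a decision for your own policy baseline.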