RAM helps you with user identity management and resource access management. RAM provides the following features:

Manage RAM users and their access keys

Under your Alibaba Cloud account, you can create and manage RAM users and their access keys, and enable or disable MFA devices for RAM users.

Grant access permissions to RAM users

You can attach one or more authorization policies to a user, a user group or a role, to grant necessary operation permissions on specified resources.

Restrict user access to cloud resources

You can specify that users use security channels (such as SSL) to request access to specific cloud resources at a designated time or from a specified source IP address.

Authorize roles for external account identities

You can associate RAM roles with external identity systems (such as your local enterprise domain accounts, or your app accounts). In this way, you can directly use an external identity to log on to a RAM role to access the Alibaba Cloud console or an API.

Centrally control cloud resources

You can control the instances and data created by RAM users in a centralized manner. Therefore, when a user leaves your organization, these instances and data are still under your full control.

Consolidate bills

Your account receives a single bill for all expenses incurred from resource operations performed by all RAM users.