RAM helps manage identities and control resource access with various features.

Manage RAM users and their keys

You can create and manage RAM users and their keys under your account and attach or detach MFA devices for them.

Control access permissions of RAM users

You can attach one or more policies to a user or a user group to restrict users' operation permissions on resources.

Control resource access methods of RAM users

You can specify that users use security channels (for example, SSL) to operate on the specified cloud resources at a specified time or from specified source IP addresses.

Manage identity associations of RAM roles and external accounts

You can associate a RAM role with an external identity system (such as your local enterprise domain account or app account). In this way, you can directly use the external identity to log on to the Alibaba Cloud console or use APIs as the RAM role identity.

Control cloud resources

You can control the instances and data created by RAM users in a centralized manner. Therefore, when a user leaves your organization, you can still fully control the user's instances and data.

Pay for bills

Your account pays for all fees incurred due to resource operations performed by all RAM users.