edit-icon download-icon

RAM terms

Last Updated: Jun 21, 2018

This topic explains some key terms to help you understand how to use the access control function of MQ. For more information, see RAM Concepts.

Alibaba Cloud account (primary account)

An Alibaba Cloud account is the basic entity for judging the ownership of Alibaba Cloud resources and billing for resource consumption. To use Alibaba Cloud services, register an Alibaba Cloud account first. An Alibaba Cloud account is billed for all the resources under the account and has full permissions for these resources.

By default, the resources can only be accessed by the resource owner. Explicit authorization from the owner is required for other users to access the resources. From the perspective of permission management, an Alibaba Cloud account is the equivalent of root or administrator of an operating system, so it’s often called root account or main account (primary account).

RAM users (sub-accounts)

RAM allows creating multiple RAM users (for employees, systems, or applications of an enterprise) under an Alibaba Cloud account. RAM users have no resources and are not billed individually. The Alibaba Cloud account controls its sub-accounts and pays for the services they consume. RAM users belong to an Alibaba Cloud account and are visible only under this account. They’re not independent Alibaba Cloud accounts. RAM users can log on to the console or use APIs to operate on resources under an Alibaba Cloud account only after being authorized by the Alibaba Cloud account.


Resources are an abstraction of the objects or entities that a cloud service presents for interaction with users. Topic is the only form of resources for MQ.

Each resource has a global Alibaba Cloud Resource Name (ARN) in the format of:



  • acs: short for Alibaba Cloud Service, is the public cloud platform of Alibaba Cloud.
  • service-name: is the name of the service. The service name of MQ is mq.
  • region: is the region information, and can be replaced with a wildcard character “*“.

    Note: MQ authorization is temporarily unavailable, so you must use “*“.

  • account-id: is an ID of Alibaba Cloud account, such as 1234567890123456.

  • resource-relative-id: is the specific name of the Topic resource.

Example: The ARN acs:mq:*:1234567890123456:TopicA indicates that:

  • It’s a MQ resource.
  • The resource owner is 1234567890123456.
  • The resource name is TopicA.


Action defines permission controls related to the resource. MQ defines three actions:

Action Description
PUB The publishing permission, including permission to create Producers on the MQ Console, and to send messages through SDK.
SUB The subscription permission, including permission to create Consumers on the MQ Console, and to subscribe to messages through SDK.
* Includes PUB and SUB actions.
Thank you! We've received your feedback.