edit-icon download-icon

Sub-account management

Last Updated: Jan 17, 2018

Sub-account management

The ACM system supports the Resource Access Management (RAM) account system of Alibaba Cloud. A primary account can create RAM sub-accounts, so that the account key is not shared with other users and only minimum permissions are assigned to these sub-accounts as necessary, thus enabling the enterprise to function efficiently.

This article includes the following sections:

Introduction to RAM sub-accounts

When using ACM, a primary account can enable clearly defined roles and responsibilities by assigning different roles and resources to its sub-accounts. This primary and sub-account permission model works in a similar way to the system and normal user model in the Linux system, where system users can grant or revoke permissions from normal users.


  • RAM sub-accounts are created by a primary account in the RAM system. No legality verification is required provided that each sub-account under the same primary account has a unique name.
  • Unlike logons with an Alibaba Cloud account, RAM sub-accounts log on through a unique logon entrance, which is described in the RAM console.

Create a RAM sub-account

Follow the instructions in RAM document to create a RAM account and log on to .

Note: Make sure you enable console logon and password reset for next logon.

Log on to the ACM console with RAM sub-account

The RAM user logon link varies with the primary account, so the RAM logon links created by different primary accounts are different from each other. Also refer to RAM document for the detailed logon link.

After logging on to the RAM Console, click Products in the navigation bar at the top. Locate Application Configuration Management (ACM) under the Middleware category to enter the ACM console.

Authorize a RAM account

The granularity of RAM authorization is at the ACM service level, which means that users that are granted the RAM authorization have full access to ACM. You can only grant or revoke the RAM authorization in the RAM console.

Here are the steps to authorize a RAM account:

  1. Click Users in the left-side pane of the RAM console. Select the user and click Authorize in the Actions column.

  2. In the left-side search box of the dialog box, enter ACM, and select AliyunACMFullAccess and add it to Selected Authorization Policies box on the right. Click OK to grant this account full access to ACM.

    After the authorization is complete, the sub-account can log on to the console to manage configurations.

Here are the steps to revoke the RAM authorization:

  1. Click Users in the left-side pane of the RAM console. Select the user and click Auhtorize in the Actions column.

  2. Move AliyunACMFullAccess in the right sidebar to the left and click OK.

After the authorization is revoked, the sub-user will not be able to log on to the ACM console.

Unbind a RAM account

Here are the steps to unbind a RAM account:

  1. Log on to the RAM console.

  2. Click Users in the left-side navigation pane. Select Delete in the Actions column on the right to unbind.

Thank you! We've received your feedback.