Resource Access Management (RAM) is an Alibaba Cloud service that helps you manage user identities and access to your cloud resources. You can create RAM users and manage their permissions to reduce risks to your Alibaba Cloud account.
Background information
You can create and manage multiple RAM users under an Alibaba Cloud account and grant each RAM user different permissions on Alibaba Cloud resources. With RAM, you do not need to share AccessKey pairs with other users, and you can assign each RAM user only the minimal permissions it needs, which reduces data security risks for your enterprise. For more information, see What is RAM? and Policy overview.
To manage user permissions by using RAM, you must create RAM users or groups. Then, you need to grant different permissions to each RAM user or group.
Create a RAM user
To create a RAM user, perform the following steps:
Create a user group
If you have multiple RAM users under your Alibaba Cloud account, you can create RAM user groups to classify and authorize these RAM users. This simplifies the management of RAM users and permissions.
- Log on to the RAM console with an Alibaba Cloud account.
- In the left-side navigation pane, click Groups under Identities.
- On the Groups page, click Create Group.
- In the Create Group pane, specify the Group Name, Display Name, and Note parameters.
- Click OK.
- Click Close.
Grant permissions to a RAM user or group
By default, a RAM user or group has no permissions. You must grant permissions to a RAM user or group before the RAM user or group can be used to perform operations in the console or call API operations.
- AliyunHbrFullAccess: grants a RAM identity full access permissions on HBR.
- AliyunHbrReadOnlyAccess: grants a RAM identity read-only permissions on HBR.
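The following added example (not part of the original documentation) shows one way to review who holds these two policies so that full access stays limited to the identities that need it. It assumes you have exported, for each policy, the list of attached users and groups as JSON in the shape returned by the RAM ListEntitiesForPolicy operation; that shape, the principal names, and the approved list are constructed for illustration.

```python
import json

FULL = "AliyunHbrFullAccess"
READ_ONLY = "AliyunHbrReadOnlyAccess"

# Constructed sample: one ListEntitiesForPolicy-style response per policy.
# The JSON shape (Users.User[], Groups.Group[]) is an assumption, not from the page.
SAMPLE = json.loads("""
{
  "AliyunHbrFullAccess": {
    "Users":  {"User":  [{"UserName": "backup-admin"}, {"UserName": "intern-01"}]},
    "Groups": {"Group": [{"GroupName": "hbr-operators"}]}
  },
  "AliyunHbrReadOnlyAccess": {
    "Users":  {"User":  [{"UserName": "intern-01"}, {"UserName": "auditor"}]},
    "Groups": {"Group": [{"GroupName": "hbr-viewers"}]}
  }
}
""")

def principals(response):
    """Return the set of ("user"|"group", name) pairs a policy is attached to."""
    users = response.get("Users", {}).get("User", [])
    groups = response.get("Groups", {}).get("Group", [])
    return ({("user", u["UserName"]) for u in users}
            | {("group", g["GroupName"]) for g in groups})

def review_hbr_grants(responses, approved_full_access):
    """Compare HBR policy attachments against an approved full-access list."""
    full = principals(responses.get(FULL, {}))
    read_only = principals(responses.get(READ_ONLY, {}))
    findings = []
    for p in sorted(full):
        if p not in approved_full_access:
            findings.append((p, "full access not on approved list"))
        if p in read_only:
            findings.append((p, "read-only grant is redundant next to full access"))
    return findings

if __name__ == "__main__":
    # Hypothetical approved list maintained by the account owner.
    approved = {("user", "backup-admin"), ("group", "hbr-operators")}
    for (kind, name), issue in review_hbr_grants(SAMPLE, approved):
        print(f"{kind} {name}: {issue}")
```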
You can authorize a RAM user or group by attaching the policies to the RAM user or group in the RAM console. To attach a policy to a RAM user or group, perform the following steps: