Resource Access Management (RAM) is an Alibaba Cloud service that helps you manage user identities and access to your cloud resources. You can create RAM users and manage their permissions to reduce risks to your Alibaba Cloud account.

Background

You can create and manage multiple RAM users under an Alibaba Cloud account. You can also grant different permissions to each RAM user. This allows each RAM user to have different access permissions on Alibaba Cloud resources. Using RAM, you do not need to share an AccessKey with another account. You can assign minimal permissions to each RAM user to reduce data security risks for your enterprise. For more information, see What is RAM? and Policy overview.

To use RAM to manage user permissions, you must create RAM users or groups. Then, you need to grant different permissions to each RAM user or group.

Create a RAM user

The procedure is as follows:
  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Users under Identities.
  3. Click Create User.
    Note To create multiple RAM users at a time, click Add User.
  4. Specify the Logon Name and Display Name parameters.
  5. Under Access Mode, select Console Password Logon or Programmatic Access.
    • Console Password Logon: If you select this check box, you must also complete the basic security settings for logon, including deciding whether to automatically generate a password or customize the logon password, whether the user must reset the password upon the next logon, and whether to enable multi-factor authentication (MFA).
    • Programmatic Access: If you select this check box, an AccessKey pair is automatically created for the RAM user. The user can access Alibaba Cloud resources by calling an API operation or by using a development tool.
    Note We recommend that you select only one access mode for the RAM users to ensure the security of your Alibaba Cloud account. This prevents RAM users who have terminated their employment contracts with the company from accessing Alibaba Cloud resources.
  6. Click OK.

Create a RAM group

If you need to create multiple RAM users, you can group RAM users with identical responsibilities together and grant permissions to the group. This helps you conveniently manage RAM users and their permissions. The procedure for creating a RAM group is as follows:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Groups under Identities.
  3. Click Create Group.
  4. Specify the Group Name, Display Name, and Note parameters.
  5. Click OK.
  6. Click Close.

Grant permissions to a RAM user or group

By default, a new RAM user or group does not have any permissions. You need to grant permissions to the RAM user or group. Then, you can use the RAM user or group to perform operations in the console or call API operations.

Alibaba Cloud RAM provides two authorization policies for Hybrid Backup Recovery (HBR):
  • AliyunHbrFullAccess: grants a RAM user full access permissions on HBR.
  • AliyunHbrReadOnlyAccess: grants a RAM user the read-only permission on HBR.
You can attach these two policies to a RAM user or group in the RAM console. The procedure is as follows:
  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Grants under Permissions.
  3. Click Grant Permission.
  4. Under Principal, enter a principal name and click the target principal.
    Note You can enter a name of the RAM user, user group, or role for a fuzzy search.
  5. In the left-side Policy Name column, click one or more policies. For example, click AliyunHbrFullAccess and AliyunHbrReadOnlyAccess.
    Note You can click × for a selected policy in the right-side Selected section to remove this policy from the section.
  6. Click OK.
  7. Click Finished.
Note In addition to the policies provided in the RAM console, you can also create custom policies.
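When you write custom policies instead of using AliyunHbrFullAccess or AliyunHbrReadOnlyAccess, it helps to check them against the minimal-permission principle above before attaching them. The following is an added example, not Alibaba Cloud's own code: it uses the RAM policy document format (Version "1", a Statement list with Effect, Action and Resource), but the specific `hbr:` action names and the `lint_policy` function are assumed for illustration.

```python
import json

# Constructed RAM policy documents in Alibaba Cloud's policy format.
# The hbr:* action names below are assumed for illustration.
READ_ONLY_HBR_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["hbr:Describe*", "hbr:List*"],
        "Resource": "*",
    }],
})

OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        # Service-wide wildcard: equivalent to full access, not read-only.
        {"Effect": "Allow", "Action": "hbr:*", "Resource": "*"},
        # Action outside HBR that lets the principal mint new credentials.
        {"Effect": "Allow", "Action": ["ram:CreateAccessKey"], "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM allows Action to be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, allowed_prefixes=("hbr:Describe", "hbr:List")):
    """Return findings for Allow statements that exceed read-only HBR access.

    An empty list means every allowed action is a read-style HBR action.
    """
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append("unexpected policy Version (expected \"1\")")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.startswith(allowed_prefixes):
                findings.append(f"statement {i}: non-read-only action {action!r}")
    return findings
```

Run `lint_policy` over a custom policy before you attach it in step 5 of the procedure above; any finding means the policy grants more than read-only HBR access.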