
Access control overview

Last Updated: Mar 25, 2019

ARMS now supports Resource Access Management (RAM), a cloud service that helps you manage user identities and control access to resources. If multiple users in your enterprise work with resources collaboratively, RAM lets you avoid sharing the AccessKey of your Alibaba Cloud account with other users. Instead, you can grant each user the minimum permissions needed to complete their work, which reduces security risks for your enterprise.

Resource access control

Currently ARMS supports the following authorization policy:

| Authorization policy | Type | Description |
| --- | --- | --- |
| AliyunARMSFullAccess | System | To manage the permissions of Application Real-Time Monitoring Service (ARMS). |

Use cases

  • Use case 1: Access ARMS with a RAM sub-account

    Because the primary account has access to the ARMS homepage, you might want to limit its use for security reasons. In this case, you can use the primary account to authorize a RAM sub-account, and handle daily operation and maintenance work with that sub-account.

    For instructions on how to create a RAM sub-account, see Create and authorize RAM sub-account.

  • Use case 2: Call OpenAPI with a RAM sub-account

    ARMS allows you to call OpenAPI, but doing so requires the AK and SK of the primary account. The security of the AK and SK is of the utmost importance, and any leak may lead to severe security incidents. Therefore, for the same security reasons, you can authorize RAM sub-accounts to call OpenAPI with their own AK and SK.

    For instructions on how to authorize a RAM sub-account to call OpenAPI, see Create and authorize RAM sub-account.

  • Use case 3: Call OpenAPI with a RAM user role

    A RAM user role is a virtual user without a fixed authentication AccessKey, and it must be assumed by a trusted real user, such as an Alibaba Cloud account, a RAM user account, or a cloud service account. After assuming a role, the real user receives a temporary security token for this RAM user role. The user can then use this security token to access the authorized resources as the RAM user role.

    For instructions on how to configure RAM user roles, see Create and authorize RAM user role.
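
The trust relationship described in use case 3 can be reviewed mechanically. The following is an added example, not code from the ARMS documentation: it lists every principal a role's trust policy allows to assume the role and flags those outside an allow-list. It assumes the trust policy follows RAM policy syntax with an sts:AssumeRole statement; the account IDs, user name, and service name are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample trust policy for a RAM role (placeholder account IDs,
# user name and service name; none of these values come from the page).
SAMPLE_TRUST_POLICY = """
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
   "Principal": {
     "RAM": ["acs:ram::1111111111111111:root",
             "acs:ram::2222222222222222:user/ops-alice"],
     "Service": ["example-service.aliyuncs.com"]}}]}
"""

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def list_principals(policy_text):
    """Return (kind, identifier, account_id) for each principal allowed to assume the role."""
    found = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for ident in _as_list(values):
                # RAM principals: acs:ram::<account-id>:<root | user/NAME | role/NAME>
                parts = ident.split(":")
                account = parts[3] if kind == "RAM" and len(parts) >= 5 else None
                found.append((kind, ident, account))
    return found

def untrusted_principals(policy_text, trusted_accounts, trusted_services=()):
    """Return principals that fall outside the allow-lists and need review."""
    flagged = []
    for kind, ident, account in list_principals(policy_text):
        if kind == "RAM" and account in trusted_accounts:
            continue
        if kind == "Service" and ident in trusted_services:
            continue
        flagged.append(ident)
    return flagged

if __name__ == "__main__":
    for ident in untrusted_principals(SAMPLE_TRUST_POLICY, {"1111111111111111"}):
        print("review:", ident)
```
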