A Resource Access Management (RAM) user must be subject to authentication rules when requesting access to the domain resources of the Alibaba Cloud account by using the Domains API. This topic describes the authentication rules for the Domains API.

When a RAM user requests access to the domain resources of an Alibaba Cloud account by using the Domains API, Domains sends a request to the RAM user for authentication. This is to ensure that the RAM user is authorized by the resource owner to access the resources.

For each Domains API operation, the resources to check are determined by the involved resources and the semantics of the API operation. The following table lists the authentication rules for each API operation.
Note $accountid indicates the account ID. You can log on to your Alibaba Cloud account to view the account ID.
Table 1. Resource-level authorization
Operation Authenticated action Resource
SaveSingleTaskForUpdatingContactInfo domain:DomainInfoModification acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForUpdatingContactInfo acs:domain:*:$accountid:domain/$domainName
TransferInReenterTransferAuthorizationCode domain:DomainTransferInOperation acs:domain:*:$accountid:domain/$domainName
TransferInRefetchWhoisEmail acs:domain:*:$accountid:domain/$domainName
TransferInResendMailToken acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCancelingTransferIn acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCancelingTransferOut domain:DomainTransferOutOperation acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForQueryingTransferAuthorizationCode acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForModifyingDnsHost domain:DnsHostModification acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForCreatingDnsHost acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForSynchronizingDnsHost acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForDeletingDnsHost acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForModifyingDomainDns domain:DnsModification acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForTransferProhibitionLock domain:SecuritySetting acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForTransferProhibitionLock acs:domain:*:$accountid:domain/$domainName
SaveSingleTaskForUpdateProhibitionLock acs:domain:*:$accountid:domain/$domainName
SaveBatchTaskForUpdateProhibitionLock acs:domain:*:$accountid:domain/$domainName
Table 2. Operation-level authorization
Operation Authenticated action Resource
QueryDomainList domain:QueryCommonInfo acs:domain:*:$accountid:*
QueryDomainByInstanceId acs:domain:*:$accountid:*
QueryContactInfo acs:domain:*:$accountid:*
VerifyContactField acs:domain:*:$accountid:*
QueryTaskList domain:QueryDomainTask acs:domain:*:$accountid:*
QueryTaskInfoHistory acs:domain:*:$accountid:*
QueryTaskDetailList acs:domain:*:$accountid:*
QueryTaskDetailHistory acs:domain:*:$accountid:*
PollTaskResult acs:domain:*:$accountid:*
QueryChangeLogList domain:QueryChangeLog acs:domain:*:$accountid:*
QueryTransferInByInstanceId domain:QueryDomainTransferIn acs:domain:*:$accountid:*
QueryTransferInList acs:domain:*:$accountid:*
CheckTransferInFeasibility acs:domain:*:$accountid:*
TransferInCheckMailToken domain:TransferInCheckMailToken acs:domain:*:$accountid:*
QueryTransferOutInfo domain:QueryDomainTransferOut acs:domain:*:$accountid:*
QueryDnsHost domain:QueryDnsHost acs:domain:*:$accountid:*
QueryRegistrantProfiles domain:QueryRegistrantProfile acs:domain:*:$accountid:*
ListEmailVerification domain:QueryEmailVerification acs:domain:*:$accountid:*
AcknowledgeTaskResult domain:AcknowledgeTaskResult acs:domain:*:$accountid:*
SaveRegistrantProfile domain:RegistrantProfileOperation acs:domain:*:$accountid:*
DeleteRegistrantProfile acs:domain:*:$accountid:*
DeleteEmailVerification domain:EmailVerificationOperation acs:domain:*:$accountid:*
VerifyEmail acs:domain:*:$accountid:*
ResendEmailVerification acs:domain:*:$accountid:*
SubmitEmailVerification acs:domain:*:$accountid:*
Table 3. Service-level authorization
Operation Authenticated action Resource
* domain:* acs:domain:*:$accountid:*