To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on domain names to RAM users. The authorized RAM users can then manage domain names. This topic describes how to authorize a RAM user to manage domain names.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is a resource access control service provided by Alibaba Cloud. You can use RAM to authorize a RAM user to manage your domain names. Both system policies and custom policies are supported. The AliyunDomainFullAccess system policy is provided for Alibaba Cloud Domains. You can create a custom policy to provide finer-grained access control if the default system policies cannot satisfy your requirements.
Note: This topic describes three custom policies, which are used to grant a RAM user the read and write permissions on all domain names, the read-only permissions on all domain names, and the management permissions on a specific domain name, respectively. For more information about how to create other custom policies, see Create a custom policy.

Grant the read and write permissions to a RAM user

You can use RAM to attach the AliyunDomainFullAccess system policy to a RAM user to authorize the user to manage domain names. This is the highest-level permission. The authorized RAM user can manage all domain name resources under the Alibaba Cloud account.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. In the User Logon Name/Display Name column, find the target RAM user.
  5. Click Add Permissions. In the Add Permissions right-side pane, information is automatically entered in the Principal field.
  6. Configure permission policies as required.
    1. Set Authorization to Alibaba Cloud account all resources.
    2. Set Select Policy to System Policy.
    3. Enter domain in the search box. The system policies related to domain names are displayed.
    4. Click AliyunDomainFullAccess to add the policy to the Selected section.
  7. Click OK.
  8. Click Complete.

Grant the read-only permissions to a RAM user

You can use RAM to create a custom policy to grant the read-only permissions on domain names to a RAM user. The authorized RAM user can view domain names of the Alibaba Cloud account, but cannot manage these domain names. Add the following script to the custom policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:Query*"
      ],
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
For more information, see Create a custom policy.

Authorize a RAM user to manage a single domain name

You can use RAM to create a custom policy to authorize a RAM user to manage a single domain name. The authorized RAM user can manage the resources of a domain name such as example.com. Add the following script to the custom policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:DnsModification",
        "domain:SecuritySetting",
        "domain:RealNameVerificationOperation",
        "domain:DnsHostModification",
        "domain:CreateOrderActivate",
        "domain:CreateOrderRenew",
        "domain:CreateOrderRedeem",
        "domain:CreateOrderTransfer",
        "domain:DomainTransferInOperation",
        "domain:DomainTransferOutOperation",
        "domain:QualificationAuditOperation",
        "domain:EnsSetting",
        "domain:DnsSecSetting",
        "domain:SaveArtExtension",
        "domain:CreateOrderPendingDelete"
      ],
      "Resource": "acs:domain:*:*:domain/example.com",
      "Effect": "Allow"
    },
    {
      "Action": "domain:Query*",
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
For more information, see Create a custom policy.
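To check what the read-only and single-domain policies above actually grant before attaching them, the following added example (not part of this topic or of Alibaba Cloud's RAM service) evaluates a request against a policy document with the same Action/Resource wildcard rules the policies rely on. It assumes a constructed account ID (123456789012) in the request resource names and shortens the single-domain Action list; note that the second statement of that policy grants domain:Query* on every domain, not only example.com.

```python
"""Constructed, simplified evaluator for the RAM policy documents on this page.
Mimics only what these policies use (string-or-list Action, '*' wildcards,
explicit Deny over Allow, implicit deny); not the real RAM engine."""
import fnmatch
import json

# The single-domain policy from the page; the Action list is shortened here.
SINGLE_DOMAIN_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {
      "Action": ["domain:DnsModification", "domain:CreateOrderRenew"],
      "Resource": "acs:domain:*:*:domain/example.com",
      "Effect": "Allow"
    },
    {
      "Action": "domain:Query*",
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}""")

# Constructed request resources; 123456789012 stands in for an account ID.
EXAMPLE_COM = "acs:domain:*:123456789012:domain/example.com"
OTHER_COM = "acs:domain:*:123456789012:domain/other.com"

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, target):
    """Case-sensitive glob match; '*' also spans ':' and '/' in an ARN."""
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """True if the policy permits action on resource; a matching explicit
    Deny wins over any Allow, and an unmatched request is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running is_allowed against the full policies from this topic with the actions and domains you intend to delegate is a quick way to confirm that a RAM user gets no more than the intended scope.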

What to do next

Log on to the RAM console as the authorized RAM user. For more information, see Log on to the console as a RAM user.