To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on domain names to RAM users. The authorized RAM users can then manage domain names. This topic describes how to authorize a RAM user to manage domain names.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is a resource access control service provided by Alibaba Cloud. You can use RAM to authorize a RAM user to manage your domain names. Both system policies and custom policies are supported. Currently, AliyunDomainFullAccess is the only system policy available for domain names. If this system policy does not meet your requirements, you can create a custom policy to provide finer-grained access control.
Note This topic describes two custom policies: one that grants read-only permissions on all domain names and one that grants management permissions on a single domain name. For more information about how to create other custom policies, see Create a custom policy.

Grant read and write permissions to a RAM user

You can use RAM to attach the AliyunDomainFullAccess system policy to a RAM user so that the user can manage domain names. This is the highest-level permission: the authorized RAM user can manage all domain name resources under the Alibaba Cloud account.

  1. Log on to the RAM console.
  2. Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. In the User Logon Name/Display Name column, find the target RAM user.
  5. Click Add Permissions. In the Add Permissions dialog box that appears, the Principal field is automatically filled in.
  6. In the Add Permissions dialog box, select the required permission policies.
    1. Select System Policy.
    2. Enter Domain in the search box. System policies for the domain name are displayed.
    3. Click AliyunDomainFullAccess to add the policy to the Selected section.
  7. Click OK.
  8. Click Complete.

Grant read-only permissions to a RAM user

You can use RAM to create a custom policy that grants read-only permissions to a RAM user. The authorized RAM user can view the domain names of the Alibaba Cloud account but cannot manage them. The script of the custom policy is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:Query*"
      ],
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
For more information, see Create a custom policy.

Authorize a RAM user to manage a single domain name

You can use RAM to create a custom policy that authorizes a RAM user to manage a single domain name. The authorized RAM user can manage the resources of one domain name, such as example.com, and can query all domain names of the account. The script of the custom policy is as follows:
Note Currently, only the actions listed in the following script can be authorized. For more information about the authorization rules of each action, see Authentication rules for the Domains API.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "domain:DnsModification",
        "domain:SecuritySetting",
        "domain:RealNameVerificationOperation",
        "domain:DnsHostModification",
        "domain:CreateOrderActivate",
        "domain:CreateOrderRenew",
        "domain:CreateOrderRedeem",
        "domain:CreateOrderTransfer",
        "domain:DomainTransferInOperation",
        "domain:DomainTransferOutOperation",
        "domain:QualificationAuditOperation",
        "domain:EnsSetting",
        "domain:DnsSecSetting",
        "domain:SaveArtExtension",
        "domain:CreateOrderPendingDelete"
      ],
      "Resource": "acs:domain:*:*:domain/example.com",
      "Effect": "Allow"
    },
    {
      "Action": [
        "domain:Query*"
      ],
      "Resource": "acs:domain:*:*:*",
      "Effect": "Allow"
    }
  ]
}
For more information, see Create a custom policy.
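Before attaching either custom policy above, it is worth checking locally that it grants exactly what the text says: the read-only policy should allow Query actions on every domain name and nothing else, and the single-domain policy should allow the listed management actions only on example.com. The following Python script is an added example written for this topic, not Alibaba Cloud code and not the RAM evaluation engine. It assumes the standard RAM model of default deny, explicit Allow, and explicit Deny taking precedence, models only the "*" wildcard in Action and Resource, and ignores Condition blocks. The request resource ARNs, the account ID 123456789012 and the action name domain:QueryDomainList are constructed sample values; the real region and account ID in a request resource are whatever your account uses.

```python
"""Local least-privilege check for the two custom RAM policies in this topic.

Constructed example. Simplifications versus the real RAM evaluator:
default deny, Allow statements grant, Deny statements override, only the
'*' wildcard is modelled, and Condition blocks are not evaluated.
"""
import json
import re

# The read-only policy from the topic, verbatim.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["domain:Query*"],
     "Resource": "acs:domain:*:*:*",
     "Effect": "Allow"}
  ]
}
""")

# The single-domain policy from the topic, shortened to two of its
# management actions; the structure is what matters for the check.
SINGLE_DOMAIN_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["domain:DnsModification", "domain:CreateOrderRenew"],
     "Resource": "acs:domain:*:*:domain/example.com",
     "Effect": "Allow"},
    {"Action": "domain:Query*",
     "Resource": "acs:domain:*:*:*",
     "Effect": "Allow"}
  ]
}
""")


def _as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a RAM pattern where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Return True if the policy allows `action` on `resource`.

    An explicit Deny on a matching statement wins over any Allow, and a
    request that matches no statement is denied (default deny).
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def overbroad_statements(policy: dict) -> list:
    """Indices of Allow statements granting a non-Query action on all domains.

    A management action combined with the all-domains resource
    'acs:domain:*:*:*' defeats the purpose of a single-domain policy.
    """
    flagged = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        all_domains = any(r.endswith(":*") for r in _as_list(stmt["Resource"]))
        has_write = any(not a.startswith("domain:Query") for a in _as_list(stmt["Action"]))
        if all_domains and has_write:
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    # Constructed request resources: region and account ID are placeholders.
    ours = "acs:domain:cn-hangzhou:123456789012:domain/example.com"
    other = "acs:domain:cn-hangzhou:123456789012:domain/other.com"
    print("read-only can query:", is_allowed(READ_ONLY_POLICY, "domain:QueryDomainList", ours))
    print("read-only can modify DNS:", is_allowed(READ_ONLY_POLICY, "domain:DnsModification", ours))
    print("single-domain can modify example.com:", is_allowed(SINGLE_DOMAIN_POLICY, "domain:DnsModification", ours))
    print("single-domain can modify other.com:", is_allowed(SINGLE_DOMAIN_POLICY, "domain:DnsModification", other))
    print("over-broad statements:", overbroad_statements(SINGLE_DOMAIN_POLICY))
```

Run the script on a policy before you paste it into the RAM console. The overbroad_statements check is the one to watch when you copy the single-domain policy and edit it: if the Resource of the management statement is changed to acs:domain:*:*:* by mistake, the RAM user gains write access to every domain name in the account, which is exactly what the single-domain policy is meant to prevent.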

What to do next

Log on to the RAM console as the authorized RAM user. For more information, see Log on to the console as a RAM user.