You can manage access in Alibaba Cloud by creating polices and attaching them to RAM identities (RAM users, RAM user groups, or RAM roles) or Alibaba Cloud resources. A policy, when associated with an identity or an Alibaba Cloud resource, defines their permissions.
A statement within a policy that allows or denies access to a particular Alibaba Cloud resource.
- An Alibaba Cloud account (resource owner) controls all permissions.
- Each Alibaba Cloud resource has only one owner. The owner must be an Alibaba Cloud account and has full resource control permissions.
- The resource owner is not necessarily the resource creator. For example, if a RAM user has permission to create Alibaba Cloud resources, the resources created by this RAM user belong to the RAM user's Alibaba Cloud account. The RAM user is the resource creator, but is not the resource owner.
- By default, a RAM user has no permissions.
- A RAM user is an operator and must be granted explicit permission before performing any operations.
- A new RAM user has no operation permissions by default, and cannot perform operations on Alibaba Cloud resources through the console or APIs until being granted permission.
- A resource creator (RAM user) is not automatically granted permissions for the created
- A RAM user can create resources if the user is granted the resource creation permission.
- However, the RAM user is not automatically granted any permissions for the created resources, unless the resource owner explicitly grants permission to the user.
A set of permissions that are described by using policy structure and grammar. It can accurately describe the authorized resource sets, operation sets, and authorization conditions a user can be granted with. For information about structures and grammars supported by RAM, see Policy structure and grammar.
- System policy: System policies are created by Alibaba Cloud and cannot be modified by users. The policies are automatically upgraded by Alibaba Cloud.
- Custom policy: If no system policy meets your requirements, you can create a custom policy as needed. You can also modify and delete a custom policy as needed.
You can attach one or more policies to RAM users, RAM user groups, or RAM roles. For more information, see Grant permission to a RAM user, Grant permission to a RAM user group, and Grant permission to a RAM role.
Policies attached to RAM identities
You can attach one or more policies to RAM identities to grant necessary permissions to them.
- The attached policy can be either a system policy or a custom policy.
- If the attached policy is updated, the updates to the policy automatically take effect, and you do not need to attach the policy again.