This topic describes the policy check rules of RAM to provide a better understanding of RAM policies.

Policy check rules

You can access Alibaba Cloud resources by using an Alibaba Cloud account, or as an authorized RAM user or RAM role.

RAM determines whether to allow access based on the following rules.

Access type: Alibaba Cloud account
Rule: The Alibaba Cloud account is the resource owner and can access all Alibaba Cloud resources under the account.
Note Some Alibaba Cloud services, such as Log Service, support cross-account access based on access control list (ACL) authorization. If an Alibaba Cloud account is authorized by using the ACL, access is allowed even if the Alibaba Cloud account is not the resource owner.

Access type: RAM user
Rule:
  • The Alibaba Cloud account has attached an explicit Allow policy to the RAM user that covers the requested action and resource.
  • The Alibaba Cloud account to which the RAM user belongs has permission to access the resources specified in the policy.
  • Alternatively to the previous rule, the Alibaba Cloud account to which the RAM user belongs is authorized by using the ACL for cross-account access.
Note By default, a RAM user does not have permission to access Alibaba Cloud resources. A RAM user can access a resource only when the first rule and one of the other two rules are met, and no policy attached to the RAM user contains a Deny statement that matches the request.

For more information, see Policy check rules for RAM users.

Access type: RAM role
Rule:
  • The STS token of the RAM role contains the required permissions. If a policy was passed in the Policy request parameter of the AssumeRole operation, that policy must allow the request.

    For more information, see What is STS?

  • The Alibaba Cloud account has attached an explicit Allow policy to the RAM role that covers the requested action and resource.
  • The Alibaba Cloud account to which the RAM role belongs has permission to access the resources specified in the policy.
  • Alternatively to the previous rule, the Alibaba Cloud account to which the RAM role belongs is authorized by using the ACL for cross-account access.
Note By default, a RAM role does not have permission to access Alibaba Cloud resources. A RAM role can access a resource only when the preceding rules are met: the policy attached to the STS token (if any) and the policy attached to the RAM role both allow the request, neither contains a matching Deny statement, and the Alibaba Cloud account owns the resource or is authorized by using the ACL.

For more information, see Policy check rules for RAM roles.

Policy check rules for RAM users

By default, a RAM user does not have permissions. A RAM user can access resources only after an Alibaba Cloud account grants the required permissions to the RAM user. The required permissions must be granted by attaching one or more explicit allow policies to the RAM user.

Note A policy can contain Allow and Deny statements. If the policies that apply to a request include both an Allow statement and a Deny statement that match the request, the Deny statement prevails.
The system evaluates a request from a RAM user in the following order:
  1. The system checks whether a policy that is attached to the RAM user has a Deny statement that matches the request.
    • If yes, access is denied.
    • If no, go to the next step.
  2. The system checks whether a policy that is attached to the RAM user has an Allow statement that matches the request.
    • If yes, go to the next step.
    • If no, access is denied.
  3. The system checks whether the Alibaba Cloud account to which the RAM user belongs has permission to access the resource, that is, whether the account owns the resource.
    • If yes, access is allowed.
    • If no, go to the next step.
  4. The system checks whether the Alibaba Cloud account to which the RAM user belongs is authorized by using the ACL for cross-account access.
    • If yes, access is allowed.
    • If no, access is denied.

Policy check rules for RAM roles

You can access Alibaba Cloud resources as a RAM role by using an STS token, which you obtain by calling the AssumeRole API operation. The optional Policy request parameter of AssumeRole attaches an additional policy to the STS token. That policy can only narrow the permissions of the role: the effective permissions of the token are the intersection of the policies attached to the RAM role and the policy passed in the Policy parameter, so a caller cannot use the Policy parameter to obtain permissions that the role itself does not have.

The system evaluates a request made with the STS token of a RAM role in the following order:
  1. The system checks whether a policy is attached to the STS token (that is, whether a Policy parameter was passed to AssumeRole).
    • If a policy is attached to the STS token, the system checks whether the policy has a Deny statement that matches the request.
      • If yes, access is denied.
      • If no, the system checks whether the policy has an Allow statement that matches the request. If yes, go to the next step. If no, access is denied.
    • If no policy is attached to the STS token, go to the next step.
  2. The system checks whether a policy that is attached to the RAM role has a Deny statement that matches the request.
    • If yes, access is denied.
    • If no, go to the next step.
  3. The system checks whether a policy that is attached to the RAM role has an Allow statement that matches the request.
    • If yes, go to the next step.
    • If no, access is denied.
  4. The system checks whether the Alibaba Cloud account to which the RAM role belongs has permission to access the resource, that is, whether the account owns the resource.
    • If yes, access is allowed.
    • If no, go to the next step.
  5. The system checks whether the Alibaba Cloud account to which the RAM role belongs is authorized by using the ACL for cross-account access.
    • If yes, access is allowed.
    • If no, access is denied.
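The two check sequences above, for RAM users and for RAM roles, as a runnable model. This is an added example written for this page, not Alibaba Cloud code. The policy documents use the RAM layout (Version, Statement, Effect, Action, Resource); the glob-style matching of Action and Resource, deriving the resource owner from the account-ID field of the ARN (acs:service:region:account-id:relative-id), and representing ACL grants as a dictionary are simplifying assumptions made for the model. All account IDs, ARNs and policies are constructed sample data.

```python
"""Model of the RAM policy check rules (added example, not Alibaba Cloud code).
Assumptions: Action/Resource match with glob wildcards; the resource owner is
the account-ID field of the ARN; ACL grants are a dict {ARN: set(account IDs)}.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))


def has_effect(policies, effect, action, resource):
    """True if any statement in any policy with Effect == effect matches the request."""
    return any(stmt.get("Effect") == effect and _matches(stmt, action, resource)
               for pol in policies for stmt in pol.get("Statement", []))


def resource_owner(resource):
    # acs:<service>:<region>:<account-id>:<relative-id>   (assumed ARN layout)
    return resource.split(":", 4)[3]


def check_ram_user(user_policies, account_id, action, resource, acl_grants):
    """Return (allowed, reason) following the RAM user check order."""
    # 1. A matching Deny attached to the RAM user always wins.
    if has_effect(user_policies, "Deny", action, resource):
        return False, "explicit Deny on RAM user policy"
    # 2. Without a matching Allow the RAM user has no permission at all.
    if not has_effect(user_policies, "Allow", action, resource):
        return False, "no matching Allow on RAM user policy"
    # 3. The account the user belongs to must own the resource ...
    if resource_owner(resource) == account_id:
        return True, "Allow on RAM user; account owns the resource"
    # 4. ... or be authorized for cross-account access through an ACL.
    if account_id in acl_grants.get(resource, set()):
        return True, "Allow on RAM user; account authorized by ACL"
    return False, "account has no permission on the resource"


def check_ram_role(session_policy, role_policies, account_id, action, resource, acl_grants):
    """Return (allowed, reason) following the RAM role check order.

    session_policy is the document passed as the Policy parameter of AssumeRole
    (None if none was passed). The token may only do what BOTH the session
    policy and the role's own policies allow.
    """
    if session_policy is not None:                                   # step 1
        if has_effect([session_policy], "Deny", action, resource):
            return False, "explicit Deny in STS session policy"
        if not has_effect([session_policy], "Allow", action, resource):
            return False, "STS session policy does not allow the request"
    # Steps 2-5 are the RAM user rules applied to the role's attached policies.
    return check_ram_user(role_policies, account_id, action, resource, acl_grants)


# ---- constructed sample data (not from the page) ----
OWNER = "123456789012"            # account the RAM user / role belongs to
OTHER = "999999999999"            # an unrelated account
LOGS = f"acs:oss:*:{OWNER}:app-logs/2024/a.log"         # owned by OWNER
SHARED = f"acs:oss:*:{OTHER}:shared-data/report.csv"   # owned by OTHER

USER_POLICIES = [{"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": "acs:oss:*:*:app-logs/*"},
    {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:shared-data/*"},
    {"Effect": "Deny", "Action": "oss:PutObject", "Resource": "acs:oss:*:*:app-logs/2024/*"},
]}]
ROLE_POLICIES = [{"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:app-logs/*"}]}]
# Session policy narrows the role to read-only, as AssumeRole's Policy parameter would.
SESSION_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "*"}]}
ACL_GRANTS = {SHARED: {OWNER}}   # OTHER granted OWNER cross-account access via ACL

if __name__ == "__main__":
    cases = [
        ("user GetObject, own bucket", check_ram_user(USER_POLICIES, OWNER, "oss:GetObject", LOGS, ACL_GRANTS)),
        ("user PutObject, Deny wins", check_ram_user(USER_POLICIES, OWNER, "oss:PutObject", LOGS, ACL_GRANTS)),
        ("user GetObject, cross-account via ACL", check_ram_user(USER_POLICIES, OWNER, "oss:GetObject", SHARED, ACL_GRANTS)),
        ("user GetObject, cross-account no ACL", check_ram_user(USER_POLICIES, OWNER, "oss:GetObject", SHARED, {})),
        ("role PutObject, blocked by session policy", check_ram_role(SESSION_POLICY, ROLE_POLICIES, OWNER, "oss:PutObject", LOGS, ACL_GRANTS)),
        ("role PutObject, no session policy", check_ram_role(None, ROLE_POLICIES, OWNER, "oss:PutObject", LOGS, ACL_GRANTS)),
    ]
    for label, (allowed, reason) in cases:
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The ordering matters for the security property: the Deny checks run before any Allow is considered, so an Allow on a broad pattern can never override a narrower Deny, and the session policy can only subtract from the role's permissions, never add to them. When debugging an unexpected denial, walk the request through the steps in this order and note at which step the verdict was reached; the reason strings returned above mirror those steps.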