
Blockchain as a Service: Hyperledger Fabric RAM authentication

Last Updated: Jan 15, 2026

To allow a RAM user to call Blockchain as a Service (BaaS) APIs, create an authorization policy that grants the required permissions. In the policy, specify the authorized resource using its Alibaba Cloud Resource Name (ARN).

This topic describes the Resource Access Management (RAM) authentication rules for Blockchain as a Service (BaaS). You can use these rules to authenticate team members, grant resource access across different accounts, and authorize access across cloud services. For more information about RAM, see the RAM documentation and RAM API reference.

Authorizable Hyperledger Fabric resource types

When you grant permissions to a RAM user, describe Hyperledger Fabric resources as follows:

| Resource type | Resource description method in an authorization policy |
| --- | --- |
| Consortium | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| Organization | acs:baas:$regionId:$accountId:organization/$organizationId |
| Channel | acs:baas:*:$accountId:channel/$channelId |
| Chaincode | acs:baas:*:$accountId:chaincode/$chaincodeId |

In these formats, $regionId is the region where the resource is located. $accountId is the ID of the Alibaba Cloud account that owns the resource. $consortiumId/$organizationId/$channelId/$chaincodeId is the ID of the resource in BaaS.

Note: Channels and chaincodes are global resources. The region in their ARNs must be "*".

Authorizable Hyperledger Fabric APIs

The following table lists the Hyperledger Fabric blockchain APIs that are authorized by default. RAM users and Security Token Service (STS) token holders have permissions for these APIs by default:

API
CheckFabricConsortiumDomain
CheckFabricOrganizationDomain
DescribeTasks
DescribeRootDomain
DescribeFabricConsortiumConfig
DescribeFabricConsortiumSpecs
DescribeFabricOrganizationSpecs
DescribeFabricInviter
DescribeFabricChaincodeUploadPolicy
AcceptFabricInvitation

The following table lists the authorizable APIs in Hyperledger Fabric and their corresponding ARN formats:

| API | Resource description |
| --- | --- |
| CreateFabricOrganization | acs:baas:$regionId:$accountId:organization/* |
| DescribeFabricOrganization | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationDeletable | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizations | acs:baas:*:$accountId:organization/* |
| DescribeFabricCandidateOrganizations | acs:baas:*:$accountId:organization/* |
| CreateFabricChannel | acs:baas:*:$accountId:channel/*; acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricOrganizationChannels | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiumChannels | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| CreateFabricChannelMember | acs:baas:*:$accountId:channel/$channelId |
| DescribeFabricChannelMembers | acs:baas:*:$accountId:channel/$channelId |
| JoinFabricChannel | acs:baas:*:$accountId:channel/$channelId |
| CreateFabricConsortium | acs:baas:$regionId:$accountId:consortium/* |
| CreateFabricConsortiumMember | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| ConfirmFabricConsortiumMember | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricOrganizationMembers | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationPeers | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiums | acs:baas:*:$accountId:consortium/* |
| DescribeFabricConsortiumAdminStatus | acs:baas:*:$accountId:consortium/* |
| DescribeFabricConsortiumMembers | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumMemberApproval | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumOrderers | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumDeletable | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| CreateFabricChaincode | acs:baas:*:$accountId:chaincode/*; acs:baas:*:$accountId:channel/$channelId; acs:baas:$regionId:$accountId:consortium/$consortiumId; acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationChaincodes | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiumChaincodes | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DeleteFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId |
| InstallFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId; acs:baas:$regionId:$accountId:organization/$organizationId |
| InstantiateFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId; acs:baas:$regionId:$accountId:organization/$organizationId |
| UpgradeFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId; acs:baas:$regionId:$accountId:organization/$organizationId |
| SynchronizeFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId; acs:baas:$regionId:$accountId:organization/$organizationId |
| CreateFabricOrganizationUser | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationUsers | acs:baas:$regionId:$accountId:organization/$organizationId |
| ResetFabricOrganizationUserPassword | acs:baas:$regionId:$accountId:organization/$organizationId |
| DownloadFabricOrganizationSDK | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricInvitationCode | acs:baas:$regionId:$accountId:consortium/$consortiumId |

Examples of Hyperledger Fabric RAM rules

Example 1: Grant read-only permissions for BaaS. These permissions allow users to view the blockchain status and download the SDK using the console or APIs.

{
   "Statement": [{ 
       "Action": ["baas:Describe*","baas:DownloadFabricOrganizationSDK"],
       "Effect": "Allow",
       "Resource": "acs:baas:*:*:*"
   }],
   "Version": "1"
}

Example 2: Grant permissions for chaincode management operations, such as uploading, installing, and instantiating chaincodes. These permissions allow users to manage all chaincodes using the console or APIs.

{
  "Statement": [{
     "Action": "baas:*Chaincode",
     "Effect": "Allow",
     "Resource": ["acs:baas:*:*:chaincode/*","acs:baas:*:*:organization/*", "acs:baas:*:*:consortium/*","acs:baas:*:*:channel/*"]
  }],
  "Version": "1"
}

Example 3: Grant fine-grained permissions to a chaincode developer. This authorization typically requires all read permissions and chaincode management permissions for a specific organization. In accordance with the least privilege principle, the user is restricted to creating chaincodes only for specified consortiums, organizations, and channels. The user can also install or instantiate chaincodes only on specific organizations. Replace $consortiumId/$organizationId/$channelId with the ID of the resource in BaaS.

{
 "Statement": [{
   "Action": ["baas:Describe*","baas:DownloadFabricOrganizationSDK"],
   "Effect": "Allow",
   "Resource": "acs:baas:*:*:*"
 },
 {
   "Action": "baas:*Chaincode",
   "Effect": "Allow",
   "Resource": ["acs:baas:*:*:chaincode/*","acs:baas:*:*:organization/$organizationId","acs:baas:*:*:consortium/$consortiumId","acs:baas:*:*:channel/$channelId"]
 }],
 "Version": "1"
}
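
The following added example (not part of the original documentation or of any Alibaba Cloud tooling) lints the Resource entries of a BaaS policy against the ARN formats described above. It flags $placeholders left over from Example 3 and channel or chaincode ARNs whose region is not "*". The function names, the sample policy, and the channel ID chan-example are constructed for illustration.

```python
import re

# Resource types from the ARN table above; channel and chaincode are global.
GLOBAL_TYPES = {"channel", "chaincode"}
REGIONAL_TYPES = {"consortium", "organization"}
ARN_RE = re.compile(r"^acs:baas:([^:]*):([^:]*):(.+)$")


def lint_resource(arn):
    """Return a list of findings for one BaaS resource ARN."""
    m = ARN_RE.match(arn)
    if not m:
        return ["not an acs:baas ARN"]
    region, _account, rel = m.groups()
    findings = []
    if "$" in arn:
        findings.append("unreplaced $placeholder")
    if rel == "*":  # all resource types, as in Example 1
        return findings
    rtype, _, rid = rel.partition("/")
    if rtype not in GLOBAL_TYPES | REGIONAL_TYPES or not rid:
        findings.append("unknown resource type or missing ID")
    elif rtype in GLOBAL_TYPES and region != "*":
        findings.append(f"{rtype} is global: region must be '*'")
    return findings


def lint_policy(policy):
    """Map each problematic Resource in Allow statements to its findings."""
    report = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        for arn in [res] if isinstance(res, str) else res:
            found = lint_resource(arn)
            if found:
                report[arn] = found
    return report


# Constructed sample: Example 3 with a placeholder left in and a regional channel ARN.
SAMPLE = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "baas:*Chaincode", "Resource": [
        "acs:baas:*:*:chaincode/*",
        "acs:baas:*:*:organization/$organizationId",
        "acs:baas:cn-hangzhou:*:channel/chan-example"]}]}

if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```

Running a check like this before attaching a policy catches a template that was copied without substituting real resource IDs.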