Grant permissions to RAM users
Resource Access Management (RAM) users cannot access ApsaraMQ for RocketMQ resources by default. To allow a RAM user to manage resources through the console or API, a RAM administrator must explicitly grant permissions.
If you use an Alibaba Cloud account (root account), skip this step. Alibaba Cloud accounts have full permissions on ApsaraMQ for RocketMQ.
Determine your account type
Check the upper-right corner of the Alibaba Cloud Management Console:
| Indicator under Account ID | Account type | Action required |
|---|---|---|
| Main Account | Alibaba Cloud account | No authorization needed. Skip this page. |
| RAM User | RAM user | Complete the following procedure. |
Prerequisites
Before you begin, make sure that you have:
An Alibaba Cloud account with RAM administrator privileges
At least one RAM user created in the RAM console
Grant permissions to a RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the target RAM user and click Add Permissions in the Actions column.

To grant permissions to multiple RAM users at once, select the users and click Add Permissions at the bottom of the page.
In the Grant Permission panel, configure the following settings:
Resource Scope: Select the authorization scope.
Option Effect Account Permissions apply to all resources under the current Alibaba Cloud account. Resource Group Permissions apply only to resources in a specific resource group. Important: If you select Resource Group, make sure the cloud service supports resource groups. For more information, see Services that work with Resource Group. For an example, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.Principal: Verify the RAM user. The user you selected in step 3 is automatically populated.
Policy: A policy contains a set of permissions. Select one or more policies to attach.
Policy type Description System policies Predefined by Alibaba Cloud. You can use but not modify these policies. Version updates are maintained by Alibaba Cloud. For a full list, see Services that work with RAM. Custom policies Created and managed by your organization for fine-grained access control. For instructions, see Create a custom policy. Note: The console flags high-risk system policies such asAdministratorAccessandAliyunRAMFullAccess. Avoid attaching these policies unless strictly necessary.Click Grant permissions.
Click Close.
Available system policies
ApsaraMQ for RocketMQ provides two predefined system policies:
| Policy | Permissions | Typical use case |
|---|---|---|
AliyunMQFullAccess | Full access to all ApsaraMQ for RocketMQ resources, including sending and receiving messages and managing all features through the console and OpenAPI Explorer. Equivalent to Alibaba Cloud account-level permissions. | Administrators who manage the message queue infrastructure |
AliyunMQReadOnlyAccess | Read-only access to ApsaraMQ for RocketMQ resources through the console or API. | Auditors or monitoring roles that only need to view resource configurations |
For more granular access control, create custom policies. For details, see Custom policies for ApsaraMQ for RocketMQ.