Application Real-Time Monitoring Service (ARMS) integrates with Resource Access Management (RAM) so that you can control who can access your ARMS resources and which operations they can perform. With RAM you grant fine-grained permissions, avoid the security risk of sharing or exposing the AccessKey pair of your Alibaba Cloud account, and can revoke any permission at any time.
RAM provides two access control mechanisms for ARMS:
| Mechanism | Purpose | When to use |
|---|---|---|
| RAM users | Create individual accounts with independent credentials and assign permissions based on each person's role. | Multiple team members need different levels of access to the same Alibaba Cloud resources. |
| RAM roles | Delegate access across Alibaba Cloud accounts without sharing credentials. | An external team (such as a partner or managed service provider) manages your Alibaba Cloud resources. |
Grant permissions with RAM users
If your organization runs multiple Alibaba Cloud services -- such as ECS instances, ApsaraDB RDS instances, SLB instances, and OSS buckets -- and different team members need different levels of access, use RAM users to:
Create a separate account for each team member with independent credentials.
Grant each RAM user only the permissions required for their duties.
Revoke permissions or delete a RAM user at any time.
All costs are billed to the Alibaba Cloud account. RAM users do not incur separate charges.
For setup instructions, see Use RAM users to manage permissions.
Delegate access with RAM roles
If an external organization handles operations and maintenance (O&M), monitoring, or management for your Alibaba Cloud resources, use RAM roles to:
Authorize the external organization to access specific resources.
Allow the external organization to assign fine-grained permissions to its own employees.
Revoke the authorization at any time if the relationship ends.
For setup instructions, see Use a RAM role to access resources across Alibaba Cloud accounts.
System policies
ARMS provides the following system policies. Attach these policies to RAM users or RAM roles to grant the corresponding permissions.
| Policy | Type | Description |
|---|---|---|
| AliyunARMSFullAccess | System | Grants full read and write access to all ARMS features. |
| AliyunARMSReadOnlyAccess | System | Grants read-only access to all ARMS features. |
To grant read-only permissions on all ARMS features scoped to a specific resource group, attaching AliyunARMSReadOnlyAccess with resource-group scope is not sufficient on its own: you must also grant the ReadTraceApp permission on that resource group. Otherwise, ARMS cannot display the application list that belongs to the authorized resource group.
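The following script is an added example, not part of the ARMS documentation or of Alibaba Cloud's own tooling. It shows, with the Alibaba Cloud CLI (`aliyun`), the two access models described above (a RAM user for a team member, a RAM role assumed by a partner account) and how the system policies from the table are attached, including the resource-group-scoped read-only grant plus the extra ReadTraceApp permission. It assumes the `aliyun` CLI is installed and configured with a credential allowed to call RAM, STS and Resource Manager. The account IDs, user and role names and the resource group ID are constructed placeholders, the RAM action name `arms:ReadTraceApp` and its `Resource: "*"` scope are assumptions (the page names the permission but not its action string), and `resourcemanager AttachPolicy` is used here as the resource-group-scoped attachment. With `DRY_RUN=1` (the default) every `aliyun` command is printed instead of executed, so the script can be reviewed offline before it changes anything.

```shell
#!/bin/sh
# Added example (not from the ARMS docs): RAM user, cross-account RAM role and
# ARMS policy attachment via the aliyun CLI. DRY_RUN=1 prints commands only.
DRY_RUN="${DRY_RUN:-1}"

# Print the aliyun command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Trust policy for a cross-account role: only the partner account ($1) may
# call sts:AssumeRole on it. No long-lived credentials are handed over.
trust_policy() {
  printf '{"Version":"1","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":{"RAM":["acs:ram::%s:root"]}}]}' "$1"
}

# Custom policy carrying the extra ReadTraceApp permission the page requires
# for resource-group-scoped read-only access. ASSUMPTION: the action string is
# arms:ReadTraceApp; the page only names the permission.
read_trace_app_policy() {
  printf '{"Version":"1","Statement":[{"Effect":"Allow","Action":"arms:ReadTraceApp","Resource":"*"}]}'
}

# Model 1: one RAM user per team member ($1), read-only on all ARMS features.
# Credentials are created separately (CreateLoginProfile / CreateAccessKey) so
# that no password or AccessKey secret appears on a command line.
create_readonly_user() {
  run aliyun ram CreateUser --UserName "$1" --DisplayName "$1"
  run aliyun ram AttachPolicyToUser --PolicyType System --PolicyName AliyunARMSReadOnlyAccess --UserName "$1"
}

# Revocation: detaching the policy removes ARMS access immediately; the user
# object itself can be deleted afterwards with DeleteUser.
revoke_readonly_user() {
  run aliyun ram DetachPolicyFromUser --PolicyType System --PolicyName AliyunARMSReadOnlyAccess --UserName "$1"
}

# Model 2: role ($1) that the partner account ($2) assumes. Deleting the role
# or tightening its trust policy revokes the partner's access at any time.
create_partner_role() {
  run aliyun ram CreateRole --RoleName "$1" --AssumeRolePolicyDocument "$(trust_policy "$2")"
  run aliyun ram AttachPolicyToRole --PolicyType System --PolicyName AliyunARMSReadOnlyAccess --RoleName "$1"
}

# What the partner runs from its own account: temporary STS credentials for
# the role in your account ($1 = your account ID, $2 = role name).
assume_partner_role() {
  run aliyun sts AssumeRole --RoleArn "acs:ram::$1:role/$2" --RoleSessionName partner-oncall --DurationSeconds 3600
}

# Read-only on a single resource group ($3) for user $1 in account $2: the
# system policy alone is not enough, the ReadTraceApp custom policy is
# attached with the same resource-group scope.
grant_readonly_on_resource_group() {
  principal="$1@$2.onaliyun.com"
  run aliyun ram CreatePolicy --PolicyName ArmsReadTraceApp --PolicyDocument "$(read_trace_app_policy)"
  run aliyun resourcemanager AttachPolicy --PolicyType System --PolicyName AliyunARMSReadOnlyAccess --PrincipalType IMSUser --PrincipalName "$principal" --ResourceGroupId "$3"
  run aliyun resourcemanager AttachPolicy --PolicyType Custom --PolicyName ArmsReadTraceApp --PrincipalType IMSUser --PrincipalName "$principal" --ResourceGroupId "$3"
}

# Constructed sample values; replace with your own before setting DRY_RUN=0.
create_readonly_user alice
create_partner_role ArmsPartnerReadOnly 1234567890123456
assume_partner_role 1111222233334444 ArmsPartnerReadOnly
grant_readonly_on_resource_group alice 1111222233334444 rg-aek2example
```

Run it once with the default `DRY_RUN=1`, review the printed commands, then rerun with `DRY_RUN=0` to apply them. Keep the partner role on `AliyunARMSReadOnlyAccess` unless the partner genuinely needs write access, and revoke with `revoke_readonly_user` or by deleting the role rather than by rotating a shared key.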