Blockchain as a Service: Hyperledger Fabric RAM authentication

Last Updated: Mar 31, 2026

Resource Access Management (RAM) lets you grant RAM users and Security Token Service (STS) token holders precise access to Blockchain as a Service (BaaS) resources. Use RAM authentication to manage team member access, share resources across Alibaba Cloud accounts, or delegate access between cloud services.

For background on RAM, see the RAM documentation and RAM API reference.

Authorizable resource types

Hyperledger Fabric resources in BaaS use the following ARN (Alibaba Cloud Resource Name) formats in authorization policies:

| Resource type | ARN format |
| --- | --- |
| Consortium | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| Organization | acs:baas:$regionId:$accountId:organization/$organizationId |
| Channel | acs:baas:*:$accountId:channel/$channelId |
| Chaincode | acs:baas:*:$accountId:chaincode/$chaincodeId |

ARN field reference:

  • $regionId: Region where the resource is located.

  • $accountId: ID of the Alibaba Cloud account that owns the resource.

  • $consortiumId / $organizationId / $channelId / $chaincodeId: Resource ID in BaaS.

Note: Channels and chaincode are global resources. Set $regionId to * for these resource types.

APIs authorized by default

The following APIs are accessible to all RAM users and STS token holders without an explicit policy:

API
CheckFabricConsortiumDomain
CheckFabricOrganizationDomain
DescribeTasks
DescribeRootDomain
DescribeFabricConsortiumConfig
DescribeFabricConsortiumSpecs
DescribeFabricOrganizationSpecs
DescribeFabricInviter
DescribeFabricChaincodeUploadPolicy
AcceptFabricInvitation

Authorizable APIs

The following table lists all APIs that require explicit authorization. The Access level column indicates the impact of each action to help you apply the least privilege principle:

  • List: Returns a collection of resources. Low impact.

  • Read: Returns details of a specific resource, or downloads artifacts. Low impact.

  • Write: Creates, modifies, or deletes resources. Higher impact — scope permissions carefully.

| API | Access level | Resource ARN |
| --- | --- | --- |
| CreateFabricOrganization | Write | acs:baas:$regionId:$accountId:organization/* |
| DescribeFabricOrganization | Read | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationDeletable | Read | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizations | List | acs:baas:*:$accountId:organization/* |
| DescribeFabricCandidateOrganizations | List | acs:baas:*:$accountId:organization/* |
| CreateFabricChannel | Write | acs:baas:*:$accountId:channel/*, acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricOrganizationChannels | List | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiumChannels | List | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| CreateFabricChannelMember | Write | acs:baas:*:$accountId:channel/$channelId |
| DescribeFabricChannelMembers | List | acs:baas:*:$accountId:channel/$channelId |
| JoinFabricChannel | Write | acs:baas:*:$accountId:channel/$channelId |
| CreateFabricConsortium | Write | acs:baas:$regionId:$accountId:consortium/* |
| CreateFabricConsortiumMember | Write | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| ConfirmFabricConsortiumMember | Write | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricOrganizationMembers | List | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationPeers | List | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiums | List | acs:baas:*:$accountId:consortium/* |
| DescribeFabricConsortiumAdminStatus | Read | acs:baas:*:$accountId:consortium/* |
| DescribeFabricConsortiumMembers | List | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumMemberApproval | Read | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumOrderers | List | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumDeletable | Read | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| CreateFabricChaincode | Write | acs:baas:*:$accountId:chaincode/*, acs:baas:*:$accountId:channel/$channelId, acs:baas:$regionId:$accountId:consortium/$consortiumId, acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationChaincodes | List | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiumChaincodes | List | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DeleteFabricChaincode | Write | acs:baas:*:$accountId:chaincode/$chaincodeId |
| InstallFabricChaincode | Write | acs:baas:*:$accountId:chaincode/$chaincodeId, acs:baas:$regionId:$accountId:organization/$organizationId |
| InstantiateFabricChaincode | Write | acs:baas:*:$accountId:chaincode/$chaincodeId, acs:baas:$regionId:$accountId:organization/$organizationId |
| UpgradeFabricChaincode | Write | acs:baas:*:$accountId:chaincode/$chaincodeId, acs:baas:$regionId:$accountId:organization/$organizationId |
| SynchronizeFabricChaincode | Write | acs:baas:*:$accountId:chaincode/$chaincodeId, acs:baas:$regionId:$accountId:organization/$organizationId |
| CreateFabricOrganizationUser | Write | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationUsers | List | acs:baas:$regionId:$accountId:organization/$organizationId |
| ResetFabricOrganizationUserPassword | Write | acs:baas:$regionId:$accountId:organization/$organizationId |
| DownloadFabricOrganizationSDK | Read | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricInvitationCode | Read | acs:baas:$regionId:$accountId:consortium/$consortiumId |

Note: APIs that operate on channels or chaincode require * as the region in the corresponding resource ARN, because channels and chaincode are global resources. Permissions granted on a consortium or organization resource do not automatically extend to channels or chaincode associated with that resource. Include each resource type explicitly in the policy.

Policy examples

Example 1: Read-only access

Grants read access to all BaaS resources and the ability to download organization SDKs. Suitable for auditors or team members who need to view blockchain status without making changes.

{
  "Statement": [
    {
      "Sid": "ReadAllBaaSResources",
      "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
      "Effect": "Allow",
      "Resource": "acs:baas:*:*:*"
    }
  ],
  "Version": "1"
}

Example 2: Chaincode management

Grants full chaincode lifecycle permissions — upload, install, instantiate, upgrade, and delete — across all organizations, consortiums, and channels. Suitable for chaincode administrators.

{
  "Statement": [
    {
      "Sid": "ManageAllChaincodes",
      "Action": "baas:*Chaincode",
      "Effect": "Allow",
      "Resource": [
        "acs:baas:*:*:chaincode/*",
        "acs:baas:*:*:organization/*",
        "acs:baas:*:*:consortium/*",
        "acs:baas:*:*:channel/*"
      ]
    }
  ],
  "Version": "1"
}

Example 3: Fine-grained access for a chaincode developer

Combines read-only access across all resources with chaincode management permissions scoped to specific consortiums, organizations, and channels. Applies the least privilege principle.

Replace $consortiumId, $organizationId, and $channelId with the actual resource IDs from BaaS.

Note: Channel and chaincode ARNs must use * as the region, regardless of the region specified for the consortium or organization. Permissions on a consortium or organization do not cascade to associated channels or chaincode; you must list each resource type separately.

{
  "Statement": [
    {
      "Sid": "ReadAllBaaSResources",
      "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
      "Effect": "Allow",
      "Resource": "acs:baas:*:*:*"
    },
    {
      "Sid": "ManageChaincodeInScopedResources",
      "Action": "baas:*Chaincode",
      "Effect": "Allow",
      "Resource": [
        "acs:baas:*:*:chaincode/*",
        "acs:baas:*:*:organization/$organizationId",
        "acs:baas:*:*:consortium/$consortiumId",
        "acs:baas:*:*:channel/$channelId"
      ]
    }
  ],
  "Version": "1"
}
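
Added example (not part of the original page or of Alibaba Cloud's tooling): a Python check that expands the wildcard Action patterns used in the policy examples above into the concrete APIs and access levels from the Authorizable APIs table, and flags channel or chaincode ARNs whose region is not *. It assumes * in an Action matches any run of characters, case-sensitively; the function names and the sample ARN with its region and channel ID are constructed.

```python
import fnmatch

# API -> access level, transcribed from the "Authorizable APIs" table on this page.
_TABLE = {
    "Write": """CreateFabricOrganization CreateFabricChannel CreateFabricChannelMember
        JoinFabricChannel CreateFabricConsortium CreateFabricConsortiumMember
        ConfirmFabricConsortiumMember CreateFabricChaincode DeleteFabricChaincode
        InstallFabricChaincode InstantiateFabricChaincode UpgradeFabricChaincode
        SynchronizeFabricChaincode CreateFabricOrganizationUser
        ResetFabricOrganizationUserPassword""",
    "Read": """DescribeFabricOrganization DescribeFabricOrganizationDeletable
        DescribeFabricConsortiumAdminStatus DescribeFabricConsortiumMemberApproval
        DescribeFabricConsortiumDeletable DownloadFabricOrganizationSDK
        DescribeFabricInvitationCode""",
    "List": """DescribeFabricOrganizations DescribeFabricCandidateOrganizations
        DescribeFabricOrganizationChannels DescribeFabricConsortiumChannels
        DescribeFabricChannelMembers DescribeFabricOrganizationMembers
        DescribeFabricOrganizationPeers DescribeFabricConsortiums
        DescribeFabricConsortiumMembers DescribeFabricConsortiumOrderers
        DescribeFabricOrganizationChaincodes DescribeFabricConsortiumChaincodes
        DescribeFabricOrganizationUsers""",
}
LEVELS = {api: lvl for lvl, names in _TABLE.items() for api in names.split()}
GLOBAL_TYPES = {"channel", "chaincode"}  # region must be "*" per the page's note

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def expand_actions(statement):
    """Map each table API matched by the statement's Action patterns to its level."""
    granted = {}
    for pattern in _as_list(statement["Action"]):
        service, _, name = pattern.partition(":")
        if service == "baas":
            # Assumption: "*" matches any run of characters, case-sensitively.
            granted.update({a: lvl for a, lvl in LEVELS.items()
                            if fnmatch.fnmatchcase(a, name)})
    return granted

def region_errors(statement):
    """Return channel/chaincode ARNs whose region field is not "*"."""
    bad = []
    for arn in _as_list(statement["Resource"]):
        parts = arn.split(":", 4)  # acs, baas, region, account, type/id
        if len(parts) == 5 and parts[4].split("/")[0] in GLOBAL_TYPES and parts[2] != "*":
            bad.append(arn)
    return bad

# Constructed statement: Example 3's chaincode statement with one mis-regioned channel ARN.
SAMPLE = {"Action": "baas:*Chaincode", "Effect": "Allow", "Resource": [
    "acs:baas:*:*:chaincode/*", "acs:baas:cn-hangzhou:*:channel/example-channel-id"]}
```

Under that matching assumption, baas:*Chaincode expands to the six Write-level chaincode APIs only, and baas:Describe* plus DownloadFabricOrganizationSDK expands to every List and Read API in the table and no Write API.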