
CloudSSO: RAM user provisioning overview

Last Updated: Jun 10, 2026

Learn how Resource Access Management (RAM) user provisioning works in CloudSSO, including the workflow and usage limits.

How it works

CloudSSO users access resources in a resource directory account through either RAM role-based logon or RAM user-based logon. This topic covers the RAM user-based method. With RAM user provisioning, CloudSSO creates a RAM user with the same username as the CloudSSO user in the target account, allowing access to that account's resources.

| Access method | Description | Scenario | References |
| --- | --- | --- | --- |
| RAM user-based logon | Create a RAM user provisioning to let a CloudSSO user log on to the Alibaba Cloud Management Console as a RAM user within a resource directory account and access that account's resources. | Resources that cannot be accessed by assuming RAM roles. | Create a RAM user provisioning |
| RAM role-based logon | Create and assign an access configuration to let a CloudSSO user log on to the Alibaba Cloud Management Console through single sign-on (SSO) as a RAM role within a resource directory account and access that account's resources. | Resources that can be accessed by assuming RAM roles. | |

Procedure

  1. In the CloudSSO console, use the management account of the resource directory to create a RAM user provisioning.

    A RAM user with the same username as the CloudSSO user is created in the selected member. For more information, see Step 1: Create a RAM user provisioning.

  2. Use the management account to access the member and grant permissions to the RAM user.

    A RAM user has no permissions by default. Grant the required permissions before the RAM user can access resources. For more information, see Step 2: Grant permissions to the RAM user.

  3. The CloudSSO user accesses the member's resources as the RAM user.

    For more information, see Step 3: Use the CloudSSO user to access Alibaba Cloud resources.

Limits

  • You must log on to the CloudSSO user portal first, then use the provisioned RAM user to access the Alibaba Cloud Management Console. Direct logon with the RAM user's username and password is not supported.

  • You cannot delete a provisioned RAM user while a RAM user provisioning event exists. Delete the provisioning event first. For more information, see Delete a RAM user provisioning.