All Products
Search
Document Center

CloudSSO:RAM authentication

Last Updated:May 19, 2022

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements such as Action, Resource, and Condition that are defined by CloudSSO. You can use the elements to create policies in RAM. The code (RamCode) that is used in RAM to indicate CloudSSO is cloudsso. You can grant permissions on CloudSSO at the resource level.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow and Deny.

  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.

  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.

  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.

    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.

    • Condition_key: specifies the condition keys.

    • Condition_value: specifies the condition values.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by CloudSSO. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a group of operations. The following list describes the columns in the table:
  • Operation: the value that you can use in the Action element to specify the operation on a resource.

  • API operation: the API operation that you can call to perform the operation.

  • Access level: the access level of each operation. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the operation.

  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the group of operations. To complete the group of operations, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation

API operation

Access level

Resource type

Condition key

Associated operation

cloudsso:AddExternalSAMLIdPCertificate

AddExternalSAMLIdPCertificate

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:AddPermissionPolicyToAccessConfiguration

AddPermissionPolicyToAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:AddUserToGroup

AddUserToGroup

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}

None

None

cloudsso:ClearExternalSAMLIdentityProvider

ClearExternalSAMLIdentityProvider

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:CreateAccessAssignment

CreateAccessAssignment

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}
Account
acs:resourcemanager::{#accountId}:account/{#AccountId}

None

None

cloudsso:CreateAccessConfiguration

CreateAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/*

None

None

cloudsso:CreateDirectory

CreateDirectory

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/*

None

None

cloudsso:CreateGroup

CreateGroup

Write
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/*

None

None

cloudsso:CreateSCIMServerCredential

CreateSCIMServerCredential

Write
SCIMServerCredential
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/scim-credential/*

None

None

cloudsso:CreateUser

CreateUser

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/*

None

None

cloudsso:DeleteAccessAssignment

DeleteAccessAssignment

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}
Account
acs:resourcemanager::{#accountId}:account/{#AccountId}

None

None

cloudsso:DeleteAccessConfiguration

DeleteAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:DeleteDirectory

DeleteDirectory

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:DeleteGroup

DeleteGroup

Write
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}

None

None

cloudsso:DeleteMFADeviceForUser

DeleteMFADeviceForUser

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:DeleteSCIMServerCredential

DeleteSCIMServerCredential

Write
SCIMServerCredential
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/scim-credential/{#CredentialId}

None

None

cloudsso:DeleteUser

DeleteUser

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:DeprovisionAccessConfiguration

DeprovisionAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:DisableService

DisableService

Write
All resources
acs:cloudsso::{#accountId}:*

None

None

cloudsso:EnableService

EnableService

Write
All resources
acs:cloudsso::{#accountId}:*

None

None

cloudsso:GetAccessConfiguration

GetAccessConfiguration

Read
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:GetDirectory

GetDirectory

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetDirectorySAMLServiceProviderInfo

GetDirectorySAMLServiceProviderInfo

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetDirectoryStatistics

GetDirectoryStatistics

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetExternalSAMLIdentityProvider

GetExternalSAMLIdentityProvider

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetGroup

GetGroup

Read
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}

None

None

cloudsso:GetMFAAuthenticationStatus

GetMFAAuthenticationStatus

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetSCIMSynchronizationStatus

GetSCIMSynchronizationStatus

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetServiceStatus

GetServiceStatus

Read
All resources
acs:cloudsso::{#accountId}:*

None

None

cloudsso:GetTask

GetTask

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetTaskStatus

GetTaskStatus

Read
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:GetUser

GetUser

Read
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:ListAccessAssignments

ListAccessAssignments

List
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/*
Account
acs:resourcemanager::{#accountId}:account/*
Account
acs:resourcemanager::{#accountId}:account/{#AccountId}
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/*
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/*

None

None

cloudsso:ListAccessConfigurationProvisionings

ListAccessConfigurationProvisionings

Read
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/*

None

None

cloudsso:ListAccessConfigurations

ListAccessConfigurations

List
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/*

None

None

cloudsso:ListDirectories

ListDirectories

List
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/*

None

None

cloudsso:ListExternalSAMLIdPCertificates

ListExternalSAMLIdPCertificates

List
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:ListGroupMembers

ListGroupMembers

List
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}

None

None

cloudsso:ListGroups

ListGroups

List
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/*

None

None

cloudsso:ListJoinedGroupsForUser

ListJoinedGroupsForUser

List
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:ListMFADevicesForUser

ListMFADevicesForUser

List
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:ListPermissionPoliciesInAccessConfiguration

ListPermissionPoliciesInAccessConfiguration

List
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:ListSCIMServerCredentials

ListSCIMServerCredentials

List
SCIMServerCredential
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/scim-credential/*

None

None

cloudsso:ListTasks

ListTasks

List
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:ListUsers

ListUsers

List
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/*

None

None

cloudsso:ProvisionAccessConfiguration

ProvisionAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:RemoveExternalSAMLIdPCertificate

RemoveExternalSAMLIdPCertificate

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:RemovePermissionPolicyFromAccessConfiguration

RemovePermissionPolicyFromAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:RemoveUserFromGroup

RemoveUserFromGroup

Write
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:ResetUserPassword

ResetUserPassword

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:SetExternalSAMLIdentityProvider

SetExternalSAMLIdentityProvider

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:SetMFAAuthenticationStatus

SetMFAAuthenticationStatus

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:SetSCIMSynchronizationStatus

SetSCIMSynchronizationStatus

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:UpdateAccessConfiguration

UpdateAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:UpdateDirectory

UpdateDirectory

Write
Directory
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}

None

None

cloudsso:UpdateGroup

UpdateGroup

Write
Group
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId}

None

None

cloudsso:UpdateInlinePolicyForAccessConfiguration

UpdateInlinePolicyForAccessConfiguration

Write
AccessConfiguration
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId}

None

None

cloudsso:UpdateSCIMServerCredentialStatus

UpdateSCIMServerCredentialStatus

Write
SCIMServerCredential
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/scim-credential/{#CredentialId}

None

None

cloudsso:UpdateUser

UpdateUser

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

cloudsso:UpdateUserStatus

UpdateUserStatus

Write
User
acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId}

None

None

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by CloudSSO. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

Directory

acs:{#ramcode}:{#regionId}:{#accountId}:directory/{#DirectoryId}

AccessConfiguration

acs:{#ramcode}:{#regionId}:{#accountId}:accessconfiguration/{#DirectoryId}/{#AccessConfigurationId}

User

acs:{#ramcode}:{#regionId}:{#accountId}:user/{#DirectoryId}/{#UserId}

Group

acs:{#ramcode}:{#regionId}:{#accountId}:group/{#DirectoryId}/{#GroupId}

SCIMServerCredential

acs:{#ramcode}:{#regionId}:{#accountId}:scimservercredential/{#DirectoryId}/{#CredentialId}

Condition

CloudSSO does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Policy elements.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: