CloudSSO: Access configuration overview

Last Updated: Jun 02, 2026

Access configurations define the permissions and session settings that CloudSSO users receive when accessing accounts in a resource directory.

Elements

Each access configuration includes:

  • Session duration: how long a CloudSSO user's session lasts when accessing an account through this access configuration.

  • Relay state: the initial page displayed when a CloudSSO user accesses an account through this access configuration.

  • Permissions: the set of permissions granted to a CloudSSO user on a resource directory account.

    • System policy: reuses existing Resource Access Management (RAM) system policies.

    • Inline policy: custom policies written in RAM policy syntax that apply only to this access configuration.

First-time provisioning

To assign access permissions on an account to a user or group, you specify an access configuration. If the access configuration has not been provisioned before, CloudSSO creates the following resources:

  • A RAM role named AliyunReservedSSO-<Access configuration name> is created. For example, provisioning TestAccessConfiguration creates a RAM role named AliyunReservedSSO-TestAccessConfiguration.

  • If an inline policy exists, a RAM custom policy named AliyunReservedSSO-<Access configuration name>-InlinePolicy is created. For example, an inline policy in TestAccessConfiguration creates AliyunReservedSSO-TestAccessConfiguration-InlinePolicy.

  • All system policies and inline-policy-derived custom policies are attached to the RAM role.

  • If no access permissions on the account are yet assigned to a CloudSSO user, an identity provider (IdP) named AliyunReservedSSO-<ID of the CloudSSO directory> is created to enable role-based SSO. For example, if the directory ID is d-x0h0w370****, an IdP named AliyunReservedSSO-d-x0h0w370**** is created.

You can view these RAM roles, custom policies, and IdPs in the RAM console, but you cannot modify or delete them.

For more information, see Assign access permissions on the accounts in a resource directory.

Re-provision an access configuration

If you make any of the following changes to a provisioned access configuration, you must manually re-provision it. These changes are not automatically applied to the account.

  • A system policy is added or removed.
  • An inline policy is created, modified, or deleted.

Note: If the session duration and relay state are modified, you do not need to re-provision the access configuration.

For more information, see Re-provision an access configuration.
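
As an added example (not CloudSSO's own code or API), the Python code below derives the reserved RAM resource names from the first-time provisioning rules and compares an access configuration's current settings with the copy last provisioned to an account, reporting only the changes that require re-provisioning. The snapshot dictionaries, their field names, and the sample policy contents are constructed for illustration.

```python
import json

PREFIX = "AliyunReservedSSO-"  # reserved prefix from the naming rules above

def expected_resources(config_name, has_inline_policy, directory_id):
    """RAM resource names that first-time provisioning creates in the account."""
    names = {"role": PREFIX + config_name, "idp": PREFIX + directory_id}
    if has_inline_policy:
        names["inline_policy"] = f"{PREFIX}{config_name}-InlinePolicy"
    return names

def _canon(policy_text):
    """Normalize policy JSON so key order and whitespace are not seen as edits."""
    return json.dumps(json.loads(policy_text), sort_keys=True) if policy_text else None

def reprovision_reasons(current, provisioned):
    """List the changes that leave the provisioned copy stale.

    Session duration and relay state are deliberately not compared: changing
    them does not require re-provisioning.
    """
    reasons = []
    now, then = set(current["system_policies"]), set(provisioned["system_policies"])
    reasons += [f"system policy added: {p}" for p in sorted(now - then)]
    reasons += [f"system policy removed: {p}" for p in sorted(then - now)]
    new, old = _canon(current.get("inline_policy")), _canon(provisioned.get("inline_policy"))
    if new != old:
        change = "created" if old is None else "deleted" if new is None else "modified"
        reasons.append(f"inline policy {change}")
    return reasons

# Constructed sample snapshots (field names and policy contents are hypothetical).
PROVISIONED = {
    "session_duration": 3600, "relay_state": "",
    "system_policies": ["AliyunECSReadOnlyAccess"],
    "inline_policy": '{"Version": "1", "Statement": [{"Effect": "Allow", '
                     '"Action": "oss:GetObject", "Resource": "*"}]}',
}
CURRENT = {
    "session_duration": 7200, "relay_state": "",
    "system_policies": ["AliyunECSReadOnlyAccess", "AliyunOSSReadOnlyAccess"],
    "inline_policy": '{"Statement": [{"Effect": "Allow", "Action": "oss:GetObject", '
                     '"Resource": "*"}, {"Effect": "Deny", "Action": "oss:DeleteObject", '
                     '"Resource": "*"}], "Version": "1"}',
}

if __name__ == "__main__":
    print(expected_resources("TestAccessConfiguration", True, "d-x0h0w370****"))
    for reason in reprovision_reasons(CURRENT, PROVISIONED):
        print("re-provision needed:", reason)
```

An empty result means the account's provisioned role already matches the access configuration; any listed reason marks permissions in the account that still reflect the older definition.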

De-provision an access configuration

You can de-provision an access configuration from a resource directory account in the following scenarios:

  • When you remove access permissions from the last CloudSSO identity that uses an access configuration, you can de-provision it at the same time.

  • From the list of access configurations provisioned for an account, de-provision any that are no longer needed.

  • From the list of accounts where an access configuration is provisioned, de-provision it from accounts that no longer need it.

For more information, see De-provision an access configuration.
