Avoid accessing Data Management (DMS) and Data Disaster Recovery directly with your Alibaba Cloud account. Instead, use Resource Access Management (RAM) users or RAM roles. This limits the blast radius of any accidental or unauthorized operation and lets you apply fine-grained access control across your team.
Choose an identity type
RAM provides three identity primitives. Use the table below to decide which fits your situation.
| Identity type | What it is | Best for |
|---|---|---|
| RAM user | A named identity with permanent credentials — either a username/password or an AccessKey pair | Individual team members (console access) and application processes (API access) |
| RAM user group | A collection of RAM users that share the same permission policies | Managing permissions for teams or job functions at scale |
| RAM role | A virtual identity with no permanent credentials; grants temporary access via Security Token Service (STS) tokens | Cross-account access, automated workloads, and federated identity scenarios |
RAM users
A RAM user can be created by an Alibaba Cloud account or by any RAM user or RAM role that already has administrator permissions. Once granted the appropriate policies, the RAM user can sign in to the Alibaba Cloud Management Console or call API operations on resources within that account.
Separate human users from service accounts
When you create a RAM user, set the Access Mode parameter to one of the following:
| Access mode | Credential type | Use for |
|---|---|---|
| Console Access | Username and password | Human team members who sign in interactively |
| Using permanent AccessKey to access | AccessKey pair | Applications and automated processes that call APIs |
Mixing both modes on a single RAM user is possible, but creates unnecessary risk. Keep human users and service accounts separate so that a compromised application credential cannot be used to sign in to the console, and vice versa.
Security checklist for RAM users
Follow these practices to reduce your exposure:
Start with an admin RAM user. Use your Alibaba Cloud account to create a RAM user with administrator permissions, then use that RAM user to create and manage all other RAM users.
Enable multi-factor authentication (MFA) for console users. We recommend that you enable MFA for every RAM user that has console access, especially those with elevated permissions.
Apply least privilege. Grant only the permissions required for a specific task. Avoid attaching broad policies like AdministratorAccess to regular users. For DMS-specific policies, see DMS custom policies.
Never embed credentials in code. Hardcoding an AccessKey ID or AccessKey secret in source code risks exposing it through version control or log files. Use STS tokens or environment variables instead.
Enable single sign-on (SSO) if your organization has an existing identity provider. SSO lets RAM users authenticate through your enterprise identity system rather than managing separate Alibaba Cloud passwords. See Overview of user-based SSO for setup details.
Related topics: Overview of RAM users and Credential security solutions
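The two credential rules in the checklist (keep keys out of source, prefer STS tokens) are easy to automate. The following Python example is added here and is not part of the original page or of any Alibaba Cloud SDK: it loads credentials from environment variables and scans a source snippet for embedded AccessKey IDs. The environment variable names are assumed to be the ones the Alibaba Cloud credential libraries read by default, the "LTAI" prefix and length range of AccessKey IDs are an assumption used only for the scan, and the sample source and key ID are constructed (not a real credential).

```python
"""Credential hygiene for a DMS service account: read credentials from the
environment (preferring an STS token) and scan source for embedded keys."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: Alibaba Cloud AccessKey IDs start with "LTAI"; the length range
# is deliberately loose so both older and newer ID formats are caught.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")

# Assumption: these are the variable names the Alibaba Cloud credential
# libraries read by default, so a process using them needs no key in code.
ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"
ENV_TOKEN = "ALIBABA_CLOUD_SECURITY_TOKEN"


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str] = None  # only present for STS tokens

    @property
    def is_temporary(self) -> bool:
        """True for an STS token, False for a permanent AccessKey pair."""
        return self.security_token is not None


def load_credentials(env: Optional[Dict[str, str]] = None) -> Credentials:
    """Build Credentials from environment variables, never from literals in code.

    Raises RuntimeError when no AccessKey pair is present so the process fails
    closed instead of silently falling back to something hardcoded.
    """
    env = dict(os.environ) if env is None else env
    key_id = env.get(ENV_KEY_ID)
    secret = env.get(ENV_KEY_SECRET)
    if not key_id or not secret:
        raise RuntimeError("no Alibaba Cloud credentials found in environment")
    return Credentials(key_id, secret, env.get(ENV_TOKEN) or None)


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, access_key_id) for every AccessKey ID in source.

    Suitable as a pre-commit check over the files about to be committed.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


# Constructed sample source with an embedded key; the ID is not a real credential.
SAMPLE_SOURCE = """\
client = Client(
    access_key_id="LTAI4Fexample000000A",
    access_key_secret="not-a-real-secret",
)
"""

if __name__ == "__main__":
    for lineno, key_id in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded AccessKey ID {key_id}")
    # Constructed environment standing in for what an STS-backed workload sees.
    creds = load_credentials({ENV_KEY_ID: "LTAI4Fexample000000A",
                              ENV_KEY_SECRET: "not-a-real-secret",
                              ENV_TOKEN: "constructed-sts-token"})
    print("temporary" if creds.is_temporary else "permanent")
```

Run `find_hardcoded_keys` over staged files in a pre-commit hook and fail the commit on any hit; an AccessKey secret has no fixed prefix, so catching the ID is the practical signal. `load_credentials` deliberately has no fallback to a literal, which is the property that keeps a console-less service account from ever carrying a key in its repository.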
RAM user groups
Group RAM users by job function so you can manage permissions at the group level rather than on each individual user. For example, a group for your DBA team can hold the database write policy, while a read-only analytics group holds a narrower policy. When someone joins, add them to the right group — no per-user policy changes needed.
The following example shows how to design groups for a DMS team:
| Group | Typical members | Policy scope |
|---|---|---|
| DMS administrators | Senior DBAs, platform owners | Full DMS management permissions |
| DMS read-write | Application developers | Read and write access to specific databases |
| DMS read-only | Analysts, auditors | Read-only access to specific databases |
Managing group permissions
Grant permissions to the group, not to individual users inside it, so the permission set stays consistent.
When a team member changes roles, remove them from their current group and add them to the appropriate one before their last day in the old role.
Revoke a group's permissions as soon as they are no longer needed.
Related topics: Overview of a RAM user group
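To turn the group design above into something you can attach and audit, the following Python example (added here, not code from the page or from Alibaba Cloud) generates one RAM policy document per group and lints it for least privilege before it is attached. The policy layout (Version "1", a Statement list with Effect, Action and Resource) follows the RAM policy format; the DMS action names are illustrative placeholders showing the verb-prefix convention and must be checked against the DMS API reference; Resource is "*" because database-level scoping for DMS is configured inside DMS rather than in the RAM policy.

```python
"""One RAM policy document per DMS group, linted for least privilege before
it is attached with the CreatePolicy and AttachPolicyToGroup API operations."""
import json
from typing import Dict, List

# Assumption: the DMS action names below are illustrative placeholders chosen
# to show the dms:<Verb><Noun> convention; verify real names before use.
GROUP_ACTIONS: Dict[str, List[str]] = {
    "DMS administrators": ["dms:*"],
    "DMS read-write": ["dms:Get*", "dms:List*", "dms:Describe*",
                       "dms:Create*", "dms:Update*", "dms:Execute*"],
    "DMS read-only": ["dms:Get*", "dms:List*", "dms:Describe*"],
}

# Verb prefixes treated as read-only when linting.
READ_VERBS = ("Get", "List", "Describe")
ADMIN_GROUPS = {"DMS administrators"}


def policy_for_group(group: str) -> dict:
    """RAM policy document (Version "1") granting the group's actions.

    Resource is "*" because database-level scoping for DMS lives in DMS
    itself; the RAM policy only gates the DMS API surface.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(GROUP_ACTIONS[group]),
            "Resource": "*",
        }],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_read_action(action: str) -> bool:
    """True when the action's verb starts with a read-only prefix."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_VERBS)


def lint_policy(group: str, policy: dict) -> List[str]:
    """Return findings that violate the group's intended scope:

    - a non-admin group holding a wildcard action on all resources
    - a read-only group holding an action whose verb is not a read verb
    """
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard and "*" in resources and group not in ADMIN_GROUPS:
            findings.append(f"{group}: wildcard action on all resources")
        if group.endswith("read-only"):
            findings.extend(f"{group}: non-read action {a}"
                            for a in actions if not is_read_action(a))
    return findings


def policy_document(group: str) -> str:
    """Compact JSON string in the form the CreatePolicy PolicyDocument parameter takes."""
    return json.dumps(policy_for_group(group), separators=(",", ":"))


if __name__ == "__main__":
    for group in GROUP_ACTIONS:
        print(group, lint_policy(group, policy_for_group(group)) or "ok")
        print(" ", policy_document(group))
```

Run `lint_policy` in the pipeline that creates or updates group policies so that a wildcard slipping into the read-write group, or a write verb into the read-only group, fails the change before AttachPolicyToGroup is called. Onboarding then stays a single AddUserToGroup call, as the section above intends.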
RAM roles
A RAM role is a virtual identity with no permanent credentials — it has no logon password and no AccessKey pair. To use a RAM role, a trusted entity must assume it. After assuming the role, the trusted entity receives an STS token, which grants access to Alibaba Cloud resources as that role for a limited period.
This makes RAM roles suitable for:
Automated workloads — a service or pipeline that needs temporary access without storing long-lived credentials.
Cross-account access — granting an entity in another Alibaba Cloud account controlled access to resources in yours.
Federated access — allowing users authenticated by an external identity provider to assume a RAM role and access Alibaba Cloud resources.
Security checklist for RAM roles
Lock down the trusted entity on creation. Changing the trusted entity of a RAM role after the fact risks permission loss or unintended privilege escalation. Decide on the trusted entity before you create the role, test it thoroughly, and avoid modifying it in production.
Set an appropriate STS token validity period. The trusted entity obtains a token by calling the AssumeRole API operation, and the DurationSeconds it requests in that call cannot exceed the maximum session duration configured on the RAM role. Set both the role's maximum session duration and the DurationSeconds your workload requests as short as the workload allows, to reduce the window of exposure if a token is compromised.
Enable SSO for RAM roles if your organization uses a federated identity system. This lets employees sign in through your enterprise identity provider and assume RAM roles directly, without managing separate Alibaba Cloud identities. See Role-based SSO for details.
Related topics: RAM role overview, Assume a RAM role, and Specify the maximum session duration for a RAM role
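The two role checklist items above (fix the trusted entity before creation, bound the token validity) can be checked in code before a role is created. The following Python example is added here and is not code from the page or from Alibaba Cloud: it builds a trust policy for a single trusted account or service, lists the principals that policy admits so they can be reviewed, and validates a requested DurationSeconds against the role's maximum session duration. The trust-policy layout (Principal with a "RAM" entry for RAM identities or a "Service" entry for an Alibaba Cloud service) follows the RAM role trust-policy format; the numeric limits (maximum session duration between 3600 and 43200 seconds, DurationSeconds at least 900 seconds with a default of 3600) are assumed from the RAM and STS documentation; the account ID is a placeholder.

```python
"""Trust policy and token validity for a RAM role that is locked to one
trusted entity at creation time."""
import json
from typing import List, Optional

# Assumed limits: a role's maximum session duration is 3600-43200 seconds;
# the AssumeRole DurationSeconds parameter must be at least 900 seconds and
# at most the role's maximum session duration, and defaults to 3600.
ROLE_MAX_SESSION_MIN = 3600
ROLE_MAX_SESSION_MAX = 43200
TOKEN_MIN_SECONDS = 900
TOKEN_DEFAULT_SECONDS = 3600


def _trust_policy(principal: dict) -> dict:
    """Trust policy whose only statement allows sts:AssumeRole for principal."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": principal,
        }],
    }


def trust_policy_for_account(trusted_account_id: str) -> dict:
    """Cross-account trust: only RAM identities in the given account may assume the role.

    Narrow the ARN to a specific RAM user or role when the caller is known.
    """
    return _trust_policy({"RAM": [f"acs:ram::{trusted_account_id}:root"]})


def trust_policy_for_service(service_domain: str) -> dict:
    """Service trust, e.g. "ecs.aliyuncs.com" for an instance RAM role."""
    return _trust_policy({"Service": [service_domain]})


def trusted_entities(policy: dict) -> List[str]:
    """Every principal that may assume the role; review this list before creating it."""
    entities: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRole":
            for values in stmt.get("Principal", {}).values():
                entities.extend(values)
    return entities


def effective_token_seconds(max_session_duration: int,
                            requested: Optional[int] = None) -> int:
    """Validity an AssumeRole call would receive, or ValueError where STS would reject it."""
    if not ROLE_MAX_SESSION_MIN <= max_session_duration <= ROLE_MAX_SESSION_MAX:
        raise ValueError(f"MaxSessionDuration {max_session_duration}s outside allowed range")
    if requested is None:
        return TOKEN_DEFAULT_SECONDS
    if requested < TOKEN_MIN_SECONDS:
        raise ValueError(f"DurationSeconds {requested}s below minimum {TOKEN_MIN_SECONDS}s")
    if requested > max_session_duration:
        raise ValueError(f"DurationSeconds {requested}s exceeds "
                         f"MaxSessionDuration {max_session_duration}s")
    return requested


if __name__ == "__main__":
    # Placeholder account ID, not a real account.
    policy = trust_policy_for_account("123456789012345678")
    print(json.dumps(policy, indent=2))
    print("trusted:", trusted_entities(policy))
    print("token validity:", effective_token_seconds(3600, 1800), "s")
```

Pass the generated document as the trust policy when the role is created, and treat `trusted_entities` as the review gate: if the list contains anything other than the one principal you intended, the role should not be created. `effective_token_seconds` fails before the AssumeRole call rather than after, so a workload whose requested validity exceeds the role's maximum is caught in testing instead of in production.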