
Domain Names: Authorize a RAM user to manage domains

Last Updated: Jun 21, 2026

For fine-grained access control and improved account security, you can use Resource Access Management (RAM) to grant a RAM user permissions to manage your domain names. The authorized RAM user can then manage the specified domain names. This topic describes how to authorize a RAM user to manage domain names.

Prerequisites

You have an existing RAM user. For more information, see Create a RAM user.

Background information

Resource Access Management (RAM) is an Alibaba Cloud service for resource access control. You can use RAM to authorize a RAM user to manage domain names. RAM supports both system policies and custom policies. The only available system policy for domain names is AliyunDomainFullAccess, which grants full management permissions. If this system policy is too permissive, you can create a custom policy for more fine-grained access control.

Note

This topic shows how to create two custom policies: one for read-only permissions and another for managing a specific domain name. To create other types of custom policies, see Create a custom policy.

Grant full access by attaching a system policy

You can attach the AliyunDomainFullAccess system policy to a RAM user in the RAM console. This policy grants the RAM user permissions to manage all domain name resources that belong to your Alibaba Cloud account, which is the highest level of permission for domain name management.

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, in the User Login Name list, click Attach Policy in the Actions column of the target RAM user.

  4. In the Attach Policy panel, configure the authorization settings.

    1. For Authorization Scope, select Account.

      Note

      The system automatically specifies the Principal.

    2. Select {type}.

    3. In the search box, enter domain to find domain-related system policies.

    4. Select AliyunDomainFullAccess.

    5. Click OK.

Grant read-only permissions by creating a custom policy

You can create a custom policy in the RAM console to grant read-only permissions to a RAM user. This allows the authorized RAM user to view domain names that belong to the Alibaba Cloud account but not manage them.

  1. In the left-side navigation pane, choose Permissions > Policies.

  2. On the Policies page, click Create Policy.

  3. On the Create Policy page, click the JSON Editor tab.

  4. Enter the following policy script in the editor and click OK.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "domain:Query*"
          ],
          "Resource": "acs:domain:*:*:*",
          "Effect": "Allow"
        }
      ]
    }

  5. Specify the Policy Type and an optional Description.

    The Policy Name is required. It must be 128 characters or less and can contain only letters, digits, and hyphens (-).

    For more information about related settings, see Create a custom policy on the JSON editor tab.

  6. Click OK.

    You can view the custom policy that you created in one of the following ways:

    • Method 1: On the Policies page, select {type} from the Policy Type drop-down list.

    • Method 2: In the Attach Policy panel, select {type}.

Grant permissions to manage a single domain

You can create a custom policy in the RAM console to authorize a RAM user to manage a single domain name. This allows the authorized RAM user to manage only a specific domain name, such as example.com.

Note

  • Authorization is supported only for the actions listed in the policy. For more information about the authorization rules for each action, see Domain API authorization rules.

  • After authorization, the RAM user can log on to the Alibaba Cloud Domain Names console and view all domain names that belong to the Alibaba Cloud account. However, the RAM user can manage only the specific domain name for which permissions are granted.

  1. In the left-side navigation pane, choose Permissions > Policies.

  2. On the Policies page, click Create Policy.

  3. On the Create Policy page, click the JSON Editor tab.

  4. Enter the following policy script in the editor. Replace example.com with your domain name. Then, click OK.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "domain:DnsModification",
            "domain:SecuritySetting",
            "domain:RealNameVerificationOperation",
            "domain:DnsHostModification",
            "domain:CreateOrderActivate",
            "domain:CreateOrderRenew",
            "domain:CreateOrderRedeem",
            "domain:CreateOrderTransfer",
            "domain:DomainTransferInOperation",
            "domain:DomainTransferOutOperation",
            "domain:QualificationAuditOperation",
            "domain:EnsSetting",
            "domain:DnsSecSetting",
            "domain:SaveArtExtension",
            "domain:CreateOrderPendingDelete"
          ],
          "Resource": "acs:domain:*:*:domain/example.com",
          "Effect": "Allow"
        },
        {
          "Action": [
            "domain:Query*"
          ],
          "Resource": "acs:domain:*:*:*",
          "Effect": "Allow"
        }
      ]
    }

  5. Specify the Policy Type and an optional Description.

    The Policy Name is required. It must be 128 characters or less and can contain only letters, digits, and hyphens (-).

    For more information about related settings, see Create a custom policy on the JSON editor tab.

  6. Click OK.

    You can view the custom policy that you created in one of the following ways:

    • Method 1: On the Policies page, select {type} from the Policy Type drop-down list.

    • Method 2: In the Attach Policy panel, select {type}.
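
An added example, not part of the original Alibaba Cloud documentation: a Python check to run over a custom policy before pasting it into the JSON Editor. It reports every Allow statement that grants anything beyond domain:Query* outside the intended domain names. The function names and sample policy are constructed for illustration, and the resource layout is assumed from the acs:domain:*:*:domain/example.com string used in the policy above.

```python
import json

# Constructed sample: the single-domain policy from this page, cut down to two write actions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["domain:DnsModification", "domain:DomainTransferOutOperation"],
     "Resource": "acs:domain:*:*:domain/example.com", "Effect": "Allow"},
    {"Action": ["domain:Query*"], "Resource": "acs:domain:*:*:*", "Effect": "Allow"}
  ]
}
""")

READ_PREFIX = "domain:Query"  # actions under this prefix are the page's read-only set


def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def scoped_domain(resource):
    """Return the domain name in acs:domain:<region>:<account>:domain/<name>, else None."""
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "domain"]:
        return None
    kind, _, name = parts[4].partition("/")
    if kind != "domain" or not name or "*" in name or "?" in name:
        return None
    return name.lower()


def audit_domain_policy(policy, allowed_domains):
    """Return (statement index, message) for each Allow statement that grants
    anything beyond domain:Query* outside the allowed domain names."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "Action" not in stmt:
            findings.append((idx, "no Action element; review by hand"))
            continue
        writes = [a for a in as_list(stmt["Action"]) if not a.startswith(READ_PREFIX)]
        if not writes:
            continue  # read-only statement; an account-wide Resource is expected here
        for res in as_list(stmt.get("Resource", "*")):
            if scoped_domain(res) not in allowed_domains:
                findings.append((idx, f"{', '.join(writes)} allowed on {res}"))
    return findings
```

Calling audit_domain_policy(SAMPLE_POLICY, {"example.com"}) returns an empty list; the same write actions on acs:domain:*:*:* or on a domain outside the allowed set produce one finding per resource.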

Next steps

Log on to the console with the authorized RAM user account. For more information, see Log on to the Alibaba Cloud console as a RAM user.