Resource Access Management (RAM) allows you to manage permissions and control access to Alibaba Cloud resources. You can create RAM users and RAM roles, and grant them permissions on resources without having to share the AccessKey pair of your Alibaba Cloud account. This greatly improves the security of your Alibaba Cloud account.


The following examples describe how to use RAM to implement access control in different scenarios.

  • Grant permissions to a RAM user

    Enterprise A wants to migrate a project named Project-X to Alibaba Cloud. The enterprise has purchased a variety of Alibaba Cloud services, such as Express Connect services, Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Multiple employees need to perform operations on these cloud resources. Different employees require different permissions to fulfill their duties. Enterprise A has the following requirements:

    • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A wants to create different RAM user accounts for the employees and grant different permissions to these accounts.
    • The RAM users can perform operations on resources only after they are granted the corresponding permissions. Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.
    • Bills are not generated for individual RAM users. Instead, the resources used by a RAM user are metered and billed as part of the resources used by the Alibaba Cloud account of Enterprise A.

    The authorization management feature of RAM can be used to grant different permissions to RAM users and manage resources in a centralized manner. For more information about RAM users, see What is a RAM user?

  • Use a RAM role to access Express Connect resources that belong to another Alibaba Cloud account

    Account A belongs to Enterprise A. Account B belongs to Enterprise B. Enterprise A has purchased a variety of cloud resources for business use, such as ECS instances and Express Connect services.

    • Enterprise A wants to focus on its business systems and entrusts tasks such as cloud resource O&M, monitoring, and management to Enterprise B.
    • Enterprise B is allowed to grant access permissions on the Express Connect resources owned by Enterprise A to one or more employees. This way, Enterprise B can implement fine-grained control on the Express Connect resources of Enterprise A.
    • When the entrustment relationship between Enterprise A and Enterprise B is terminated, Enterprise A can revoke the permissions granted to Enterprise B at any time.

    The RAM roles created by Enterprise A can be used to authorize the RAM users of Enterprise B to access the resources that belong to Enterprise A. For more information about RAM roles, see RAM role overview.
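
For the cross-account scenario above, the trust policy on the role in Account A decides who can assume it. The following added example (not part of the original documentation) audits such a policy so that only Account B is trusted. The account IDs are constructed placeholders and `audit_trust_policy` is a hypothetical helper name.

```python
import json

# Constructed trust policy for a RAM role in Account A; the 16-digit
# account IDs below are placeholders, not real accounts.
ACCOUNT_B = "2222222222222222"
TRUST_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"RAM": ["acs:ram::2222222222222222:root"]}
    }
  ]
}
""")


def audit_trust_policy(policy, allowed_accounts):
    """Return findings for every principal outside allowed_accounts."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements let a principal assume the role
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: missing or wildcard principal")
            continue
        for kind, values in principal.items():
            for p in values if isinstance(values, list) else [values]:
                parts = str(p).split(":")
                if kind != "RAM":
                    # Service/Federated principals are not part of this delegation
                    findings.append(f"statement {i}: unexpected {kind} principal {p}")
                elif len(parts) != 5 or parts[:3] != ["acs", "ram", ""]:
                    findings.append(f"statement {i}: malformed principal {p}")
                elif parts[3] not in allowed_accounts:
                    findings.append(f"statement {i}: account {parts[3]} not allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_trust_policy(TRUST_POLICY, {ACCOUNT_B}) or ["ok"]:
        print(finding)
```

Running the same audit with an empty allow-list after the entrustment ends flags any trust entry for Account B that is still in place.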


You can attach different policies to RAM users to control their access to different cloud resources.

The system policies supported by Express Connect include AliyunExpressConnectFullAccess and AliyunExpressConnectReadOnlyAccess.

| Policy name | Description | Scenario |
| --- | --- | --- |
| AliyunExpressConnectFullAccess | Permissions to manage Express Connect. | RAM users can log on to the Express Connect console and perform all operations in the console. RAM users can call all API operations of Express Connect. |
| AliyunExpressConnectReadOnlyAccess | Read-only permissions on Express Connect. | RAM users can log on to the Express Connect console and view all pages in the console. However, RAM users cannot perform add, create, or delete operations. RAM users can call the query API operations of Express Connect. |

In addition to the system policies described in the preceding table, Express Connect also supports custom policies. For more information about custom policies, see Policies and examples.