Managed Service for Grafana:Grant ARMS permissions to RAM users

Last Updated:Mar 11, 2026

Resource Access Management (RAM) lets you create separate user identities with scoped permissions, so your team can access Managed Service for Grafana without sharing your Alibaba Cloud account credentials. This avoids exposing your account's AccessKey pair -- a single point of compromise that puts all resources at risk.

With RAM users, you can:

  • Grant each team member only the permissions they need (least privilege).

  • Separate human users (console access) from programmatic users (API access).

Permission model

Managed Service for Grafana is a sub-service of Application Real-Time Monitoring Service (ARMS). Permissions are managed through RAM policies at the ARMS level.

ARMS provides two system policies:

  • AliyunARMSFullAccess (full access): View, edit, and delete instances across all ARMS sub-services, including Grafana. This policy already includes the read-only permissions, so do not also attach AliyunARMSReadOnlyAccess.

  • AliyunARMSReadOnlyAccess (read-only): View instance information across all ARMS sub-services. Cannot modify or delete any resources.

Important

To grant read-only access to all ARMS features within a specific resource group, attach both the AliyunARMSReadOnlyAccess policy and the ReadTraceApp permission to that resource group. Without ReadTraceApp, ARMS cannot display the application list for the authenticated resource group.

Prerequisites

Before you begin, make sure that you have:

  • An activated ARMS service. For more information, see Activate ARMS.

  • An activated RAM service. For more information, see Activate RAM.

Step 1: Create a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section, configure the following parameters:

    • Logon Name: Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: Up to 128 characters.

    • Tag: Click the edit icon to add one or more tag key-value pairs for managing the RAM user.

    Note

    Click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode. Select only one mode per RAM user to separate human identities from programmatic identities.

    • Console Access -- For team members who work in the Alibaba Cloud console using a username and password.

      • Set Console Password: Select Automatically Regenerate Default Password or Reset Custom Password. Custom passwords must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: Specify whether the RAM user must reset the password on next logon.

      • Enable MFA: Enable multi-factor authentication (MFA). After enabling, bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.

    • Using permanent AccessKey to access -- For applications and scripts that call APIs.

      When you select this mode (OpenAPI Access), the system automatically generates an AccessKey pair (an AccessKey ID and an AccessKey secret) for the RAM user. For more information, see Obtain an AccessKey pair.

      Important

      The AccessKey secret is displayed only at creation time. Copy and store it securely -- you cannot retrieve it later.

      An AccessKey pair is a permanent credential. If leaked, all resources under the account are at risk. For short-lived credentials, use Security Token Service (STS) tokens instead. For more information, see Best practices for using access credentials to call API operations.

  6. Click OK.

  7. Complete the security verification as prompted.

Step 2: Grant permissions to the RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. Find the target RAM user and click Add Permissions in the Actions column.

    Note

    To grant the same permissions to multiple RAM users at once, select the users first, then click Add Permissions at the bottom of the page.

  4. In the Grant Permission panel, configure the following parameters:

    1. Resource Scope -- Choose the scope of the authorization:

      • Account: The permissions apply to all resources under the current Alibaba Cloud account.

      • ResourceGroup: The permissions apply only to a specific resource group.

      Important

      If you select ResourceGroup, verify that the target cloud service supports resource groups. For more information, see Services that work with Resource Group. For a step-by-step example, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

    2. Principal -- Automatically set to the selected RAM user.

    3. Policy -- Select one or more policies to attach:

      • System policies: Predefined by Alibaba Cloud. You can use but cannot modify them. For more information, see Services that work with RAM.

        Note

        The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless necessary.

      • Custom policies: Policies you create and maintain. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.
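The permission model above and the Resource Scope and Policy parameters in Step 2 give three rules that are easy to get wrong when permissions are granted by hand: AliyunARMSFullAccess already contains the read-only permissions, read-only access scoped to a resource group also needs ReadTraceApp on that resource group, and AdministratorAccess and AliyunRAMFullAccess are flagged as high-risk. The following script is an added example, not code from the original page or from the RAM console; it reviews a planned list of attachments against those rules before you click Grant permissions. The Attachment model, the finding codes, the modelling of ReadTraceApp as an attachment on a resource group, and the sample attachments are constructed for illustration.

```python
# Added example (not part of the original page or the RAM console): review a
# planned set of RAM policy attachments for an ARMS user against the rules the
# page states. The Attachment model, the finding codes and the sample data are
# constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policies the page says the console flags as high-risk.
HIGH_RISK_POLICIES = {"AdministratorAccess", "AliyunRAMFullAccess"}


@dataclass(frozen=True)
class Attachment:
    policy: str                           # policy name, or "ReadTraceApp" (modelling assumption)
    scope: str                            # "Account" or "ResourceGroup", as in the Grant Permission panel
    resource_group: Optional[str] = None  # resource group ID when scope == "ResourceGroup"


def review_attachments(attachments: List[Attachment]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no issue was found."""
    findings: List[Tuple[str, str]] = []
    policies = {a.policy for a in attachments}

    # Rule 1: AliyunARMSFullAccess already includes the read-only permissions.
    if {"AliyunARMSFullAccess", "AliyunARMSReadOnlyAccess"} <= policies:
        findings.append(("redundant",
                         "AliyunARMSReadOnlyAccess is already included in AliyunARMSFullAccess"))

    for a in attachments:
        if a.scope not in ("Account", "ResourceGroup"):
            findings.append(("invalid", f"{a.policy}: unknown scope {a.scope!r}"))
            continue
        if a.scope == "ResourceGroup" and not a.resource_group:
            findings.append(("invalid", f"{a.policy}: ResourceGroup scope without a resource group ID"))
            continue
        # Rule 2: read-only access within a resource group also needs ReadTraceApp
        # on that resource group, or ARMS cannot display the application list.
        if a.policy == "AliyunARMSReadOnlyAccess" and a.scope == "ResourceGroup":
            has_read_trace_app = any(
                b.policy == "ReadTraceApp" and b.resource_group == a.resource_group
                for b in attachments)
            if not has_read_trace_app:
                findings.append(("incomplete",
                                 f"AliyunARMSReadOnlyAccess on {a.resource_group} lacks ReadTraceApp"))
        # Rule 3: policies the console flags as high-risk grant far more than ARMS.
        if a.policy in HIGH_RISK_POLICIES:
            findings.append(("high-risk", f"{a.policy} grants far more than ARMS access"))
    return findings


# Constructed sample: one user whose attachments trigger each kind of finding.
SAMPLE_ATTACHMENTS = [
    Attachment("AliyunARMSFullAccess", "Account"),
    Attachment("AliyunARMSReadOnlyAccess", "Account"),
    Attachment("AliyunARMSReadOnlyAccess", "ResourceGroup", "rg-constructed-example"),
    Attachment("AdministratorAccess", "Account"),
]

if __name__ == "__main__":
    for code, message in review_attachments(SAMPLE_ATTACHMENTS):
        print(f"[{code}] {message}")
```

Run it against the attachments you intend to grant; an empty result means the set is consistent with the rules on this page, and a "high-risk" finding is the point at which to ask whether a narrower ARMS policy would do.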

Log on as a RAM user

After creating and authorizing the RAM user, share the logon credentials with the team member. The access method depends on the access mode you configured.

Console access

  1. Go to the RAM User Logon page.

  2. Enter the RAM user logon name in one of the following formats, then click Next.

    • <UserName>@<AccountAlias>.onaliyun.com (for example, username@company-alias.onaliyun.com): the default domain name. For more information, see Terms and View and modify the default domain name.

    • <UserName>@<AccountAlias> (for example, username@company-alias): the account alias. For more information, see Terms.

    • <UserName>@<DomainAlias> (for example, username@example.com): a custom domain alias. For more information, see Terms and Create and verify a domain alias.

  3. Enter the logon password and click Log On.

  4. (Optional) If MFA is enabled, complete the MFA verification. For more information, see MFA overview and Bind an MFA device to a RAM user.
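The three logon formats above, together with the Logon Name rule from Step 1 (up to 64 characters; letters, digits, periods, hyphens and underscores), are enough to validate logon strings before they are handed to a team member or stored in an onboarding record. The parser below is an added example, not code from the original page; it is not an Alibaba Cloud API. One assumption is labelled in the code: an account alias is told apart from a custom domain alias by the absence of a dot, which matches the page's examples but is not a rule the page states.

```python
# Added example (not part of the original page): parse and validate RAM user
# logon names in the three formats the page lists, applying the Logon Name
# rule from Step 1. The dot-based distinction between an account alias and a
# custom domain alias is an assumption made here for illustration.
import re
from typing import Tuple

# Logon Name rule from Step 1: 1-64 characters from letters, digits, . - _
LOGON_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
DEFAULT_DOMAIN_SUFFIX = ".onaliyun.com"


def is_valid_logon_name(name: str) -> bool:
    """True when the user-name part satisfies the Logon Name constraints."""
    return LOGON_NAME_RE.fullmatch(name) is not None


def parse_logon(logon: str) -> Tuple[str, str, str]:
    """Split a console logon string into (format, user_name, alias_or_domain).

    format is "default-domain", "account-alias" or "domain-alias".
    Raises ValueError for strings that match none of the three formats.
    """
    if logon.count("@") != 1:
        raise ValueError("logon must contain exactly one '@'")
    user_name, right = logon.split("@")
    if not is_valid_logon_name(user_name):
        raise ValueError(f"invalid logon name: {user_name!r}")
    if not right:
        raise ValueError("missing alias or domain after '@'")
    if right.endswith(DEFAULT_DOMAIN_SUFFIX):
        alias = right[: -len(DEFAULT_DOMAIN_SUFFIX)]
        if not alias:
            raise ValueError("missing account alias before the default domain")
        return ("default-domain", user_name, alias)
    if "." in right:
        # Assumption: a custom domain alias contains a dot (example.com),
        # while an account alias (company-alias) does not.
        return ("domain-alias", user_name, right)
    return ("account-alias", user_name, right)


def is_valid_logon(logon: str) -> bool:
    """Boolean wrapper around parse_logon for quick checks."""
    try:
        parse_logon(logon)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("username@company-alias.onaliyun.com",
                   "username@company-alias",
                   "username@example.com",
                   "user@name@example.com"):
        print(sample, "->", parse_logon(sample) if is_valid_logon(sample) else "invalid")
```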

API access

To call API operations as the RAM user, specify the RAM user's AccessKey ID and AccessKey secret in your requests. For more information about RAM-related terms, see Terms.