You can create a RAM user as an account administrator to perform cloud operations instead of using your root user. The account administrator has the AdministratorAccess permission and can manage all cloud resources in your account.
Why create an account administrator
An Alibaba Cloud account, also known as the root user, has unrestricted access to all resources in the account, and this level of permission cannot be reduced. If the root user is shared, tracing actions in audit logs to a specific individual becomes difficult. Leaked credentials also pose a significant, hard-to-track security risk. As a security best practice, do not use your root user for daily management and operational tasks. Instead, create a RAM user, grant it the AdministratorAccess permission, and use it as an account administrator. This user can manage all cloud resources while mitigating the risks associated with the root user. You can create separate administrator accounts for different personnel and immediately freeze a compromised account.
Create an account administrator
Quick creation
Step 1: Create and authorize the administrator
- Sign in to the RAM console as the root user. On the Overview page, click Get Started > Account Administrator.
- Review the configuration parameters for the Account Administrator and click Perform.
By default, console access is enabled for the account administrator, and the AdministratorAccess system policy is attached. This gives the user permission to manage all cloud resources. The default username is administrator, and the Reset password at next logon option is selected.
- After the configuration is complete, save the RAM username and password for the account administrator.
After creating the account administrator, you can modify its settings in the RAM console.
Step 2: Sign in as a RAM user
- Use the newly created RAM user to sign in to the Alibaba Cloud Management Console.
Note: The sign-in page for a RAM user is different from the sign-in page for a root user. For more information, see Sign in to the Alibaba Cloud Management Console as a RAM user.
- On the RAM User Logon page, enter the RAM username and click Next.
- Enter the password for the RAM user and click Log On.
Note: To enhance the security of your RAM user, you can bind an MFA device for secondary authentication during console sign-ins or when you perform sensitive operations. This provides an extra layer of protection beyond a username and password. For more information, see Bind an MFA device for a RAM user.
Manual creation
Step 1: Create a RAM user
- Sign in to the RAM console as the root user. In the left-side navigation pane, choose Identities > Users. Then, click Create User.
- Create a RAM user. In the User Account Information section, set the Logon Name and Display Name to administrator. In the Access Mode section, select Console Access. For the password settings, select Automatically generate password, and select the Reset password at next logon checkbox. For Multi-factor Authentication (MFA), select MFA is required. Then, click OK.
- Complete the security verification as prompted on the screen.
Step 2: Grant permissions
- On the Users page, find the target RAM user and click Actions in the Grant Permissions column.
- In the Grant Permission panel, attach the AdministratorAccess system policy to the RAM user. This permission policy allows the user to manage all cloud resources. Set Resource Scope to Account Level. Then, click Confirm Authorization.
Step 3: Sign in as a RAM user
- Use the newly created RAM user to sign in to the Alibaba Cloud Management Console.
Note: The sign-in page for a RAM user is different from the sign-in page for a root user. For more information, see Sign in to the Alibaba Cloud Management Console as a RAM user.
- On the RAM User Logon page, enter the RAM username and click Next.
- Enter the password for the RAM user and click Log On.
Note: To enhance the security of your RAM user, you can bind an MFA device for secondary authentication during console sign-ins or when you perform sensitive operations. This provides an extra layer of protection beyond a username and password. For more information, see Bind an MFA device for a RAM user.
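As an added example (not Alibaba Cloud's own code), the following Python script checks that a RAM user ends up in the state both the quick and the manual procedure above describe: the AdministratorAccess system policy attached, password reset at next logon, and MFA required. It assumes the response shapes of the RAM API actions GetLoginProfile and ListPoliciesForUser and, for live use, an installed and configured aliyun CLI; the sample responses are constructed.

```python
import json
import subprocess

# Constructed sample, shaped like the RAM API GetLoginProfile response (assumption).
SAMPLE_LOGIN_PROFILE = {
    "LoginProfile": {
        "UserName": "administrator",
        "PasswordResetRequired": True,
        "MFABindRequired": False,  # deliberately weak: MFA not enforced
    }
}

# Constructed sample, shaped like the RAM API ListPoliciesForUser response (assumption).
SAMPLE_POLICIES = {
    "Policies": {"Policy": [{"PolicyName": "AdministratorAccess", "PolicyType": "System"}]}
}


def audit_account_administrator(login_profile, policies):
    """Compare one RAM user's logon profile and attached policies with the
    configuration this page recommends. Returns a list of findings; an
    empty list means the user matches."""
    findings = []
    profile = login_profile.get("LoginProfile", {})
    attached = {
        (p.get("PolicyType"), p.get("PolicyName"))
        for p in policies.get("Policies", {}).get("Policy", [])
    }
    if ("System", "AdministratorAccess") not in attached:
        findings.append("AdministratorAccess system policy is not attached")
    if not profile.get("PasswordResetRequired", False):
        findings.append("Reset password at next logon is not enabled")
    if not profile.get("MFABindRequired", False):
        findings.append("MFA is not required for console sign-in")
    return findings


def audit_live(user_name="administrator"):
    """Fetch the real responses with the Alibaba Cloud CLI (assumes `aliyun`
    is installed and configured with credentials allowed to read RAM)."""
    def call(action):
        out = subprocess.check_output(["aliyun", "ram", action, "--UserName", user_name])
        return json.loads(out)
    return audit_account_administrator(call("GetLoginProfile"), call("ListPoliciesForUser"))


if __name__ == "__main__":
    for finding in audit_account_administrator(SAMPLE_LOGIN_PROFILE, SAMPLE_POLICIES):
        print("FINDING:", finding)
```

Run it periodically as part of an account review; any non-empty finding list means the administrator user has drifted from the configuration set up above.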