PowerUserAccess is a service system policy that is managed by Alibaba Cloud. You can attach the PowerUserAccess policy to a Resource Access Management (RAM) identity, such as a RAM user, RAM user group, and RAM role. The PowerUserAccess policy: Provides full access to Alibaba Cloud services and resources, but does not allow managing RAM identities and their permissions, managing resource directories and resource sharing relationships, or modifying funds account information.
Policy details
Type: service system policy
Creation time: 09:48:58 on June 27, 2025
Update time: 02:26:00 on September 17, 2025
Current version: v2
Policy content
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"ram:*",
"ims:*",
"resourcemanager:*",
"resourcesharing:*",
"cloudsso:*",
"bss:ModifyAccount",
"bss:ModifyBillingAccount",
"bss:ModifyPaymentRelationship",
"bssapi:ModifyAccountRelation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ram:ListUserBasicInfos",
"ram:ListRoles",
"ram:CreateServiceLinkedRole",
"ram:DeleteServiceLinkedRole",
"ram:GetServiceLinkedRoleDeletionStatus",
"ram:CheckServiceLinkedRoleExistence",
"resourcemanager:GetAccount",
"resourcemanager:GetFolder",
"resourcemanager:GetResourceDirectory",
"resourcemanager:ListAccounts",
"resourcemanager:ListFoldersForParent",
"resourcemanager:ListAccountsForParent"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ram:CreateResourceGroup",
"ram:DeleteResourceGroup",
"ram:UpdateResourceGroup",
"ram:LookupResourceGroupEvents",
"ram:EnableAssociatedTransfer",
"ram:DisableAssociatedTransfer",
"ram:UpdateAssociatedTransferSetting",
"ram:ListAssociatedTransferSetting",
"resourcemanager:EnableAutoGrouping",
"resourcemanager:DisableAutoGrouping",
"resourcemanager:UpdateAutoGroupingConfig",
"resourcemanager:GetAutoGroupingStatus",
"resourcemanager:CreateAutoGroupingRule",
"resourcemanager:DeleteAutoGroupingRule",
"resourcemanager:UpdateAutoGroupingRule",
"resourcemanager:ListAutoGroupingRules",
"resourcemanager:GetAutoGroupingRule",
"resourcemanager:EnableResourceGroupNotification",
"resourcemanager:DisableResourceGroupNotification",
"resourcemanager:GetResourceGroupNotificationSetting",
"resourcemanager:UpdateResourceGroupAdminSetting",
"resourcemanager:GetResourceGroupAdminSetting"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ram:CreateRole",
"ram:AttachPolicyToRole"
],
"Resource": "acs:ram:*:*:role/*",
"Condition": {
"ForAllValues:StringEquals": {
"ram:TrustedPrincipalTypes": "Service"
}
}
},
{
"Effect": "Allow",
"Action": [
"ram:AttachPolicyToRole",
"ram:ListPolicies"
],
"Resource": "acs:ram:*:system:policy/*"
},
{
"Effect": "Allow",
"Action": [
"ram:TagResources",
"ram:UntagResources",
"ram:ListTagResources"
],
"Resource": "acs:ram:*:*:resourcegroup/*"
}
]
}