
Resource Access Management: Create an account administrator

Last Updated: Dec 25, 2023

An Alibaba Cloud account has full management permissions on the resources within the account. You cannot restrict an Alibaba Cloud account with conditions such as source IP addresses or access time periods. If multiple users share an Alibaba Cloud account, audit logs cannot attribute an operation to a specific user. If the Alibaba Cloud account is disclosed, security risks may occur. We recommend that you do not use an Alibaba Cloud account to perform daily O&M operations.

Instead, create a Resource Access Management (RAM) user in RAM and attach the AdministratorAccess policy to the RAM user. You can then use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account, and use the account administrator to create multiple RAM users for permission management. You can create an account administrator by using the quick configuration or manual configuration method.

Quick configuration

Step 1: Create a RAM user and grant permissions to the RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. On the Overview page, click the Get Started tab.

  3. Click Account Administrator.

  4. View or modify the configuration information about the account administrator.

    By default, console access is enabled for the account administrator, and the system policy AdministratorAccess is attached to the account administrator. The account administrator has the permissions to manage all Alibaba Cloud resources.

  5. Click Perform.

  6. View the configuration progress. After the configuration is complete, save the username and password of the account administrator.

Note

You can modify the configurations of the account administrator that is created by using the quick configuration method in the RAM console.

Step 2: Log on to the Alibaba Cloud Management Console as the account administrator

  1. Log on to the Alibaba Cloud Management Console with the account administrator.

    Note

    The logon portal for a RAM user is different from the logon portal for an Alibaba Cloud account. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. On the RAM User Logon page, enter the username of the account administrator and click Next.

  3. Enter the logon password and click Log On.

  4. Optional. If you enable multi-factor authentication (MFA), enter the verification code that is provided by the virtual MFA device or configure settings to pass the Universal 2nd Factor (U2F) authentication.

Manual configuration

Step 1: Create a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program. In this example, Console Access is selected.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. After you enable console access, you must configure the following parameters:

      • Set Logon Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MFA: specifies whether to enable MFA for the RAM user. For more information, see What is multi-factor authentication? After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user. We recommend that you enable MFA.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

      Important

      An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

  6. Click OK.

  7. Complete security verification as prompted.

Step 2: Grant permissions to the RAM user

  1. On the Users page, find the RAM user that you created in Step 1 and click Add Permissions in the Actions column.

  2. In the Add Permissions panel, grant permissions to the RAM user.

    1. Specify the Authorized Scope parameter.

      • Alibaba Cloud Account: The permissions take effect on all resources of the current Alibaba Cloud account. In this example, Alibaba Cloud Account is selected.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you set the Authorized Scope parameter to Specific Resource Group, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the Principal parameter.

      The principal is the RAM user to whom you want to grant permissions.

    3. Select policies in the Select Policy section.

      In this example, the system policy AdministratorAccess is selected, which grants the permissions to manage all Alibaba Cloud resources.

  3. Click OK.

  4. Click Complete.
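
A review check for the settings chosen in Steps 1 and 2, added here as an example and not taken from Alibaba Cloud documentation or tooling: it audits RAM user records against the logon-name and display-name limits, the one-access-mode recommendation and the MFA recommendation, and lists who holds AdministratorAccess. The record layout (field names) and the sample users are constructed for illustration and are not a RAM export format.

```python
import re

# Step 1 rule: logon name is 1-64 characters of letters, digits, '.', '-', '_' (ASCII letters assumed).
LOGON_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
ADMIN_POLICY = "AdministratorAccess"  # system policy named on this page

def audit_ram_user(user):
    """Return the findings for one RAM user record (hypothetical dict layout)."""
    findings = []
    if not LOGON_NAME_RE.fullmatch(user.get("logon_name", "")):
        findings.append("invalid-logon-name")
    if len(user.get("display_name", "")) > 128:
        findings.append("display-name-too-long")
    console = bool(user.get("console_access"))
    openapi = bool(user.get("openapi_access"))
    if console and openapi:
        # The page recommends one access mode per user (individual vs. program).
        findings.append("mixed-access-modes")
    if console and not user.get("mfa_enabled"):
        findings.append("console-without-mfa")
    return findings

def audit_inventory(users):
    """Map logon name -> findings, listing only users that have findings."""
    report = {}
    for user in users:
        findings = audit_ram_user(user)
        if findings:
            report[user.get("logon_name", "")] = findings
    return report

def administrators(users):
    """Logon names of users that hold AdministratorAccess, for periodic review."""
    return [u["logon_name"] for u in users if ADMIN_POLICY in u.get("policies", [])]

# Constructed sample inventory; field names are assumptions made for this example.
SAMPLE_USERS = [
    {"logon_name": "acct-admin", "display_name": "Account Administrator", "console_access": True,
     "openapi_access": False, "mfa_enabled": True, "policies": [ADMIN_POLICY]},
    {"logon_name": "deploy.bot", "display_name": "CI deployer", "console_access": True,
     "openapi_access": True, "mfa_enabled": False, "policies": [ADMIN_POLICY]},
    {"logon_name": "ops user!", "display_name": "x" * 129, "console_access": True,
     "openapi_access": False, "mfa_enabled": True, "policies": []},
]

if __name__ == "__main__":
    print(audit_inventory(SAMPLE_USERS))
    print("administrators:", administrators(SAMPLE_USERS))
```
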

Step 3: Log on to the Alibaba Cloud Management Console as the RAM user

  1. Log on to the Alibaba Cloud Management Console with the account administrator.

    Note

    The logon portal for a RAM user is different from the logon portal for an Alibaba Cloud account. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. On the RAM User Logon page, enter the username of the account administrator and click Next.

  3. Enter the logon password and click Log On.

  4. Optional. If you enable multi-factor authentication (MFA), enter the verification code that is provided by the virtual MFA device or configure settings to pass the Universal 2nd Factor (U2F) authentication.