
Resource Access Management:Identify overprivileged access

Last Updated: Jun 20, 2026

This topic describes how to use the overprivileged access analyzer to identify identities with excessive permissions in your resource directory or current account.

Overview

What is the overprivileged access analyzer

The overprivileged access analyzer identifies and displays identities with excessive permissions in your resource directory or current account. It continuously monitors all RAM identities (RAM users and RAM roles) in your resource directory or current account and generates findings for identities that have overprivileged access. Findings include super administrator users/roles, privileged users/roles, inactive users/roles, and overprivileged users/roles. Each finding also provides details about the permissions granted to the identity and the most recent access activity for those permissions.

  • Super administrator users/roles: RAM identities (RAM users or RAM roles) that have full resource management permissions in the account. For example, a RAM user or RAM role granted the AdministratorAccess policy.

  • Privileged users/roles: RAM identities (RAM users or RAM roles) that hold high-risk privileges. These identities can often escalate their own permissions or those of other RAM identities to gain higher access privileges. For the current list of supported privileges, see Privilege list.

  • Inactive users/roles: RAM identities (RAM users or RAM roles) that have had no permission-related activity during the specified Unused Access Age.

  • Overprivileged users/roles: RAM identities (RAM users or RAM roles) that hold service-level or action-level permissions unused during the specified Unused Access Age.

Supported scope of the overprivileged access analyzer

The overprivileged access analyzer reviews permission audit data for all RAM identities (excluding service-linked roles) in your resource directory or current account and uses this data to generate findings. The permission audit feature provides information about the permissions granted to each RAM identity and the most recent time those permissions were used. Therefore, the policy types, Alibaba Cloud services, and audit granularity supported by the overprivileged access analyzer match those of the permission audit feature. For details, see Permission audit overview.

Create an overprivileged access analyzer

  1. Log on to the Resource Access Management (RAM) console as a RAM administrator.

  2. In the navigation pane on the left, choose Access Analysis > Analyzers.

  3. Click Create Analyzer, set the analysis type to Over-privileged Access, enter an analyzer name, configure the unused access period and analysis scope, then click Create analyzer.

    The Unused Access Age defines the timeframe for determining unused permissions. Valid values range from 1 to 180 days. The default value is 90 days. For example, if you set the Unused Access Age to 90, any permission unused for more than 90 days is considered inactive.

    Note

    You can create analyzers with an analysis scope of Resource Directory only when you are logged on with the management account of the resource directory.

    Select a region when creating the analyzer (findings are not affected by region). After creation, the system automatically creates the service-linked role AliyunServiceRoleForAccessAnalyzer.

After you create the analyzer, it begins scanning RAM identities and their permissions. Wait a few moments before viewing the findings.
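As an added example (not part of this topic and not Alibaba Cloud's implementation), the following Python applies the four finding categories and the Unused Access Age threshold described above to constructed permission-audit records, the way a practitioner might sanity-check findings before archiving them. The precedence among categories, the `Identity` structure and the sample identities are assumptions made here; the high-risk actions are a subset of this page's Privilege list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Subset of the high-risk actions in this page's Privilege list.
PRIVILEGED_ACTIONS = {"ram:AttachPolicyToUser", "ram:CreateAccessKey",
                      "ram:SetDefaultPolicyVersion", "cloudsso:CreateAccessAssignment"}
ADMIN_POLICIES = {"AdministratorAccess"}  # full resource management permissions

@dataclass
class Identity:  # kind is "user" or "role"; granted maps action -> last access (None = never)
    name: str
    kind: str
    policies: set
    granted: dict

def _recently_used(identity, unused_access_age_days, now):
    # Actions used inside the Unused Access Age window (1-180 days, default 90).
    cutoff = now - timedelta(days=unused_access_age_days)
    return {a for a, t in identity.granted.items() if t is not None and t >= cutoff}

def accessed_granted_services(identity, unused_access_age_days=90, now=None):
    # (accessed, granted) service counts, like the console's Accessed/Granted services column.
    used = _recently_used(identity, unused_access_age_days, now or datetime.now(timezone.utc))
    return (len({a.split(":")[0] for a in used}),
            len({a.split(":")[0] for a in identity.granted}))

def classify(identity, unused_access_age_days=90, now=None):
    # Finding type for one identity. Precedence is an assumption made here:
    # super administrator > privileged > inactive > overprivileged > no finding.
    used = _recently_used(identity, unused_access_age_days, now or datetime.now(timezone.utc))
    suffix = " user" if identity.kind == "user" else " role"
    if identity.policies & ADMIN_POLICIES:
        return "Super administrator" + suffix
    if set(identity.granted) & PRIVILEGED_ACTIONS:
        return "Privileged" + suffix
    if not used:                       # no permission-related activity in the window
        return "Inactive" + suffix
    if set(identity.granted) - used:   # granted actions that went unused in the window
        return "Overprivileged" + suffix
    return None

# Constructed sample audit data; NOW is fixed so the results are reproducible.
NOW = datetime(2026, 6, 20, tzinfo=timezone.utc)
DEPLOY_ROLE = Identity("deploy-role", "role", set(), {
    "ecs:StartInstance": NOW - timedelta(days=5),
    "oss:GetObject": NOW - timedelta(days=3),
    "oss:PutObject": NOW - timedelta(days=120),  # unused at 90 days, used at 180
})
LEGACY_USER = Identity("legacy-user", "user", set(),
                       {"oss:GetObject": NOW - timedelta(days=200), "ecs:StartInstance": None})
```

`classify(DEPLOY_ROLE, now=NOW)` returns `Overprivileged role` at the default 90 days but `None` at `unused_access_age_days=180`, even though its service-level ratio is 2/2 in both cases, which is why the action-level comparison table on the finding details page matters.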

View and manage overprivileged access findings

View findings

You can view findings on the Analyzers or Findings page.

On the analyzer details page, the Basic information section shows the analyzer name, status, analysis type (such as Overprivileged), analysis scope (such as Current account), creation time, ARN, last analysis time, and unused access period (for example, 90 days). Below this section are two tabs: Findings and Archive rules. On the Findings tab, filter by Finding status (such as Pending) to view a table that lists finding ID, resource, resource owner, accessed/granted services, finding status, update time, and actions. Each row indicates the finding type (for example, Inactive role or Privileged user).

Analysis Results page:

  • Graphical view

    The Data Overview tab shows statistics for Pending findings, including counts and percentages for categories such as super administrator users, super administrator roles, privileged users, privileged roles, inactive users, inactive roles, overprivileged users, and overprivileged roles. A donut chart visualizes the distribution across these categories.

    For ResourceDirectory: The top five member accounts with the highest number of pending findings in the resource directory are also displayed.

  • List style

    On the Access analytics > Findings page, select a target analyzer on the left (for example, Test-1 of type Overprivileged) and switch to the Findings list tab on the right. Filter results using criteria such as Finding status equal to Pending. The findings table includes columns for Finding ID, Resource, Resource owner, Accessed/Granted services, Finding status, Update time, and Actions. It displays findings for inactive roles along with counts of accessed and granted services. You can perform the Archive finding action on any result.

Filter findings

You can filter findings by multiple criteria such as resource, resource type, resource owner, finding status, and finding type to quickly locate relevant results.

Note

The available filter options depend on what is shown in the console interface.

For example, to quickly view overprivileged access findings for RAM users:

Set Filter key to Resource type, Match method to Equals, and Filter value to Resource Access Management - User. Add another condition where Finding status equals Pending, then click the search button to apply the filters.

The query results may include Super User, Privileged User, Inactive User, and Over-Privileged User. To narrow results further, add another filter condition (Filter key set to Finding type, Match method set to Equals) to show only findings of type Over-Privileged User.

View finding details

In the findings list, click a Finding ID to view its details.

The finding details page has two sections: basic information and detailed information. The basic information section shows fields such as Finding type, Finding status, Resource type, and Analyzer name. The detailed information section shows the identity’s Creation time, Last access time, and the ratio of Accessed/Granted services. At the bottom, a table compares accessed and granted actions by service. A Rescan button appears in the upper-right corner.

For each finding, you can:

  • If the permission behavior matches your expectations, click Archive to archive it immediately.

  • If the permission behavior does not match your expectations, click Go for Governance (for resources in the current account) or Copy Resource URL (for resources outside the current account) to navigate to the appropriate page for remediation.

Automatically archive the findings

In addition to manually archiving individual findings, you can create archive rules to automatically archive findings that do not require governance.

Create and save archive rules on the Findings page. New findings that match a rule's criteria are automatically archived.

On the Findings List page, set filter criteria by using the filter key, match type, and filter value dropdowns, then click Save as Archive Rule.

This rule does not apply to existing findings. To apply it retroactively, go to the details page of the analyzer and click Apply Archive Rule in the Actions column of the archive rules list.

Privilege list

RAM identities (RAM users or RAM roles) with high-risk operation permissions are identified as privileged users/roles. The following list groups the currently supported privilege actions by cloud product.

Cloud Products / High-risk operation

Access Control:

  • ram:AddUserToGroup
  • ram:AttachPolicyToGroup
  • ram:AttachPolicyToRole
  • ram:AttachPolicyToUser
  • ram:CreateAccessKey
  • ram:CreatePolicyVersion
  • ram:DeletePolicy
  • ram:DeletePolicyVersion
  • ram:DetachPolicyFromGroup
  • ram:DetachPolicyFromRole
  • ram:DetachPolicyFromUser
  • ram:RemoveUserFromGroup
  • ram:SetDefaultPolicyVersion
  • ram:UpdateAccessKey
  • ram:UpdateRole
  • ram:CreateLoginProfile
  • ram:UpdateLoginProfile
  • ram:SetSecurityPreference
  • ram:RestoreAccessKeyFromRecycleBin
  • ram:SetUserSsoSettings
  • ram:CreateSAMLProvider
  • ram:UpdateSAMLProvider
  • ram:UpdateOIDCProvider
  • ram:AddClientIdToOIDCProvider
  • ram:AddFingerprintToOIDCProvider

Resource Management:

  • ram:AttachPolicy
  • ram:DetachPolicy
  • resourcemanager:EnableResourceDirectory
  • resourcemanager:CreateResourceAccount
  • resourcemanager:InviteAccountToResourceDirectory
  • resourcemanager:UpdateAccount
  • resourcemanager:DisableControlPolicy
  • resourcemanager:UpdateControlPolicy
  • resourcemanager:DeleteControlPolicy
  • resourcemanager:AttachControlPolicy
  • resourcemanager:DetachControlPolicy
  • resourcemanager:RegisterDelegatedAdministrator

CloudSSO:

  • cloudsso:EnableDelegateAccount
  • cloudsso:UpdateUserStatus
  • cloudsso:ResetUserPassword
  • cloudsso:SetLoginPreference
  • cloudsso:AddUserToGroup
  • cloudsso:RemoveUserFromGroup
  • cloudsso:SetExternalSAMLIdentityProvider
  • cloudsso:AddExternalSAMLIdPCertificate
  • cloudsso:AddPermissionPolicyToAccessConfiguration
  • cloudsso:RemovePermissionPolicyFromAccessConfiguration
  • cloudsso:UpdateInlinePolicyForAccessConfiguration
  • cloudsso:ProvisionAccessConfiguration
  • cloudsso:DeprovisionAccessConfiguration
  • cloudsso:CreateAccessAssignment
  • cloudsso:DeleteAccessAssignment
  • cloudsso:CreateSCIMServerCredential
  • cloudsso:UpdateSCIMServerCredentialStatus
  • cloudsso:SetSCIMSynchronizationStatus