This topic introduces the basic concepts that are used in Resource Access Management (RAM).
Terms for identity management
Alibaba Cloud account
Before you use Alibaba Cloud services, you must create an Alibaba Cloud account. The Alibaba Cloud account is the owner of Alibaba Cloud resources. The Alibaba Cloud account is charged for all the resources that it owns. The Alibaba Cloud account has full control over the resources.
By default, only the Alibaba Cloud account can access Alibaba Cloud resources. Other users can access resources only after being explicitly authorized by the Alibaba Cloud account. The Alibaba Cloud account is similar to the administrator or root user of an operating system.
To ensure the security of the Alibaba Cloud account, we recommend that you do not use the Alibaba Cloud account to log on to the Alibaba Cloud Management Console and do not create an AccessKey pair for the Alibaba Cloud account. Instead, create a RAM user under the Alibaba Cloud account, grant the RAM user administrative permissions, and use the RAM user to manage resources. A compromised RAM user can be disabled or deleted; a compromised Alibaba Cloud account cannot be constrained by RAM policies.
RAM provides three types of identities: RAM user, RAM user group, and RAM role. RAM users and RAM user groups are physical identities. RAM roles are virtual identities.
default domain name
A unique identifier of an Alibaba Cloud account. Alibaba Cloud assigns a default domain name to each Alibaba Cloud account. The format of the default domain name is
For more information, see View and modify the default domain name.
account alias
The alias of an Alibaba Cloud account. An account alias is also called an enterprise alias. The default value of an account alias is the
If an enterprise sets the alias of its Alibaba Cloud account to company1, the RAM user alice that belongs to the Alibaba Cloud account can use alice@company1 to log on to the Alibaba Cloud Management Console.
For more information, see View and modify the default domain name.
domain alias
A custom domain name that you can use in place of the default domain name. The custom domain name must be publicly resolvable. A domain alias is an alias of the default domain name.
A custom domain can be used as a domain alias only after the ownership of the custom domain is verified. After the ownership is verified, you can use the domain alias to replace the default domain name in all scenarios in which the default domain name is required.
For more information, see Create and verify a domain alias.
RAM user
A physical identity that has a fixed ID and its own credentials. A RAM user represents a person or an application. A RAM user has the following characteristics:
For more information, see Create a RAM user.
logon password
An identity credential that is used to log on to the Alibaba Cloud Management Console.
You cannot query the logon password. We recommend that you change your password on a regular basis and keep your password confidential.
AccessKey pair
An identity credential that is used to authenticate API requests. Each AccessKey pair consists of an AccessKey ID and an AccessKey secret. You can use your AccessKey pair, directly or through an Alibaba Cloud SDK, to sign the API requests that you send to Alibaba Cloud. The AccessKey secret is a shared symmetric key: the client uses it to compute a signature (a keyed hash) over each request, and Alibaba Cloud recomputes the signature with its own copy of the secret to verify the caller's identity. The secret itself is never transmitted. After the identity is verified, you can manage Alibaba Cloud resources by calling operations.
An AccessKey ID is always used together with an AccessKey secret. The AccessKey ID identifies the user and is sent in every request. The AccessKey secret proves that the caller possesses the credential; anyone who obtains the secret can act as that user, so it must be kept confidential.
The AccessKey secret is displayed only when you create an AccessKey pair and cannot be queried afterwards. Save it at creation time in a secrets manager or an environment variable rather than in source code or container images, and rotate it on a regular basis.
For more information, see Create an AccessKey pair.
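To make the signing model concrete, the following is an added example (not code from the Alibaba Cloud documentation or SDKs) that signs a request with an HMAC derived from the AccessKey secret and then verifies it on a constructed server side. It is modeled on the RPC-style signature scheme (HMAC-SHA1 over a canonicalized query string, signing key = AccessKey secret followed by "&"); the credentials and parameters are constructed, and the exact canonicalization is an assumption of this example, so use an official SDK for real calls.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample credentials for the example; not real keys.
ACCESS_KEY_ID = "LTAI5tExampleAccessKeyId"
ACCESS_KEY_SECRET = "ExampleSecretThatNeverLeavesTheClient"


def percent_encode(value):
    # RFC 3986-style encoding: space -> %20, '*' -> %2A, '~' left unencoded.
    return (quote(str(value), safe="")
            .replace("+", "%20").replace("*", "%2A").replace("%7E", "~"))


def string_to_sign(method, params):
    # Parameters sorted by name, then the whole query string encoded once more.
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                         for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method, params, secret):
    # The secret is the HMAC key; only the resulting signature travels with the request.
    key = (secret + "&").encode()
    digest = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_request(action, extra, access_key_id, secret, timestamp=None, nonce=None):
    # Client side: common parameters, caller-specific parameters, then the signature.
    params = {
        "Action": action,
        "Format": "JSON",
        "Version": "2015-05-01",          # assumed API version for the example
        "AccessKeyId": access_key_id,     # identifies the caller; sent in the clear
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),   # replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params.update(extra)
    params["Signature"] = sign("GET", params, secret)
    return params


def verify(method, params, lookup_secret):
    # Server side (constructed): find the secret by AccessKeyId, recompute the
    # signature over every parameter except Signature, compare in constant time.
    received = params.get("Signature")
    secret = lookup_secret(params.get("AccessKeyId"))
    if received is None or secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return hmac.compare_digest(sign(method, unsigned, secret), received)


if __name__ == "__main__":
    req = build_signed_request("ListUsers", {"MaxItems": 10}, ACCESS_KEY_ID, ACCESS_KEY_SECRET)
    store = {ACCESS_KEY_ID: ACCESS_KEY_SECRET}
    print("valid:", verify("GET", req, store.get))
    req["MaxItems"] = "100"   # any change to a signed parameter invalidates the signature
    print("tampered valid:", verify("GET", req, store.get))
```

The verifying side never needs the secret on the wire: it looks the secret up by AccessKey ID and recomputes the HMAC, which is why the ID can be public while the secret must not be.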
multi-factor authentication (MFA)
A security enhancement that adds an extra layer of protection on top of your username and password. If MFA is enabled for a RAM user, the RAM user must perform the following operations when logging on to the Alibaba Cloud Management Console:
RAM user group
A physical identity that contains a group of RAM users. You can create RAM user groups to classify and authorize RAM users. This simplifies the management of RAM users and permissions.
RAM role
A virtual identity to which policies can be attached. A RAM role has no permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after it is assumed by a trusted entity. When a trusted entity assumes a RAM role, it obtains a Security Token Service (STS) token, which is a temporary credential with a limited validity period. The trusted entity then uses the STS token to access Alibaba Cloud resources as the RAM role, with the permissions granted by the policies attached to the role.
RAM roles are classified into the following types based on trusted entities:
service provider (SP)
An application that relies on an IdP for identity management and uses the user information provided by the IdP to deliver its services. In identity systems that are not based on SAML, such as OpenID Connect (OIDC), the SP is called the relying party (RP) of the IdP.
identity provider (IdP)
A RAM entity that provides identity management services. IdPs are classified into the following types:
Security Assertion Markup Language 2.0 (SAML 2.0)
A protocol designed for enterprise-level user identity authentication. SAML 2.0 defines the exchange of messages between an SP and an IdP and is the standard that enterprises most commonly use to implement single sign-on (SSO).
Alibaba Cloud supports SAML 2.0-based and OIDC-based SSO. This feature is also known as identity federation. Alibaba Cloud provides the following SSO methods:
The metadata file that is provided by your IdP, usually in XML format. The metadata file contains the logon URLs, the public key that the SP uses to verify SAML assertions, and the assertion format.
SAML assertion
A core element defined by the SAML protocol: the IdP's signed statement about an authenticated subject, carried in the authentication response. A SAML assertion can contain user attributes, such as the user name and group membership, that the SP uses to identify and authorize the user.
trust relationship
A mutual trust relationship between an SP and an IdP. In most cases, the trust relationship is established with a public and private key pair. The SP obtains the SAML metadata of a trusted IdP, which includes the IdP's public key, and uses that public key to verify the signature on each SAML assertion that the IdP issues. A valid signature proves that the assertion was issued by that IdP and was not modified in transit; an assertion whose signature does not verify must be rejected.
Terms for access control
permission
Indicates whether a user is allowed to perform specific operations on a specific Alibaba Cloud resource. A permission is either Allow or Deny.
Operations include the following two types:
policy
A set of permissions described using the policy structure and syntax. A policy specifies the authorized resource set, the authorized operation set, and the conditions under which the authorization applies. The policy language is a simple specification for describing a set of permissions. For more information, see Policy structure and syntax.
In RAM, a policy is a resource entity. RAM supports the following two types of policy:
You can attach one or more policies to RAM users, RAM user groups, and RAM roles. For more information, see Grant permissions to RAM users, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
The subject to which a specific permission is granted. The authorized principal can be a RAM user, RAM user group, or RAM role.
effect
The authorization effect. The effect is a basic element of a policy. Valid values are Allow and Deny. If a request matches both a Deny statement and an Allow statement, the Deny takes precedence.
action
The operation to be performed on a specific Alibaba Cloud resource. The action is a basic element of a policy. Valid values are operation names of Alibaba Cloud services, written as the service name followed by the operation name.
condition
The condition under which the authorization takes effect, such as the source IP address of the request. The condition is a basic element of a policy.
resource
A manageable object that is provided by an Alibaba Cloud service. For example, OSS buckets and ECS instances are resources.
Alibaba Cloud Resource Name (ARN)
A globally unique name that is used to identify a resource in Alibaba Cloud. When you grant permissions on a resource, you must specify the ARN of the resource in the
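As an added example of how the effect, action, resource and condition elements combine (not code from the RAM documentation or from the RAM service), the following evaluator applies the rules a practitioner relies on when reading a policy: access is denied by default, a matching Deny statement overrides any Allow, and '*' and '?' wildcards are matched in actions and ARNs. The policies, ARNs and the two condition operators shown (StringEquals, and IpAddress on acs:SourceIp) are constructed for illustration, and case-sensitive matching is an assumption of this example.

```python
import ipaddress
import json
import re

# Constructed example policies; element names follow the RAM policy structure.
POLICIES = [json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:Get*", "oss:ListObjects"],
     "Resource": "acs:oss:*:*:example-bucket/*"},
    {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "oss:GetObject",
     "Resource": "acs:oss:*:*:example-bucket/secrets/*"},
    {"Effect": "Allow", "Action": "ram:List*", "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}}
  ]
}""")]


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    # '*' matches any run of characters, '?' one character; all else is literal
    # (assumed case-sensitive here).
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition, ctx):
    # Every operator and every key inside it must hold; a missing context key fails.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(n, strict=False) for n in wanted):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_matches(stmt, action, resource, ctx):
    return (any(_wild(a, action) for a in _as_list(stmt["Action"]))
            and any(_wild(r, resource) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_ok(stmt.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx=None):
    # Default deny; an explicit Deny wins over any number of Allows.
    ctx = ctx or {}
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    bucket = "acs:oss:cn-hangzhou:123456789012:example-bucket/"
    print(evaluate(POLICIES, "oss:GetObject", bucket + "public/readme.txt"))   # Allow
    print(evaluate(POLICIES, "oss:GetObject", bucket + "secrets/key.pem"))     # Deny
    print(evaluate(POLICIES, "ram:ListUsers", "acs:ram:*:123456789012:user/*",
                   {"acs:SourceIp": "10.1.2.3"}))                              # Allow
```

Walking the constructed policy through the evaluator shows why the order of statements does not matter and why a broad Allow on oss:Get* can still be carved out by a narrower Deny on one ARN prefix.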