This topic describes the permissions and policies of Alibaba Cloud. To grant different permissions to Resource Access Management (RAM) identities on Alibaba Cloud resources, you can attach different policies to the RAM identities.
Permission
Permissions are specified by a statement within a policy that allows or denies access of RAM identities to a specific Alibaba Cloud resource. RAM identities are RAM users, RAM user groups, and RAM roles. The following list describes the details:
An Alibaba Cloud account is the resource owner and controls all permissions.
Each Alibaba Cloud resource has only one owner. The owner must be an Alibaba Cloud account and has complete control over the resource.
The resource owner is not necessarily the resource creator. For example, if a RAM identity has permissions to create Alibaba Cloud resources, the resources created by this RAM identity belong to the Alibaba Cloud account of the RAM identity. The RAM identity is the resource creator, but is not the resource owner.
A RAM identity is an operator and has no permissions by default.
A RAM identity is an operator that is used to manage resources. Before a RAM identity can perform operations, the RAM identity must be granted the required permissions by the Alibaba Cloud account. The required permissions must be granted by attaching one or more explicit allow policies.
A new RAM identity can manage resources by using the console and calling API operations only after the RAM identity is granted the required permissions.
Policy
A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.
RAM supports the following two types of policy:
System policy: System policies are created and upgraded by Alibaba Cloud. You can use system policies but cannot modify them.
Custom policy: You can create, modify, delete, and upgrade custom policies to meet your business requirements.
You can attach one or more policies to RAM identities. For more information, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
Grant permissions to RAM identities
To grant permissions to a RAM identity, you must attach one or more policies to the RAM identity.
The attached policies can be system policies or custom policies.
If the attached policies are modified, the new policies automatically take effect. You do not need to attach the new policies to RAM identities.