Resource Access Management (RAM) is a service provided by Alibaba Cloud. It allows you to manage user identities and resource access permissions.

Features

Centralized management of identities and permissions

  • Centralized access control
    • You can manage RAM users and the passwords or AccessKey pairs of the RAM users in a centralized manner. You can also bind multi-factor authentication (MFA) devices to RAM users.
    • You can manage the permissions of RAM users to access Alibaba Cloud resources in a centralized manner.
    • You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP addresses.
  • External identity integration
    • You can implement single sign-on (SSO). Alibaba Cloud supports user-based SSO and role-based SSO for identity providers (IdPs). You can log on to Alibaba Cloud by using an identity in the IdP system of your enterprise. For more information, see SSO overview.
    • You can map a CloudSSO user to RAM by using System for Cross-domain Identity Management (SCIM). This way, a RAM user who has the same name as the CloudSSO user is created in RAM. For more information, see What is CloudSSO?

Fine-grained permission management and diverse policies

  • Diverse policies

    RAM provides various system policies that meet the requirements of O&M engineers. If the system policies cannot meet your business requirements, you can use a GUI to create custom policies in an efficient manner.

  • Fine-grained permission management
    • You can grant access permissions to RAM users, RAM user groups, and RAM roles at the resource and operation levels.
    • You can create fine-grained resource access control policies based on the source IP address of requests, date and time, and resource tags.
    • You can set the authorization scope to the entire Alibaba Cloud account or a specified resource group.
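The following block is an added example, not code from Alibaba Cloud or from this page. It writes one custom policy in RAM's policy syntax that combines the three conditions listed above (source IP address, time window, and MFA) with an explicit Deny, and pairs it with a small, simplified model of RAM's documented evaluation order (explicit Deny first, then explicit Allow, otherwise implicit Deny) so that the policy can be checked offline against constructed request contexts. The bucket name, the CIDR block, the account ID, and the dates are constructed values; only the operators used in the policy are modelled, and anything else fails closed.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Added example (not Alibaba Cloud's own code). A custom RAM policy written in
# RAM's policy syntax. Every concrete value (bucket name, office CIDR block,
# maintenance window) is constructed for this illustration.
OSS_MAINTENANCE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            # Allow read/write on one bucket, but only from the office network,
            # only during the maintenance window, and only with MFA present.
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
            "Resource": ["acs:oss:*:*:example-bucket",
                         "acs:oss:*:*:example-bucket/*"],
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                "DateGreaterThan": {"acs:CurrentTime": "2024-06-01T00:00:00Z"},
                "DateLessThan": {"acs:CurrentTime": "2024-07-01T00:00:00Z"},
                "Bool": {"acs:MFAPresent": "true"},
            },
        },
        {
            # An explicit Deny is evaluated first and cannot be overridden.
            "Effect": "Deny",
            "Action": "oss:DeleteObject",
            "Resource": "acs:oss:*:*:example-bucket/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM actions and resource ARNs use '*' as the wildcard.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold (logical AND).
    Only the operators used above are modelled; anything else fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                         for cidr in _as_list(expected))
            elif operator == "DateGreaterThan":
                ok = _parse_time(actual) > _parse_time(expected)
            elif operator == "DateLessThan":
                ok = _parse_time(actual) < _parse_time(expected)
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            else:
                ok = False
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified model of RAM's documented evaluation order: a matching
    explicit Deny wins, then a matching Allow, otherwise the request is denied."""
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts: the same RAM user under different circumstances.
    office_mfa = {"acs:SourceIp": "203.0.113.10",
                  "acs:CurrentTime": "2024-06-15T10:00:00Z",
                  "acs:MFAPresent": "true"}
    obj = "acs:oss:cn-hangzhou:1234567890123456:example-bucket/report.csv"
    print(evaluate(OSS_MAINTENANCE_POLICY, "oss:GetObject", obj, office_mfa))
    print(evaluate(OSS_MAINTENANCE_POLICY, "oss:GetObject", obj,
                   {**office_mfa, "acs:SourceIp": "198.51.100.7"}))
    print(evaluate(OSS_MAINTENANCE_POLICY, "oss:DeleteObject", obj, office_mfa))
```

The evaluator is a reviewing aid, not a substitute for testing the policy in the RAM console: it shows why a request from outside the CIDR block, without MFA, or outside the window is refused even though the Allow statement names the action, and why the Deny on oss:DeleteObject holds regardless of conditions.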

Centralized management of identities and permissions for multiple accounts by using CloudSSO

CloudSSO is integrated with Alibaba Cloud Resource Directory to provide unified multi-account identity management and access control. For more information about Resource Directory, see Resource Directory overview. You can configure settings once in CloudSSO to manage identities and permissions for multiple Alibaba Cloud accounts in a centralized manner and implement SSO access. To achieve centralized management, you can use the CloudSSO directory that is independent of RAM to manage identities. CloudSSO reuses the system policies and the syntax of custom policies in RAM to manage permissions. When a CloudSSO user accesses an account in a resource directory, the user assumes the RAM role of the account to implement SSO access.

Free of charge

RAM is free of charge. You can use RAM after your Alibaba Cloud account passes real-name verification.

Benefits

RAM allows you to create and manage RAM users for employees, systems, applications, and other identities, and to manage the permissions of these RAM users on Alibaba Cloud resources. When multiple users in your enterprise must manage cloud resources collaboratively, RAM allows you to keep your Alibaba Cloud account and its password strictly confidential. RAM also allows you to grant each user only the minimum required permissions, which ensures high security.

Common scenarios

Use RAM to manage user permissions and resources

Enterprise A wants to migrate a project named Project-X to Alibaba Cloud. The enterprise has purchased several types of Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Multiple employees must manage these cloud resources, and different employees require different permissions to fulfill their duties.

Enterprise A has the following requirements:

  • To ensure security, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees.
  • Enterprise A wants to create different RAM users for the employees and grant different permissions to the RAM users. The employees are granted only the permissions that are required to fulfill their duties.
  • The RAM users can only manage resources after they are granted the required permissions. All the operations that are performed by the RAM users can be audited.
  • Enterprise A can revoke the permissions that are granted to the RAM users and delete the RAM users at any time.
  • Resource fees of RAM users are billed to the Alibaba Cloud account to which the RAM users belong.
Use an STS token for authorizing a mobile app to access Alibaba Cloud resources

Enterprise A develops a mobile app and activates OSS. The mobile app runs on mobile devices. These mobile devices are not controlled by the enterprise. The enterprise must grant the necessary permissions to the mobile app. Then, the mobile app can upload data to and download data from OSS.

Enterprise A has the following requirements:

  • Direct data transmission: The mobile app directly uploads data to or downloads data from OSS. The app server of the enterprise does not need to transfer data between the mobile app and OSS.
  • Security control: AccessKey pairs are not saved on mobile devices. Mobile devices are controlled by app users and cannot provide trusted operating environments.
  • Risk control: Security risks are minimized. During direct access to OSS, each app client is authorized based on the principle of least privilege, and the access duration is under strict control.
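The following block is an added example, not code from Alibaba Cloud or from this page. It shows the app-server side of the mobile scenario above: the server authenticates the app user, then calls STS AssumeRole with its own RAM user credentials (which never leave the server), passing an inline session policy that narrows the role to the user's own object prefix and a short session duration, and returns only the temporary credentials to the device. The bucket name, the role ARN placeholder, the user-ID format, and the 900-3600 second range (STS's minimum and the role's assumed default maximum session duration) are assumptions; the SDK package and call names are the Alibaba Cloud Python SDK v2 names as the author understands them and are imported lazily so the policy logic runs without the SDK.

```python
import json
import re

# Constructed values; the role ARN is a placeholder for Enterprise A's own role,
# whose trust policy must allow the app server's RAM user to assume it.
APP_BUCKET = "example-app-bucket"
APP_ROLE_ARN = "acs:ram::<your-account-id>:role/mobile-app-oss-role"
MIN_SESSION_SECONDS = 900    # STS minimum for AssumeRole
MAX_SESSION_SECONDS = 3600   # assumed: the role's default maximum session duration


def is_safe_user_id(user_id):
    """Only simple tokens may become part of an OSS key prefix; anything else
    (slashes, '..', '*') could widen the prefix the session policy grants."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", user_id) is not None


def valid_session_duration(seconds):
    return MIN_SESSION_SECONDS <= seconds <= MAX_SESSION_SECONDS


def session_policy_for_user(user_id):
    """Inline policy passed to AssumeRole. It can only narrow the role's own
    permissions, so the token the device receives is scoped to this user's
    prefix: read and write, no listing of other users' keys, no deletion."""
    if not is_safe_user_id(user_id):
        raise ValueError("user id must be a simple token to form a safe prefix")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject"],
            "Resource": [f"acs:oss:*:*:{APP_BUCKET}/users/{user_id}/*"],
        }],
    }


def assume_role_request_params(user_id, duration_seconds=MIN_SESSION_SECONDS):
    """Parameters of the STS AssumeRole call made for one authenticated app user.
    Kept separate from the network call so they can be inspected and tested."""
    if not valid_session_duration(duration_seconds):
        raise ValueError("session duration outside the allowed range")
    return {
        "RoleArn": APP_ROLE_ARN,
        "RoleSessionName": f"app-{user_id}",   # appears in audit logs
        "Policy": json.dumps(session_policy_for_user(user_id)),
        "DurationSeconds": duration_seconds,
    }


def issue_app_credentials(user_id, server_access_key_id, server_access_key_secret):
    """Call STS with the app server's RAM user credentials and return only the
    temporary credentials to the device. SDK names are assumed (see lead-in)."""
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    params = assume_role_request_params(user_id)
    config = open_api_models.Config(
        access_key_id=server_access_key_id,
        access_key_secret=server_access_key_secret,
        endpoint="sts.aliyuncs.com",
    )
    request = sts_models.AssumeRoleRequest(
        role_arn=params["RoleArn"],
        role_session_name=params["RoleSessionName"],
        policy=params["Policy"],
        duration_seconds=params["DurationSeconds"],
    )
    creds = StsClient(config).assume_role(request).body.credentials
    return {
        "AccessKeyId": creds.access_key_id,
        "AccessKeySecret": creds.access_key_secret,
        "SecurityToken": creds.security_token,
        "Expiration": creds.expiration,   # the device must refresh before this
    }
```

Two design points follow from the requirements listed above: the role itself should carry no more than the union of what any user may do (the session policy can only subtract), and the session duration should be the shortest the app can tolerate, because a token copied off a device stays valid until Expiration and cannot be revoked individually.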
Use a RAM role to grant permissions across Alibaba Cloud accounts

Enterprise A purchases multiple types of Alibaba Cloud resources, such as ECS instances, ApsaraDB RDS instances, SLB instances, and OSS buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A.

Enterprise A has the following requirements:

  • Enterprise A serves only as a cloud resource owner. Enterprise A can authorize Enterprise B to perform O&M operations on, monitor, and manage specified cloud resources of Enterprise A.
  • If an employee joins or leaves Enterprise B, Enterprise A does not need to make modifications to the granted permissions. Enterprise B can grant its RAM users fine-grained permissions on cloud resources of Enterprise A. The RAM user credentials can be assigned to employees or applications.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.
Use RAM to authorize applications to access Alibaba Cloud resources

Enterprise A purchases ECS instances and wants to deploy its applications on these ECS instances. The applications must use AccessKey pairs to call the operations of other Alibaba Cloud services.
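The following block is an added example, not code from Alibaba Cloud or from this page. It covers the two role-based scenarios above. For the cross-account scenario it writes both halves of the relationship: the trust policy Enterprise A attaches to the role it creates for Enterprise B (naming only B's account as principal), and the policy Enterprise B attaches to its own RAM users so that B, not A, decides who may assume the role. For the ECS scenario it writes the trust policy of an instance RAM role, under which ECS obtains temporary credentials for the application instead of an AccessKey pair being stored on the instance. A small audit function flags the settings a reviewer would reject. The account IDs and role name are constructed, and the expected shape of a RAM principal ARN (16-digit account ID) is the author's understanding.

```python
import re

# Constructed account IDs: Enterprise A (resource owner) and Enterprise B.
ENTERPRISE_A_ACCOUNT = "1111111111111111"
ENTERPRISE_B_ACCOUNT = "2222222222222222"

# Expected shape of a RAM principal ARN (author's understanding): a 16-digit
# account ID followed by root, a user or a role; wildcards are rejected.
_RAM_PRINCIPAL = re.compile(r"^acs:ram::\d{16}:(root|user/[^*]+|role/[^*]+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cross_account_trust_policy(trusted_account_id):
    """Trust policy Enterprise A attaches to the role it creates for Enterprise B.
    Only identities of the named account may assume it; removing the principal
    (or deleting the role) ends B's access without touching B's own users."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
    }


def assume_role_grant_for_operators(role_arn):
    """Policy Enterprise B attaches to its own RAM users or groups. B decides
    which of its people may assume A's role, so staff changes at B never
    require Enterprise A to change anything."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def ecs_instance_role_trust_policy():
    """Trust policy of a role attached to ECS instances. ECS obtains STS tokens
    for the role on the instance's behalf, so the application calls other
    services with rotating temporary credentials rather than a stored key."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": ["ecs.aliyuncs.com"]},
        }],
    }


def audit_trust_policy(policy):
    """Return findings for trust-policy settings a reviewer would reject:
    an Allow without a Principal, a RAM principal that is not one specific
    account, user or role, or a service principal outside aliyuncs.com."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal")
        if not principal:
            findings.append("Allow statement without a Principal")
            continue
        for arn in _as_list(principal.get("RAM", [])):
            if not _RAM_PRINCIPAL.match(arn):
                findings.append(f"RAM principal is not a specific identity: {arn}")
        for service in _as_list(principal.get("Service", [])):
            if not service.endswith(".aliyuncs.com"):
                findings.append(f"unexpected service principal: {service}")
    return findings


if __name__ == "__main__":
    role_arn = f"acs:ram::{ENTERPRISE_A_ACCOUNT}:role/enterprise-b-ops"
    print(audit_trust_policy(cross_account_trust_policy(ENTERPRISE_B_ACCOUNT)))
    print(audit_trust_policy(cross_account_trust_policy("*")))
    print(assume_role_grant_for_operators(role_arn)["Statement"][0]["Resource"])
```

The permissions the role actually carries (its attached RAM policies) are a separate document from the trust policy shown here; the trust policy answers only "who may assume this role", and the revocation step in the last requirement above is an edit to that document, not to anything Enterprise B controls.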
Use RAM to create and authorize resource groups

A gaming enterprise is developing three gaming projects. Each project requires various cloud resources. Enterprise A has an Alibaba Cloud account and more than 100 Elastic Compute Service (ECS) instances that belong to the Alibaba Cloud account.

Enterprise A has the following requirements:

  • Independent project management: Project managers can manage their own project members and the permissions that the project members require to access cloud resources.
  • Separate bills: The financial department of the enterprise requires that each project receives separate bills.
  • Shared bottom-layer network: The enterprise requires a shared bottom-layer network for its cloud resources.

How to use RAM

After you create an Alibaba Cloud account, you can use RAM to manage user identities and resource access permissions by using one of the following methods:

  • RAM console

    RAM provides an interactive web console. You can log on to the RAM console to use the features of RAM.

  • API operations and SDKs

    RAM provides RESTful API operations and SDKs for multiple programming languages to facilitate secondary development.

    Alibaba Cloud provides OpenAPI Explorer to simplify API usage. You can use OpenAPI Explorer to debug API operations and dynamically generate SDK sample code.