Supported actions resources and conditions for RAM - Resource Management

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Resource Management for RAM permission policies. The RAM code (RamCode) for Resource Management is resourcecenter,resourcemanager,tag,resourcesharing , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Resource Management. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
resourcemanager:DetachControlPolicy	DetachControlPolicy	update	Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}` ControlPolicy `acs:resourcemanager::{#accountId}:policy/controlpolicy/{#PolicyId}` *Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:ListDelegatedAdministrators	ListDelegatedAdministrators	list	All Resource ``	None	None
resourcemanager:GetAccountDeletionCheckResult	GetAccountDeletionCheckResult	get	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:DisassociateMembers	DisassociateMembers	update	All Resource ``	None	None
resourcemanager:GetAccount	GetAccount	get	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:MoveAccount	MoveAccount	update	Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}` Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:ListHandshakesForAccount	ListHandshakesForAccount	list	All Resource ``	None	None
resourcemanager:CancelChangeAccountEmail	CancelChangeAccountEmail	update	All Resource ``	None	None
resourcemanager:BindSecureMobilePhone	BindSecureMobilePhone	update	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:ListFoldersForParent	ListFoldersForParent	list	*Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:EnableControlPolicy	EnableControlPolicy	update	ResourceDirectory `acs:resourcemanager::{#accountId}:policy/controlpolicy/`	None	None
resourcemanager:CheckAccountDelete	CheckAccountDelete	get	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:AssociateMembers	AssociateMembers	update	All Resource ``	None	None
resourcemanager:ListTagKeys	ListTagKeys	list	All Resource ``	None	None
resourcemanager:SendVerificationCodeForBindSecureMobilePhone	SendVerificationCodeForBindSecureMobilePhone	none	All Resource ``	None	None
resourcemanager:CreateControlPolicy	CreateControlPolicy	create	All Resource ``	None	None
resourcemanager:DeleteControlPolicy	DeleteControlPolicy	delete	*ControlPolicy `acs:resourcemanager::{#accountId}:policy/controlpolicy/{#PolicyId}`	None	None
resourcemanager:ListDelegatedServicesForAccount	ListDelegatedServicesForAccount	list	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:GetAccountDeletionStatus	GetAccountDeletionStatus	get	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:AddMessageContact	AddMessageContact	create	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/*`	None	None
resourcemanager:RetryChangeAccountEmail	RetryChangeAccountEmail	update	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:GetMessageContact	GetMessageContact	get	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:UpdateControlPolicy	UpdateControlPolicy	update	*ControlPolicy `acs:resourcemanager::{#accountId}:policy/controlpolicy/{#PolicyId}`	None	None
resourcemanager:PrecheckForConsolidatedBillingAccount	PrecheckForConsolidatedBillingAccount	get	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:TagResources	TagResources	update	All Resource ``	None	None
resourcemanager:UntagResources	UntagResources	update	All Resource ``	None	None
resourcemanager:DestroyResourceDirectory	DestroyResourceDirectory	delete	All Resource ``	None	None
resourcemanager:GetResourceDirectory	GetResourceDirectory	get	All Resource ``	None	None
resourcemanager:ListTargetAttachmentsForControlPolicy	ListTargetAttachmentsForControlPolicy	list	All Resource ``	None	None
resourcemanager:CreateFolder	CreateFolder	create	*Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:EnableResourceDirectory	EnableResourceDirectory	create	All Resource ``	None	None
resourcemanager:UpdateAccount	UpdateAccount	update	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:GetFolder	GetFolder	get	*Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:GetHandshake	GetHandshake	get	*Handshake `acs:resourcemanager::{#accountId}:handshake/{#HandshakeId}`	None	None
resourcemanager:DeregisterDelegatedAdministrator	DeregisterDelegatedAdministrator	delete	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:AttachControlPolicy	AttachControlPolicy	update	Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}` Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}` *ControlPolicy `acs:resourcemanager::{#accountId}:policy/controlpolicy/{#PolicyId}`	None	None
resourcemanager:ListAccounts	ListAccounts	list	Account `acs:resourcemanager::{#accountId}:account/`	None	None
resourcemanager:ListHandshakesForResourceDirectory	ListHandshakesForResourceDirectory	list	Handshake `acs:resourcemanager::{#accountId}:handshake/`	None	None
resourcemanager:GetControlPolicy	GetControlPolicy	get	*ControlPolicy `acs:resourcemanager::{#accountId}:policy/controlpolicy/{#PolicyId}`	None	None
resourcemanager:RegisterDelegatedAdministrator	RegisterDelegatedAdministrator	create	*DelegatedAdministrator `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:SendVerificationCodeForEnableRD	SendVerificationCodeForEnableRD	none	All Resource ``	None	None
resourcemanager:CancelMessageContactUpdate	CancelMessageContactUpdate	update	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:RemoveCloudAccount	RemoveCloudAccount	delete	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:ListTagResources	ListTagResources	list	All Resource ``	None	None
resourcemanager:SendPhoneVerificationForMessageContact	SendPhoneVerificationForMessageContact	none	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:ListAccountsForParent	ListAccountsForParent	list	*Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:ListAncestors	ListAncestors	list	All Resource ``	None	None
resourcemanager:SendEmailVerificationForMessageContact	SendEmailVerificationForMessageContact	none	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:ListTagValues	ListTagValues	list	All Resource ``	None	None
resourcemanager:ListAuthorizedFolders	ListAuthorizedFolders	list	All Resource ``	None	None
resourcemanager:GetControlPolicyEnablementStatus	GetControlPolicyEnablementStatus	get	ResourceDirectory `acs:resourcemanager::{#accountId}:policy/controlpolicy/`	None	None
resourcemanager:CancelHandshake	CancelHandshake	update	*Handshake `acs:resourcemanager::{#accountId}:handshake/{#HandshakeId}`	None	None
resourcemanager:ListMessageContactVerifications	ListMessageContactVerifications	list	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:InviteAccountToResourceDirectory	InviteAccountToResourceDirectory	create	Handshake `acs:resourcemanager::{#accountId}:handshake/` Folder `acs:resourcemanager:*:{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:UpdateFolder	UpdateFolder	update	*Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:AcceptHandshake	AcceptHandshake	update	*Handshake `acs:resourcemanager::{#accountId}:handshake/{#HandshakeId}`	None	None
resourcemanager:GetMessageContactDeletionStatus	GetMessageContactDeletionStatus	get	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:SetMemberDisplayNameSyncStatus	SetMemberDisplayNameSyncStatus	update	All Resource ``	None	None
resourcemanager:CreateResourceAccount	CreateResourceAccount	create	Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:ListAuthorizedAccounts	ListAuthorizedAccounts	list	All Resource ``	None	None
resourcemanager:DeleteMessageContact	DeleteMessageContact	delete	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:ListControlPolicies	ListControlPolicies	list	All Resource ``	None	None
resourcemanager:UpdateMessageContact	UpdateMessageContact	update	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId}`	None	None
resourcemanager:GetPayerForAccount	GetPayerForAccount	get	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:DisableControlPolicy	DisableControlPolicy	update	ResourceDirectory `acs:resourcemanager::{#accountId}:policy/controlpolicy/`	None	None
resourcemanager:SetMemberDeletionPermission	SetMemberDeletionPermission	update	All Resource ``	None	None
resourcemanager:DeleteAccount	DeleteAccount	delete	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None
resourcemanager:ChangeAccountEmail	ChangeAccountEmail	update	All Resource ``	None	None
resourcemanager:ListControlPolicyAttachmentsForTarget	ListControlPolicyAttachmentsForTarget	list	All Resource ``	None	None
resourcemanager:DeclineHandshake	DeclineHandshake	update	*Handshake `acs:resourcemanager::{#accountId}:handshake/{#HandshakeId}`	None	None
resourcemanager:ListTrustedServiceStatus	ListTrustedServiceStatus	list	All Resource ``	None	None
resourcemanager:ListMessageContacts	ListMessageContacts	list	MessageContact `acs:resourcemanager::{#accountId}:messagecontact/*`	None	None
resourcemanager:DeleteFolder	DeleteFolder	delete	*Folder `acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath}`	None	None
resourcemanager:UpdatePayerForAccount	UpdatePayerForAccount	update	*Account `acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}`	None	None

Resource

The following table lists the resources defined by Resource Management. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
Account	acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath} acs:resourcemanager::{#accountId}:account/* acs:resourcemanager::{#accountId}:account/{#AccountId} acs:resourcemanager::{#accountId}:
ControlPolicy	acs:resourcemanager::{#accountId}:policy/controlpolicy/{#PolicyId} acs:resourcemanager::{#accountId}:policy/controlpolicy/*
Folder	acs:resourcemanager::{#accountId}:folder/{#ResourceDirectoryPath} acs:resourcemanager::{#accountId}:folder/{#FolderId} acs:resourcemanager::{#accountId}:folder/ acs:resourcemanager:*:{#accountId}:folder/{#ResourceDirectoryPath}
MessageContact	acs:resourcemanager::{#accountId}:messagecontact/{#MessageContactId} acs:resourcemanager::{#accountId}:messagecontact/*
ResourceDirectory	acs:resourcemanager::{#accountId}:policy/controlpolicy/*
Handshake	acs:resourcemanager::{#accountId}:handshake/{#HandshakeId} acs:resourcemanager::{#accountId}:handshake/* acs:resourcemanager::{#accountId}:handshake/
DelegatedAdministrator	acs:resourcemanager::{#accountId}:account/{#ResourceDirectoryPath}

Condition

The following table lists the product-level condition keys defined by Resource Management. You can also use Alibaba Cloud's Common condition keys. Specify these keys in the Condition element of RAM policy statements to define granular authorization rules. In the condition key, specify the condition values in the Condition_value element of the policy.

Each condition key has a specific data type, such as string, number, Boolean, or IP address. The data type determines which conditional operators can be used to compare the request values against policy values. You must specify the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition operator for valid combinations.

Condition key	Description	Data type
resourcesharing:ResourceArn	The resource ARN. Example: acs:vpc:cn-shanghai:131993166204**:vswitch/vsw-7xv4sfwo86u2etl64**.	String
resourcesharing:RequestedAllowExternalTargets	Whether resources in the resource share can be shared with accounts outside the resource directory. Example: false.	Boolean
ram:ServiceName	Specifies the trusted service principal for service-linked role. Example: actiontrail.aliyuncs.com	String
resourcesharing:Target	Example values include: Resource Directory ID, the RDPath of a folder, or the RDPath of an account (within the resource directory), or the account ID (for accounts outside of the resource directory).	String
resourcesharing:RequestedResourceType	The resource type. Example: VSwitch.	String

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: