All Products
Search
Document Center

Security Center:Identities and permissions

Last Updated:Apr 19, 2024

This topic describes the concepts of identities and permissions in Alibaba Cloud services.

Identities

Alibaba Cloud identities can be classified as physical entities and virtual entities.

Physical entities

A physical entity has a fixed ID and identity credential. It is used to represent a person, a company, or an application. The identity credentials of a physical entity can be a logon password or an AccessKey pair. A physical entity can be an Alibaba Cloud account or a Resource Access Management (RAM) user. A physical entity can access the Alibaba Cloud resources by using following methods:

  • Access cloud resources through the console by using a username and password, or the multi-factor authentication (MFA) method.

  • Access cloud resources by using an AccessKey pair.

Alibaba cloud accounts and RAM users have different features. Take note of the following items before you access Alibaba Cloud resources.

Alibaba Cloud account

Features

  • An Alibaba Cloud account has the root or administrator permissions on the operating system of cloud resources.

  • An Alibaba Cloud account has full control over all the resources purchased under the account, and the bills for the resources are aggregated under the account.

Usage notes

For security reasons, we recommend that you do not use your Alibaba Cloud account to directly manage cloud resources.

Instead, we recommend that you use your Alibaba Cloud account to create a RAM user and grant administrator permissions to the RAM user (hereinafter referred to as the administrative user). Then, you can use the administrative user to create and manage other RAM users.

RAM user

Features

  • Before a RAM user can log on to the cloud service console or call API operations, it must be authorized by an Alibaba Cloud account or the administrative user. After authorization, the RAM user can manage resources that are owned by the Alibaba Cloud account.

  • RAM users do not own resources and cannot be billed independently. Bills generated by the RAM users are aggregated to the Alibaba Cloud account to which the RAM users belong. RAM users can be viewed only within the Alibaba Cloud accounts to which they belong.

Usage notes

A RAM user represents a physical entity that manages cloud resources, such as an O&M engineer or an application. We recommend that you use RAM users to access and manage cloud resources.

Note

You can use RAM user groups to categorize and authorize RAM users. This helps efficiently manage RAM users and their permissions.

Virtual entities

A virtual entity does not have a fixed identity credential, for example, a logon password or an AccessKey pair. A RAM role is considered as a virtual entity. You need to assume a RAM role with a RAM user of a trusted Alibaba Cloud account before you use the RAM role. After you use a trusted entity to assume a RAM role, you obtain a Security Token Service (STS) token of the RAM role. Then, you can use the STS token to access the resources on which the RAM role has permissions.

RAM roles are classified into three types based on trusted entities.

Trusted entity

Description

Reference

Alibaba Cloud account

This type of RAM role is used for cross-account access and temporary authorization. It can be assumed only by a RAM user that belongs to a trusted Alibaba Cloud account. The trusted Alibaba Cloud account can be either the current Alibaba Cloud account or another Alibaba Cloud account.

Create a RAM role for a trusted Alibaba Cloud account

Alibaba Cloud service

This type of RAM role is used to authorize the access across Alibaba Cloud services. It can be assumed only by trusted Alibaba Cloud services.

Create a RAM role for a trusted Alibaba Cloud service

Identity provider (IdP)

This type of RAM role is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP. It can be assumed only by users of a trusted IdP.

Create a RAM role for a trusted IdP

Permissions

Permissions are used to control the access of different user identities to specific resources. You can use permissions to control whether to allow or deny specific operations on specific resources.

Permissions of physical entities

Physical entity

Default permission

Authorization

Description

Alibaba Cloud account

Full permissions on resources

Not required.

An Alibaba Cloud account has full control and permissions over the resources that it owns. Other users, such as RAM users, can access resources only after being authorized by an Alibaba Cloud account.

RAM user

None

RAM users can access and use cloud resources in the console or by calling API operations only after they are authorized.

Alibaba Cloud implements authorization by attaching policies to RAM identities. A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.

RAM supports the following two types of policies:

  • System policies: created and managed by Alibaba Cloud. You can use these policies whereas you cannot modify the policies.

  • Custom policies: created and managed by customers.

You can attach a policy to a RAM user or a RAM user group to grant it the access permissions specified in the policy. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM user group.

Permissions of virtual entities

RAM roles of Alibaba Cloud do not have any permissions by default.

RAM roles can access and use cloud resources in the console or by calling API operations only after they are assumed by trusted entities and authorized.

You can attach a policy to a RAM role to grant it the access permissions specified in the policy. For more information, see Grant permissions to a RAM role.

References