Security Center: Alibaba Cloud identities and permissions

Last Updated: Jun 08, 2026

Learn about the user identities and permission model that govern access to Alibaba Cloud resources.

Identities

Alibaba Cloud supports two types of user identities: entity user identities and virtual user identities.

Entity user identities

An entity user identity has a fixed ID and long-term credentials (a logon password or an AccessKey pair) tied to a person, enterprise, or application. Entity user identities include Alibaba Cloud accounts and Resource Access Management (RAM) users. An entity user identity can access cloud resources in two ways:

  • Log on to the console with a username, password, and multi-factor authentication (MFA).

  • Call APIs with an AccessKey pair. An AccessKey pair is a long-term credential that is valid until you rotate or disable it: keep it out of source code and images, rotate it regularly, and prefer a RAM role with a temporary STS token wherever the caller can assume one.

Alibaba Cloud accounts and RAM users differ in scope and permissions.

Alibaba Cloud account

Features

  • Is the root identity of the account and has full permissions on every resource the account owns. RAM policies cannot restrict it.

  • Serves as the billing entity with full control over all owned resources.

Usage notes

Do not use the Alibaba Cloud account for day-to-day access to cloud resources. Because no policy can limit what it may do, reserve it for tasks that only the account itself can perform, protect its logon with MFA, and avoid creating an AccessKey pair for it.

Best practice: Create a RAM user with administrative permissions, then use that RAM user to create and manage other RAM users.

RAM user

Features

  • A RAM user must receive permissions from the Alibaba Cloud account or a RAM administrator before accessing resources.

  • A RAM user does not own resources and cannot be billed independently. The parent Alibaba Cloud account owns and pays for all resources, and the RAM user is visible only within that account.

Usage notes

Create a separate RAM user for each operator or application that needs access to cloud resources, rather than sharing one set of credentials. Separate identities let you grant each one only the permissions it needs, attribute actions in the audit trail to a specific user, and revoke one credential without affecting the others.

Note

Group RAM users with shared responsibilities into a RAM user group and grant permissions at the group level.

Virtual user identities

A virtual user identity has no long-term credentials of its own. A RAM role is a virtual identity that a trusted entity assumes; the trusted entity receives a temporary Security Token Service (STS) token, valid for a limited period, and uses it to access the resources the role is authorized for. Because the token expires, a leaked token is useful to an attacker only until its validity period ends.

RAM roles support the following trusted entity types.

Trusted entity: Alibaba Cloud account

Scenario: Cross-account access and temporary authorization. Only RAM users under the trusted Alibaba Cloud account (the current account or another account) can assume the role.

Reference: Create a RAM role for a trusted Alibaba Cloud account

Trusted entity: Alibaba Cloud service

Scenario: Cross-service resource access. Only trusted Alibaba Cloud services can assume the role.

Reference: Create a RAM role for a trusted Alibaba Cloud service

Trusted entity: Identity provider

Scenario: SSO integration. Only users from the trusted identity provider can assume the role.

Reference: Create a RAM role for a trusted identity provider

Permissions

A permission specifies whether to allow or deny operations on specific resources under certain conditions.

Entity user identity permissions

Alibaba Cloud account

Default permission: All permissions on the resources it owns.

Requires authorization: No.

Authorization details:

  • An Alibaba Cloud account has full control over its resources.

  • Any other user must be granted permissions by the Alibaba Cloud account to access its cloud resources.

RAM user

Default permission: None.

Requires authorization: Yes. A RAM user has no permissions until they are explicitly granted.

Authorization details:

Grant permissions by attaching access policies to identities in RAM. An access policy defines the authorized resources, the allowed actions, and the conditions under which the statement applies.

RAM supports two types of access policies:

  • System policies: Predefined by Alibaba Cloud. You can use them but not modify them.

  • Custom policies: Created, updated, and maintained by you. Use a custom policy when no system policy is narrow enough for the task.

Attach an access policy to a RAM user or RAM user group to grant permissions. References: Manage permissions for a RAM user; Grant permissions to a RAM user group.

Virtual user identity permissions

A RAM role has no permissions by default. The trusted entity you specify only determines who may assume the role; the role can access resources through the console or API only after you attach an access policy to it. Keep both sides narrow: the trust policy limits who can assume the role, and the attached access policy limits what anyone who assumes it can do.

Attach an access policy to a RAM role to grant permissions. Reference: Manage permissions for a RAM role.
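To make the two decisions above concrete, the following Python example, added here and not code from Alibaba Cloud or its SDK, simulates them offline: whether a principal may assume a role (the trust policy, corresponding to the trusted-entity table) and what an identity may then do (the access policies attached to it, whether directly or through a RAM user group). The policy documents follow the RAM policy JSON layout (Version, Statement, Effect, Action, Resource, Condition, Principal) and the evaluation rule RAM documents: an explicit Deny wins over Allow, and a request with no matching Allow is denied, which is why a fresh RAM user or role can do nothing. The account IDs, bucket name, user names and IP ranges are constructed placeholders, and the evaluator implements only the IpAddress condition operator.

```python
"""Simplified model of RAM authorization (added example, not Alibaba Cloud code):
a role's trust policy decides who may assume it; the access policies attached
to an identity decide what it may do. Account IDs, bucket and IPs are placeholders."""
import fnmatch
import ipaddress

# Constructed trust policy: the role trusts every RAM user of one account.
TRUST_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"RAM": ["acs:ram::123456789012:root"]}}]}

# Constructed custom policy attached to the role: read one OSS bucket, only
# from the corporate network; explicit Deny on deleting objects.
ACCESS_POLICIES = [{"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:ListObjects", "oss:GetObject"],
     "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
    {"Effect": "Deny",
     "Action": "oss:DeleteObject",
     "Resource": "acs:oss:*:*:examplebucket/*"},
]}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # "*" is the wildcard in RAM Action and Resource strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_trusted(trusted_arn, principal_arn):
    # "acs:ram::<account-id>:root" stands for every RAM user of that account.
    if trusted_arn.endswith(":root"):
        return principal_arn.startswith(trusted_arn[:-len("root")])
    return trusted_arn == principal_arn


def can_assume(trust_policy, principal_arn):
    """True if an Allow statement for sts:AssumeRole covers the principal."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        for arns in stmt.get("Principal", {}).values():
            if any(_principal_trusted(t, principal_arn) for t in _as_list(arns)):
                return True
    return False


def _condition_ok(condition, ctx):
    """Only the IpAddress operator is modelled here; anything else raises."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, networks in pairs.items():
            if key not in ctx:
                return False  # missing context key: the statement does not apply
            ip = ipaddress.ip_address(ctx[key])
            if not any(ip in ipaddress.ip_network(n) for n in _as_list(networks)):
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Decide one request: an explicit Deny wins; otherwise Allow only if some
    statement allows it. With nothing attached the result is Deny."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def authorize_via_role(trust_policy, role_policies, principal_arn, action, resource, ctx=None):
    """STS issues a token only to a trusted principal; the role's own policies
    then decide the request."""
    if not can_assume(trust_policy, principal_arn):
        return "Deny"
    return evaluate(role_policies, action, resource, ctx)


if __name__ == "__main__":
    obj = "acs:oss:*:*:examplebucket/report.csv"
    alice = "acs:ram::123456789012:user/alice"
    print(authorize_via_role(TRUST_POLICY, ACCESS_POLICIES, alice,
                             "oss:GetObject", obj, {"acs:SourceIp": "10.1.2.3"}))
    print(authorize_via_role(TRUST_POLICY, ACCESS_POLICIES, alice,
                             "oss:DeleteObject", obj, {"acs:SourceIp": "10.1.2.3"}))
```

The list passed to evaluate stands for everything attached to the identity: for a RAM user that is the union of policies attached to the user and to the groups it belongs to, for a role only what is attached to the role. Two of the cases worth stepping through are the read from outside 10.0.0.0/8, which is denied because the Allow statement's Condition does not hold and nothing else allows it, and the RAM user from the untrusted account, who never gets past can_assume even though the role's policy would allow the read.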
