Alibaba Cloud Resource Access Management (RAM) helps you manage user identities and permissions on resource access. If multiple employees or applications in your enterprise need to access Virtual Private Cloud (VPC) resources, you can use RAM to manage permissions in a centralized manner and grant different access permissions as needed. Before you use RAM to manage the permissions on Alibaba Cloud services, we recommend that you learn about the features of RAM that can work with Alibaba Cloud services. This topic describes how to use RAM together with Virtual Private Cloud.
Overview
RAM uses permission control to regulate access from RAM users, RAM user groups, and RAM roles to a resource. A policy is a set of permissions. You can attach policies to RAM users, user groups, or RAM roles to grant them permissions on a resource.
Permissions
The following section describes the permissions of an Alibaba Cloud account, a RAM identity, and the resource owner.
An Alibaba Cloud account is the resource owner and controls all permissions.
Each Alibaba Cloud resource has only one owner. The owner must be an Alibaba Cloud account and has complete control over the resource.
The resource owner is not necessarily the resource creator. For example, if a RAM identity has permissions to create Alibaba Cloud resources, the resources created by this RAM identity belong to the Alibaba Cloud account of the RAM identity. The RAM identity is the resource creator, but is not the resource owner.
A RAM identity is an operator and has no permissions by default.
A RAM identity is an operator that is used to manage resources. Before a RAM identity can perform operations, the RAM identity must be granted the required permissions by the Alibaba Cloud account. The required permissions must be granted by attaching one or more explicit allow policies.
A new RAM identity can manage resources by using the console and calling API operations only after the RAM identity is granted the required permissions.
Permission policy
A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.
RAM supports the following two types of policies:
System policy: System policies are created and updated by Alibaba Cloud. You can use these policies but you cannot modify them. For more information, see System policies for VPC.
Custom policy: If system policies cannot meet your business requirements, you can create custom policies to implement fine-grained permission management. For more information, see Custom policies for VPC.
Attach policies to a principal
After you create a policy, you can attach it to a RAM user, a RAM user group, or a RAM role to grant the permissions defined in the policy to the principal.
You can attach one or more policies to a RAM user, a RAM user group, or a RAM role.
The attached policies can be system policies or custom policies.
If the attached policies are modified, the modifications automatically take effect. You do not need to attach the modified policies to RAM principals again.
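The evaluation rules described above (a RAM identity has no permissions by default, access is granted only by explicit Allow statements, and several policies may be attached to one principal) can be checked locally before a policy is attached. The following is an added example, not code or a policy from Alibaba Cloud: the two policies are constructed samples in RAM policy syntax, the `vpc:` action wildcards and the resource string are assumptions, and the Deny statement uses RAM's deny-overrides-allow rule, which this topic does not cover.

```python
import fnmatch
from typing import Iterable

# Constructed sample policies (RAM policy syntax: Version, Statement, Effect, Action, Resource).
# The action patterns are assumptions chosen for illustration, not copied from a system policy.
VPC_READ_ONLY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vpc:Describe*", "vpc:List*"], "Resource": "*"}
    ],
}
DENY_VPC_DELETE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": "vpc:Delete*", "Resource": "*"}
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(attached_policies: Iterable[dict], action: str, resource: str) -> bool:
    """Decide a request the way RAM does: default deny, an explicit Allow in any
    attached policy grants access, and an explicit Deny in any attached policy wins."""
    allowed = False
    for policy in attached_policies:
        for stmt in policy["Statement"]:
            action_match = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
            resource_match = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
            if not (action_match and resource_match):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed resource identifier; a real one carries the region and account ID.
    res = "acs:vpc:*:*:vpc/vpc-example"
    print(is_allowed([], "vpc:DescribeVpcs", res))                       # no policy -> False
    print(is_allowed([VPC_READ_ONLY], "vpc:DescribeVpcs", res))          # True
    print(is_allowed([VPC_READ_ONLY, DENY_VPC_DELETE], "vpc:DeleteVpc", res))  # False
```

Because modifications to an attached policy take effect automatically, re-running such a check against the edited policy document is a cheap way to confirm that a change did not widen a principal's access.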