All Products
Search
Document Center

Resource Access Management:Terms

Last Updated:Jun 26, 2024

This topic introduces the basic concepts that are used in Resource Access Management (RAM).

Terms for identity management

Term

Description

Alibaba Cloud account

Before you use Alibaba Cloud services, you must create an Alibaba Cloud account. The Alibaba Cloud account is the owner of Alibaba Cloud resources. The Alibaba Cloud account is charged for all the resources that it owns. The Alibaba Cloud account has full control over the resources.

By default, only the Alibaba Cloud account can access Alibaba Cloud resources. Other users can access resources only after being explicitly authorized by the Alibaba Cloud account. The Alibaba Cloud account is similar to the administrator or root user of an operating system.

To ensure the security of the Alibaba Cloud account, we recommend that you do not use the Alibaba Cloud account to log on to the Alibaba Cloud Management Console and do not create an AccessKey pair for the Alibaba Cloud account. We recommend that you create a RAM user for the Alibaba Cloud account and grant the RAM user the administrative rights. Then, you can use the RAM user to manage the resources.

account administrator

An account administrator has the permissions to manage all resources of the account. An account administrator can be an Alibaba Cloud account or a RAM user to which the AdministratorAccess policy is attached. We recommend that you use a RAM user as an account administrator. For more information, see Create an account administrator.

RAM administrator

A RAM administrator has the permissions to manage RAM resources of the RAM administrator. A RAM administrator can be an Alibaba Cloud account or a RAM user who is attached the AliyunRAMFullAccess policy. We recommend that you use a RAM user as a RAM administrator.

identity

RAM provides three types of identities: RAM user, RAM user group, and RAM role. RAM users and RAM user groups are physical identities. RAM roles are virtual identities.

default domain name

A unique identifier of an Alibaba Cloud account. Alibaba Cloud assigns a default domain name to each Alibaba Cloud account. The format of the default domain name is <AccountAlias>.onaliyun.com. <AccountAlias> indicates the alias of an Alibaba Cloud account. This unique identifier can be used for RAM user logon and single sign-on (SSO).

For more information, see View and modify the default domain name.

account alias

The alias of an Alibaba Cloud account. An account alias is also called an enterprise alias. The default value of an account alias is the ID of an Alibaba Cloud account. The value of <AccountAlias> in a default domain name is the account alias. The default domain name varies based on the account alias. When a RAM user logs on to the Alibaba Cloud Management Console, both the account alias or the default domain name can be used.

If an enterprise sets the alias of its Alibaba Cloud account to company1, the RAM user alice that belongs to the Alibaba Cloud account can use alice@company1 to log on to the Alibaba Cloud Management Console.

For more information, see View and modify the default domain name.

domain alias

A custom domain name that you can use to replace the default domain name. The custom domain name must be publicly resolvable. A domain alias is the alias of the default domain name.

Note

A custom domain can be used as a domain alias only after the ownership of the custom domain is verified. After the ownership is verified, you can use the domain alias to replace the default domain name in all scenarios in which the default domain name is required.

For more information, see Create and verify a domain alias.

RAM user

A physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:

  • An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.

  • RAM users do not own resources. Fees that are generated by RAM users are billed to the Alibaba Cloud accounts to which the RAM users belong. RAM users do not receive individual bills and cannot make payments.

  • RAM users are visible only to the Alibaba Cloud account to which they belong.

  • Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After authorization, RAM users can manage resources that are owned by the Alibaba Cloud accounts.

For more information, see Create a RAM user.

password

An identity credential that is used to log on to the Alibaba Cloud Management Console.

Note

You cannot query the logon password. We recommend that you change your password on a regular basis and keep your password confidential.

For more information, see Change the logon password of a RAM user.

AccessKey pair

An AccessKey pair is a permanent access credential that is provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to identify a user.

  • The AccessKey secret is used to verify the identity of the user.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

You cannot use the AccessKey pair for console logons. When you use a development tool such as an API, CLI, SDK, or Terraform to access Alibaba Cloud, the initiated requests include the AccessKey ID and the signature that is generated to encrypt the requests by using the AccessKey secret. In this case, the AccessKey pair is used for identity verification and request validity verification.

For more information, see Create an AccessKey pair.

MFA

A security enhancement that adds an extra layer of protection in addition to your username and password. Multi-factor authentication (MFA) enhances security for your account. If MFA is enabled for a RAM user, the RAM user must perform the following operations when the RAM user logs on to the Alibaba Cloud Management Console:

  1. Enter the username and password of your account.

  2. Enter the verification code that is generated by the virtual MFA device. Alternatively, pass the U2F authentication.

For more information, see Bind an MFA device to an Alibaba Cloud account and Bind an MFA device to a RAM user.

RAM user group

A physical identity that contains a group of RAM users. You can create RAM user groups to classify and authorize RAM users. This simplifies the management of RAM users and permissions.

  • If the permissions of a RAM user change, you need to only move the RAM user to a RAM user group with the required permissions. This does not affect other RAM users.

    For more information, see Create a user group.

  • If the permissions of a RAM user group change, you need to only modify the policies that are attached to the group. The changes to the policies apply to all RAM users in the RAM user group.

    For more information, see Grant permissions to a RAM user group.

RAM role

A virtual identity to which policies can be attached. A RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token and use the STS token to access Alibaba Cloud resources as the RAM role.

RAM roles are classified into the following types based on trusted entities:

  • Alibaba Cloud account: This type of RAM role is used for cross-account access and temporary authorization. A RAM user that assumes this type of RAM role can belong only to a trusted Alibaba Cloud account. The trusted Alibaba Cloud account can be either the current Alibaba Cloud account or another Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

  • Alibaba Cloud service: This type of RAM role is used to authorize access across Alibaba Cloud services. Only trusted Alibaba Cloud services can assume this type of RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service and Service-linked roles.

  • Identity provider (IdP): This type of RAM role is used to implement SSO between Alibaba Cloud and a trusted IdP. Only users of a trusted IdP can assume this type of RAM role. For more information, see Create a RAM role for a trusted IdP.

SP

An application that uses the identity management feature of an IdP to provide users with specific services. A service provider (SP) uses the user information that is provided by an IdP. In some identity systems, such as OpenID Connect (OIDC) that do not comply with the SAML protocol, SP is known as the relying party of an IdP.

IdP

A RAM entity that provides identity management services. IdPs are classified into the following types:

  • IdPs that use an on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.

  • IdPs that use a cloud-based architecture, such as Azure AD, Google Workspace, Okta, and OneLogin.

SAML 2.0

A protocol that is designed for enterprise-level user identity authentication. Security Assertion Markup Language 2.0 (SAML 2.0) is used for communication between an SP and an IdP. SAML 2.0 is a standard that enterprises use to implement SSO.

SSO

Alibaba Cloud supports SAML 2.0-based and OIDC-based SSO. This feature is also known as identity federation. Alibaba Cloud provides the following SSO methods:

  • User-based SSO

    The RAM user identity that you can use to log on to the Alibaba Cloud Management Console is determined based on an SAML assertion. After you log on to the Alibaba Cloud Management Console, you can access Alibaba Cloud resources as a RAM user. For more information, see Overview of user-based SSO.

  • Role-based SSO

    Alibaba Cloud supports SAML 2.0-based SSO and OIDC-based SSO.

    • SAML 2.0-based SSO: The RAM role that you can use to log on to the Alibaba Cloud Management Console is determined based on a SAML assertion. After you log on to the Alibaba Cloud Management Console, you can use the RAM role specified in the SAML assertion to access Alibaba Cloud resources. For more information, see Overview

    • OIDC-based SSO: You can use an OIDC token that is issued by an IdP to call an Alibaba Cloud operation to assume a specific RAM role and use the OIDC token to obtain an STS token. Then, you can use the STS token to access Alibaba Cloud resources. For more information, see Overview of OIDC-based SSO.

metadata file

The metadata file that is provided by your IdP. The metadata file is in the XML format in most cases. The metadata file contains the logon URLs, the public key that is used to verify SAML assertions, and the assertion format.

SAML assertion

A core element that is defined in the SAML protocol. This element describes the authentication request and response. For example, the SAML assertion for an authentication response can contain user attributes.

trust

A mutual trust relationship between an SP and an IdP. In most cases, the trust relationship is established by using public and private keys. An SP can obtain the SAML metadata of a trusted IdP. The metadata includes a public key. The SP uses the public key to verify the integrity of the SAML assertion that is issued by the IdP.

Terms for access control

Term

Description

permission

Indicates whether a user is allowed to perform specific operations on a specific Alibaba Cloud resource. Permissions include Allow and Deny.

Operations include the following two types:

  • Resource management operations: the lifecycle management and O&M of Alibaba Cloud resources. These operations are performed by the Alibaba Cloud account that purchases the resources or by O&M staff in an organization. For example, an authorized user can create, stop, or restart Elastic Compute Service (ECS) instances, or create, modify, or delete Object Storage Service (OSS) buckets.

  • Resource using operations: operations on the core features of Alibaba Cloud resources. These operations are performed by R&D staff or applications in an organization. For example, an authorized user can perform operations in the operating system of an ECS instance, or upload or download data in OSS.

    Note
    • For elastic computing and database services, the permissions on resource management operations can be managed by using RAM. However, the permissions on resource using operations are managed in service instances. For example, the permissions on the operating systems are managed in ECS instances and the permissions on MySQL databases are managed in ApsaraDB RDS instances.

    • For storage services, such as OSS and Tablestore, both resource management operations and resource using operations can be managed by using RAM.

policy

A set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. A policy is a type of simple language specification that describes a set of permissions. For more information, see Policy structure and syntax.

In RAM, a policy is a resource entity. RAM supports the following two types of policy:

  • System policy: System policies are created and upgraded by Alibaba Cloud. You can use system policies but cannot modify them.

  • Custom policy: You can create, modify, delete, and upgrade custom policies to meet your business requirements.

You can attach one or more policies to RAM users, RAM user groups, and RAM roles. For more information, see Grant permissions to RAM users, Grant permissions to a RAM user group, and Grant permissions to a RAM role.

principal

The subject to which a specific permission is granted. The authorized principal can be a RAM user, RAM user group, or RAM role.

effect

The authorization effect. The effect is a basic element of a policy. Valid values are Allow and Deny.

action

The operation to be performed on a specific Alibaba Cloud resource. The action is a basic element of a policy. Valid values are the names of operations from Alibaba Cloud services.

condition

The condition for the authorization to take effect. The condition is a basic element of a policy.

resource

A manageable object that is provided by an Alibaba Cloud service. For example, objects can be OSS buckets and ECS instances.

ARN

A globally unique name that is used to identify a resource in Alibaba Cloud. When you grant permissions on a resource, you must specify the Alibaba Cloud Resource Name (ARN) of the resource in the acs:<ram-code>:<region>:<account-id>:<relative-id> format.

  • acs: the initialism of Alibaba Cloud Service, which indicates the public cloud of Alibaba Cloud.

  • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Services that work with RAM.

  • region: information about the region. This parameter is set to an asterisk (*) for a global resource. A global resource can be accessed without the need to specify a region. For more information, see Regions and zones.

  • account-id: the ID of the Apsara Stack tenant account. For example, you can enter 123456789012****.

  • relative-id: the identifier of the service-related resource. The meaning of this element varies based on services. The format of the relative-id field is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an OSS object.