Sharing your Alibaba Cloud account credentials with team members exposes all account resources to security risks. Resource Access Management (RAM) lets you create separate user identities with only the Application Real-Time Monitoring Service (ARMS) permissions each person or application needs -- enforcing least-privilege access without sharing your Alibaba Cloud account credentials.
ARMS permission policies
ARMS provides two system policies. Choose one based on the access level required:
| Policy | What it allows | Typical use case |
|---|---|---|
| AliyunARMSFullAccess | View, edit, and delete instances across all ARMS sub-services | Administrators who configure monitoring tasks, manage alerts, and maintain ARMS resources |
| AliyunARMSReadOnlyAccess | View instance information across all ARMS sub-services (no edit or delete operations) | Team members who only need to view dashboards, traces, and monitoring data |
AliyunARMSFullAccess already includes all read permissions. Do not attach both policies to the same RAM user.
To grant read-only access scoped to a specific resource group, attach both AliyunARMSReadOnlyAccess and the ReadTraceApp permission. Without ReadTraceApp, ARMS cannot display the application list for that resource group.
Prerequisites
Before you begin, make sure that you have:
- Activated ARMS. For more information, see Activate ARMS.
- An activated RAM service. For more information, see Activate RAM.
Step 1: Create a RAM user
- Log on to the RAM console with an Alibaba Cloud account or a RAM user that has administrative privileges.
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, click Create User.
- In the User Account Information section, configure the following parameters:

  | Parameter | Description |
  |---|---|
  | Logon Name | Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_). |
  | Display Name | Up to 128 characters. |
  | Tag | Click the edit icon to add one or more key-value tags for organizing and managing the RAM user. |

  Note: To create multiple RAM users at once, click Add User.
- In the Access Mode section, select an access mode. Select one access mode per RAM user to keep human and programmatic access separate:
  - Console Access: for team members who access the Alibaba Cloud Management Console.

    | Parameter | Description |
    |---|---|
    | Set Console Password | Select Automatically Regenerate Default Password or Reset Custom Password. Custom passwords must meet the password policy requirements. |
    | Password Reset | Specify whether the RAM user must reset the password at next logon. |
    | Enable MFA | Enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, bind an MFA device. |
  - Using permanent AccessKey to access: for applications that call API operations. The system generates an AccessKey ID and AccessKey secret automatically.

    Important:
    - The AccessKey secret is displayed only at creation time. Back it up immediately -- it cannot be retrieved later.
    - Permanent AccessKey pairs pose security risks if leaked. For production workloads, use temporary credentials from Security Token Service (STS). For more information, see Best practices for using access credentials to call API operations.
- Click OK.
- Complete the security verification as prompted.
Step 2: Grant ARMS permissions to the RAM user
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose Identities > Users.
- Find the target RAM user and click Add Permissions in the Actions column.

  Note: To grant permissions to multiple RAM users at once, select the RAM users and click Add Permissions at the bottom of the page.
- In the Grant Permission panel, configure the following parameters:
  - Set Resource Scope:
    - Account: The policy applies to all resources under the current Alibaba Cloud account.
    - ResourceGroup: The policy applies only to resources in a specific resource group. Verify that ARMS supports resource groups before selecting this option. For more information, see Services that work with Resource Group.
  - Verify the Principal. The current RAM user is selected by default.
  - Select a Policy:
    - System policies: Created by Alibaba Cloud. You can use but cannot modify these policies. Version updates are maintained by Alibaba Cloud. Select AliyunARMSFullAccess or AliyunARMSReadOnlyAccess based on your requirements. For more information, see Services that work with RAM.

      Note: The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Follow the principle of least privilege -- grant only the permissions each RAM user needs.
    - Custom policies: Define fine-grained permissions tailored to your requirements. For more information, see Create a custom policy.
  - Click Grant permissions.
- Click Close.
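The three rules stated on this page (do not attach both ARMS policies to one user; avoid high-risk policies such as AdministratorAccess and AliyunRAMFullAccess; pair a resource-group-scoped AliyunARMSReadOnlyAccess with ReadTraceApp) are easy to check before anyone clicks Grant permissions. The following script is an added example, not Alibaba Cloud or RAM console code: it audits a planned list of grants expressed as plain dictionaries (the input format, the sample users and the severity labels are assumptions made for illustration) and reports the violations, which covers both the policy-selection section above and this Step 2 procedure.

```python
"""Audit a planned set of RAM policy grants for ARMS against the rules
stated in this guide. Added example, not Alibaba Cloud code; the grant
dict format and the severity labels are assumptions for illustration."""

from collections import defaultdict

ARMS_FULL = "AliyunARMSFullAccess"
ARMS_READONLY = "AliyunARMSReadOnlyAccess"
# Policies the RAM console flags as high-risk (both are named on this page).
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}


def audit_grants(grants):
    """Return a list of (user, severity, message) findings.

    Each grant is a dict with keys:
      user   - RAM user logon name
      policy - system policy name
      scope  - "Account" or "ResourceGroup"
      extra  - optional set of additional permissions, e.g. {"ReadTraceApp"}
    """
    findings = []
    by_user = defaultdict(list)
    for g in grants:
        by_user[g["user"]].append(g)

    for user, user_grants in by_user.items():
        policies = {g["policy"] for g in user_grants}

        # Rule 1: FullAccess already contains every read permission,
        # so attaching ReadOnlyAccess as well is redundant.
        if ARMS_FULL in policies and ARMS_READONLY in policies:
            findings.append((user, "warning",
                f"{ARMS_READONLY} is redundant: {ARMS_FULL} already includes it"))

        # Rule 2: high-risk policies grant far more than ARMS needs.
        for p in sorted(policies & HIGH_RISK):
            findings.append((user, "high",
                f"{p} violates least privilege; attach an ARMS policy instead"))

        # Rule 3: resource-group-scoped read-only access needs ReadTraceApp,
        # otherwise ARMS cannot display the application list.
        for g in user_grants:
            if (g["policy"] == ARMS_READONLY and g["scope"] == "ResourceGroup"
                    and "ReadTraceApp" not in g.get("extra", set())):
                findings.append((user, "error",
                    "ResourceGroup-scoped read-only access requires ReadTraceApp"))
    return findings


# Constructed sample plan: four RAM users, three of them with a mistake.
SAMPLE_PLAN = [
    {"user": "alice", "policy": ARMS_FULL, "scope": "Account"},
    {"user": "alice", "policy": ARMS_READONLY, "scope": "Account"},
    {"user": "bob", "policy": ARMS_READONLY, "scope": "ResourceGroup"},
    {"user": "carol", "policy": "AdministratorAccess", "scope": "Account"},
    {"user": "dave", "policy": ARMS_READONLY, "scope": "ResourceGroup",
     "extra": {"ReadTraceApp"}},
]

if __name__ == "__main__":
    for user, severity, msg in audit_grants(SAMPLE_PLAN):
        print(f"[{severity}] {user}: {msg}")
```

Running it on the constructed plan reports alice (redundant policy), bob (missing ReadTraceApp) and carol (high-risk policy); dave passes because the read-only grant carries ReadTraceApp.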
Next steps
After creating and authorizing a RAM user, share the credentials with the team member.
Log on to the console as a RAM user
- Go to the RAM user logon page.
- Enter the RAM user logon name in one of the following formats and click Next:

  | Format | Example | When to use |
  |---|---|---|
  | <UserName>@<AccountAlias>.onaliyun.com | alice@company.onaliyun.com | Default domain name |
  | <UserName>@<AccountAlias> | alice@company | Account alias |
  | <UserName>@<DomainAlias> | alice@example.com | Custom domain alias (if configured) |

  For more information about <AccountAlias> and <DomainAlias>, see Terms, View and modify the default domain name, and Create and verify a domain alias.
- Enter the password and click Log On.
- (Optional) If MFA is enabled, complete the MFA verification. For more information, see MFA overview and Bind an MFA device to a RAM user.
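The logon name table above describes three formats that differ only in what follows the `@`. The parser below is an added example, not Alibaba Cloud code: it splits a logon name into user name and suffix, applies the Logon Name character rule from the Create User form (up to 64 characters; letters, digits, periods, hyphens, underscores), and classifies the suffix as the default domain, an account alias or a custom domain alias. The function names and the returned dict layout are assumptions made for illustration.

```python
"""Parse and validate a RAM user logon name in the three formats listed
in this guide. Added example, not Alibaba Cloud code; the function names
and the returned dict layout are assumptions for illustration."""

import re

# Logon Name rule from the Create User form: up to 64 characters made of
# letters, digits, periods (.), hyphens (-) and underscores (_).
_USER_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
DEFAULT_DOMAIN_SUFFIX = ".onaliyun.com"


def parse_logon_name(logon):
    """Split '<UserName>@<suffix>' and classify the suffix.

    Returns {"user_name", "suffix", "format"}, where format is one of
    "default_domain", "account_alias" or "domain_alias".
    Raises ValueError for malformed input.
    """
    if logon.count("@") != 1:
        raise ValueError("logon name must contain exactly one '@'")
    user_name, suffix = logon.split("@")
    if not _USER_NAME_RE.match(user_name):
        raise ValueError("user name violates the RAM logon name rules")
    if not suffix:
        raise ValueError("missing account alias or domain after '@'")

    if suffix.lower().endswith(DEFAULT_DOMAIN_SUFFIX):
        # <UserName>@<AccountAlias>.onaliyun.com
        if len(suffix) == len(DEFAULT_DOMAIN_SUFFIX):
            raise ValueError("account alias is empty")
        fmt = "default_domain"
    elif "." in suffix:
        # <UserName>@<DomainAlias>: only works once the domain alias has
        # been created and verified for the account.
        fmt = "domain_alias"
    else:
        # <UserName>@<AccountAlias>
        fmt = "account_alias"
    return {"user_name": user_name, "suffix": suffix, "format": fmt}


def is_valid_logon_name(logon):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        parse_logon_name(logon)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs matching the three rows of the table.
    for sample in ("alice@company.onaliyun.com", "alice@company", "alice@example.com"):
        print(sample, "->", parse_logon_name(sample)["format"])
```

A logon name without an `@`, with an empty alias, or with a user name that breaks the character rule is rejected rather than silently classified.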
Call API operations with the RAM user AccessKey pair
Specify the RAM user's AccessKey ID and AccessKey secret in your API calls. For more information, see Obtain an AccessKey pair.