RAM authorization - Identity as a Service - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by EIAM. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate EIAM is [{"popCode":"Eiam","ramCodes":["eiam"]},{"popCode":"Eiam-inner","ramCodes":[]}]. You can grant permissions on EIAM at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

EIAM defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
eiam:ListOrganizationalUnitsForApplication	ListOrganizationalUnitsForApplication	list	All Resources *	None	None
eiam:DisableApplication	DisableApplication		Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:AuthorizeApplicationToUsers	AuthorizeApplicationToUsers	Write	All Resources *	None	None
eiam:EnableUser	EnableUser	update	All Resources *	None	None
eiam:CreateApplication	CreateApplication	create	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/*	None	None
eiam:UpdateOrganizationalUnitDescription	UpdateOrganizationalUnitDescription	update	All Resources *	None	None
eiam:SetPasswordInitializationConfiguration	SetPasswordInitializationConfiguration	update	All Resources *	None	None
eiam:EnableApplicationProvisioning	EnableApplicationProvisioning	Write	All Resources *	None	None
eiam:GetForgetPasswordConfiguration	GetForgetPasswordConfiguration	get	All Resources *	None	None
eiam:SetApplicationGrantScope	SetApplicationGrantScope		Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:AuthorizeApplicationToOrganizationalUnits	AuthorizeApplicationToOrganizationalUnits	Write	All Resources *	None	None
eiam:ListApplicationClientSecrets	ListApplicationClientSecrets	list	All Resources *	None	None
eiam:RevokeApplicationFromOrganizationalUnits	RevokeApplicationFromOrganizationalUnits	Write	All Resources *	None	None
eiam:DeleteInstance	DeleteInstance	delete	Instance acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
eiam:EnableApplicationApiInvoke	EnableApplicationApiInvoke	Write	All Resources *	None	None
eiam:RemoveUsersFromGroup	RemoveUsersFromGroup	delete	All Resources *	None	None
eiam:UpdateOrganizationalUnit	UpdateOrganizationalUnit	update	All Resources *	None	None
eiam:ListOrganizationalUnits	ListOrganizationalUnits	get	All Resources *	None	None
eiam:UpdateUserDescription	UpdateUserDescription	update	All Resources *	None	None
eiam:DeleteOrganizationalUnitChildren	DeleteOrganizationalUnitChildren	Write	All Resources *	None	None
eiam:GetPasswordComplexityConfiguration	GetPasswordComplexityConfiguration	get	All Resources *	None	None
eiam:UpdateOrganizationalUnitParentId	UpdateOrganizationalUnitParentId	update	All Resources *	None	None
eiam:ListGroupsForApplication	ListGroupsForApplication	list	All Resources *	None	None
eiam:ListRegions	ListRegions	get	All Resources *	None	None
eiam:CreateOrganizationalUnit	CreateOrganizationalUnit	create	All Resources *	None	None
eiam:DeleteUser	DeleteUser	delete	All Resources *	None	None
eiam:ListGroupsForUser	ListGroupsForUser	get	All Resources *	None	None
eiam:UpdateGroup	UpdateGroup	update	All Resources *	None	None
eiam:SetApplicationProvisioningConfig	SetApplicationProvisioningConfig	Write	All Resources *	None	None
eiam:DeleteOrganizationalUnit	DeleteOrganizationalUnit	delete	All Resources *	None	None
eiam:GetPasswordInitializationConfiguration	GetPasswordInitializationConfiguration	get	All Resources *	None	None
eiam:ListApplications	ListApplications	list	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/*	None	None
eiam:AuthorizeApplicationToGroups	AuthorizeApplicationToGroups	Write	All Resources *	None	None
eiam:RevokeApplicationFromUsers	RevokeApplicationFromUsers	Write	All Resources *	None	None
eiam:DeleteApplicationClientSecret	DeleteApplicationClientSecret	Write	All Resources *	None	None
eiam:GetOrganizationalUnit	GetOrganizationalUnit	get	All Resources *	None	None
eiam:SetForgetPasswordConfiguration	SetForgetPasswordConfiguration	Write	All Resources *	None	None
eiam:ListUsersForGroup	ListUsersForGroup	get	All Resources *	None	None
eiam:UpdateApplicationDescription	UpdateApplicationDescription		Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:ListGroups	ListGroups	get	All Resources *	None	None
eiam:GetApplicationGrantScope	GetApplicationGrantScope	get	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:UpdateInstanceDescription	UpdateInstanceDescription	update	Instance acs:eiam:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
eiam:GetApplicationSsoConfig	GetApplicationSsoConfig	get	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:SetPasswordHistoryConfiguration	SetPasswordHistoryConfiguration	update	All Resources *	None	None
eiam:CreateApplicationClientSecret	CreateApplicationClientSecret	Write	All Resources *	None	None
eiam:DeleteApplication	DeleteApplication	delete	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:DisableUser	DisableUser	update	All Resources *	None	None
eiam:EnableApplication	EnableApplication		Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:SetPasswordComplexityConfiguration	SetPasswordComplexityConfiguration	update	All Resources *	None	None
eiam:GetApplicationProvisioningConfig	GetApplicationProvisioningConfig	get	All Resources *	None	None
eiam:ListApplicationsForOrganizationalUnit	ListApplicationsForOrganizationalUnit	list	All Resources *	None	None
eiam:GetPasswordExpirationConfiguration	GetPasswordExpirationConfiguration	get	All Resources *	None	None
eiam:SetPasswordExpirationConfiguration	SetPasswordExpirationConfiguration	update	All Resources *	None	None
eiam:AddUsersToGroup	AddUsersToGroup	create	All Resources *	None	None
eiam:DisableApplicationApiInvoke	DisableApplicationApiInvoke	Write	All Resources *	None	None
eiam:DisableApplicationProvisioning	DisableApplicationProvisioning	Write	All Resources *	None	None
eiam:DeleteGroup	DeleteGroup	delete	All Resources *	None	None
eiam:RevokeApplicationFromGroups	RevokeApplicationFromGroups	Write	All Resources *	None	None
eiam:ListApplicationsForUser	ListApplicationsForUser	list	All Resources *	None	None
eiam:GetRootOrganizationalUnit	GetRootOrganizationalUnit	get	All Resources *	None	None
eiam:CreateGroup	CreateGroup	create	All Resources *	None	None
eiam:SetUserPrimaryOrganizationalUnit	SetUserPrimaryOrganizationalUnit	update	All Resources *	None	None
eiam:ListInstances	ListInstances	get	Instance acs:eiam:{#regionId}:{#accountId}:instance/*	None	None
eiam:GetApplication	GetApplication	get	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:UpdateApplicationAuthorizationType	UpdateApplicationAuthorizationType	Write	All Resources *	None	None
eiam:GetGroup	GetGroup	get	All Resources *	None	None
eiam:ListUsers	ListUsers	get	All Resources *	None	None
eiam:GetPasswordHistoryConfiguration	GetPasswordHistoryConfiguration	get	All Resources *	None	None
eiam:UpdateUser	UpdateUser	update	All Resources *	None	None
eiam:EnableApplicationClientSecret	EnableApplicationClientSecret	Write	All Resources *	None	None
eiam:GetInstance	GetInstance		Instance acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
eiam:UpdateUserPassword	UpdateUserPassword	update	All Resources *	None	None
eiam:CreateInstance	CreateInstance	create	Instance acs:eiam:{#regionId}:{#accountId}:instance/*	None	None
eiam:SetApplicationSsoConfig	SetApplicationSsoConfig	create	Application acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}	None	None
eiam:UnlockUser	UnlockUser	update	All Resources *	None	None
eiam:DisableApplicationClientSecret	DisableApplicationClientSecret	Write	All Resources *	None	None
eiam:ObtainApplicationClientSecret	ObtainApplicationClientSecret	Read	All Resources *	None	None
eiam:RemoveUserFromOrganizationalUnits	RemoveUserFromOrganizationalUnits	delete	All Resources *	None	None
eiam:UpdateGroupDescription	UpdateGroupDescription	update	All Resources *	None	None
eiam:ListUsersForApplication	ListUsersForApplication	list	All Resources *	None	None
eiam:CreateUser	CreateUser	create	All Resources *	None	None
eiam:AddUserToOrganizationalUnits	AddUserToOrganizationalUnits	create	All Resources *	None	None
eiam:GetUser	GetUser	get	All Resources *	None	None

Resource

EIAM defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
Application	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}
DomainProxyToken	acs:eiam:{#regionId}:{#accountId}:instance/${#InstanceId}/domain/${#DomainId}/domainproxytoken/${#DomainProxyTokenId}
DomainProxyToken	acs:eiam:{#regionId}:{#accountId}:*
Domain	acs:eiam:{#regionId}:{#accountId}:instance/${#InstanceId}/domain/${#DomainId}
Application	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/*
Application	acs:eiam:{#regionId}:{#accountId}:*
Instance	acs:eiam:{#regionId}:{#accountId}:*
Instance	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}
IdentityProvider	acs:eiam:{#regionId}:{#accountId}:*
ConditionalAccessPolicy	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/conditionalaccesspolicy/{#ConditionalAccessPolicyId}
NetworkZone	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/networkzone/{#NetworkZoneId}
ConditionalAccessPolicy	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/conditionalaccesspolicy/*
Domain	acs:eiam:{#regionId}:{#accountId}:*
NetworkAccessEndpoint	acs:eiam:{#regionId}:{#accountId}:*
DomainProxyToken
NetworkZone	acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/networkzone/*
Instance	acs:eiam:{#regionId}:{#accountId}:instance/*

Condition

EIAM does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: