Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users least-privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy and the policy statement elements (Action, Resource, and Condition) that Identity as a Service defines for RAM permission policies. The RAM code (RamCode) for Identity as a Service is eiam, and the supported authorization granularity is RESOURCE.
General structure of a policy
Permission policies are written in JSON and have the following general structure:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "<Effect>",
                "Action": "<Action>",
                "Resource": "<Resource>",
                "Condition": {
                    "<Condition_operator>": {
                        "<Condition_key>": [
                            "<Condition_value>"
                        ]
                    }
                }
            }
        ]
    }

The following list describes the fields in the policy:
Version: Specifies the policy version number. It is fixed at 1.
Statement:
Effect: Specifies the authorization result. Valid values: Allow and Deny.
Action: Specifies one or more operations that are allowed or denied.
Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
Condition: Specifies the conditions for the authorization to take effect. This field is optional.
Condition_operator: Specifies the condition operator. Different types of conditions support different condition operators.
Condition_key: Specifies the condition keys.
Condition_value: Specifies the condition values.
Action
The following table lists the actions defined by Identity as a Service. The table's columns are detailed below:
Action: The action that you specify in the Action element of a RAM permission policy statement to grant permission to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of resource that supports authorization for the action. It indicates whether the action supports resource-level permissions. The specified resource must be compatible with the action; otherwise, the policy is ineffective.
For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy. For APIs without resource-level permissions, the column shows All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.
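The policy structure above and the table columns that follow (access level, required resource type) are what a reviewer checks when judging whether an eiam policy is well-formed and least-privilege. The following linter is an added example, not Alibaba Cloud tooling: it validates the documented shape (Version fixed at "1", Effect of Allow or Deny, Condition operators mapping to condition keys), looks each action up in a small excerpt of the action table constructed from this page, flags write-level actions granted on all resources where the action takes a resource type, and reports a resource ARN whose type is incompatible with the action, which the page says makes the policy ineffective. The ARN layout `acs:eiam:<region>:<account>:<ResourceType>/<id>`, the account and user ids, and both sample policies are assumptions constructed for the example.

```python
"""Lint an Alibaba Cloud RAM policy written for the eiam (Identity as a Service) service.

Added example; this is not Alibaba Cloud tooling. The policy shape follows the
page (Version "1", a Statement list with Effect/Action/Resource/Condition).
ACTION_TABLE is an excerpt constructed from the page's action table, and the
ARN layout "acs:eiam:<region>:<account>:<ResourceType>/<id>" is an assumption
used only to read the resource-type segment.
"""
import json
import re

# Excerpt of the page's action table: action -> (access level, required resource types).
# An empty tuple stands for the page's "All Resource" rows, which take Resource "*".
ACTION_TABLE = {
    "eiam:GetUser": ("get", ("User",)),
    "eiam:ListUsers": ("list", ("User",)),
    "eiam:DisableUser": ("update", ("User",)),
    "eiam:DeleteUsers": ("delete", ("User",)),
    "eiam:UpdateUserPassword": ("update", ("User",)),
    "eiam:ObtainApplicationClientSecret": ("get", ("Secret",)),
    "eiam:AuthorizeResourceServerScopesToUser": ("create", ("Application", "User")),
    "eiam:GetServiceQuota": ("get", ()),
}
WRITE_LEVELS = {"create", "update", "delete"}
# Assumed ARN shape (see module docstring); group 1 is the resource type.
ARN_RE = re.compile(r"^acs:eiam:[^:]*:[^:]*:([A-Za-z]+)/[^/]+$")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        findings.append('Version must be the fixed string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list):
        return findings + ["Statement must be a list"]
    for i, st in enumerate(statements):
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"Statement {i}: Effect must be Allow or Deny")
        cond = st.get("Condition")
        if cond is not None and (not isinstance(cond, dict)
                                 or not all(isinstance(v, dict) for v in cond.values())):
            findings.append(f"Statement {i}: each Condition operator must map to a dict of condition keys")
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if action.endswith("*"):
                findings.append(f"Statement {i}: wildcard action {action!r} defeats least privilege")
                continue
            if action not in ACTION_TABLE:
                findings.append(f"Statement {i}: unknown action {action!r}")
                continue
            level, required = ACTION_TABLE[action]
            for res in resources:
                if res == "*":
                    # Wildcard is always compatible; flag it only where a write-level
                    # action could have been scoped to a specific resource ARN.
                    if required and level in WRITE_LEVELS and effect == "Allow":
                        findings.append(f"Statement {i}: {action} ({level}) allowed on all resources; "
                                        f"scope it to a {'/'.join(required)} ARN")
                    continue
                match = ARN_RE.match(res)
                if not match:
                    findings.append(f"Statement {i}: {res!r} is neither '*' nor an eiam ARN")
                elif not required:
                    findings.append(f"Statement {i}: {action} has no resource-level permission; use '*'")
                elif match.group(1) not in required:
                    # Per the page, an incompatible resource makes the policy ineffective.
                    findings.append(f"Statement {i}: resource type {match.group(1)} is not compatible "
                                    f"with {action} (needs {'/'.join(required)}); statement is ineffective")
    return findings


def granted_levels(policy_json):
    """Access levels that Allow statements grant, to spot write rights at a glance."""
    levels = set()
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action in ACTION_TABLE:
                levels.add(ACTION_TABLE[action][0])
    return levels


# Constructed sample policies (account id and user id are placeholders).
GOOD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["eiam:GetUser", "eiam:ListUsers"],
         "Resource": "acs:eiam:*:123456789012****:User/user_example"},
        {"Effect": "Allow", "Action": "eiam:GetServiceQuota", "Resource": "*"},
    ],
})
BAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["eiam:DeleteUsers", "eiam:ObtainApplicationClientSecret"],
         "Resource": "acs:eiam:*:123456789012****:User/user_example"},
        {"Effect": "Allow", "Action": "eiam:DisableUser", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, sorted(granted_levels(policy)), lint_policy(policy) or "OK")
```

Run as a script, the first policy passes and only grants get and list, while the second yields two findings: a delete-level action is fine on its User ARN, but the Secret-typed ObtainApplicationClientSecret is incompatible with that ARN (ineffective), and DisableUser is granted on all resources. Extending ACTION_TABLE with the remaining rows of the table below turns this into a complete checker for the service.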
| Action | API | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- | --- |
| eiam:EnableFederatedCredentialProvider | EnableFederatedCredentialProvider | update | *FederatedCredentialProvider | None | None |
| eiam:SetPasswordExpirationConfiguration | SetPasswordExpirationConfiguration | update | *Instance | None | None |
| eiam:EnableApplicationFederatedCredential | EnableApplicationFederatedCredential | update | *ApplicationFederatedCredential | None | None |
| eiam:SetIdentityProviderUdPullConfiguration | SetIdentityProviderUdPullConfiguration | update | *IdentityProvider | None | None |
| eiam:DisableUser | DisableUser | update | *User | None | None |
| eiam:DeleteApplicationToken | DeleteApplicationToken | delete | *ApplicationToken | None | None |
| eiam:GetFederatedCredentialProvider | GetFederatedCredentialProvider | get | *FederatedCredentialProvider | None | None |
| eiam:ListGroups | ListGroups | list | *Group | None | None |
| eiam:ListOrganizationalUnitsForResourceServer | ListOrganizationalUnitsForResourceServer | list | *Application | None | None |
| eiam:GetPasswordInitializationConfiguration | GetPasswordInitializationConfiguration | get | *Instance | None | None |
| eiam:SetApplicationGrantScope | SetApplicationGrantScope | update | *Application | None | None |
| eiam:UpdateOrganizationalUnitParentId | UpdateOrganizationalUnitParentId | update | *OrganizationalUnit | None | None |
| eiam:ListApplicationFederatedCredentialsForProvider | ListApplicationFederatedCredentialsForProvider | list | *ApplicationFederatedCredential | None | None |
| eiam:GetCustomPrivacyPolicy | GetCustomPrivacyPolicy | get | *CustomPrivacyPolicy | None | None |
| eiam:EnableConditionalAccessPolicy | EnableConditionalAccessPolicy | update | *ConditionalAccessPolicy | None | None |
| eiam:UpdateResourceServerScope | UpdateResourceServerScope | update | *ResourceServerScope | None | None |
| eiam:EnableApplicationSso | EnableApplicationSso | update | *Application | None | None |
| eiam:EnableApplicationApiInvoke | EnableApplicationApiInvoke | update | *Application | None | None |
| eiam:GetApplicationTemplate | GetApplicationTemplate | get | *ApplicationTemplate | None | None |
| eiam:SetPasswordComplexityConfiguration | SetPasswordComplexityConfiguration | update | *Instance | None | None |
| eiam:ObtainApplicationClientSecret | ObtainApplicationClientSecret | get | *Secret | None | None |
| eiam:CreateBrand | CreateBrand | create | *Brand | None | None |
| eiam:CheckInstanceForDelete | CheckInstanceForDelete | get | *Instance | None | None |
| eiam:UpdateNetworkZoneDescription | UpdateNetworkZoneDescription | update | *NetworkZone | None | None |
| eiam:UpdateInstanceDescription | UpdateInstanceDescription | update | *Instance | None | None |
| eiam:CreateUser | CreateUser | create | *User | None | None |
| eiam:DeleteApplication | DeleteApplication | delete | *Application | None | None |
| eiam:CreateApplication | CreateApplication | create | *Application | None | None |
| eiam:CreateDomain | CreateDomain | create | *Domain | None | None |
| eiam:RemoveCustomPrivacyPoliciesFromBrand | RemoveCustomPrivacyPoliciesFromBrand | update | *Brand, *CustomPrivacyPolicy | None | None |
| eiam:GetApplicationProvisioningUserPrimaryOrganizationalUnit | GetApplicationProvisioningUserPrimaryOrganizationalUnit | get | *Application | None | None |
| eiam:ListOrganizationalUnits | ListOrganizationalUnits | list | *OrganizationalUnit | None | None |
| eiam:SetLoginRedirectApplicationForBrand | SetLoginRedirectApplicationForBrand | update | *Brand, *Application | None | None |
| eiam:CreateOrganizationalUnit | CreateOrganizationalUnit | create | *OrganizationalUnit | None | None |
| eiam:RevokeResourceServerScopesFromGroup | RevokeResourceServerScopesFromGroup | delete | *Application, *Group | None | None |
| eiam:DeleteConditionalAccessPolicy | DeleteConditionalAccessPolicy | delete | *ConditionalAccessPolicy | None | None |
| eiam:ListSynchronizationJobs | ListSynchronizationJobs | list | *SynchronizationJob | None | None |
| eiam:EnableApplication | EnableApplication | update | *Application | None | None |
| eiam:ListApplicationClientSecrets | ListApplicationClientSecrets | list | *Secret | None | None |
| eiam:ListUsersForAuthorizationRule | ListUsersForAuthorizationRule | list | *AuthorizationRule | None | None |
| eiam:SetInstanceControlConfiguration | SetInstanceControlConfiguration | update | *Instance | None | None |
| eiam:UnlockUser | UnlockUser | update | *User | None | None |
| eiam:ListCustomPrivacyPolicies | ListCustomPrivacyPolicies | list | *Brand | None | None |
| eiam:UpdateApplicationInfo | UpdateApplicationInfo | update | *Application | None | None |
| eiam:ListCloudAccounts | ListCloudAccounts | list | *CloudAccount | None | None |
| eiam:ListNetworkAccessEndpointAvailableRegions | ListNetworkAccessEndpointAvailableRegions | get | *All Resource | None | None |
| eiam:UpdateDomainIcpNumber | UpdateDomainIcpNumber | update | *Domain | None | None |
| eiam:GetPasswordExpirationConfiguration | GetPasswordExpirationConfiguration | get | *Instance | None | None |
| eiam:ListApplicationsForAuthorizationRule | ListApplicationsForAuthorizationRule | list | *AuthorizationRule | None | None |
| eiam:CreateNetworkZone | CreateNetworkZone | create | *NetworkZone | None | None |
| eiam:DeleteApplicationClientSecret | DeleteApplicationClientSecret | delete | *Secret | None | None |
| eiam:DeleteCustomPrivacyPolicy | DeleteCustomPrivacyPolicy | delete | *CustomPrivacyPolicy | None | None |
| eiam:RemoveApplicationFromAuthorizationRule | RemoveApplicationFromAuthorizationRule | delete | *AuthorizationRule, *Application | None | None |
| eiam:GetApplicationSsoConfig | GetApplicationSsoConfig | get | *Application | None | None |
| eiam:UpdateCloudAccountDescription | UpdateCloudAccountDescription | update | *CloudAccount | None | None |
| eiam:UpdateOrganizationalUnit | UpdateOrganizationalUnit | update | *OrganizationalUnit | None | None |
| eiam:DeleteCloudAccount | DeleteCloudAccount | delete | *CloudAccount | None | None |
| eiam:DeleteResourceServerScope | DeleteResourceServerScope | delete | *ResourceServerScope | None | None |
| eiam:ListNetworkZones | ListNetworkZones | list | *NetworkZone | None | None |
| eiam:RemoveGroupFromAuthorizationRule | RemoveGroupFromAuthorizationRule | delete | *AuthorizationRule, *Group | None | None |
| eiam:EnableApplicationToken | EnableApplicationToken | update | *ApplicationToken | None | None |
| eiam:GetApplicationGrantScope | GetApplicationGrantScope | get | *Application | None | None |
| eiam:ListConditionalAccessPoliciesForNetworkZone | ListConditionalAccessPoliciesForNetworkZone | list | *ConditionalAccessPolicy, *NetworkZone | None | None |
| eiam:CreateIdentityProviderStatusCheckJob | CreateIdentityProviderStatusCheckJob | create | *IdentityProvider | None | None |
| eiam:ListApplicationAccountsForUser | ListApplicationAccountsForUser | get | *User, *ApplicationAccount | None | None |
| eiam:GetSynchronizationJob | GetSynchronizationJob | get | *SynchronizationJob | None | None |
| eiam:ListGroupsForApplication | ListGroupsForApplication | list | *Application | None | None |
| eiam:EnableApplicationM2MClient | EnableApplicationM2MClient | update | *Application | None | None |
| eiam:GetIdentityProviderUdPushConfiguration | GetIdentityProviderUdPushConfiguration | get | *IdentityProvider | None | None |
| eiam:CreateNetworkAccessEndpoint | CreateNetworkAccessEndpoint | create | *NetworkAccessEndpoint | None | None |
| eiam:ListConditionalAccessPoliciesForUser | ListConditionalAccessPoliciesForUser | list | *ConditionalAccessPolicy | None | None |
| eiam:DeleteCustomField | DeleteCustomField | delete | *CustomField | None | None |
| eiam:ObtainApplicationToken | ObtainApplicationToken | get | *ApplicationToken | None | None |
| eiam:UpdateGroup | UpdateGroup | update | *Group | None | None |
| eiam:CreateCloudAccountRole | CreateCloudAccountRole | create | *CloudAccountRole | None | None |
| eiam:GetApplicationFederatedCredential | GetApplicationFederatedCredential | get | *ApplicationFederatedCredential | None | None |
| eiam:UpdateUserPassword | UpdateUserPassword | update | *User | None | None |
| eiam:UpdateAuthorizationRuleDescription | UpdateAuthorizationRuleDescription | update | *AuthorizationRule | None | None |
| eiam:EnableClientPublicKey | EnableClientPublicKey | update | *ClientPublicKey | None | None |
| eiam:SetInstanceGlobalizationConfig | SetInstanceGlobalizationConfig | update | *Instance | None | None |
| eiam:UpdateNetworkAccessEndpointName | UpdateNetworkAccessEndpointName | update | *NetworkAccessEndpoint | None | None |
| eiam:ListActionTrackEventTypes | ListActionTrackEventTypes | list | *Instance | None | None |
| eiam:RevokeApplicationFromGroups | RevokeApplicationFromGroups | delete | *Application | None | None |
| eiam:DisableApplicationApiInvoke | DisableApplicationApiInvoke | update | *Application | None | None |
| eiam:UpdateGroupDescription | UpdateGroupDescription | update | *Group | None | None |
| eiam:UpdateApplicationDescription | UpdateApplicationDescription | update | *Application | None | None |
| eiam:CreateApplicationFederatedCredential | CreateApplicationFederatedCredential | create | *ApplicationFederatedCredential | None | None |
| eiam:DisableApplicationResourceServer | DisableApplicationResourceServer | update | *Application | None | None |
| eiam:EnableDomainProxyToken | EnableDomainProxyToken | update | *DomainProxyToken | None | None |
| eiam:DisableClientPublicKey | DisableClientPublicKey | update | *ClientPublicKey | None | None |
| eiam:UpdateApplicationAdvancedConfig | UpdateApplicationAdvancedConfig | update | *Application | None | None |
| eiam:EnableIdentityProviderUdPull | EnableIdentityProviderUdPull | update | *IdentityProvider | None | None |
| eiam:DeleteNetworkAccessEndpoint | DeleteNetworkAccessEndpoint | delete | *NetworkAccessEndpoint | None | None |
| eiam:AddGroupToAuthorizationRule | AddGroupToAuthorizationRule | create | *AuthorizationRule, *Group | None | None |
| eiam:UpdateAuthorizationRuleApplicationAttachment | UpdateAuthorizationRuleApplicationAttachment | update | *AuthorizationRule, *Application | None | None |
| eiam:UpdateApplicationClientSecretExpirationTime | UpdateApplicationClientSecretExpirationTime | update | *Secret | None | None |
| eiam:DisableCustomPrivacyPolicy | DisableCustomPrivacyPolicy | update | *CustomPrivacyPolicy | None | None |
| eiam:DisableResourceServerCustomSubject | DisableResourceServerCustomSubject | update | *Application | None | None |
| eiam:ObtainDomainProxyToken | ObtainDomainProxyToken | get | *DomainProxyToken | None | None |
| eiam:AuthorizeResourceServerScopesToOrganizationalUnit | AuthorizeResourceServerScopesToOrganizationalUnit | create | *Application, *OrganizationalUnit | None | None |
| eiam:GetDomainDnsChallenge | GetDomainDnsChallenge | get | *Domain | None | None |
| eiam:DisableIdentityProviderAdvancedAbility | DisableIdentityProviderAdvancedAbility | update | *IdentityProvider | None | None |
| eiam:GetForgetPasswordConfiguration | GetForgetPasswordConfiguration | get | *AuthenticationSource | None | None |
| eiam:GetNetworkZone | GetNetworkZone | get | *NetworkZone | None | None |
| eiam:GetCustomField | GetCustomField | get | *CustomField | None | None |
| eiam:GetCloudAccountRole | GetCloudAccountRole | get | *CloudAccountRole | None | None |
| eiam:ListUserAuthnSourceMappings | ListUserAuthnSourceMappings | list | *User, *IdentityProvider | None | None |
| eiam:ListApplicationFederatedCredentials | ListApplicationFederatedCredentials | list | *ApplicationFederatedCredential | None | None |
| eiam:ListGroupsForResourceServer | ListGroupsForResourceServer | list | *Application | None | None |
| eiam:UpdateConditionalAccessPolicyDescription | UpdateConditionalAccessPolicyDescription | update | *ConditionalAccessPolicy | None | None |
| eiam:UpdateApplicationRole | UpdateApplicationRole | update | *ApplicationRole | None | None |
| eiam:SetUserPrimaryOrganizationalUnit | SetUserPrimaryOrganizationalUnit | update | *User | None | None |
| eiam:GetPasswordHistoryConfiguration | GetPasswordHistoryConfiguration | get | *Instance | None | None |
| eiam:DeleteApplicationRole | DeleteApplicationRole | delete | *ApplicationRole | None | None |
| eiam:UpdateNetworkZone | UpdateNetworkZone | update | *NetworkZone | None | None |
| eiam:GetNetworkAccessEndpoint | GetNetworkAccessEndpoint | get | *NetworkAccessEndpoint | None | None |
| eiam:RenewFreeLicenseEndTime | RenewFreeLicenseEndTime | update | *Instance | None | None |
| eiam:ListDomains | ListDomains | list | *Domain | None | None |
| eiam:ListResourceServersForUser | ListResourceServersForUser | list | *User | None | None |
| eiam:GetGroup | GetGroup | get | *Group | None | None |
| eiam:ListAuthorizationRules | ListAuthorizationRules | list | *AuthorizationRule | None | None |
| eiam:UpdateApplicationRoleDescription | UpdateApplicationRoleDescription | update | *ApplicationRole | None | None |
| eiam:RevokeResourceServerScopesFromOrganizationalUnit | RevokeResourceServerScopesFromOrganizationalUnit | delete | *Application, *OrganizationalUnit | None | None |
| eiam:ListUsers | ListUsers | list | *User | None | None |
| eiam:GenerateDownloadUrlForSynchronizationJob | GenerateDownloadUrlForSynchronizationJob | none | *SynchronizationJob | None | None |
| eiam:ListGroupsForAuthorizationRule | ListGroupsForAuthorizationRule | list | *AuthorizationRule | None | None |
| eiam:RunSynchronizationJob | RunSynchronizationJob | create | *SynchronizationJob | None | None |
| eiam:DisableApplicationToken | DisableApplicationToken | update | *ApplicationToken | None | None |
| eiam:UnbindUserAuthnSourceMapping | UnbindUserAuthnSourceMapping | update | *User, *IdentityProvider | None | None |
| eiam:DeleteUsers | DeleteUsers | delete | *User | None | None |
| eiam:DeleteNetworkZone | DeleteNetworkZone | delete | *NetworkZone | None | None |
| eiam:ListApplicationRoles | ListApplicationRoles | list | *ApplicationRole | None | None |
| eiam:DeleteFederatedCredentialProvider | DeleteFederatedCredentialProvider | delete | *FederatedCredentialProvider | None | None |
| eiam:DeleteDomainProxyToken | DeleteDomainProxyToken | delete | *DomainProxyToken | None | None |
| eiam:ListCustomPrivacyPoliciesForBrand | ListCustomPrivacyPoliciesForBrand | list | *Brand | None | None |
| eiam:CheckApplicationProvisioningUserPrimaryOrganizationalUnit | CheckApplicationProvisioningUserPrimaryOrganizationalUnit | none | *Application | None | None |
| eiam:ListAuthorizationRulesForApplication | ListAuthorizationRulesForApplication | list | *Application | None | None |
| eiam:EnableUser | EnableUser | update | *User | None | None |
| eiam:SetApplicationProvisioningUserPrimaryOrganizationalUnit | SetApplicationProvisioningUserPrimaryOrganizationalUnit | update | *Application | None | None |
| eiam:UpdateApplicationFederatedCredentialDescription | UpdateApplicationFederatedCredentialDescription | update | *ApplicationFederatedCredential | None | None |
| eiam:ListUsersForGroup | ListUsersForGroup | get | *Group | None | None |
| eiam:CreateGroup | CreateGroup | create | *Group | None | None |
| eiam:GetDomain | GetDomain | get | *Domain | None | None |
| eiam:ListOrganizationalUnitParents | ListOrganizationalUnitParents | get | *OrganizationalUnit | None | None |
| eiam:GetCloudAccount | GetCloudAccount | get | *CloudAccount | None | None |
| eiam:DeleteInstance | DeleteInstance | delete | *Instance | None | None |
| eiam:CreateClientPublicKey | CreateClientPublicKey | none | *ClientPublicKey | None | None |
| eiam:ListAuthorizationRulesForGroup | ListAuthorizationRulesForGroup | list | *Group | None | None |
| eiam:DisableIdentityProviderUdPull | DisableIdentityProviderUdPull | update | *IdentityProvider | None | None |
| eiam:DisableApplicationFederatedCredential | DisableApplicationFederatedCredential | update | *ApplicationFederatedCredential | None | None |
| eiam:CreateIdentityProvider | CreateIdentityProvider | create | *IdentityProvider | None | None |
| eiam:AddApplicationAccountToUser | AddApplicationAccountToUser | create | *User, *ApplicationAccount | None | None |
| eiam:ListNetworkAccessEndpointAvailableZones | ListNetworkAccessEndpointAvailableZones | get | *All Resource | None | None |
| eiam:GetOrganizationalUnit | GetOrganizationalUnit | get | *OrganizationalUnit | None | None |
| eiam:ListNetworkAccessEndpoints | ListNetworkAccessEndpoints | get | *NetworkAccessEndpoint | None | None |
| eiam:CreateCloudAccount | CreateCloudAccount | create | *CloudAccount | None | None |
| eiam:DeleteAuthorizationRule | DeleteAuthorizationRule | delete | *AuthorizationRule | None | None |
| eiam:EnableCustomField | EnableCustomField | update | *CustomField | None | None |
| eiam:EnableAuthorizationRule | EnableAuthorizationRule | update | *AuthorizationRule | None | None |
| eiam:DeleteBrand | DeleteBrand | delete | *Brand | None | None |
| eiam:SetDefaultDomain | SetDefaultDomain | update | *Domain | None | None |
| eiam:GetIdentityProviderStatusCheckJob | GetIdentityProviderStatusCheckJob | get | *IdentityProvider | None | None |
| eiam:ListApplicationAccounts | ListApplicationAccounts | list | *ApplicationAccount | None | None |
| eiam:GetConditionalAccessPolicy | GetConditionalAccessPolicy | get | *ConditionalAccessPolicy | None | None |
| eiam:ListBrands | ListBrands | list | *Brand | None | None |
| eiam:CreateAuthorizationRule | CreateAuthorizationRule | create | *AuthorizationRule | None | None |
| eiam:GetResourceServerScope | GetResourceServerScope | get | *ResourceServerScope | None | None |
| eiam:GetInstanceQuota | GetInstanceQuota | get | *Instance | None | None |
| eiam:ExecIdentityProviderMetadataUrlResolution | ExecIdentityProviderMetadataUrlResolution | get | *Instance | None | None |
| eiam:RevokeApplicationFromUsers | RevokeApplicationFromUsers | delete | *Application | None | None |
| eiam:DisableIdentityProviderAuthn | DisableIdentityProviderAuthn | update | *IdentityProvider | None | None |
| eiam:SetIdentityProviderAuthnConfiguration | SetIdentityProviderAuthnConfiguration | update | *IdentityProvider | None | None |
| eiam:ListOrganizationalUnitsForApplication | ListOrganizationalUnitsForApplication | list | *Application | None | None |
| eiam:UpdateApplicationSsoFormParams | UpdateApplicationSsoFormParams | update | *Application | None | None |
| eiam:AddUserToOrganizationalUnits | AddUserToOrganizationalUnits | create | *User | None | None |
| eiam:RevokeResourceServerScopesFromClient | RevokeResourceServerScopesFromClient | delete | *Application | None | None |
| eiam:EnableResourceServerCustomSubject | EnableResourceServerCustomSubject | update | *Application | None | None |
| eiam:UpdateAuthorizationRuleUserAttachment | UpdateAuthorizationRuleUserAttachment | update | *AuthorizationRule, *User | None | None |
| eiam:CreateApplicationRole | CreateApplicationRole | create | *ApplicationRole | None | None |
| eiam:SetApplicationResourceServerIdentifier | SetApplicationResourceServerIdentifier | update | *Application | None | None |
| eiam:DeleteAuthorizationResource | DeleteAuthorizationResource | delete | *AuthorizationResource | None | None |
| eiam:DisableInitDomainAutoRedirect | DisableInitDomainAutoRedirect | update | *Domain | None | None |
| eiam:RevokeResourceServerScopesFromUser | RevokeResourceServerScopesFromUser | delete | *Application, *User | None | None |
| eiam:DeleteWebAuthnAuthenticator | DeleteWebAuthnAuthenticator | delete | *Authenticator | None | None |
| eiam:EnableInternalAuthenticationSource | EnableInternalAuthenticationSource | update | *AuthenticationSource | None | None |
| eiam:EnableCloudAccountRole | EnableCloudAccountRole | update | *CloudAccountRole | None | None |
| eiam:AddUsersToGroup | AddUsersToGroup | create | *Group | None | None |
| eiam:DeleteIdentityProvider | DeleteIdentityProvider | delete | *IdentityProvider | None | None |
| eiam:CheckInstanceModuleStatus | CheckInstanceModuleStatus | get | *Instance | None | None |
| eiam:AuthorizeResourceServerToClient | AuthorizeResourceServerToClient | update | *Application | None | None |
| eiam:AuthorizeResourceServerScopesToGroup | AuthorizeResourceServerScopesToGroup | create | *Application, *Group | None | None |
| eiam:DisableCustomField | DisableCustomField | update | *CustomField | None | None |
| eiam:ListClientPublicKeys | ListClientPublicKeys | list | *ClientPublicKey | None | None |
| eiam:UpdateAuthorizationRule | UpdateAuthorizationRule | update | *AuthorizationRule | None | None |
| eiam:GetAuthorizationResource | GetAuthorizationResource | get | *AuthorizationResource | None | None |
| eiam:GetUser | GetUser | get | *User | None | None |
| eiam:ListApplicationsForUser | ListApplicationsForUser | list | *User | None | None |
| eiam:AuthorizeResourceServerScopesToClient | AuthorizeResourceServerScopesToClient | create | *Application | None | None |
| eiam:GetInstanceLicense | GetInstanceLicense | get | *Instance | None | None |
| eiam:DeleteClientPublicKey | DeleteClientPublicKey | delete | *ClientPublicKey | None | None |
| eiam:SetPrimaryClientPublicKey | SetPrimaryClientPublicKey | update | *ClientPublicKey | None | None |
| eiam:AuthorizeApplicationToUsers | AuthorizeApplicationToUsers | update | *Application | None | None |
| eiam:AuthorizeResourceServerScopesToUser | AuthorizeResourceServerScopesToUser | create | *Application, *User | None | None |
| eiam:CreateCustomField | CreateCustomField | create | *CustomField | None | None |
| eiam:CreateAuthorizationResource | CreateAuthorizationResource | create | *AuthorizationResource | None | None |
| eiam:CreateConditionalAccessPolicy | CreateConditionalAccessPolicy | create | *ConditionalAccessPolicy | None | None |
| eiam:UnbindTotpAuthenticator | UnbindTotpAuthenticator | update | *User | None | None |
| eiam:RevokeResourceServerFromClient | RevokeResourceServerFromClient | delete | *Application | None | None |
| eiam:ListAuthorizationResources | ListAuthorizationResources | list | *Instance | None | None |
| eiam:GetPasswordComplexityConfiguration | GetPasswordComplexityConfiguration | get | *Instance | None | None |
| eiam:GetApplication | GetApplication | get | *Application | None | None |
| eiam:UpdateCloudAccountRoleDescription | UpdateCloudAccountRoleDescription | update | *CloudAccountRole | None | None |
| eiam:DisableAuthorizationRule | DisableAuthorizationRule | update | *AuthorizationRule | None | None |
| eiam:RevokeApplicationFromOrganizationalUnits | RevokeApplicationFromOrganizationalUnits | delete | *Application | None | None |
| eiam:CreateInstanceTrialLicense | CreateInstanceTrialLicense | create | *Instance | None | None |
| eiam:DisableApplicationClientSecret | DisableApplicationClientSecret | update | *Secret | None | None |
| eiam:GetIdentityProviderUdPullConfiguration | GetIdentityProviderUdPullConfiguration | get | *IdentityProvider | None | None |
| eiam:UpdateApplicationTokenExpirationTime | UpdateApplicationTokenExpirationTime | update | *ApplicationToken | None | None |
| eiam:ListIdentityProvidersForNetworkAccessEndpoint | ListIdentityProvidersForNetworkAccessEndpoint | get | *NetworkAccessEndpoint | None | None |
| eiam:CreateInstance | CreateInstance | create | *Instance | None | None |
| eiam:GetApplicationProvisioningConfig | GetApplicationProvisioningConfig | get | *Application | None | None |
| eiam:AuthorizeApplicationToOrganizationalUnits | AuthorizeApplicationToOrganizationalUnits | create | *Application | None | None |
| eiam:ListApplications | ListApplications | list | *Application | None | None |
| eiam:DeleteCloudAccountRole | DeleteCloudAccountRole | delete | *CloudAccountRole | None | None |
| eiam:CreateFederatedCredentialProvider | CreateFederatedCredentialProvider | create | *FederatedCredentialProvider | None | None |
| eiam:GetServiceQuota | GetServiceQuota | get | *All Resource | None | None |
| eiam:UpdateApplicationAuthorizationType | UpdateApplicationAuthorizationType | update | *Application | None | None |
| eiam:EnableBrand | EnableBrand | update | *Brand | None | None |
| eiam:RemoveApplicationAccountFromUser | RemoveApplicationAccountFromUser | delete | *User, *ApplicationAccount | None | None |
| eiam:DisableDomainProxyToken | DisableDomainProxyToken | update | *DomainProxyToken | None | None |
| eiam:UpdateFederatedCredentialProvider | UpdateFederatedCredentialProvider | update | *FederatedCredentialProvider | None | None |
| eiam:GenerateFileImportTemplate | GenerateFileImportTemplate | update | *Instance | None | None |
| eiam:GetInstanceModuleInfo | GetInstanceModuleInfo | get | *Instance | None | None |
| eiam:RemoveUserFromAuthorizationRule | RemoveUserFromAuthorizationRule | delete | *AuthorizationRule, *User | None | None |
| eiam:EnableApplicationProvisioning | EnableApplicationProvisioning | update | *Application | None | None |
| eiam:UpdateConditionalAccessPolicy | UpdateConditionalAccessPolicy | update | *ConditionalAccessPolicy | None | None |
| eiam:UpdateCustomPrivacyPolicy | UpdateCustomPrivacyPolicy | update | *CustomPrivacyPolicy | None | None |
| eiam:ListApplicationsForNetworkZone | ListApplicationsForNetworkZone | list | *NetworkZone, *Application | None | None |
| eiam:EnableInitDomainAutoRedirect | EnableInitDomainAutoRedirect | update | *Domain | None | None |
| eiam:ListUsersForResourceServer | ListUsersForResourceServer | list | *Application | None | None |
| eiam:UpdateAuthorizationRuleGroupAttachment | UpdateAuthorizationRuleGroupAttachment | update | *AuthorizationRule, *Group | None | None |
| eiam:ListEventTypes | ListEventTypes | list | *All Resource | None | None |
| eiam:ListApplicationsForOrganizationalUnit | ListApplicationsForOrganizationalUnit | list | *OrganizationalUnit | None | None |
| eiam:SetApplicationProvisioningConfig | SetApplicationProvisioningConfig | update | *Application | None | None |
| eiam:ListApplicationsForNetworkAccessEndpoint | ListApplicationsForNetworkAccessEndpoint | get | *NetworkAccessEndpoint | None | None |
| eiam:UpdateOrganizationalUnitDescription | UpdateOrganizationalUnitDescription | update | *OrganizationalUnit | None | None |
| eiam:GetClientPublicKey | GetClientPublicKey | get | *ClientPublicKey | None | None |
| eiam:AddCustomPrivacyPoliciesToBrand | AddCustomPrivacyPoliciesToBrand | update | *Brand, *CustomPrivacyPolicy | None | None |
| eiam:ListInstances | ListInstances | get | *Instance | None | None |
| eiam:RemoveUsersFromGroup | RemoveUsersFromGroup | delete | *Group | None | None |
| eiam:SetWebAuthnConfiguration | SetWebAuthnConfiguration | update | *Instance | None | None |
| eiam:UpdateUserDescription | UpdateUserDescription | update | *User | None | None |
| eiam:BindUserAuthnSourceMapping | BindUserAuthnSourceMapping | update | *User, *IdentityProvider | None | None |
| eiam:GetLoginRedirectApplicationForBrand | GetLoginRedirectApplicationForBrand | get | *Brand | None | None |
| eiam:ListApplicationSupportedProvisionProtocolTypes | ListApplicationSupportedProvisionProtocolTypes | list | *Application | None | None |
| eiam:DisableApplication | DisableApplication | update | *Application | None | None |
| eiam:EnableCustomPrivacyPolicy | EnableCustomPrivacyPolicy | update | *CustomPrivacyPolicy | None | None |
| eiam:DeleteOrganizationalUnit | DeleteOrganizationalUnit | delete | *OrganizationalUnit | None | None |
| eiam:ListCloudAccountRoles | ListCloudAccountRoles | list | *CloudAccountRole | None | None |
| eiam:EnableApplicationResourceServer | EnableApplicationResourceServer | update | *Application | None | None |
| eiam:SetPasswordInitializationConfiguration | SetPasswordInitializationConfiguration | update | *Instance | None | None |
| eiam:AuthorizeApplicationToGroups | AuthorizeApplicationToGroups | create | *Application | None | None |
| eiam:ListEiamInstances | ListEiamInstances | list | *Instance | None | None |
| eiam:GetIdentityProvider | GetIdentityProvider | get | *IdentityProvider | None | None |
| eiam:ListIdentityProviders | ListIdentityProviders | list | *IdentityProvider | None | None |
| eiam:DisableFederatedCredentialProvider | DisableFederatedCredentialProvider | update | *FederatedCredentialProvider | None | None |
| eiam:DeleteDomain | DeleteDomain | delete | *Domain | None | None |
| eiam:CreateCustomPrivacyPolicy | CreateCustomPrivacyPolicy | create | *CustomPrivacyPolicy | None | None |
| eiam:DisableBrand | DisableBrand | update | *Brand | None | None |
| eiam:UpdateCloudAccount | UpdateCloudAccount | update | *CloudAccount | None | None |
| eiam:GetApplicationAdvancedConfig | GetApplicationAdvancedConfig | get | *Application | None | None |
| eiam:DeleteOrganizationalUnitChildren | DeleteOrganizationalUnitChildren | delete | *OrganizationalUnit | None | None |
| eiam:ListApplicationsForGroup | ListApplicationsForGroup | get | *Group | None | None |
| eiam:GenerateUploadAuth | GenerateUploadAuth | update | *Instance | None | None |
| eiam:ListNetworkAccessPaths | ListNetworkAccessPaths | list | *NetworkAccessPath | None | None |
| eiam:ListFederatedCredentialProviders | ListFederatedCredentialProviders | list | *FederatedCredentialProvider | None | None |
| eiam:SetApplicationProvisioningScope | SetApplicationProvisioningScope | update | *Application | None | None |
| eiam:ListEiamRegions | ListEiamRegions | none | *All Resource | None | None |
| eiam:UpdateFederatedCredentialProviderDescription | UpdateFederatedCredentialProviderDescription | update | *FederatedCredentialProvider | None | None |
| eiam:ListUsersForApplication | ListUsersForApplication | list | *Application | None | None |
| eiam:GetApplicationProvisioningScope | GetApplicationProvisioningScope | get | *Application | None | None |
| eiam:ListAuthorizationRulesForUser | ListAuthorizationRulesForUser | list | *User | None | None |
| eiam:DeleteApplicationFederatedCredential | DeleteApplicationFederatedCredential | delete | *ApplicationFederatedCredential | None | None |
| eiam:GetInstanceControlConfiguration | GetInstanceControlConfiguration | get | *Instance | None | None |
| eiam:EnableApplicationClientSecret | EnableApplicationClientSecret | update | *Secret | None | None |
| eiam:SetIdentityProviderUdPushConfiguration | SetIdentityProviderUdPushConfiguration | update | *IdentityProvider | None | None |
| eiam:DisableApplicationProvisioning | DisableApplicationProvisioning | update | *Application | None | None |
| eiam:DisableInternalAuthenticationSource | DisableInternalAuthenticationSource | update | *AuthenticationSource |
|
None | None |
| eiam:ListRegions | ListRegions | get |
*All Resource
|
None | None |
| eiam:ListApplicationTokens | ListApplicationTokens | list |
*ApplicationToken
|
None | None |
| eiam:AddApplicationToAuthorizationRule | AddApplicationToAuthorizationRule | create |
*AuthorizationRule
*Application
|
None | None |
| eiam:GetApplicationRole | GetApplicationRole | get |
*ApplicationRole
|
None | None |
| eiam:DeleteGroup | DeleteGroup | delete |
*Group
|
None | None |
| eiam:DisableConditionalAccessPolicy | DisableConditionalAccessPolicy | update |
*ConditionalAccessPolicy
|
None | None |
| eiam:UpdateDomainBrand | UpdateDomainBrand | update |
*Domain
|
None | None |
| eiam:ListConditionalAccessPoliciesForApplication | ListConditionalAccessPoliciesForApplication | list |
*Application
*ConditionalAccessPolicy
|
None | None |
| eiam:ListGroupsForUser | ListGroupsForUser | get |
*User
|
None | None |
| eiam:CreateDomainProxyToken | CreateDomainProxyToken | create |
*DomainProxyToken
|
None | None |
| eiam:UpdateApplicationFederatedCredential | UpdateApplicationFederatedCredential | update |
*ApplicationFederatedCredential
|
None | None |
| eiam:GetInstanceTrialStatus | GetInstanceTrialStatus | get |
*Instance
|
None | None |
| eiam:GenerateOauthToken | GenerateOauthToken | none |
*Application
|
None | None |
| eiam:DisableApplicationSso | DisableApplicationSso | update |
*Application
|
None | None |
| eiam:EnableIdentityProviderAuthn | EnableIdentityProviderAuthn | update |
*IdentityProvider
|
None | None |
| eiam:SetForgetPasswordConfiguration | SetForgetPasswordConfiguration | update |
*Instance
|
None | None |
| eiam:GetInstance | GetInstance | get |
*Instance
|
None | None |
| eiam:ListDomainProxyTokens | ListDomainProxyTokens | list |
*DomainProxyToken
|
None | None |
| eiam:GetBrand | GetBrand | get |
*Brand
|
None | None |
| eiam:UpdateUser | UpdateUser | update |
*User
|
None | None |
| eiam:GetRootOrganizationalUnit | GetRootOrganizationalUnit | get |
*Instance
|
None | None |
| eiam:DisableCloudAccountRole | DisableCloudAccountRole | update |
*CloudAccountRole
|
None | None |
| eiam:RemoveUserFromOrganizationalUnits | RemoveUserFromOrganizationalUnits | delete |
*User
|
None | None |
| eiam:UpdateIdentityProvider | UpdateIdentityProvider | update |
*IdentityProvider
|
None | None |
| eiam:CreateApplicationToken | CreateApplicationToken | create |
*ApplicationToken
|
None | None |
| eiam:CreateResourceServerScope | CreateResourceServerScope | create |
*ResourceServerScope
|
None | None |
| eiam:AddUserToAuthorizationRule | AddUserToAuthorizationRule | create |
*AuthorizationRule
*User
|
None | None |
| eiam:GetIdentityProviderAdvancedConfiguration | GetIdentityProviderAdvancedConfiguration | get |
*IdentityProvider
|
None | None |
| eiam:SetApplicationSsoConfig | SetApplicationSsoConfig | create |
*Application
|
None | None |
| eiam:CreateApplicationClientSecret | CreateApplicationClientSecret | create |
*Secret
|
None | None |
| eiam:EnableIdentityProviderAdvancedAbility | EnableIdentityProviderAdvancedAbility | update |
*IdentityProvider
|
None | None |
| eiam:DeleteUser | DeleteUser | delete |
*User
|
None | None |
| eiam:UpdateBrand | UpdateBrand | update |
*Brand
|
None | None |
| eiam:GetInstanceGlobalizationConfig | GetInstanceGlobalizationConfig | get |
*Instance
|
None | None |
| eiam:DisableApplicationM2MClient | DisableApplicationM2MClient | update |
*Application
|
None | None |
| eiam:ListConditionalAccessPolicies | ListConditionalAccessPolicies | list |
*ConditionalAccessPolicy
|
None | None |
| eiam:SetPasswordHistoryConfiguration | SetPasswordHistoryConfiguration | get |
*Instance
|
None | None |
| eiam:GetAuthorizationRule | GetAuthorizationRule | get |
*AuthorizationRule
|
None | None |
Resource
The following table lists the resources defined by Identity as a Service. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs in the format acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}, where:
acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).
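As an added example (not the page's or Alibaba Cloud's own code), the following Python assembles a read-only policy from a constructed subset of the action table above, parses a Resource value against the ARN format just described, and flags wildcard or state-changing grants so a reviewer can confirm least privilege. The per-resource ARN paths for eiam are not listed on this page, so the example uses an asterisk for the resource type and a constructed account ID.

```python
# Added example (not from the Alibaba Cloud page): build a read-only eiam policy
# and check its Resource ARN against acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}.
import re

# Constructed subset of the action table above (action -> access level).
EIAM_ACTIONS = {
    "eiam:GetInstance": "get",
    "eiam:ListIdentityProviders": "list",
    "eiam:GetIdentityProvider": "get",
    "eiam:UpdateIdentityProvider": "update",
    "eiam:DeleteUser": "delete",
}

# acs:<ramcode>:<regionId or *>:<accountId or *>:<resourceType>
ARN_RE = re.compile(r"^acs:([a-z0-9-]+):(\*|[a-z0-9-]+):(\*|\d+):(.+)$")

def parse_arn(arn):
    """Return the ARN fields as a dict, or None if the string is malformed."""
    m = ARN_RE.match(arn)
    if not m:
        return None
    ramcode, region, account, rtype = m.groups()
    return {"ramcode": ramcode, "regionId": region,
            "accountId": account, "resourceType": rtype}

def read_only_actions(actions=EIAM_ACTIONS):
    """Actions whose access level is get or list (they change no state)."""
    return sorted(a for a, level in actions.items() if level in ("get", "list"))

def build_policy(actions, resource):
    """Build one Allow statement, refusing ARNs that are malformed or not eiam."""
    fields = parse_arn(resource)
    if fields is None or fields["ramcode"] != "eiam":
        raise ValueError(f"not a valid eiam ARN: {resource}")
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}

def risky_grants(policy, actions=EIAM_ACTIONS):
    """Allowed actions that are wildcards or carry create/update/delete access."""
    risky = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        risky += [a for a in acts
                  if a.endswith("*") or actions.get(a) in ("create", "update", "delete")]
    return risky
```

Calling build_policy(read_only_actions(), "acs:eiam:*:123456789012:*") yields a statement that risky_grants reports as empty, while a statement containing eiam:* or eiam:DeleteUser is flagged.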
| Resource type | ARN |
| --- | --- |
| FederatedCredentialProvider | |
| Instance | |
| ApplicationFederatedCredential | |
| IdentityProvider | |
| User | |
| ApplicationToken | |
| Group | |
| Application | |
| OrganizationalUnit | |
| CustomPrivacyPolicy | |
| ConditionalAccessPolicy | |
| ResourceServerScope | |
| ApplicationTemplate | |
| Secret | |
| Brand | |
| NetworkZone | |
| Domain | |
| SynchronizationJob | |
| AuthorizationRule | |
| CloudAccount | |
| ApplicationAccount | |
| NetworkAccessEndpoint | |
| CustomField | |
| CloudAccountRole | |
| ClientPublicKey | |
| DomainProxyToken | |
| AuthenticationSource | |
| ApplicationRole | |
| AuthorizationResource | |
| Authenticator | |
| NetworkAccessPath | |
Condition
Identity as a Service does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.
How to create custom RAM policies?
You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: