All Products
Search

This Product

    Simple Message Queue (formerly MNS):Grant permissions to a RAM user

    Document Center

    Simple Message Queue (formerly MNS):Grant permissions to a RAM user

    Last Updated:Mar 10, 2026

    Simple Message Queue (formerly MNS) supports resource-level access control through Resource Access Management (RAM). Create RAM users for your team members and grant each user only the permissions they need, instead of sharing your Alibaba Cloud account AccessKey pair.

    With RAM, you can:

    • Avoid exposing your Alibaba Cloud account credentials

    • Grant fine-grained, role-specific permissions to each team member

    • Revoke access or delete user accounts at any time

    • Centralize billing under the Alibaba Cloud account while delegating resource operations

    How it works

    1. Create RAM users for team members who need access to Simple Message Queue (formerly MNS) resources such as queues and topics.

    2. Attach permission policies that match each user's role -- for example, full access, read-only access, or a custom policy scoped to specific actions.

    3. Share logon credentials or AccessKey pairs with the RAM users so they can access the console or call API operations.

    Important

    Follow the principle of least privilege. Grant each RAM user only the minimum permissions required for their tasks.

    Prerequisites

    Before you begin, ensure that you have:

    • An Alibaba Cloud account with RAM enabled

    • A RAM user that needs permissions. If you have not created one, see What is Resource Access Management?

    • RAM administrator privileges to assign policies

    Grant permissions from the Users page

    You can grant permissions from either the Users page or the Grants page. Both methods achieve the same result -- choose whichever fits your workflow.

    Start from a specific user and attach policies to them.

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user and click Add Permissions in the Actions column. To grant permissions to multiple users at once, select the users and click Add Permissions at the bottom of the page.

      Users page with Add Permissions button

    4. In the Grant Permission panel, configure the following settings:

      1. Set Resource Scope.

        Important

        If you select ResourceGroup, make sure that the required cloud service supports resource groups. For details, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

        • Account: The policy applies to all resources under the current Alibaba Cloud account.

        • ResourceGroup: The policy applies only to resources in a specific resource group.

      2. Confirm the Principal. The current RAM user is selected by default.

      3. Select one or more policies under Policy.

        • System policies are predefined by Alibaba Cloud and cannot be modified. For supported services, see Services that work with RAM.

          Note

          The console flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless strictly necessary.

        • Custom policies are user-managed. Create, update, or delete them based on your requirements. See Create a custom policy.

      4. Click Grant permissions.

    5. Click Close.

    Grant permissions from the Grants page

    Start from the permissions view and select which users to authorize.

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Permissions > Grants.

    3. On the Permission page, click Grant Permission.

      Grant Permission page

    4. In the Grant Permission panel, configure the following settings:

      1. Set Resource Scope.

        Important

        If you select Resource Group, make sure that the required cloud service supports resource groups. For details, see Services that work with Resource Group. For an example of resource-group-scoped authorization, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

        • Account: The policy applies to all resources under the current Alibaba Cloud account.

        • Resource Group: The policy applies only to resources in a specific resource group.

      2. Set the Principal. Select one or more RAM users to authorize.

      3. Select one or more access policies.

        • System policies are predefined by Alibaba Cloud and cannot be modified. For supported services, see Services that work with RAM.

          Note

          The console flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless strictly necessary.

        • Custom policies are user-managed. Create, update, or delete them based on your requirements. See Custom permission policy reference.

      4. Click Grant permissions.

    5. Click Close.

    What's next

    After granting permissions, share the RAM user's credentials with the team member so they can access Simple Message Queue (formerly MNS) resources.

    Log on to the console

    1. Open the RAM User Logon page in a browser.

    2. Enter the RAM user logon name and click Next, then enter the password and click Log On.

      Note

      The logon name uses the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. If no account alias is set, the Alibaba Cloud account ID is used by default.

    3. On the Alibaba Cloud Management Console page, navigate to the authorized product console.

    Call API operations

    Use the RAM user's AccessKey ID and AccessKey secret to authenticate API requests in your code.