
Mobile Platform as a Service: Implement application-level access control for RAM users

Last Updated: Jan 23, 2026

This topic describes how to implement application-level access control for Resource Access Management (RAM) users.

Prerequisites

  1. You have an Alibaba Cloud account. If you do not have one, see Account Registration.

  2. You have a RAM user. If you do not have one, see Create a RAM user.

    Note

    For RAM account configuration, please refer to Configuring permissions.

Procedure

  1. Grant a RAM user permissions to access the mPaaS console.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the navigation pane on the left, under Identities, click Users.

    3. Select the RAM user that requires access to the mPaaS console and click Add Permissions.

    4. On the Add Permissions page, search for the AliyunMPAASFullAccess permission. Click the permission to add it, and then click OK. The RAM user can now access all applications created by the root account. If you do not need to further restrict access for this user, skip the following steps.

  2. Add a resource isolation policy for the RAM user.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the navigation pane on the left, under Permission Management, click Policies.

    3. Click Create Policy.

    4. Set the Mode to JSON.

      Note

      mPaaS does not currently support the visual editor.

    5. Edit the policy content. Use one of the following examples: the RAM rule to access specific applications, or the RAM rule to access all applications. In the rule for specific applications, the Deny statement on mpaas:FilterApp applies to every application whose App ID is not in the mpaas:AppId list, so replace the App ID in the rule with the App ID of the application that you want to authorize. To authorize multiple applications, list their App IDs separated by commas (,).

      • RAM rule to access specific applications:

        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "mpaas:FilterApp"
              ],
              "Resource": "*",
              "Effect": "Deny",
              "Condition": {
                "StringNotEquals": {
                  "mpaas:AppId": [
                    "ONEXCBAD96A290957",
                    "..."
                  ]
                }
              }
            },
            {
              "Action": [
                "mpaas:*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }

      • RAM rule to access all applications:

        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "mpaas:*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }

    6. Click Next: Edit basic information.

    7. Enter a policy name and a description, and then click OK.

    8. In the navigation pane on the left, under Identities, click Users.

    9. Select the RAM user that requires access to the mPaaS console and click Add Permissions.

    10. On the Add Permissions page, search for the custom policy that you just created. Click the policy to add it, and then click OK. The resource isolation policy is now attached to the RAM user.
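
The following Python sketch is an added example, not part of the original documentation and not Alibaba Cloud code: it builds the specific-applications policy from a list of App IDs and runs it through a simplified evaluator to show how the Deny statement narrows the broad Allow. The helper names, the placeholder App IDs and the evaluation model (only StringNotEquals is handled, and an explicit Deny takes precedence over Allow) are assumptions made for illustration.

```python
import json

def build_app_isolation_policy(app_ids):
    """Build the 'specific applications' policy shown above for the given App IDs."""
    ids = sorted({a.strip() for a in app_ids if a and a.strip()})
    if not ids:
        # An empty list would make the Deny statement match every application.
        raise ValueError("at least one App ID is required")
    return {
        "Version": "1",
        "Statement": [
            {"Action": ["mpaas:FilterApp"], "Resource": "*", "Effect": "Deny",
             "Condition": {"StringNotEquals": {"mpaas:AppId": ids}}},
            {"Action": ["mpaas:*"], "Resource": "*", "Effect": "Allow"},
        ],
    }

def _action_matches(patterns, action):
    return any(p == action or (p.endswith("*") and action.startswith(p[:-1]))
               for p in patterns)

def _condition_holds(condition, context):
    # Simplified model (assumption): only StringNotEquals is handled, and it
    # holds when the request value equals none of the listed values.
    for key, values in condition.get("StringNotEquals", {}).items():
        if context.get(key) in values:
            return False
    return True

def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _action_matches(st["Action"], action):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed placeholder App IDs, not real applications.
POLICY = build_app_isolation_policy(["APP_ID_ALLOWED_1", "APP_ID_ALLOWED_2"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # paste into the JSON policy editor
    for app in ("APP_ID_ALLOWED_1", "APP_ID_OTHER"):
        print(app, evaluate(POLICY, "mpaas:FilterApp", {"mpaas:AppId": app}))
```

Because the restriction is expressed as a Deny, it still applies when AliyunMPAASFullAccess from step 1 remains attached to the same RAM user.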