Integrate NIS with RAM

Updated at: 2024-02-28 02:55

Resource Access Management (RAM) is an Alibaba Cloud service that helps you manage user identities and permissions on resources in a secure and centralized manner. Network Intelligence Service (NIS) allows you to use RAM to control access to NIS resources.

Overview

RAM uses permission control to regulate access from RAM users, RAM user groups, and RAM roles to a resource. A policy is a set of permissions. You can attach policies to RAM users, user groups, or RAM roles to grant them permissions on a resource.

Permissions

Alibaba Cloud accounts, RAM users, and resource creators have different default permissions.

  • An Alibaba Cloud account is the resource owner and controls all permissions.
    • Each Alibaba Cloud resource has only one owner. The owner must be an Alibaba Cloud account and has complete control over the resource.
    • The resource owner is not necessarily the resource creator. For example, if a RAM user has permissions to create Alibaba Cloud resources, the resources created by this RAM user belong to the Alibaba Cloud account of the RAM user. The RAM user is the resource creator, but is not the resource owner.
  • A RAM user has no permissions by default.
    • A RAM user is an identity that is used to manage resources. Before a RAM user can perform operations, the RAM user must be granted the required permissions by the Alibaba Cloud account. The required permissions must be granted by attaching one or more explicit allow policies.
    • A new RAM user can manage resources only after the RAM user is granted the required permissions.
  • As a resource creator, a RAM user is not automatically granted the permissions on the created resources.
    • A RAM user can create resources after the RAM user is granted the required permissions.
    • To grant the RAM user the required permissions, the resource owner must attach one or more explicit allow policies to the RAM user.

Permission policy

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.

RAM supports the following two types of policies:

  • System policy: System policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them. For more information about system policies, see System policies for NIS.

  • Custom policy: If system policies cannot meet your business requirements, you can create custom policies to implement fine-grained permission management. For more information about custom policies, see NIS custom policies.
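As an added illustration, not part of the NIS documentation, the following Python shows the RAM policy document structure (Version, Statement, Effect, Action, Resource, Condition) and evaluates requests with the rules stated on this page: a RAM user has no permissions by default, so an explicit allow is required, and an explicit deny takes precedence. The `nis:Example*` action names and the `acs:nis:` resource string are constructed placeholders, not real NIS identifiers; `acs:SourceIp` is a real RAM condition key.

```python
# Illustrative RAM-style policy evaluation (not Alibaba Cloud's engine).
# Rules taken from the page: a RAM user has no permissions by default, so a
# request is allowed only if an attached statement explicitly allows the
# action on the resource and its conditions hold; an explicit Deny wins.
from fnmatch import fnmatchcase
import ipaddress

# Constructed custom policy in RAM document structure (Version/Statement).
# The nis:Example* actions and the acs:nis resource string are placeholders,
# not real NIS identifiers; acs:SourceIp is a real RAM condition key.
CUSTOM_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["nis:ExampleDescribe*"],
            "Resource": "acs:nis:*:*:example-resource/*",
            "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
        },
        {"Effect": "Deny", "Action": "nis:ExampleDescribeSecret", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions_hold(condition, context):
    # Only the IpAddress operator (e.g. on acs:SourceIp) is modelled here.
    for key, cidrs in condition.get("IpAddress", {}).items():
        ip = ipaddress.ip_address(context.get(key, "0.0.0.0"))
        if not any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs)):
            return False
    return True

def is_allowed(policies, action, resource, context=None):
    # Default deny; an explicit Allow is required; explicit Deny overrides it.
    context = context or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _conditions_hold(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

With no policy attached every request is denied, which is the "no permissions by default" behaviour the Permissions section describes.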

Attach policies to a RAM identity

After you create a policy, you can attach it to a RAM user, a RAM user group, or a RAM role to grant the permissions defined in the policy to the principal.

  • You can attach one or more policies to a RAM user, a RAM user group, or a RAM role.

  • The attached policies can be system policies or custom policies.

  • If the attached policies are modified, the modifications automatically take effect. You do not need to attach the modified policies to RAM principals again.

Use a service-linked role

When you use NIS to access other cloud resources, NIS creates the corresponding service-linked role after you grant it that authorization. The following table describes the service-linked role of NIS.

Service-linked role | Description
AliyunServiceRoleForNis | Grants NIS access permissions on Elastic Compute Service (ECS) instances.

In most cases, when you use a specific feature, the related cloud service automatically creates or deletes the service-linked role after you grant permissions. You do not need to manually create or delete the service-linked role. A service-linked role simplifies the process of authorizing a cloud service to access other services and reduces the risks caused by misoperations.

Important

Service-linked roles consume the quota on RAM roles. If the quota on RAM roles is exhausted, you can still create service-linked roles. However, you can no longer create other types of RAM roles. For more information, see Limits.

If you no longer use NIS, you can delete the preceding service-linked role of NIS. For more information, see the Delete the service-linked role section of the Service-linked roles topic.
