A Resource Access Management (RAM) user is a physical identity. You can create RAM users for an Alibaba Cloud account and authorize the RAM users to access different resources. If multiple users in your enterprise need to access resources at the same time, create one RAM user per person or application and grant each RAM user only the permissions it needs (the principle of least privilege). This prevents users from sharing the username and password or the AccessKey pair of the Alibaba Cloud account itself, whose credentials grant unrestricted access, and reduces security risks.
What is a RAM user?
A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:
A RAM user can be created by an Alibaba Cloud account. In this case, the RAM user belongs to the Alibaba Cloud account. A RAM user can also be created by a RAM user or a RAM role that has administrative rights. In this case, the RAM user belongs to the Alibaba Cloud account that creates the RAM user or the RAM role.
A RAM user does not own resources. Resource usage fees of the RAM user are billed to the Alibaba Cloud account to which the RAM user belongs. A RAM user does not receive individual bills and cannot make payments.
A newly created RAM user has no permissions. Before a RAM user can access resources by logging on to the Alibaba Cloud Management Console or by calling API operations, the Alibaba Cloud account (or an administrator acting for it) must grant the RAM user permissions. After the RAM user is authorized, it can access the resources that are owned by the Alibaba Cloud account.
Each RAM user has its own logon password and/or AccessKey pair, independent of the credentials of the Alibaba Cloud account.
An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.
RAM user types
RAM users are classified into the following types based on the creation method:
Manual creation: a RAM user that is created in the RAM console. For more information, see Create a RAM user.
CloudSSO synchronization: a RAM user that is created by the RAM user provisioning feature of CloudSSO. To use this type of RAM user, you log on to the CloudSSO user portal as a CloudSSO user and are then taken to the Alibaba Cloud Management Console as the provisioned RAM user. You cannot log on to the Alibaba Cloud Management Console with the username and password of this type of RAM user. You can delete this type of RAM user only after you delete the RAM user provisioning. For more information, see Create a RAM user provisioning.
Procedure
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
Create a RAM user.
For more information, see Create a RAM user.
Configure logon parameters.
You can configure both a logon password and an AccessKey pair for a RAM user, but for security purposes we recommend that each RAM user has only one of the two, so that each identity carries a single credential type that matches how it is used. If the RAM user represents an application, it accesses resources by calling API operations, so create only an AccessKey pair for it and do not enable console logon. If the RAM user represents an employee, it accesses resources by logging on to the Alibaba Cloud Management Console, so configure only a logon password for it and do not create an AccessKey pair.
Logon to the Alibaba Cloud Management Console
You must enable logon to the Alibaba Cloud Management Console, configure a console logon password, and configure a password policy for the RAM user. You can also change the console logon password and enable multi-factor authentication (MFA) based on your business requirements. For more information, see Manage console logon settings for a RAM user, Configure a password policy for RAM users, Change the logon password of a RAM user, and Bind an MFA device to a RAM user.
Note: If user-based single sign-on (SSO) is enabled, you do not need to enable logon to the Alibaba Cloud Management Console for the RAM user. The RAM user can log on to the Alibaba Cloud Management Console by using user-based SSO. For more information, see Overview of user-based SSO.
API calls
You must create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.
Grant permissions to the RAM user.
You can grant different RAM users the permissions to access different resources. For more information, see Grant permissions to RAM users.
Use the RAM user to log on to the Alibaba Cloud Management Console or call operations by using an AccessKey pair.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user and API overview.
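The following script is an added example and is not part of this page or of Alibaba Cloud's own tooling. It runs the procedure above (steps 2 to 5) through the Alibaba Cloud CLI, which exposes each RAM API operation as "aliyun ram <Operation> --<Parameter> <value>". It assumes the CLI is installed and configured with an identity that has RAM administrative rights; the user names alice and app-bot, the bucket example-bucket and the policy name are illustrative placeholders. The script enforces the "one credential type per RAM user" guidance from step 3 by construction (an employee gets a console password with a forced reset and mandatory MFA binding and no AccessKey pair; an application gets an AccessKey pair and no logon profile), grants a least-privilege custom policy instead of a broad system policy in step 4, and ends with a check that classifies each user's credentials so that a user holding both kinds can be spotted. The behaviour of GetLoginProfile and ListAccessKeys that the check relies on is stated as an assumption in the code.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud's own code: the RAM user procedure driven
# through the Alibaba Cloud CLI ("aliyun"). Assumes the CLI is installed and
# configured with an identity that has RAM administrative rights. User names,
# the bucket name and the policy name are illustrative placeholders.
set -eu

RAM="${RAM_CLI:-aliyun}"   # point this at a stub to dry-run without calling the API

# Step 3, employee: console password only. The initial password must be changed
# at first logon and an MFA device must be bound before the console can be used.
create_console_user() {
    user="$1"; initial_pw="$2"
    "$RAM" ram CreateUser --UserName "$user" --DisplayName "$user"
    "$RAM" ram CreateLoginProfile --UserName "$user" --Password "$initial_pw" \
        --PasswordResetRequired true --MFABindRequired true
}

# Step 3, application: AccessKey pair only, no console logon profile at all.
create_api_user() {
    user="$1"
    "$RAM" ram CreateUser --UserName "$user" --DisplayName "$user" --Comments "service identity"
    # The AccessKeySecret appears only in this response: hand it to a secrets
    # manager, never commit it or leave it in shell history.
    "$RAM" ram CreateAccessKey --UserName "$user"
}

# Step 4: a least-privilege custom policy (RAM policy language, Version "1")
# that allows read-only access to a single OSS bucket and nothing else.
bucket_readonly_policy() {
    bucket="$1"
    printf '%s' '{"Version":"1","Statement":[{"Effect":"Allow",' \
        '"Action":["oss:GetObject","oss:ListObjects"],' \
        '"Resource":["acs:oss:*:*:'"$bucket"'","acs:oss:*:*:'"$bucket"'/*"]}]}'
}

grant_bucket_readonly() {
    user="$1"; bucket="$2"; policy="OSSReadOnly-$bucket"
    "$RAM" ram CreatePolicy --PolicyName "$policy" \
        --PolicyDocument "$(bucket_readonly_policy "$bucket")"
    "$RAM" ram AttachPolicyToUser --PolicyType Custom --PolicyName "$policy" --UserName "$user"
}

# Check after the fact: classify a user's credentials. "both" means the user has
# a console password AND an AccessKey pair, which the guidance advises against.
# Assumption: GetLoginProfile exits non-zero when no logon profile exists, and
# the JSON returned by ListAccessKeys contains "AccessKeyId" only when at least
# one key exists.
has_console_logon() { "$RAM" ram GetLoginProfile --UserName "$1" >/dev/null 2>&1; }
has_access_key()    { "$RAM" ram ListAccessKeys --UserName "$1" 2>/dev/null | grep -q '"AccessKeyId"'; }

credential_shape() {
    user="$1"
    if has_console_logon "$user" && has_access_key "$user"; then echo both
    elif has_console_logon "$user"; then echo console
    elif has_access_key "$user"; then echo api
    else echo none
    fi
}

# Only acts when invoked explicitly ("INITIAL_PASSWORD=... sh ram_users.sh apply");
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    create_console_user alice "${INITIAL_PASSWORD:?set INITIAL_PASSWORD in the environment}"
    grant_bucket_readonly alice example-bucket
    create_api_user app-bot
    grant_bucket_readonly app-bot example-bucket
    for u in alice app-bot; do
        echo "$u: $(credential_shape "$u")"
    done
fi
```

Because every API call goes through the RAM variable, the script can be dry-run by pointing RAM_CLI at a wrapper that only echoes its arguments; the credential_shape function is also useful on its own as a periodic audit over the output of ListUsers, to catch RAM users that accumulated both a password and an AccessKey pair over time.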
Best practices
Enterprises that have multiple Alibaba Cloud resources can use RAM to manage identities, user permissions, and resources. For more information, see Use RAM to manage user permissions and resources.
Limits
For more information about the limits of using RAM users, see Limits.