RAM authorization - Resource Access Management

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by IMS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate IMS is ram. You can grant permissions on IMS at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

IMS defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
ram:AddFingerprintToOIDCProvider	AddFingerprintToOIDCProvider	Write	OIDCProvider acs:ram::{#accountId}:oidc-provider/{#OIDCProviderName}	ram:OidcIssuerUrl	None
ram:AddUserToGroup	AddUserToGroup	Write	Group acs:ram::{#accountId}:group/{#GroupName} User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:BindMFADevice	BindMFADevice	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:ChangePassword	ChangePassword	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:CreateAccessKey	CreateAccessKey	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:CreateAppSecret	CreateAppSecret	Write	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:CreateApplication	CreateApplication	Write	Application acs:ram::{#accountId}:application/*	None	None
ram:CreateGroup	CreateGroup	Write	Group acs:ram::{#accountId}:group/*	None	None
ram:CreateLoginProfile	CreateLoginProfile	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:CreateOIDCProvider	CreateOIDCProvider	Write	OIDCProvider acs:ram::{#accountId}:oidc-provider/*	ram:OidcIssuerUrl	None
ram:CreateSAMLProvider	CreateSAMLProvider	Write	SAMLProvider acs:ram::{#accountId}:saml-provider/*	None	None
ram:CreateUser	CreateUser	Write	User acs:ram::{#accountId}:user/*	None	None
ram:CreateVirtualMFADevice	CreateVirtualMFADevice	Write	MFADevice acs:ram::{#accountId}:mfa/*	None	None
ram:DeleteAccessKey	DeleteAccessKey	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:DeleteAppSecret	DeleteAppSecret	Write	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:DeleteApplication	DeleteApplication	Write	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:DeleteGroup	DeleteGroup	Write	Group acs:ram::{#accountId}:group/{#GroupName}	None	None
ram:DeleteLoginProfile	DeleteLoginProfile	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:DeleteOIDCProvider	DeleteOIDCProvider	Write	OIDCProvider acs:ram::{#accountId}:oidc-provider/{#OIDCProviderName}	ram:OidcIssuerUrl	None
ram:DeleteSAMLProvider	DeleteSAMLProvider	Write	SAMLProvider acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}	None	None
ram:DeleteUser	DeleteUser	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:DeleteVirtualMFADevice	DeleteVirtualMFADevice	Write	MFADevice acs:ram::{#accountId}:mfa/{#SerialNumber}	None	None
ram:DisableVirtualMFA	DisableVirtualMFA	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:GenerateCredentialReport	GenerateCredentialReport	Read	All Resources *	None	None
ram:GetAccessKeyLastUsed	GetAccessKeyLastUsed	Read	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:GetAccountMFAInfo	GetAccountMFAInfo	Read	All Resources *	None	None
ram:GetAccountSecurityPracticeReport	GetAccountSecurityPracticeReport	Read	All Resources *	None	None
ram:GetAccountSummary	GetAccountSummary	Read	All Resources *	None	None
ram:GetAppSecret	GetAppSecret	Read	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:GetApplication	GetApplication	Read	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:GetCredentialReport	GetCredentialReport	Read	All Resources *	None	None
ram:GetDefaultDomain	GetDefaultDomain	Read	All Resources *	None	None
ram:GetGroup	GetGroup	Read	Group acs:ram::{#accountId}:group/{#GroupName}	None	None
ram:GetLoginProfile	GetLoginProfile	Read	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:GetOIDCProvider	GetOIDCProvider	Read	OIDCProvider acs:ram::{#accountId}:oidc-provider/{#OIDCProviderName}	ram:OidcIssuerUrl	None
ram:GetPasswordPolicy	GetPasswordPolicy	Read	All Resources *	None	None
ram:GetSAMLProvider	GetSAMLProvider	Read	SAMLProvider acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}	None	None
ram:GetSecurityPreference	GetSecurityPreference	Read	All Resources *	None	None
ram:GetUser	GetUser	Read	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:GetUserMFAInfo	GetUserMFAInfo	Read	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:GetUserSsoSettings	GetUserSsoSettings	Read	All Resources *	None	None
ram:ListAccessKeys	ListAccessKeys	List	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:ListAppSecretIds	ListAppSecretIds	List	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:ListApplications	ListApplications	List	Application acs:ram::{#accountId}:application/*	None	None
ram:ListGroups	ListGroups	List	Group acs:ram::{#accountId}:group/*	None	None
ram:ListGroupsForUser	ListGroupsForUser	List	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:ListOIDCProviders	ListOIDCProviders	List	OIDCProvider acs:ram::{#accountId}:oidc-provider/*	None	None
ram:ListSAMLProviders	ListSAMLProviders	List	SAMLProvider acs:ram::{#accountId}:saml-provider/*	None	None
ram:ListUserBasicInfos	ListUserBasicInfos	List	User acs:ram::{#accountId}:user/*	None	None
ram:ListUsers	ListUsers	List	User acs:ram::{#accountId}:user/*	None	None
ram:ListUsersForGroup	ListUsersForGroup	List	Group acs:ram::{#accountId}:group/{#GroupName}	None	None
ram:ListVirtualMFADevices	ListVirtualMFADevices	List	MFADevice acs:ram::{#accountId}:mfa/*	None	None
ram:RemoveClientIdFromOIDCProvider	RemoveClientIdFromOIDCProvider	Write	OIDCProvider acs:ram::{#accountId}:oidc-provider/{#OIDCProviderName}	ram:OidcIssuerUrl	None
ram:RemoveUserFromGroup	RemoveUserFromGroup	Write	Group acs:ram::{#accountId}:group/{#GroupName} User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:SetDefaultDomain	SetDefaultDomain	Write	All Resources *	None	None
ram:SetPasswordPolicy	SetPasswordPolicy	Write	All Resources *	None	None
ram:SetSecurityPreference	SetSecurityPreference	Write	All Resources *	None	None
ram:SetUserSsoSettings	SetUserSsoSettings	Write	All Resources *	None	None
ram:UnbindMFADevice	UnbindMFADevice	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:UpdateAccessKey	UpdateAccessKey	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:UpdateApplication	UpdateApplication	Write	Application acs:ram::{#accountId}:application/{#AppName}	None	None
ram:UpdateGroup	UpdateGroup	Write	Group acs:ram::{#accountId}:group/{#GroupName}	None	None
ram:UpdateLoginProfile	UpdateLoginProfile	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:UpdateOIDCProvider	UpdateOIDCProvider	Write	OIDCProvider acs:ram::{#accountId}:oidc-provider/{#OIDCProviderName}	ram:OidcIssuerUrl	None
ram:UpdateSAMLProvider	UpdateSAMLProvider	Write	SAMLProvider acs:ram::{#accountId}:saml-provider/{#SAMLProviderName}	None	None
ram:UpdateUser	UpdateUser	Write	User acs:ram::{#accountId}:user/{#UserName}	None	None

Resource

IMS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN

No data

Condition

IMS defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to IMS. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type
ram:OidcIssuerUrl		String

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: