Application Real-Time Monitoring Service (ARMS) integrates with Resource Access Management (RAM) to control access to ARMS resources. With RAM, you create separate identities for team members, grant only the permissions each identity needs, and revoke access at any time -- without sharing your Alibaba Cloud account credentials.
How access control works
ARMS access control uses two core RAM concepts:
RAM users -- individual accounts for team members. Each RAM user has its own credentials and can access resources only after you explicitly grant permissions.
RAM roles -- identities that trusted entities can assume, including users from other Alibaba Cloud accounts. Roles enable cross-account access without credential sharing.
You control what each identity can do by attaching permission policies -- predefined or custom rules that specify allowed actions on ARMS resources.
When to use RAM users
Use RAM users when team members in your organization need different levels of access to ARMS.
Example: Your company runs Project-X on Alibaba Cloud, using Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets alongside ARMS. Developers, operators, and managers each need different permissions.
With RAM users, you can:
Create an independent account for each team member instead of sharing Alibaba Cloud account credentials.
Grant each RAM user only the permissions required for their role, following the principle of least privilege.
Revoke permissions or delete a RAM user account at any time.
Keep billing consolidated under the Alibaba Cloud account -- RAM users do not incur separate charges.
For setup instructions, see Use RAM users to manage permissions.
When to use RAM roles for cross-account access
Use RAM roles when one Alibaba Cloud account (Account A) needs to delegate resource management to another account (Account B). This is common when an external team handles operations and maintenance (O&M) on your behalf.
Example: Company A owns cloud resources such as ECS instances, RDS instances, SLB instances, and OSS buckets, but outsources monitoring and O&M to Company B.
With RAM roles, you can:
Authorize Company B to access Company A's ARMS resources through role assumption, without sharing account credentials.
Allow Company B to further delegate specific permissions to its own employees with fine-grained control.
Revoke cross-account access immediately if the business relationship ends.
For setup instructions, see Use a RAM role to access resources across Alibaba Cloud accounts.
System policies
ARMS provides two built-in system policies. Attach these to RAM users or RAM roles to grant access.
| Policy | Type | Description |
|---|---|---|
AliyunARMSFullAccess | System | Grants full access to all ARMS features, including read and write operations. |
AliyunARMSReadOnlyAccess | System | Grants read-only access to all ARMS features. |
To grant the read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to and grant the ReadTraceApp permission to the resource group. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.