Overview of RAM policies

RAM policies are permission sets that control access to your Alibaba Cloud resources. They define which actions RAM principals can perform on specific resources and under what conditions.

How policies work

When a RAM principal (user or role) requests access to a resource, RAM evaluates all applicable policies. Two principles govern the evaluation:

  • Deny by default: By default, RAM principals have no permissions. Any request for an action that is not explicitly allowed by a policy is implicitly denied.

  • Explicit deny overrides allow: An explicit Deny statement always overrides any Allow statements for the same action, regardless of other granted permissions.

Policy structure and elements

A policy is a JSON document composed of one or more statements. Each statement includes the following core elements:

  • Effect: Specifies whether the statement results in an Allow or Deny.

  • Action/NotAction: The specific API operations that are allowed or denied (such as ecs:DescribeInstances and oss:GetObject).

  • Resource: The Alibaba Cloud resources that the action applies to, specified by their Alibaba Cloud Resource Name (ARN).

  • Condition: (Optional) Constraints that must be met for the statement to apply, such as source IP address or request time.

  • Principal: The entity (user, account, or service) that is allowed or denied access. Note: This element is used in resource-based policies (such as an OSS bucket policy), but not in identity-based policies.

For more information, see Permission policy elements and Policy structure and syntax.
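The following is an added example, not code from Alibaba Cloud or this page: a small evaluator that applies the two rules from "How policies work" (deny by default; an explicit Deny overrides every Allow) to a custom policy built from the elements listed under "Policy structure and elements". The policy document, bucket name, ARNs, IP ranges and request context are constructed for illustration; the condition operators IpAddress, NotIpAddress, Bool and StringEquals and the acs:SourceIp key are real RAM names, but only these four operators are implemented here.

```python
"""Evaluate a request against RAM-style identity-based policies.

Added example, not Alibaba Cloud's own code. Implements deny by default,
explicit-Deny-wins, Action/NotAction, Resource/NotResource with * wildcards,
and a handful of Condition operators. Sample data is constructed.
"""
import ipaddress
import json
import re

# Constructed sample policy: read-only access to one OSS bucket from the
# corporate IP range, plus an explicit Deny on object deletion.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
      "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}
    },
    {
      "Effect": "Deny",
      "Action": "oss:DeleteObject",
      "Resource": "acs:oss:*:*:examplebucket/*"
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # Only * is a wildcard in Action/Resource patterns; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _match_any(patterns, value):
    return any(_glob(p, value) for p in _as_list(patterns))


def _in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_met(condition, ctx):
    """Every operator/key pair must hold; a missing key or unknown operator fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            values = [str(v) for v in _as_list(expected)]
            if operator == "IpAddress":
                ok = _in_ranges(actual, values)
            elif operator == "NotIpAddress":
                ok = not _in_ranges(actual, values)
            elif operator == "Bool":
                ok = str(actual).lower() in {v.lower() for v in values}
            elif operator == "StringEquals":
                ok = str(actual) in values
            else:
                ok = False
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Condition all match the request."""
    if "Action" in stmt:
        if not _match_any(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:
        if _match_any(stmt["NotAction"], action):
            return False
    else:
        return False
    if "NotResource" in stmt:
        if _match_any(stmt["NotResource"], resource):
            return False
    elif not _match_any(stmt.get("Resource", []), resource):
        return False
    return _condition_met(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Return "Allow" or "Deny" for one request, given every policy attached to the principal."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: deny by default


# A second, over-broad policy of the kind an admin might attach by mistake (constructed).
BROAD_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}
OBJECT = "acs:oss:*:*:examplebucket/report.csv"
OFFICE = {"acs:SourceIp": "203.0.113.10"}
REMOTE = {"acs:SourceIp": "198.51.100.7"}


def demo():
    return {
        "read_from_office": evaluate([POLICY], "oss:GetObject", OBJECT, OFFICE),
        "read_from_elsewhere": evaluate([POLICY], "oss:GetObject", OBJECT, REMOTE),
        "write_not_granted": evaluate([POLICY], "oss:PutObject", OBJECT, OFFICE),
        "delete_despite_broad_allow": evaluate([POLICY, BROAD_POLICY], "oss:DeleteObject", OBJECT, OFFICE),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The last case is the one worth noticing: even with a second policy granting oss:* on every resource, the explicit Deny on oss:DeleteObject still wins, which is why a narrowly scoped Deny statement is the reliable way to fence off destructive actions regardless of what else gets attached to a principal later.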

Policy types

RAM supports two types of policies:

  • System policies: Predefined by Alibaba Cloud for common use cases, such as AdministratorAccess or AliyunAccountCenterReadOnlyAccess. You can attach system policies to RAM principals but cannot modify them.

  • Custom policies: Policies you create and manage to define granular permissions tailored to your security requirements.

To grant permissions, you attach one or more policies to a RAM principal. For more information, see Manage RAM user permissions, Grant permissions to a RAM user group, and Manage permissions for a RAM role.

Ownership and permissions

  • Resource ownership: The Alibaba Cloud account owns all resources and has full control. Even if a RAM user creates a resource, ownership belongs to the account, not the user.

  • Principal permissions: RAM principals (users and roles) have no permissions by default. They can only perform actions explicitly allowed by attached policies.