Quick start: Create a RAM user and grant permissions


This guide walks you through how to quickly create a RAM user and securely grant permissions for fine-grained access control over your cloud resources.

Why use RAM users?

An Alibaba Cloud account is similar to the root user in a Linux system. It has unlimited permissions and is not recommended for daily use. When multiple employees in your organization need to collaborate on cloud resources, we recommend that you use Resource Access Management (RAM) to create multiple RAM users under your Alibaba Cloud account and grant each user only the minimum permissions required for their tasks.

Role
  Alibaba Cloud account: The owner of cloud resources, with full ownership and the highest level of permissions.
  RAM user: A user of resources and services. Permissions are granted by the Alibaba Cloud account (or a RAM user with administrator permissions). A RAM user is typically mapped to a specific person or application.

Owns cloud resources
  Alibaba Cloud account: Yes
  RAM user: No. Resources are owned by the Alibaba Cloud account.

Default permissions
  Alibaba Cloud account: Full permissions, which cannot be restricted.
  RAM user: No permissions by default. Permissions must be granted by the Alibaba Cloud account or a RAM user with administrator permissions.

Recommended use
  Alibaba Cloud account: For critical administrative tasks only, such as granting permissions, payment, and account management.
  RAM user: For daily tasks such as development, operations, and deployment.

Procedure

  1. Create a RAM user: Use Get Started in the console to create a RAM user with Auditing Administrator permissions.

  2. Log on as the RAM user: Log on to the console as the newly created RAM user and complete the initial setup.

  3. Verify the RAM user's permissions: Verify that the permissions were granted successfully.

Step 1: Create a RAM user

Quickly create a user and grant permissions

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. On the Overview page, click Get Started > Cloud functional users > Show All Workflows, and select your target scenario.

    This topic uses the Auditing Administrator scenario as an example. The Auditing Administrator has full permissions for configuration audit, ActionTrail, and Log Service, and can view the status of all Alibaba Cloud resources.

    The Workflow Preview on the left shows the steps for the Auditing Administrator scenario: Create a user, create user logon settings, create a user group, add the user to the user group, create a custom policy, and attach the policy to the user group.

  3. View or modify the configuration parameters.

    You can view all preset parameters, but only a subset are modifiable. Refer to the console to see which parameters you can change.

  4. Click Perform.

  5. View the configuration progress. After the configuration is complete, save the RAM username and logon password.

Note
  1. For a RAM user created through the quick start, you can later modify their configuration in the RAM console. For more information, see Modify the basic information of a RAM user.

  2. To create a RAM user and manage permissions manually, see Create a RAM user, Manage RAM user permissions, and Remove permissions from a RAM user.

Set an account alias (recommended)

The default logon name for a RAM user is <UserName>@<AccountAlias>.onaliyun.com, where <AccountAlias>.onaliyun.com is the Default Domain of the Alibaba Cloud account and <AccountAlias> is the account alias. By default, the account alias is the Account ID of the Alibaba Cloud account. We recommend that you set an easy-to-remember account alias for your Alibaba Cloud account before creating RAM users. This replaces the 16-digit Account ID and simplifies tasks such as RAM user logon.

To modify the Default Domain, follow these steps:

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Settings > Domain. Click Edit next to Default Domain to modify it.

Note
  • Only an Alibaba Cloud account or a RAM user with RAM administrator permissions can set or modify the default domain name.

  • An account alias takes effect immediately after it is set. The logon names of all new RAM users will use this alias by default.

Step 2: Log on as the RAM user

  1. Use one of the following URLs to log on to the console as a RAM user. To avoid repeatedly entering the account's Default Domain, use the dedicated logon URL.

    General logon URL

    Log on to the Alibaba Cloud Management Console as the newly created RAM user.

    Note

    The logon page for RAM users is different from the logon page for Alibaba Cloud accounts. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

    Dedicated logon URL

    You can get the logon URL for RAM users from the Overview page of the RAM console. Using this URL allows a RAM user to log on to the Alibaba Cloud Management Console without entering the account's Default Domain.

    In the Basic Information section, find the Logon URL in the format https://signin.aliyun.com/{default domain name}/login.htm. Click Copy Logon URL on the right.

  2. On the RAM User Logon page, enter the RAM username and click Next.

  3. Enter the password for the RAM user and click Log On.

  4. The first time you log on, you must bind a multi-factor authentication (MFA) device. For subsequent logons, you will be prompted to enter an MFA code. For more information, see Bind an MFA device for a RAM user.

  5. Reset the RAM user password: By default, a RAM user created by using the Get Started wizard must reset their password upon first logon.

Step 3: Verify permissions

The Auditing Administrator you created has full permissions for configuration audit, ActionTrail, and Log Service, and can also view the status of all Alibaba Cloud resources. The following examples use ActionTrail and RAM to verify the permissions.

  1. After you log on to the console as the RAM user, hover over the profile picture in the upper-right corner to view the user's information.

    The panel displays information such as the RAM user's logon email address, account ID, current identity, enterprise alias, and Alibaba Cloud account ID.

  2. Go to the ActionTrail console and try to perform an operation.

    For example, in the left-side navigation pane, choose Events > Event Query to view the event records of all services.

  3. Go to the RAM console.

    1. In the left-side navigation pane, choose Identities > Users to view the created RAM users.

    2. Repeat the steps in Create a RAM user. You will receive an access denied error, because the Auditing Administrator can only view RAM resources and has no permission to create users.
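The outcome of the checks above is ordinary RAM policy evaluation: a request is denied unless some attached statement allows it, and an explicit Deny overrides any Allow. The following Python is an added example that is not part of this guide and is not the console's own Auditing Administrator policy; the policy statements, the action names used in the checks, and the evaluator itself are assumptions constructed to mirror the prose (full access to ActionTrail, configuration audit and Log Service, view-only access elsewhere).

```python
"""Minimal evaluator for RAM-style policy documents.

Constructed illustration: the policies below are assumptions that mirror the
Auditing Administrator description, not the actual policy the console attaches.
"""
from fnmatch import fnmatchcase

# Assumed policy in the RAM policy JSON layout: Version "1" and a list of
# statements, each with Effect, Action (string or list) and Resource.
AUDITING_ADMIN_POLICY = {
    "Version": "1",
    "Statement": [
        # Full access to the three audit-related services (assumption).
        {"Effect": "Allow",
         "Action": ["actiontrail:*", "config:*", "log:*"],
         "Resource": "*"},
        # View-only access to everything else (assumption).
        {"Effect": "Allow",
         "Action": ["*:Describe*", "*:List*", "*:Get*", "*:Lookup*"],
         "Resource": "*"},
    ],
}

# A second, constructed policy that demonstrates that an explicit Deny wins
# even where another statement would allow the action.
EXTRA_DENY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": "log:DeleteLogStore", "Resource": "*"},
    ],
}


def _matches(patterns, value):
    """Case-insensitive wildcard match; '*' and '?' act as in RAM policies."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(policies, action, resource="*"):
    """Return 'Allow' or 'Deny' for one action on one resource.

    Rules: deny by default; any matching Deny statement ends evaluation with
    'Deny'; otherwise the request is allowed only if some statement allows it.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def verify_step3(policies=(AUDITING_ADMIN_POLICY,)):
    """Reproduce the three checks from Step 3 as action-name lookups.

    The action names are assumed API operation names used for illustration.
    """
    policies = list(policies)
    return {
        "view ActionTrail events": evaluate(policies, "actiontrail:LookupEvents"),
        "view RAM users": evaluate(policies, "ram:ListUsers"),
        "create a RAM user": evaluate(policies, "ram:CreateUser"),
    }


if __name__ == "__main__":
    for check, result in verify_step3().items():
        print(f"{check}: {result}")
    # Explicit Deny overrides the broad 'log:*' Allow.
    print("delete a Logstore with deny policy attached:",
          evaluate([AUDITING_ADMIN_POLICY, EXTRA_DENY_POLICY], "log:DeleteLogStore"))
```

Run it with `python3 policy_eval.py`: the first two checks report Allow, creating a RAM user reports Deny, and the last line shows that attaching a policy with an explicit Deny removes an action that a wildcard Allow would otherwise grant. This is why granting a broad system policy and then carving out exceptions with Deny statements is a common way to keep a RAM user at the minimum permissions the task needs.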

Troubleshoot common permission issues

If a RAM user encounters an access denied error when accessing a cloud resource, see How do I troubleshoot an access denied error?

Related topics

For more information, see the following topics: