Newly created RAM users have no permissions by default. You must grant permissions before a RAM user can access or manage Alibaba Cloud resources within your authorization scope. This topic covers how to grant, view, and revoke RAM user permissions, with security best practices and troubleshooting guidance.
Core concepts
Understand these concepts before granting permissions:
- Permission policy types: A permission policy is a set of access permissions. RAM supports two types. You can attach multiple policies to a RAM user at once. Always follow the principle of least privilege.
  - System policy: Predefined by Alibaba Cloud, such as AliyunECSReadOnlyAccess (read-only access to ECS) and AliyunOSSFullAccess (full access to OSS). See the System policy reference for the complete list.
  - Custom policy: A policy you create for fine-grained requirements that system policies cannot satisfy. You must Create a custom policy before you can grant it. For purchasing-related permissions, see What permissions does a RAM user need to purchase resources?
- Authorization behavior and limits:
  - Effective immediately: Permissions take effect instantly. No waiting period or re-login is required.
  - Quantity limits: Each RAM user has a maximum number of attachable system and custom policies. For details, see Limitations.
  - Resource group constraints: Verify that the target cloud service, operation, and resource type support resource-group-level authorization. For details, see Cloud services that support resource group-level authorization.
Grant permissions to a RAM user
Console
The RAM console offers two entry points, both supporting single and batch authorization:
- Users page: The principal is auto-selected based on the users you choose. Best for user-centric workflows.
- Grants page: You manually select principals and can view all authorization records across your account. Best for permission-centric workflows.
Tip: For large-scale management, add RAM users with identical responsibilities to a user group, then grant permissions to the group. Navigate to Identities > User Groups to manage groups.
From the Users page
- Log on to the RAM console.
- In the left-side navigation pane, go to the Users page.
- On the Users page, find the target RAM user and click Actions column > Attach Policy. You can also select multiple RAM users and click Attach Policy below the user list for batch authorization.
- In the Grant Permission panel, configure the following settings:
  - Resource scope:
    - Account level: Permissions apply to all resources in your Alibaba Cloud account.
    - Resource group level: Permissions apply only within the specified resource group. After logging on, the RAM user must switch to the authorized resource group in the top navigation bar.
    Note:
    - The system marks high-risk system policies (such as AdministratorAccess and AliyunRAMFullAccess) with a warning indicator. These policies typically grant full control over all cloud resources or full management of RAM. Grant these policies with caution.
    - For resource group authorization examples, see Control access to ECS instances with resource groups.
  - Principal: The principal is the RAM user receiving permissions. From the Users page, the system auto-selects the users you chose in the previous step. From the Grants page, you must manually select the user. Batch selection is supported.
  - Permission policy:
    - System policy: Search and select. Filter by product name (e.g., ECS, OSS), access level (e.g., ReadOnly, FullAccess), or full policy name.
    - Custom policy: You must Create a custom policy before you can grant it.
  - (Optional) Description: Enter the authorization reason or scenario for audit purposes.
- Click Confirm.
- Review the authorization result and click Close.
From the Grants page
- Log on to the RAM console.
- In the left-side navigation pane, go to the Grants page.
- On the Grants page, click Grant Permission.
- In the Grant Permission panel, select the principal and configure the same settings as described above.
- Review the authorization result and click Close.
OpenAPI
Grant a custom policy
- Call CreatePolicy to create a custom policy. For policy syntax, see Permission policy elements and Overview of sample policies.
- Call AttachPolicyToUser to grant the policy at the account level (set PolicyType to Custom). Alternatively, call AttachPolicy to grant the policy at the resource group level.
Grant a system policy
- Call AttachPolicyToUser to attach the system policy to the RAM user (set PolicyType to System). For available PolicyName values, see System policy reference.
- Alternatively, call AttachPolicy to grant the policy at the resource group level.
View RAM user permissions
Console
- Log on to the RAM console.
- In the left-side navigation pane, go to the Users page.
- On the Users page, click the target RAM user name.
- Click the Permissions tab to view Individual and Group Permissions.
To assess actual permission usage (last access time, idle policies, or over-privileged access), check the Permission Audit (Beta) tab on the user details page, or Access Analysis on the RAM overview page.
OpenAPI
Call ListPoliciesForUser to query the account-level authorization list for a specified RAM user. This operation does not return resource-group-level authorizations.
Revoke RAM user permissions
Important: Before revoking permissions, check the Permission Audit (Beta) tab to verify the last usage time, or review Access Analysis on the RAM overview page to identify idle policies. This prevents accidentally removing active permissions.
Console
Two entry points:
- Users page: Revoke policies from the user details page. Best for user-centric cleanup.
- Grants page: Revoke from the full authorization records list. Best for permission-centric cleanup.
From the Users page
- Log on to the RAM console.
- In the left-side navigation pane, go to the Users page.
- On the Users page, click the target RAM user name.
- Click the Permissions tab. In the Individual section, find the target policy and click Actions column > Revoke Permission.
- In the Revoke Permission dialog box, confirm the Principal and Permission Policy details, then click Revoke Permission.
From the Grants page
- Log on to the RAM console.
- In the left-side navigation pane, go to the Grants page.
- On the Grants page, click Actions column > Revoke Permission for the target authorization record. You can also select multiple records and click Revoke Permission below the list for batch revocation.
- In the Revoke Permission dialog box, click Revoke Permission.
OpenAPI
Call DetachPolicyFromUser to revoke a specified permission policy from a RAM user.
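The OpenAPI calls from the grant, view and revoke sections above (CreatePolicy, AttachPolicyToUser, ListPoliciesForUser, DetachPolicyFromUser), as an added example that is not code from this page or from Alibaba Cloud's SDKs. It signs RAM requests with the RPC-style signature version 1.0 (HMAC-SHA1 over a canonicalized query string) that the RAM endpoint ram.aliyuncs.com (API version 2015-05-01) accepts, using only the Python standard library. The user name, policy name, policy document and credential environment variables are placeholders; the resource-group-level AttachPolicy call (a Resource Manager API on a different endpoint) is not covered.

```python
"""Grant, list and revoke RAM user policies through the RAM OpenAPI.

Added example, not code from the documentation page. It builds signed RPC
requests (Alibaba Cloud signature version 1.0, HMAC-SHA1) for the RAM API
(endpoint ram.aliyuncs.com, API version 2015-05-01) using only the standard
library, then sends them with urllib. User name, policy name and credentials
in __main__ are placeholders; nothing is sent unless send() is called.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
import uuid

RAM_ENDPOINT = "https://ram.aliyuncs.com/"
RAM_API_VERSION = "2015-05-01"


def percent_encode(value):
    # quote() emits %20 for space, %2A for '*', %2F for '/' and leaves '~'
    # literal (Python 3.7+), which is exactly what signature version 1.0 expects.
    return urllib.parse.quote(str(value), safe="~")


def string_to_sign(params, http_method="GET"):
    # Sort by key, encode key and value, join with '&', then encode the whole string again.
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{http_method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(params, access_key_secret, http_method="GET"):
    key = (access_key_secret + "&").encode("utf-8")   # the secret with a trailing '&'
    digest = hmac.new(key, string_to_sign(params, http_method).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(action, api_params, access_key_id, access_key_secret, nonce=None, timestamp=None):
    """Common RPC parameters plus the action's own parameters, with Signature appended."""
    params = {
        "Action": action,
        "Version": RAM_API_VERSION,
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),   # replay protection: never reuse a nonce
        "Timestamp": timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    params.update(api_params)
    params["Signature"] = sign(params, access_key_secret)
    return params


def plan_grant(creds, user_name, policy_name, policy_type, policy_document=None, **sig_kw):
    """Account-level grant: CreatePolicy (custom policies only), then AttachPolicyToUser."""
    if policy_type not in ("System", "Custom"):
        raise ValueError("PolicyType must be 'System' or 'Custom'")
    ak, sk = creds
    plan = []
    if policy_type == "Custom":
        if policy_document is None:
            raise ValueError("a custom policy needs a PolicyDocument")
        plan.append(build_request("CreatePolicy", {
            "PolicyName": policy_name,
            "PolicyDocument": json.dumps(policy_document, separators=(",", ":")),
        }, ak, sk, **sig_kw))
    plan.append(build_request("AttachPolicyToUser", {
        "PolicyType": policy_type, "PolicyName": policy_name, "UserName": user_name,
    }, ak, sk, **sig_kw))
    return plan


def plan_list(creds, user_name, **sig_kw):
    """ListPoliciesForUser returns account-level attachments only; resource-group grants are not included."""
    return [build_request("ListPoliciesForUser", {"UserName": user_name}, *creds, **sig_kw)]


def plan_revoke(creds, user_name, policy_name, policy_type, **sig_kw):
    return [build_request("DetachPolicyFromUser", {
        "PolicyType": policy_type, "PolicyName": policy_name, "UserName": user_name,
    }, *creds, **sig_kw)]


def send(params):
    url = RAM_ENDPOINT + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    creds = (os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"], os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"])
    doc = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"}]}
    for req in plan_grant(creds, "alice", "ecs-describe-only", "Custom", doc) + plan_list(creds, "alice"):
        print(req["Action"], send(req))
```

Each plan_* function returns the fully signed request dictionaries without sending them, so you can log or review exactly which API calls a grant or revoke will make (and confirm PolicyType is Custom or System) before handing them to send(). Use a RAM user or role with only the RAM management permissions needed for these calls to run the script; AttachPolicyToUser is itself a privilege-escalation primitive and should not be exercised from a broadly privileged identity.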
Security best practices
- Follow the principle of least privilege. Grant only the minimum permissions required for the task.
  - Example 1: Manage specific ECS instances
    - Incorrect: Grant AdministratorAccess or AliyunECSFullAccess.
    - Correct: Create a custom policy that restricts Resource to specific instance IDs. For an example, see Allow managing a specific ECS instance.
  - Example 2: All permissions except billing
    - Incorrect: Grant AdministratorAccess.
    - Correct: Create a custom policy that allows the required actions and adds a statement with "Effect": "Deny" for "Action": ["bss:*", "bssapi:*", "efc:*"]. An explicit Deny takes precedence over any Allow, so the billing actions stay blocked even though the Allow statement is broad. For an example, see Allow managing all resources except billing.
- Audit permissions regularly. Use Governance Detection on the RAM overview page to find AccessKeys unused for 90 days and idle RAM users. Use Access Analysis (Beta) to detect over-privileged identities.
- Use high-risk policies with caution. Grant AliyunRAMFullAccess and similar policies only when necessary (e.g., for RAM administrators), and monitor all operations by those users.
- Prefer RAM roles for temporary access. For short-term authorization (CI/CD pipelines, cross-account access, or third-party operations), create a RAM role and use STS to issue temporary credentials instead of attaching long-lived policies to RAM users. Temporary credentials expire automatically.
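The two least-privilege policies from Example 1 and Example 2 above, written out and checked locally, as an added example that is not code from this page or from Alibaba Cloud. The evaluator is a constructed approximation of RAM's precedence (explicit Deny beats Allow, which beats the implicit deny) for the Action and Resource elements only; it does not implement Condition, and the instance IDs and the evaluator's own function names are placeholders used for illustration.

```python
"""Least-privilege custom policies with a local deny-overrides check.

Added example, not from the documentation page. It encodes the two custom
policy shapes described under "Security best practices" and runs a minimal,
stdlib-only evaluator over them. The evaluator is a constructed approximation
of RAM's precedence (explicit Deny > Allow > implicit deny) for the Action and
Resource elements only; Condition is not implemented, and the instance IDs are
placeholders.
"""
import json
import re

# Example 1: operate on two named instances only. Describe* on "*" is kept so the
# user can find the instances; mutating actions are pinned to instance ARNs.
ECS_SPECIFIC_INSTANCES = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:RebootInstance"],
            "Resource": [
                "acs:ecs:*:*:instance/i-bp1example0001",   # placeholder instance IDs
                "acs:ecs:*:*:instance/i-bp1example0002",
            ],
        },
    ],
}

# Example 2: everything except billing. The Allow on "*" is required; the Deny
# carves billing out of it because an explicit Deny beats any Allow.
ALL_EXCEPT_BILLING = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["bss:*", "bssapi:*", "efc:*"], "Resource": "*"},
    ],
}


def policy_document(policy):
    """Compact JSON string suitable for the PolicyDocument parameter of CreatePolicy."""
    return json.dumps(policy, separators=(",", ":"))


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def wildcard_match(pattern, value):
    # '*' is the only wildcard in Action and Resource strings; everything else is literal.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def statement_applies(stmt, action, resource):
    return (any(wildcard_match(a, action) for a in as_list(stmt["Action"]))
            and any(wildcard_match(r, resource) for r in as_list(stmt["Resource"])))


def evaluate(policies, action, resource):
    """Decision across all attached policies: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny wins regardless of any Allow
            decision = "Allow"
    return decision


def overbroad_statements(policy):
    """Indexes of Allow statements with Action and Resource both '*' (AdministratorAccess-equivalent)."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and "*" in as_list(s["Action"]) and "*" in as_list(s["Resource"])]


if __name__ == "__main__":
    arn = "acs:ecs:cn-hangzhou:123456789012****:instance/i-bp1example0001"
    print(evaluate([ECS_SPECIFIC_INSTANCES], "ecs:StopInstance", arn))      # Allow
    print(evaluate([ECS_SPECIFIC_INSTANCES], "ecs:DeleteInstance", arn))    # ImplicitDeny
    print(evaluate([ALL_EXCEPT_BILLING], "bss:QueryAccountBill", "*"))       # Deny
    print(overbroad_statements(ALL_EXCEPT_BILLING))                           # [0]
```

Running evaluate over the combined set of policies attached to a user is the quickest way to see why Example 2 still needs the Deny: the Allow on "*" in ALL_EXCEPT_BILLING is flagged by overbroad_statements, and only the explicit Deny keeps billing actions blocked. For the authoritative decision on a real denial, use Permission Diagnosis in the console rather than this local check.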
FAQ
Can a RAM user view their own permissions?
No. RAM users cannot view their own permission policy list by default. Workarounds:
- Trial access: Attempt the desired action. An "insufficient permissions" error indicates missing permissions.
- Contact your administrator: Ask the Alibaba Cloud account owner or a RAM user with AliyunRAMFullAccess to check from the RAM console.
Can a RAM user purchase cloud products?
Yes, if the user has been granted the required purchasing permissions. See What permissions does a RAM user need to purchase resources?.
Individual spending limits or separate billing for RAM users are not supported. All charges are consolidated under the Alibaba Cloud account.
How do I grant temporary, revocable permissions to a RAM user?
Do not attach long-lived policies for temporary needs. Instead, create a RAM role with the required permissions, then have the RAM user call AssumeRole via STS to obtain time-limited credentials. For details, see Assume a RAM role.
Temporary credentials expire automatically. This approach works well for CI/CD, cross-account delegation, and third-party operations.
How do I troubleshoot "permission denied" errors for a RAM user?
Navigate to Permissions > Permission Diagnosis in the RAM console. Paste the diagnostic ciphertext (AccessDeniedDetail.EncodedDiagnosticMessage from the error response) or the Request ID, then click Start Diagnosis. The system decodes the denial reason — including the matched policy, condition, or explicit deny — to help you identify the issue.