When you first access a third-party application as an Alibaba Cloud account, a RAM user, or a RAM role, you must install and authorize it.
Prerequisites
You must use an Alibaba Cloud account (primary account) or a RAM administrator (a RAM user with the AliyunRAMFullAccess permission) to perform these authorizations.
Authorize and install a third-party application
When you first access a third-party application, review the authorization scope, which consists of a required scope and an optional scope. Then, click Grants to grant the requested permissions. This action also installs the application.
After an Alibaba Cloud account (primary account) or a RAM administrator authorizes a third-party application, all RAM users within that account can access the application without authorizing it again.
After authorization, the application can access your identity and permission information. If the authorization scope includes permissions for specific cloud services, the application uses your identity to access Alibaba Cloud resources.
Required scope
The required scope includes data and permissions that the application needs to function. It is selected by default and cannot be deselected. To deny these permissions, reject the authorization request. If this prevents you from using the application, contact the application provider.
Optional scope
The optional scope includes data and permissions that the application requests but does not require. You can selectively grant or deny these permissions.
View authorization
After you authorize a third-party application, you can view its name, ID, creation time, and update time in the RAM console. Click an application name to view its details and authorization scope.
-
Log on to the RAM console.
-
In the left-side navigation pane, choose .
-
Click the Third-party Applictions tab, and then click the name of the target application to view its authorization details.
Revoke authorization
If you no longer want a third-party application to access your account, you can revoke its authorization.
-
Log on to the RAM console.
-
In the left-side navigation pane, choose .
-
Click the Third-party Applictions tab. In the row of the target application, click Delete Application in the Actions column.
-
In the Delete Application dialog box, click Delete Application.
Re-authorize
To change the authorization scope, revoke the application's authorization first, and then access the application again to reauthorize it.
Provision an official application directly
Official applications are third-party applications that can also be provisioned directly by a RAM administrator from the RAM console. When you access an official application for the first time, you must complete the same authorization and installation process. After provisioning, the administrator must assign users to the official application. Assigned users must still authorize the application on first access to grant it access to their identity and permission information.
To provision an official application:
-
Log on to the RAM console as a RAM administrator.
-
In the left-side navigation pane, choose .
-
Click the Third-party Applictions tab, and then click Provision Official Application.
-
In the Provision Official Application dialog box, select the target official application, and then click OK.
NoteThe available official applications are listed in the console. For example: OpenAPI MCP Server.