As an administrator, you can view and interpret RAM user details, modify basic user information, and manage user tags in the Resource Access Management (RAM) console.
View RAM user information
When performing permission audits, troubleshooting access issues, or handling routine administration, you need a clear picture of each RAM user's identity, security settings, group memberships, permissions, and activity history.
Console
-
Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has the
AliyunRAMFullAccesspolicy. -
In the left-side navigation pane, choose Identities > Users.
-
On the Users page, click the target RAM user name to open the user details page.
-
On the details page, the following modules are available across different sections and tabs:
Module
Contents and purpose
Related operations
Basic Information
Logon name, display name, user ID, creation time, and other identity attributes.
Authentication
Console logon settings, passkeys, and MFA configuration.
AccessKey
AccessKey pairs and the AccessKey recycle bin.
Groups
All user groups the user belongs to, useful for tracing inherited permissions.
Permissions
All attached permission policies. Click a policy name to view details and scope.
Events
Categorized history of important user operations (logon events, policy changes, key operations). Supports filtering.
View and filter only. Configuration changes are not supported.
Policy Access Beta
If enabled, shows analysis of the user's recent access to cloud services. Helps identify permission boundaries and detect anomalous access patterns.
OpenAPI
|
Console module |
Contents or purpose |
OpenAPI operation |
|
Basic Information |
Logon name, display name, UID, creation time. |
|
|
Authentication |
Console logon settings, passkeys, MFA settings, and AccessKey. |
Logon settings: GetLoginProfile Passkeys: ListPasskeys |
|
AccessKey |
AccessKey pairs and the AccessKey recycle bin. |
|
|
Groups |
All user groups the user belongs to, useful for tracing inherited permissions. |
|
|
Permissions |
All attached permission policies. Click a policy name to view details and scope. |
|
|
Events |
Categorized history of important user operations (logon events, policy changes, key operations). Supports filtering. |
Not supported via OpenAPI. |
|
Policy Access Beta |
If enabled, shows analysis of the user's recent access to cloud services. Helps identify permission boundaries and detect anomalous access patterns. |
Not supported via OpenAPI. |
You can also query information for all RAM users at once:
-
ListUsers: Returns detailed information for all RAM users.
-
ListUserBasicInfos: Returns only the logon name
UserPrincipalName, display nameDisplayName, and user IDUserIdfor all RAM users.
User field reference
The following table describes the fields on the user details page and their editability.
|
Console field |
API field |
Description |
Editable |
|
User Login Name |
UserPrincipalName |
The identifier the user enters to sign in to the console. Specified at user creation time. |
Yes |
|
Display Name |
DisplayName |
A human-readable name or alias shown in user lists and the console header. |
Yes |
|
Description |
Comments |
Supplementary notes about the user. |
Yes |
|
User ID |
UserId |
A system-assigned unique numeric identifier. |
No |
|
Provision Type |
ProvisionType |
Indicates whether the user was created manually, synchronized via SCIM, or provisioned through CloudSSO. |
No |
|
Created At |
CreateDate |
Timestamp of when the user was first created. Useful for lifecycle management. |
No |
|
Tags |
Tags |
Custom key-value pairs for categorizing users (e.g., department, project, employee ID). |
Yes |
Modify RAM user basic information
When a user's responsibilities change, projects shift, or security policies are updated, you may need to update their profile.
Console
-
Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has the
AliyunRAMFullAccesspolicy. -
In the left-side navigation pane, choose Identities > Users.
-
On the Users page, click the target RAM user name.
-
In the Basic Information section, click Edit.
-
In the Modify Basic Information panel, update the Logon Name, Display Name, or Description as needed, then click OK.
OpenAPI
Call UpdateUser to modify the basic information of a RAM user.
Manage user tags
Tags simplify permission management and cost allocation. Key benefits:
-
Fine-grained access control: Implement attribute-based access control (ABAC). For example, allow users tagged with
project:Ato access only resources that also carry theproject:Atag. -
Automated operations: Use APIs or CLI tools to filter users by tag and perform batch operations such as adding policies or disabling users.
Edit tags for a single user
To manage tags centrally across all resource types, go to the Tag Management console.
Console
-
Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has the
AliyunRAMFullAccesspolicy. -
In the left-side navigation pane, choose Identities > Users.
-
In the RAM user list, hover over the
icon in the Tags column of the target user, then click Edit. -
In the Edit Tags dialog box, enter a tag key and tag value, then click OK.
NoteEach RAM user supports a maximum of 20 tags.
OpenAPI
Call TagResources to add tags to a RAM user. Set the following parameters:
-
Set
ResourceTypetouser. -
Set
ResourceIdto the RAM user ID, or setResourcePrincipalNameto the RAM user's logon name. Specify one of these two parameters (not both).
Set tags in batch
The RAM console supports batch tag operations that incrementally add or overwrite tag values for multiple users. Batch operations do not unbind existing tags. To manage tags centrally, go to the Tag Management console.
-
Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has the
AliyunRAMFullAccesspolicy. -
In the left-side navigation pane, choose Identities > Users.
-
In the RAM user list, select multiple target RAM users.
-
Below the user list, click Edit Tags.
-
In the Batch Set Tags dialog box, enter a tag key and tag value, then click OK.