Controlling User Permissions in the Cloud Era

Imagine you are the system administrator of a large corporation that is sprawled across several offices and has a myriad of different functional departments. Each office location, department, and team has specific permissions that need to be granted to the members of these groups so that they have appropriate access to cloud resources.

Alibaba Cloud Resource Access Management (RAM) is a service that meets this requirement and more. It allows you to create and manage the Alibaba Cloud access permissions for employees, systems, applications, and other identities. And best of all, it is completely free to use!

With RAM, you can create multiple identities under one Alibaba Cloud account. This allows you to keep your Alibaba Cloud account and password strictly confidential in cases where multiple users in your enterprise need to collaboratively manage and access cloud resources. It also allows you to grant the users the minimum required permissions to ensure superior security.

See the RAM documentation for a full list of services that support RAM.

How RAM works

RAM works by using identities knows as “RAM users”. Each RAM user can represent a system, an application, or an individual user in your organization.

You can also create “RAM user groups”, identities that contain multiple RAM users. RAM user groups allow you to set the access control of whole groups of staff members or systems. For example, you could group all staff in the marketing department into one RAM user group and then configure their permissions at one time.

It’s worth pointing out that both RAM users and RAM user groups are “physical identities”, in that the users have set username and password credentials that they use to log on to the Alibaba Cloud console. (They can also use an AccessKey pair.)

Interestingly, RAM also has non-physical, virtual roles, known as “RAM roles”. These roles are identities to which permission policies are attached. However, RAM roles do not have logon passwords or AccessKey pairs. Instead, an entity user (Alibaba Cloud account, RAM users, or Alibaba Cloud services) assumes a RAM role, and the entity user can then obtain and use an STS token to access the authorized resources. RAM roles are divided into the following types based on the entrusted entity:

As mentioned earlier, RAM is free of charge for Alibaba Cloud users. One thing worth noting though is that all costs incurred by the identities under an Alibaba Cloud account are charged to that Alibaba Cloud account. Always be careful about granting permission to users for creating and modifying the configurations of your cloud resources so you aren’t hit with any unexpected bills.


RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. The following is a list of RAM features:

How to use RAM

You can use the RAM service in one of two ways:

Get Started

Now you know the basics of what Alibaba Cloud Resource Access Management (RAM) service can do and how it works, why not have a go at using it for yourself? To get started, I recommend the following resources:

Original Source:

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.