
Vendor: Alibaba Cloud



Overview
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects your account against any unsolicited access.
Benefits
- Enhanced Security: Uses Multi-Factor Authentication (MFA) to protect your account.
- Usability: Access and configure RAM through the web-based Alibaba Cloud Management Console or APIs.
- Complimentary Service with Alibaba Cloud Subscription: Enables centralized management without paying extra charges; pay only for other services used by your RAM users. Provides one consolidated bill for all expenses incurred by resource operations performed by all users present in multiple accounts falling under one enterprise account.
- Centralized Management: Create, manage, rename and delete RAM users, groups and roles, and grant necessary permissions. Use unified management of access permissions and identity credentials for Alibaba Cloud resources. Revoke permissions from multiple resources or user accounts in accordance with your needs.
Features
Identity Management
- User Identity Management: Create and manage user identities and grant permissions using the primary account.
- Multi-factor Authentication: Supports MFA devices that comply with the TOTP protocol standard (RFC 6238) to keep user passwords secure and to assign special permissions, such as shutting down virtual hosts.
- Independent Password Policy Management: Create custom password strength policies for users and set the number of allowed logon attempts, password validity periods, and other password policies.
- User Groups: Create and manage user groups for assigning the same set of permissions to multiple users.
- Access Keys: Set access keys for users wanting to perform operations using the console. You can also set up API access keys for users who require programmatic access.
SSO (Identity Federation)
- User-based SSO: You can configure your IdP to specify a RAM user in the SAML assertion and use the RAM user to access Alibaba Cloud.
- Role-based SSO: You can configure your IdP to specify a RAM role in the SAML assertion and use the RAM role to access Alibaba Cloud.
Access Management
- Execution Permission: Set permissions for allowing or denying execution of certain operations on specific resources under certain conditions.
- Custom Access Management: Use custom policies to manage user permissions effectively.
- Group Permission: The group permission mechanism allows for scenario-specific access management to reduce the burdens associated with permission management.
- User Access Management: Grant user or user group access to users under your account, or even other Alibaba Cloud accounts.
Security Token Service
- Access Permission: Security Token Service grants specific cloud resource access permissions to mobile clients, giving your mobile customers direct access to cloud resources.
- Custom Validity: Supports custom token validity periods for enhanced security.
High Flexibility
- Fine-grained Access Management: Allows you to grant permission for one or multiple operations on a single resource. For example, a resource owner can grant permission to create, perform operations on, or delete resources.
- Multi-dimensional Access Management: Restricts access permissions by IP, time, and other factors.
- Version Management Mechanism: Retain multiple versions of each authorization policy to eliminate the risk of unwanted policy deletion.
Usage and Billing
- Free of Charge: RAM is offered at no additional cost. You are charged only for other Alibaba products/services used by RAM users/roles.
- Consolidated Bill: Your account receives a consolidated bill for all expenses incurred from resource operations performed by all RAM users/roles.