This topic describes the basic concepts of Resource Access Management (RAM) users. This topic also describes the procedure, best practices, and limits of using RAM users.

What is a RAM user?

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:

  • A RAM user can be created by an Alibaba Cloud account. In this case, the RAM user belongs to the Alibaba Cloud account. A RAM user can also be created by a RAM user or a RAM role that has administrative rights. In this case, the new RAM user belongs to the Alibaba Cloud account that created that RAM user or RAM role.
  • A RAM user does not own resources. Resource usage fees of the RAM user are billed to the Alibaba Cloud account to which the RAM user belongs. A RAM user does not receive individual bills and cannot make payments.
  • Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After RAM users are authorized, the RAM users can access resources that are owned by the Alibaba Cloud accounts.
  • RAM users have independent passwords or AccessKey pairs for logon.
  • An Alibaba Cloud account can create multiple RAM users. RAM users can be employees, systems, and applications within an enterprise.

You can create RAM users and authorize the RAM users to access different resources. If multiple users in your enterprise need to access resources at the same time, you can use RAM to grant the users the minimum required permissions. This prevents the users from sharing the username and password or AccessKey pair of an Alibaba Cloud account and reduces security risks.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account, or by using a RAM user or a RAM role that has administrative rights.
  2. Create a RAM user.

    For more information, see Create a RAM user.

  3. Configure logon parameters.

    You can configure both logon passwords and AccessKey pairs for RAM users. For security reasons, we recommend that you configure only a logon password or only an AccessKey pair for a RAM user. If a RAM user is an application, the RAM user must call operations to access resources. In this case, you need to create only an AccessKey pair for the RAM user. If a RAM user is an employee, the RAM user must log on to the Alibaba Cloud Management Console to access resources. In this case, you need to configure only a logon password for the RAM user.

  4. Grant permissions to the RAM user.

    You can grant different RAM users the permissions to access different resources. For more information, see Grant permissions to a RAM user.

  5. Use the RAM user to log on to the Alibaba Cloud Management Console or call operations by using an AccessKey pair.

    For more information, see Log on to the console as a RAM user and API overview.
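
The recommendation in step 3, as an added example that is not part of the original documentation: a Python audit that flags RAM users holding both a logon password and an active AccessKey pair. The inventory is constructed sample data, assumed to have been gathered with the RAM ListUsers, GetLoginProfile, and ListAccessKeys operations; the record layout and the function names are this example's own.

```python
# Constructed sample inventory. Assumption: each record was assembled from the
# RAM ListUsers, GetLoginProfile and ListAccessKeys operations. The flattened
# layout is this example's own, not the raw API response.
SAMPLE_INVENTORY = [
    {"UserName": "alice", "LoginProfile": {"PasswordResetRequired": False},
     "AccessKeys": []},
    {"UserName": "ci-deployer", "LoginProfile": None,
     "AccessKeys": [{"AccessKeyId": "EXAMPLE-KEY-1", "Status": "Active"}]},
    {"UserName": "bob", "LoginProfile": {"PasswordResetRequired": False},
     "AccessKeys": [{"AccessKeyId": "EXAMPLE-KEY-2", "Status": "Active"}]},
    {"UserName": "carol", "LoginProfile": {"PasswordResetRequired": False},
     "AccessKeys": [{"AccessKeyId": "EXAMPLE-KEY-3", "Status": "Inactive"}]},
    {"UserName": "orphan", "LoginProfile": None, "AccessKeys": []},
]


def classify(user):
    """Return (kind, findings) for one inventory record."""
    has_password = user.get("LoginProfile") is not None
    keys = user.get("AccessKeys") or []
    active = [k["AccessKeyId"] for k in keys if k.get("Status") == "Active"]
    inactive = [k["AccessKeyId"] for k in keys if k.get("Status") != "Active"]
    findings = []
    if has_password and active:
        kind = "mixed"  # violates the one-credential-type recommendation
        findings.append("logon password and active AccessKey pair: "
                        + ", ".join(active))
    elif has_password:
        kind = "employee"  # console logon only
    elif active:
        kind = "application"  # API access only
    else:
        kind = "no-credentials"
        findings.append("no logon password or active AccessKey pair")
    # Assumption: an inactive key does not count as a usable credential,
    # but it is still reported so that it can be reviewed.
    if inactive:
        findings.append("inactive AccessKey pair attached: "
                        + ", ".join(inactive))
    return kind, findings


def audit(inventory):
    """Map UserName -> (kind, findings) for every user that has findings."""
    report = {}
    for user in inventory:
        kind, findings = classify(user)
        if findings:
            report[user["UserName"]] = (kind, findings)
    return report
```
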

Best practices

Enterprises that have multiple Alibaba Cloud resources can use RAM to manage identities, user permissions, and resources. For more information, see Use RAM to manage user permissions and resources.

Limits

For more information about the limits of using RAM users, see Limits.