This topic describes how to use RAM to manage user permissions and resources.


An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, click Create a new Alibaba Cloud account.


Enterprise A has bought several types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets for a project. During this project, many employees need to perform operations on these cloud resources, but different employees require different permissions to complete different operations.

The requirements of Enterprise A are as follows:

  • Employees do not share the Alibaba Cloud account to avoid mistaken disclosure of the account password or AccessKey pair.
  • Independent RAM users are created for different employees and the RAM users are granted independent permissions.
  • All operations of all RAM users can be audited by Enterprise A.
  • The permissions of RAM users can be removed at any time, and users under an Alibaba Cloud account can be deleted by Enterprise A.
  • Fees are not charged to each RAM user, but are instead charged to the corresponding Alibaba Cloud account to which the RAM users belong.