
Resource Management: Differences and relationships among the Resource Directory, Resource Group, and Tag services

Last Updated: Nov 27, 2023

This topic describes the differences and relationships among the Resource Directory, Resource Group, and Tag services. This topic also describes the differences between resource group-based authentication and tag-based authentication.

Differences among the Resource Directory, Resource Group, and Tag services

Resource Directory

Scenario: Multi-account scenario. If your enterprise uses multiple Alibaba Cloud accounts to manage cloud resources, you can use the Resource Directory service to build an organizational structure. Then, you can use this structure to manage accounts and resources in a centralized and organized manner.

Resource isolation method: Accounts are used to isolate resources.

Management level: Account level

Cross-account capability: Resource groups and tags that are created within a member cannot be used by other members.

Resource Group

Scenario: Single-account scenario. If your enterprise uses one Alibaba Cloud account to manage all cloud resources and each branch or project team uses RAM users to perform daily operations, you can use the Resource Group service to isolate resources and manage permissions. Examples:

  • Grant permissions on resources by resource group.

  • Allocate resource costs by resource group.

Resource isolation method: RAM identities and permission policies are used to isolate resources.

Note: For more information about the differences between resource group-based authentication and tag-based authentication, see Differences between resource group-based authentication and tag-based authentication.

Management level: Resource level

Cross-account capability: Resource groups that are created within an Alibaba Cloud account cannot be used by other Alibaba Cloud accounts.

Tag

Scenario: Single-account scenario. If your enterprise uses one Alibaba Cloud account to manage all cloud resources and each branch or project team uses RAM users to perform daily operations, you can use the Tag service to effectively manage resources. Examples:

  • Add tags to resources.

  • Grant permissions on resources by resource group.

  • Allocate resource costs by resource group.

  • Implement automated resource O&M by tag.

Management level: Resource level

Cross-account capability: Tags that are created within an Alibaba Cloud account cannot be used by other Alibaba Cloud accounts.

Relationships among the Resource Directory, Resource Group, and Tag services

The Resource Directory, Resource Group, and Tag services complement each other and can be used together. For example, an enterprise consists of multiple branches, departments, or project teams. If the enterprise is compared to a tree, the Resource Directory service can be used to build the trunk and branches of the tree. The Resource Group and Tag services can be used to summarize and manage the leaves of the branches. The enterprise can select one or more of the three services based on its business requirements.

Figure: Relationships among the three services

Differences between resource group-based authentication and tag-based authentication

You can use resource groups and tags to classify resources and implement finer-grained permission management than accounts. The following table describes the differences between resource group-based authentication and tag-based authentication.

Resource group-based authentication

Scenario: If the cloud resources that you use support resource groups, you can add the resources to resource groups and grant permissions on the resource groups to different accounts. If you use this method, you can directly use system permission policies without the need to learn how to use the policies. If you want to implement finer-grained permission management, you can use custom permission policies.

Supported Alibaba Cloud service: Services that work with Resource Group

Tag-based authentication

Scenario: If the cloud resources that you use support tags, you can add tags to the resources and grant permissions on the tags to different accounts. If you use this method, you must specify the tags whose permissions you want to grant in the Condition element of a custom permission policy. This method implements finer-grained permission management and is more flexible than resource group-based authentication. However, this method requires that you have a good command of custom permission policies.

Supported Alibaba Cloud service: To obtain the supported services, log on to the Resource Management console, choose Tag > Tag in the left-side navigation pane, click the Resource Tagging Capabilities tab, and then find the resource types for which the value of Tag Ram Support is Support.
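
Tag-based authentication depends entirely on the Condition element of the custom policy, so a statement that omits it or tests the wrong key grants access across the whole account. The following lint is an added example, not part of the Alibaba Cloud documentation: it flags Allow statements that are not pinned to a resource tag. The sample policy, the tag key team and the value dev are constructed, and the check is a heuristic that does not reproduce RAM's own evaluation logic.

```python
import json

# Constructed sample policy (not from the page). The tag key "team", the value
# "dev" and the ECS actions are assumptions chosen for illustration.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {"acs:ResourceTag/team": ["dev"]}}},
    {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ecs:StopInstance", "Resource": "*",
     "Condition": {"StringEquals": {"acs:RequestTag/team": ["dev"]}}}
  ]
}
""")

# Only exact-match operators count as a restriction in this lint.
EXACT_MATCH_OPERATORS = {"StringEquals", "StringEqualsIgnoreCase"}


def _as_list(value):
    """RAM policies allow a single object or string where a list is expected."""
    return value if isinstance(value, list) else [value]


def is_tag_scoped(statement, tag_key):
    """True if the Condition pins acs:ResourceTag/<tag_key> to explicit values."""
    wanted = "acs:ResourceTag/" + tag_key
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in EXACT_MATCH_OPERATORS:
            continue
        values = _as_list(keys.get(wanted, []))
        # Reject empty values and wildcards, which would not narrow anything.
        if values and all(v and "*" not in v for v in values):
            return True
    return False


def unscoped_allow_statements(policy, tag_key):
    """Indexes of Allow statements that grant access without the tag restriction."""
    return [
        index
        for index, statement in enumerate(_as_list(policy.get("Statement", [])))
        if statement.get("Effect") == "Allow" and not is_tag_scoped(statement, tag_key)
    ]


if __name__ == "__main__":
    for index in unscoped_allow_statements(SAMPLE_POLICY, "team"):
        print(f"Statement {index}: Allow without acs:ResourceTag/team restriction")
```

Statement 2 is flagged because acs:RequestTag constrains the tags passed in the request, not the tags already attached to the target resource.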