You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or RAM users that belong to the Alibaba Cloud account of Enterprise B can access the Alibaba Cloud resources of Enterprise A.
Enterprise A has purchased MNS to conduct business and wants to authorize part of the business to Enterprise B. The following points describe the business requirements:
- Enterprise A wants to focus on its business systems and function only as a resource owner. Enterprise A wants to delegate or authorize Enterprise B to execute tasks such as publishing an event.
- Enterprise A hopes that no permission changes are required when an employee joins or leaves Enterprise B. Enterprise B can assign fine-grained permissions on resources of Enterprise A to RAM users of Enterprise B, including employees or applications.
- If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Enterprise B.

1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console, and create a RAM role for the Alibaba Cloud account of Enterprise B.
   For more information, see Create a RAM role for a trusted Alibaba Cloud account.
2. Enterprise A adds a system policy or a custom policy to the RAM role that is created.
   Enterprise A must grant permissions to the RAM role, because new RAM roles do not have permissions. For more information, see Grant permissions to a RAM role.
3. Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.
   For more information, see Create a RAM user for Enterprise B.
4. The RAM user of Enterprise B accesses the resources of Enterprise A in the console or by calling API operations.
   The RAM user can access the resources of the Alibaba Cloud account of Enterprise A by one of the following methods:
   - Access resources by using SDKs
   - Access resources in the console
   - Access resources by calling API operations
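
The role that Enterprise A creates for Enterprise B and the policy it attaches can be checked before use. The following added example, which is not part of the original page, builds both policy documents and audits them for an unexpected trusted principal or wildcard grants. The account IDs, region, topic name, and the `mns:PublishMessage` action and resource pattern are assumptions.

```python
# Added example. Account IDs, region and topic are constructed placeholders.
ACCOUNT_A = "1111111111111111"  # Enterprise A, the resource owner
ACCOUNT_B = "2222222222222222"  # Enterprise B, the trusted account

def trust_policy(trusted_account_id):
    """Trust policy: only the given Alibaba Cloud account may assume the role."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
    }]}

def publish_only_policy(owner_account_id, region, topic):
    """Custom policy for one MNS topic (action and resource names are assumed)."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["mns:PublishMessage"],
        "Resource": [f"acs:mns:{region}:{owner_account_id}:/topics/{topic}/messages"],
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(trust, permissions, expected_account_id):
    """Return a list of findings; an empty list means the role passed."""
    findings = []
    allowed = f"acs:ram::{expected_account_id}:root"
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                if kind != "RAM" or principal != allowed:
                    findings.append(f"trust: unexpected principal {kind}={principal}")
    for stmt in permissions["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for item in _as_list(stmt.get(field, [])):
                if "*" in item:
                    findings.append(f"permissions: wildcard {field} {item}")
    return findings

if __name__ == "__main__":
    import json
    role_trust = trust_policy(ACCOUNT_B)
    role_perms = publish_only_policy(ACCOUNT_A, "cn-hangzhou", "orders")
    print(json.dumps(role_trust, indent=2), json.dumps(role_perms, indent=2))
    print(audit(role_trust, role_perms, ACCOUNT_B) or "no findings")
```

Because the trust policy names the account of Enterprise B rather than individual RAM users, staff changes inside Enterprise B need no change on Enterprise A's side, and deleting the role or its policy revokes access when the agreement ends.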