You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or RAM users that belong to the Alibaba Cloud account of Enterprise B can access the Alibaba Cloud resources of Enterprise A.

Background information

Enterprise A has purchased MNS to conduct business and wants to authorize part of the business to Enterprise B. The following points describe the business requirements:

  • Enterprise A wants to focus on its business systems and function only as a resource owner. Enterprise A wants to delegate or authorize Enterprise B to execute tasks such as publishing an event.
  • Enterprise A hopes that no permission changes are required when an employee joins or leaves Enterprise B. Enterprise B can assign fine-grained permissions on resources of Enterprise A to RAM users of Enterprise B, including employees or applications.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Enterprise B.

Procedure

  1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console, and create a RAM role for the Alibaba Cloud account of Enterprise B.
  2. Enterprise A adds a system policy or a custom policy to the RAM role that is created.
    Enterprise A must grant permissions to the RAM role, because new RAM roles do not have permissions. For more information, see Grant permissions to a RAM role.
  3. Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

    For more information, see Create a RAM user for Enterprise B.

  4. The RAM user of Enterprise B accesses the resources of Enterprise A in the console or by calling API operations.
    The RAM user can access the resources of Enterprise A by using one of the following methods:
    • Access resources by using SDKs
    • Access resources in the console
    • Access resources by calling API operations
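
The following is an added example, not part of the original documentation. It builds the two policy documents that steps 1 and 2 attach to the role (a trust policy naming Enterprise B's account, and a custom policy limited to publishing to one topic) and audits them before they are applied. The account IDs, region, topic name and helper names are constructed placeholders, and the MNS resource string layout is an assumption to confirm against the MNS authorization reference.

```python
import json

# Constructed placeholder account IDs (not taken from the page).
ENTERPRISE_A_UID = "1111111111111111"
ENTERPRISE_B_UID = "2222222222222222"

def build_trust_policy(trusted_uid):
    """Trust policy for the role in Enterprise A: only this account may assume it."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{trusted_uid}:root"]},
    }]}

def build_publish_policy(owner_uid, region, topic):
    """Custom policy limited to publishing to one topic (assumed resource layout)."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["mns:PublishMessage"],
        "Resource": [f"acs:mns:{region}:{owner_uid}:/topics/{topic}/messages"],
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(trust, permission, expected_uid):
    """Return a list of findings; an empty list means the role matches the intent."""
    findings = []
    allowed = f"acs:ram::{expected_uid}:root"
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for kind, vals in st.get("Principal", {}).items():
            for p in _as_list(vals):
                if kind != "RAM" or p != allowed:
                    findings.append(f"unexpected trusted principal: {kind}={p}")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust statement allows more than sts:AssumeRole")
    for st in permission["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for v in _as_list(st.get(field, [])):
                if "*" in v:
                    findings.append(f"wildcard in {field}: {v}")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ENTERPRISE_B_UID), indent=2))
```

Running the same audit on the role's current policies after the agreement changes shows whether any account other than Enterprise B is still trusted.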

References