Scenario description

Assume that enterprise A buys several types of cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. Employees at enterprise A need to perform operations on these resources, such as procurement, O&M, or online application. Because different employees have different responsibilities, they require different permissions.

  • For security reasons, the Alibaba Cloud account owner of enterprise A does not want to disclose its account AccessKey to its employees. Rather, the account owner prefers to create different RAM user accounts for their employees and associate each RAM user account with different permissions.
  • Then, the employees can perform resource operations only under their permissions with their RAM user accounts and charges are not billed to these accounts. All expenses are charged to the account owner.
  • The account owner can also revoke the permissions of a RAM user account at any time, and delete the user.

Requirement analysis

The analysis of the preceding scenarios is as follows:

  • Employees do not share the primary account to avoid uncontrollable risks caused by the disclosure of the account’s password or AccessKey.
  • Different employees are allocated independent user accounts (or operator accounts) with independent permissions, so that their responsibilities are consistent with their permissions.
  • All the operations of all user accounts can be audited.
  • Charges are not calculated for each operator; the primary account is billed for all fees incurred.


Use RAM-user accounts and the authorization management function, as shown in the following figure:

Figure 1. Solution for the enterprise scenario

The operation procedure is as follows:

  1. Set up MFA to prevent risks caused by disclosure of the password of the primary account.
  2. Activate RAM.
  3. Create RAM users for different employees (or application systems) and set logon passwords or create AccessKeys for them as needed.
  4. Create a RAM user group. If multiple employees share the same responsibility, we recommend that you create a group for them and add the users to the group.
  5. Authorization. Attach one or more authorization policies to groups or users. For finer-grained authorization, you can create Authorization Policy Management and then attach them to groups or users.