Assume that an enterprise A buys several types of cloud resources, such as ECS instances, RDS instances, Server Load Balancer instances, and OSS buckets. The employees at the enterprise A need to perform operations on these resources such as buying, O&M, or online application.
Because different employees have different responsibilities, they require different permissions. For security reasons, the Alibaba Cloud account owner of the enterprise A does not want to disclose its account AccessKey to its employees.
Rather, the account owner prefers to create different RAM user accounts for their employees and associate each RAM user account with different permissions. Then, the employees can perform resource operations only under their permissions with their RAM user accounts and charges are not billed to these accounts.
All expenses are charged to the account owner. The account owner can also revoke the permissions of a RAM user account at any time, and delete the user.
Employees do not share the primary account to avoid uncontrollable risks caused by the disclosure of the account’s password or AccessKey.
Different employees are allocated independent user accounts (or operator accounts) with independent permissions, so that their responsibilities are consistent with their permissions.
All the operations of all user accounts can be audited.
Charges are not calculated for each operator; the primary account is billed for all fees incurred.
Use RAM-user accounts and the authorization management function, as shown in the following figure:
The procedures are as follows:
Enable MFA for the primary account to prevent risks caused by disclosure of the primary account password.
Create RAM-User accounts for different employees (or application systems) and set logon passwords or create AccessKeys for them as needed.
Create a group. If multiple employees share the same responsibilities, we recommend that you create a group for them and add the users to the group.
Grant permissions. Attach one or more authorization policies to groups or users. For finer-grained authorization, you can create custom authorization policies and then attach them to groups or users.