This topic provides an example scenario that describes how to use Alibaba Cloud RAM to manage user permissions and resources.


Assume that Enterprise A has bought several types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets, for Project-X. In this project, multiple employees need to perform operations on these cloud resources. Specifically, different employees require different permissions to complete different operations.

Requirement analysis

  • Employees do not share the Alibaba Cloud account to avoid mistaken disclosure of the account password or AccessKey.
  • Independent RAM users are created for different employees and the RAM users are granted independent permissions.
  • All operations of all RAM users can be audited.
  • Fees are not charged to each RAM user, but are instead charged to the corresponding Alibaba Cloud account to which the RAM users belong.


Figure 1. Solution

  1. Set multi-factor authentication (MFA) to avoid risks associated with mistaken disclosure of the Alibaba Cloud account password. For more information, see (Optional) Set MFA.
  2. Create RAM users for different employees (or applications) and set logon passwords or create AccessKeys. For more information, see Create a RAM user.
  3. If multiple RAM users require the same permissions, we recommend that you create a user group and add the corresponding users to this user group. For more information, see (Optional) Create a RAM user group.
  4. Attach one or more system policies to the groups or users. For more information, see Permission granting in RAM. For finer-grained permission management, you can create one or more custom policies and attach them to individual users or to a user group. For more information, see Create a custom policy.