This topic provides an example scenario that describes how to use Alibaba Cloud RAM to manage user permissions and resources.
Assume that Enterprise A has bought several types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets, for Project-X. In this project, multiple employees need to perform operations on these cloud resources, and different employees require different permissions to complete different operations. Enterprise A has the following requirements:
- Employees do not share the Alibaba Cloud account, so that the account password or AccessKey cannot be accidentally disclosed.
- Independent RAM users are created for different employees and the RAM users are granted independent permissions.
- All operations of all RAM users can be audited.
- Fees are not charged to each RAM user, but are instead charged to the corresponding Alibaba Cloud account to which the RAM users belong.
To meet these requirements, perform the following steps:
- Enable multi-factor authentication (MFA) for the Alibaba Cloud account to reduce the risk posed by an accidentally disclosed account password. For more information, see (Optional) Set MFA.
- Create RAM users for different employees (or applications) and set logon passwords or create AccessKeys. For more information, see Create a RAM user.
- If multiple RAM users require the same permissions, we recommend that you create a user group and add the corresponding users to this user group. For more information, see (Optional) Create a RAM user group.
- Attach one or more system policies to the groups or users. For more information, see Permission granting in RAM. For finer-grained permission management, you can create one or more custom policies and attach them to individual users or to a user group. For more information, see Create a custom policy.
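The custom-policy step above leaves open what "finer-grained" means in practice. The following added example (not from the Alibaba Cloud documentation) shows a least-privilege custom policy for the Project-X scenario next to a full-administrator grant, plus a small check that flags statements broader than least privilege. The bucket name, region and `ACCOUNT_ID` are placeholders; `acs:MFAPresent` is the RAM condition key for an MFA-verified session.

```python
# Constructed example: a least-privilege custom policy for the Project-X team
# (read one OSS bucket, list ECS instances, start/stop ECS only with MFA).
# The bucket name, region and ACCOUNT_ID are placeholders, not real values.
PROJECT_X_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": ["acs:oss:*:*:project-x-bucket",
                      "acs:oss:*:*:project-x-bucket/*"]},
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances"],
         "Resource": "*"},  # read-only listing, not resource-scoped
        {"Effect": "Allow",
         "Action": ["ecs:StartInstance", "ecs:StopInstance"],
         "Resource": "acs:ecs:cn-hangzhou:ACCOUNT_ID:instance/*",
         "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
    ],
}

# The shape of a full-administrator grant, shown for contrast.
ADMIN_LIKE_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (statement index, reason) for each Allow statement broader than
    least privilege: a wildcard action, or Resource "*" with a mutating action."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action!r}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            # "ecs:DescribeInstances" -> "DescribeInstances"; Describe/Get/List only read
            mutating = [a for a in actions
                        if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
            if mutating:
                findings.append((idx, f"Resource '*' with mutating actions {mutating}"))
    return findings


def requires_mfa(stmt):
    """True when the statement only applies to callers who passed MFA."""
    return stmt.get("Condition", {}).get("Bool", {}).get("acs:MFAPresent") == "true"
```

Run `find_broad_grants` over a candidate policy before attaching it to a Project-X user group; an empty result means every Allow statement is scoped to named actions and resources.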