This topic describes how an enterprise that has multiple cloud resources can use Resource Access Management (RAM) to manage user permissions to access the cloud resources.

Prerequisites

An Alibaba Cloud account is created. If you do not have an account, create one before proceeding. To create an Alibaba Cloud account, click Create an Alibaba Cloud account.

Background information

Enterprise A has purchased various Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets, to migrate a project to the cloud. Certain employees need to manage these cloud resources, and different employees require different permissions to fulfill their duties.

Enterprise A has the following requirements:

  • To guarantee security, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees.
  • Enterprise A prefers to create different RAM user accounts for the employees and grant different permissions to these user accounts. The employees are granted only the permissions that are required to fulfill their duties.
  • The RAM users can manage resources only after they are granted the corresponding permissions. All operations performed by RAM users can be audited.
  • Enterprise A can revoke the permissions granted to RAM users and delete RAM user accounts at any time.
  • Fees on resources incurred by RAM users are billed to the parent Alibaba Cloud account.
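The requirement that employees hold only the permissions their duties need can be checked mechanically. The following Python code is an added example, not part of the original topic or of any Alibaba Cloud tool: it compares each RAM user's policy document with a list of actions the user's duties require and reports every allowed action outside that list. The user names, duty lists and policy documents are constructed samples, and the code assumes `*` is the only wildcard used.

```python
import re

# Constructed sample: action patterns that each RAM user's duties require.
DUTIES = {
    "ecs-operator": ["ecs:Describe*", "ecs:StartInstance", "ecs:StopInstance"],
    "oss-auditor": ["oss:Get*", "oss:List*"],
}

# Constructed sample: policy documents attached to each RAM user.
POLICIES = {
    "ecs-operator": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:StopInstance"], "Resource": "*"},
    ]},
    "oss-auditor": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "oss:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["rds:DeleteDBInstance"], "Resource": "*"},
    ]},
}

def to_regex(pattern):
    """Compile an action pattern; only '*' is treated as a wildcard (assumption)."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def excess_grants(policy, duty_patterns):
    """Return the Allow actions in a policy that no duty pattern covers.

    A granted action is matched as a literal string, so a grant such as
    'oss:*' is not covered by the narrower duty 'oss:Get*'.
    """
    duty_res = [to_regex(p) for p in duty_patterns]
    excess = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in actions if isinstance(actions, list) else [actions]:
            if not any(r.fullmatch(action) for r in duty_res):
                excess.append(action)
    return excess

def audit(policies, duties):
    """Map each RAM user to the actions granted beyond that user's duties."""
    report = {u: excess_grants(p, duties.get(u, [])) for u, p in policies.items()}
    return {user: found for user, found in report.items() if found}

if __name__ == "__main__":
    for user, found in audit(POLICIES, DUTIES).items():
        print(f"{user}: granted beyond duties -> {', '.join(found)}")
```
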

Solution

Solution for managing user permissions and resources