This topic describes how to use RAM to create and authorize resource groups in Alibaba Cloud. After you create and authorize resource groups, you can manage your own members, permissions, and resources by group.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.

Background information

A gaming company is developing three gaming projects. Each project requires multiple types of cloud resources. The company has an Alibaba Cloud account and more than 100 Elastic Compute Service (ECS) instances under this account.

The requirements of the company are as follows:

  • Independent project management: Project managers can manage their own project members and the permissions that the project members require to access cloud resources.
  • Separate bills: The financial department of the company requires that each project receives separate bills.
  • A shared bottom-layer network: The company requires a shared bottom-layer network for its cloud resources.

The company has the following optional solutions:

  • Multi-account solution
    • This solution supports independent project management. The company creates three Alibaba Cloud accounts (one account for each project) and assigns one project manager for each account. Then, project managers can manage their own project members and access permissions of each member.
    • This solution supports separate bills. The accounts receive separate bills by default. The consolidated billing feature provided by Alibaba Cloud for multiple accounts can be used to consolidate the bills and invoices.
  • This solution does not support a shared bottom-layer network. The resources of different accounts are isolated in separate networks. Virtual private clouds (VPCs) under the accounts can be connected through peering connections. However, this incurs higher management costs.
  • Single-account solution (with tagged resources)
    • This solution does not support independent project management. The company can tag its cloud resources by group, but project managers cannot manage their own members and access permissions of each member.
    • This solution supports separate bills. The company can tag its cloud resources by project. Then, each project can receive separate bills.
    • This solution supports a shared bottom-layer network. The company can use tag-based RAM policies to authorize RAM users to access a group of resources. The company does not need to pay for peering connections established between different networks because these resources belong to the same account.
  • Resource group-based management solution
    • This solution supports independent project management. Each resource group has an administrator. Administrators can manage their own group members and access permissions of each member.
    • This solution supports separate bills. Alibaba Cloud provides the consolidated billing feature that allows resource groups to receive separate bills.
    • This solution supports a shared bottom-layer network. Resource groups belong to the same account and can share a VPC. The cost of peering connections is eliminated.

Solution

The resource group-based management solution can meet all requirements of the company. By using this solution, the company only needs to use one Alibaba Cloud account to create three resource groups that correspond to the three projects.

Resource group-based solution
  1. Create three RAM users: alice@secloud.onaliyun.com, bob@secloud.onaliyun.com, and charlie@secloud.onaliyun.com.

    For more information, see Create a RAM user.

    Note The following steps use the RAM user Alice as an example. The steps demonstrate how to set a RAM user as a resource group administrator.
  2. Log on to the Resource Management console.
  3. In the left-side navigation pane, click Resource Group. On the Resource Group page, click Create Resource Group.
  4. Specify the Resource Group Name and Display Name parameters, and then click OK.
    Note Create three resource groups: Game1, Game2, and Game3.
  5. Find the target resource group, and click Manage Permission in the Actions column.
  6. On the Permissions tab, click Grant Permission.
  7. In the Principal field, enter Alice, and then select the RAM user from the auto-complete results.
  8. In the Authorization Policy Name column, click AdministratorAccess.
  9. Click OK.
  10. Click Complete.
    Note Repeat the preceding steps to set Bob and Charlie as resource group administrators.
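The procedure above grants AdministratorAccess at the scope of a single resource group rather than at account scope. The following Python model, added here as an illustration and not part of the original topic or of any Alibaba Cloud SDK, shows the authorization effect that results: a grant scoped to Game1 does nothing for a resource that belongs to Game2, while an account-scoped grant applies to every group, and an explicit Deny wins over any Allow. The user names, resource group IDs (rg-game1 and so on), instance IDs and ARNs, the simplified policy bodies, and the auditor user are all constructed for this example, and the evaluator is a deliberate simplification of RAM's real evaluation logic.

```python
"""
Model of resource-group-scoped authorization (added example, constructed data).

A policy attached to a principal at the scope of one resource group applies
only to resources that belong to that group; a policy attached at account
scope applies to resources in every group. Default decision is Deny and an
explicit Deny statement overrides any Allow.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ACCOUNT_SCOPE = "account"


@dataclass(frozen=True)
class Statement:
    effect: str                  # "Allow" or "Deny"
    actions: tuple               # wildcard patterns such as "ecs:Describe*"
    resources: tuple = ("*",)    # wildcard patterns over resource ARNs


@dataclass(frozen=True)
class Attachment:
    principal: str               # RAM user name
    policy: str                  # key into POLICIES
    scope: str                   # ACCOUNT_SCOPE or a resource group ID


@dataclass(frozen=True)
class Resource:
    arn: str
    resource_group: str


# AdministratorAccess is the system policy name used in the procedure; its
# body here is a simplified stand-in. The other two policies are constructed.
POLICIES = {
    "AdministratorAccess": (Statement("Allow", ("*",), ("*",)),),
    "ECSReadOnly": (Statement("Allow", ("ecs:Describe*",), ("*",)),),
    "DenyDeleteInstance": (Statement("Deny", ("ecs:DeleteInstance",), ("*",)),),
}

# Constructed resources; ARN layout follows the acs:<service>:<region>:<account>:<type>/<id> shape.
RESOURCES = {
    "i-game1-web": Resource("acs:ecs:cn-hangzhou:123456789012:instance/i-game1-web", "rg-game1"),
    "i-game2-db": Resource("acs:ecs:cn-hangzhou:123456789012:instance/i-game2-db", "rg-game2"),
    "i-game3-api": Resource("acs:ecs:cn-hangzhou:123456789012:instance/i-game3-api", "rg-game3"),
}


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(attachments, principal, action, resource):
    """Return "Allow" or "Deny" for one request.

    A group-scoped attachment is skipped when the target resource belongs to a
    different group; an account-scoped attachment is always considered.
    """
    decision = "Deny"
    for att in attachments:
        if att.principal != principal:
            continue
        if att.scope not in (ACCOUNT_SCOPE, resource.resource_group):
            continue  # granted in another resource group: not applicable here
        for stmt in POLICIES[att.policy]:
            if _matches(stmt.actions, action) and _matches(stmt.resources, resource.arn):
                if stmt.effect == "Deny":
                    return "Deny"  # explicit Deny short-circuits everything else
                decision = "Allow"
    return decision


def build_attachments():
    """Constructed: the grants produced by the procedure above (one admin per
    group), plus an account-wide read-only auditor and one explicit Deny
    placed on Alice at account scope, to show how scope and Deny interact."""
    return [
        Attachment("alice", "AdministratorAccess", "rg-game1"),
        Attachment("bob", "AdministratorAccess", "rg-game2"),
        Attachment("charlie", "AdministratorAccess", "rg-game3"),
        Attachment("auditor", "ECSReadOnly", ACCOUNT_SCOPE),
        Attachment("alice", "DenyDeleteInstance", ACCOUNT_SCOPE),
    ]


def run_scenario():
    """Evaluate a fixed set of requests; returns {(principal, action, id): decision}."""
    atts = build_attachments()
    checks = [
        ("alice", "ecs:RunInstances", "i-game1-web"),      # own group: Allow
        ("alice", "ecs:RunInstances", "i-game2-db"),       # other group: Deny
        ("alice", "ecs:DeleteInstance", "i-game1-web"),    # explicit Deny wins
        ("bob", "ecs:RunInstances", "i-game2-db"),         # own group: Allow
        ("bob", "ecs:DescribeInstances", "i-game1-web"),   # other group: Deny
        ("auditor", "ecs:DescribeInstances", "i-game3-api"),  # account scope: Allow
        ("auditor", "ecs:RunInstances", "i-game3-api"),    # read-only: Deny
    ]
    return {(p, a, r): evaluate(atts, p, a, RESOURCES[r]) for p, a, r in checks}


if __name__ == "__main__":
    for (p, a, r), d in run_scenario().items():
        print(f"{p:8} {a:22} {r:12} -> {d}")
```

The scope check in `evaluate` is the whole point of the procedure: Alice's AdministratorAccess is full control, but only inside Game1, so the three project managers cannot reach each other's instances even though everything lives under one Alibaba Cloud account and one shared VPC.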

Result

Alice, Bob, and Charlie are the respective resource group administrators of Game1, Game2, and Game3. The administrators have the following permissions:

  • After an administrator logs on to the ECS console, the administrator can view the resource group that the administrator manages. The administrator can also create and manage ECS instances in that resource group.
  • After an administrator logs on to the Resource Management console, the administrator can add RAM users and grant resource access permissions to RAM users.