All Products
Search
Document Center

Cloud Architect Design Tools:Permission management in CADT

Last Updated:Jun 17, 2026

Cloud Architect Design Tools (CADT) natively supports the Alibaba Cloud RAM Access Control and Resource Management frameworks. You can use permission management to easily manage permissions for CADT and its applications and templates.

Overview

On the Permission Management page in the CADT console, you can easily perform operations such as Create User, Create Resource Group, User Authorization, and Resource Group Authorization.

Note

The Permission Management feature in CADT is available only to Alibaba Cloud accounts.

  • Create User: Create RAM users and grant them permissions to access specific resources.

  • Create Resource Group: Organize your cloud resources into groups based on criteria such as business unit or project.

  • User Authorization: Grant permissions to a RAM user, which allows the user to access the corresponding Alibaba Cloud resources.

  • Resource Group Authorization: This action grants a principal the specified permissions on resources within a resource group.

This tutorial uses a practical example to show you how to use permission management in CADT.

Use case

Imagine you have two applications in CADT: app-test and app-dev. You need to grant permissions so that a developer (cadt-dev001) can only access app-dev, and a tester (cadt-test001) can only access app-test.

Prerequisites

Before you begin, create two applications in CADT named app-test and app-dev. For instructions, see Create a CADT application.

After the creation is complete, you can see the app-test and app-dev applications on the CADT All Applications page.

Step 1: Create users

First, create two RAM users to represent the developer (cadt-dev001) and the tester (cadt-test001).

  1. Log on to the CADT console by using your Alibaba Cloud account.

  2. In the top navigation bar, choose Manage > Permission Management to go to the Permission Management page.

    Note

    The Permission Management feature in CADT is available only to Alibaba Cloud accounts.

    image

  3. On the Permission Management page, click Create User.

  4. Enter the information for the developer cadt-dev001 as follows, and then click OK. Set both Logon Name and Display Name to cadt-dev001, select Console Access for Access Mode, set a Custom Password, select No Reset Required for Require Password Reset, and select Not Required for Multi-Factor Authentication.

  5. Create the tester user (cadt-test001) in the same way.

    After the two RAM users are created:

    The user list now displays the two created RAM users: cadt-dev001 and cadt-test001.

Step 2: Create resource groups

Create two resource groups to isolate resources: one for the development environment (dev) and one for the test environment (test).

  1. On the CADT Permission Management page, click Create Resource Group.image

  2. To create the development environment (dev) resource group, set Resource Group Identifier to dev and Resource Group Name to development environment, and then click OK.

  3. Create the test resource group (test) in the same way.

    After the operation is complete, you can see the two newly created resource groups, Development environment (dev) and Test environment (test), on the CADT permission management page, both with a status of Available.

Step 3: Grant permissions to RAM users

After you create the RAM users and resource groups, grant the RAM users permissions to operate on cloud resources within specific resource groups.

  1. On the CADT Permission Management page, you can click either User Authorization or Resource Group Authorization.imageThe following uses "User Authorization" as an example:

  2. Select a user, such as the developer cadt-dev001, and click Add Permissions.

  3. In the Add Permissions panel, configure the following settings and click OK.

    • Authorization Scope: Permissions can be granted at the account or resource group level. For account-level authorization, specify the account in the Principal field. For resource group-level authorization, specify a resource group.

    • Principal: cadt-dev001

    • Policy: For details about CADT system policies, see CADT system policies and usage notes. If the system policies do not meet your requirements, you can create a custom policy. For more information, see Create a custom policy for CADT.

      This example demonstrates how to grant the sls-test user full permissions on CADT. In the policy search box, enter CADT to filter the policies, select the three policies AliyunCADTReadOnlyAccess, AliyunCADTFullAccess, and AliyunCADTImportAccess, and then click Confirm Authorization.

  • In the same way, authorize the test user cadt-test001.

Step 4: Authorize CADT applications

After you grant permissions to the RAM users, add the CADT applications to their corresponding resource groups. This ensures that users can access only the applications within the resource groups for which they are authorized.

  1. On the CADT permission management page, find the corresponding resource group, such as the development environment resource group (dev), and click Add Authorization.

  2. In the Authorize panel, go to the My Applications tab, select the app-dev application, and click Authorize.

  3. After the authorization is complete, the application app-dev is displayed in the list of authorized resources for the development environment resource group, and its resource type is Application.

  4. In the same way, add the app-test application to the Test Environment (test) resource group.

Step 5: Verify the permissions

After completing the setup, verify that the developer (cadt-dev001) can access only app-dev and the tester (cadt-test001) can access only app-test.

  1. In your Alibaba Cloud account, go to the Overview page of the RAM console and copy the user logon URL.

  2. In a new browser window or an incognito tab, open the user logon URL. Log on as the developer user (cadt-dev001).

  3. Go to the CADT console. The cadt-dev001 user has access only to the development environment, which confirms that the permissions are set correctly. Switch to the development environment.

  4. Navigate to Application > My Applications. The cadt-dev001 account can view only the app-dev application. This verifies the permissions.

    image

  5. Repeat the steps to verify the permissions for the tester user (cadt-test001). This verifies the permissions.image