When multiple teams share an Alibaba Cloud account, the default flat-permission model gives every Resource Access Management (RAM) user with AliyunECSFullAccess full access to every Elastic Compute Service (ECS) instance in the account. A Department A administrator can view, modify, or delete Department B's production servers — whether accidentally or intentionally.
Resource groups solve this by creating logical management boundaries within your account. You place each department's ECS instances, disks, images, security groups, key pairs, and vSwitches in a separate resource group, then scope permissions to that group. Each administrator can only see and operate their own department's resources.
By the end of this topic, you will have set up a two-department ECS environment where each department's administrator has full control over their own resources and no visibility into the other's.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account or a RAM identity with resource group management permissions
Access to the Resource Group console and RAM console
Why the default model falls short
Granting AliyunECSFullAccess at the account level gives a RAM user permissions far beyond what their job requires. This violates the principle of least privilege — a core component of defense-in-depth security — and creates three concrete problems:
Permission abuse and operational errors: Any ECS administrator can view, modify, or delete resources belonging to any other department.
Audit and compliance challenges: When all teams operate under the same flat permission scope, it is difficult to track which department made a specific change.
No enforceable boundaries: There is no technical mechanism to prevent accidental cross-department actions.
Resource groups, combined with resource-group-scoped RAM policies, eliminate all three problems without requiring separate Alibaba Cloud accounts.
Set up horizontal permission management
The following steps create two isolated ECS administration environments: DepartmentA and DepartmentB. Each department gets its own resource group, its own RAM user, and permissions scoped exclusively to that group.
Step 1: Create resource groups
1. Log on to the Resource Group console.
2. Click Create Resource Group, fill in the following fields, and click OK:
   Resource Group Identifier: DepartmentA
   Resource Group Name: Department A Resource Group
3. Repeat to create a second resource group with the identifier DepartmentB.
Step 2: Create RAM users
1. Log on to the RAM console. In the left navigation pane, choose Identities > Users.
2. Click Create User and fill in the following fields:
   Logon Name/Display Name: AdminA
   Access Mode: Console Access
3. Configure the password policy and click OK. Complete the security authentication as prompted.
4. Repeat to create a second user named AdminB.
Step 3: Grant permissions to each resource group
1. Return to the Resource Group console.
2. Find the DepartmentA resource group and click Manage Permission in the Actions column.
3. Click Grant Permission and configure the following:
   Resource Scope: DepartmentA (current resource group, default)
   Principal: RAM User, select AdminA
   Policy: AliyunECSFullAccess and AliyunBSSFullAccess
4. Click OK.
5. Repeat to grant the same policies to AdminB for the DepartmentB resource group.
Step 4: Verify the isolation
1. Log out of your current account.
2. Log on to the Alibaba Cloud Management Console as AdminA.
3. Create a custom instance. For the resource group, select Department A Resource Group.
4. Go to the ECS console > Instances. Confirm that only the instances in the DepartmentA resource group are visible.
5. Log out and repeat as AdminB. Confirm that AdminB sees only the instances in the DepartmentB resource group and has no visibility into DepartmentA resources.
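The following added example is not Alibaba Cloud's authorization engine or code from this page; it is a small model of the decision the console setup above produces, written to make the difference between an account-level grant and a resource-group-scoped grant concrete. It expresses the scoped grant as a RAM-style policy statement whose Condition tests the resource group of the target instance; the condition key `acs:ResourceGroupId`, the instance IDs and the resource group IDs are assumptions or placeholders, and the inventory is constructed. Explicit Deny statements are not modelled.

```python
"""Model of resource-group-scoped ECS authorization (added example, not
Alibaba Cloud's evaluator). Shows why an account-level AliyunECSFullAccess
grant lets AdminA act on DepartmentB instances, while the same policy scoped
to the DepartmentA resource group does not."""
from fnmatch import fnmatchcase

# Constructed inventory: each ECS instance belongs to exactly one resource
# group. IDs are placeholders, not real Alibaba Cloud identifiers.
INSTANCES = {
    "i-a-web-01": {"ResourceGroupId": "rg-DepartmentA-placeholder"},
    "i-a-db-01": {"ResourceGroupId": "rg-DepartmentA-placeholder"},
    "i-b-web-01": {"ResourceGroupId": "rg-DepartmentB-placeholder"},
}


def scoped_ecs_full_access(resource_group_id):
    """What Step 3 does in the console, written out as a policy statement
    whose Condition restricts every ECS action to one resource group
    (condition key acs:ResourceGroupId is assumed here)."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"acs:ResourceGroupId": resource_group_id}},
        }],
    }


# The flat, account-level grant the page warns about: no Condition at all.
ACCOUNT_LEVEL_ECS_FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}],
}


def _matches(pattern, value):
    # Action and Resource may be a single pattern or a list; '*' wildcards.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    # Only StringEquals is modelled; every key in the block must match.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, instance_id):
    """Deny by default: the request passes only if some Allow statement
    matches the action, the resource, and all condition keys, where the
    condition context carries the target instance's resource group."""
    instance = INSTANCES.get(instance_id)
    if instance is None:
        return False
    context = {"acs:ResourceGroupId": instance["ResourceGroupId"]}
    resource_arn = f"acs:ecs:*:*:instance/{instance_id}"  # assumed ARN shape
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def visible_instances(policy):
    """Simulates the instance list a principal sees in the ECS console."""
    return sorted(i for i in INSTANCES
                  if is_allowed(policy, "ecs:DescribeInstances", i))


if __name__ == "__main__":
    admin_a = scoped_ecs_full_access("rg-DepartmentA-placeholder")
    print("AdminA (scoped) sees:", visible_instances(admin_a))
    print("AdminA (scoped) may delete i-b-web-01:",
          is_allowed(admin_a, "ecs:DeleteInstance", "i-b-web-01"))
    print("Account-level grant sees:", visible_instances(ACCOUNT_LEVEL_ECS_FULL_ACCESS))
```

Running it reproduces the Step 4 check: the scoped policy lists only the two DepartmentA instances and refuses a delete on the DepartmentB instance, while the unconditioned account-level policy lists and may delete everything.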
What's next
Example of the RAM policy for resource groups: customize the policy scope beyond AliyunECSFullAccess.
Create an ECS instance by using the wizard: add instances to the resource groups you created.