Hologres allows you to use resource groups to manage Hologres instances in a fine-grained manner. This topic describes the best practices for managing Hologres instances by using resource groups.

Background information

Company A has three departments. Each department uses a variety of cloud resources. Company A has a single Alibaba Cloud account and multiple Hologres instances that belong to the Alibaba Cloud account.

Company A has the following requirements:
  • Independent department management: Department administrators can manage their own members and the permissions that the members require to access cloud resources.
  • Separate billing: The financial department of the company requires that each department receives a separate bill.
Company A can choose from the following solutions:
  • Multi-account solution
    • This solution supports independent department management. Company A creates three Alibaba Cloud accounts (one account for each department) and assigns one department administrator for each account. Then, department administrators can manage their own members and the access permissions of each member.
    • This solution supports separate billing. By default, each Alibaba Cloud account receives a separate bill. Company A can use the consolidated billing feature provided by Alibaba Cloud to consolidate the bills and invoices of multiple Alibaba Cloud accounts.
  • Single-account solution (with tagged resources)
    • This solution does not support independent department management. Company A can tag its cloud resources by group, but department administrators cannot manage their own members and the access permissions of each member.
    • This solution supports separate billing. Company A can tag its cloud resources by department. Then, each department can receive a separate bill.
  • Resource group-based management solution
    • This solution supports independent department management. Each resource group has an administrator. Resource group administrators can manage their own members and the access permissions of each member.
    • This solution supports separate billing. Alibaba Cloud provides the consolidated billing feature that allows resource groups to receive separate bills.

Limits

RAM users are not allowed to create or renew instances, change the configurations of instances, or change the billing method from pay-as-you-go to subscription by resource group. If you want your RAM user to perform the preceding operations, you must attach the AliyunBSSOrderAccess policy to the RAM user to grant permissions on all resources within your Alibaba Cloud account.

Procedure of the resource group-based management solution

  1. Create RAM users.
    Create the following RAM users. For more information about how to create RAM users, see Create a RAM user.
    • Alice@secloud.onaliyun.com
    • Bob@secloud.onaliyun.com
    • Charlie@secloud.onaliyun.com
    Note: The following steps show how to specify a RAM user as a resource group administrator. In this example, RAM User Alice is used.
  2. Log on to the Resource Management console.
  3. In the left-side navigation pane, click Resource Group. On the Resource Group page, click Create Resource Group.
    For information about the operations on resource groups, see Manage resource groups.
  4. In the Create Resource Group panel, set Resource Group Name and Display Name, and click OK.
    Note: Create three resource groups: BU1, BU2, and BU3.
  5. Configure permissions.
    The following steps show how to grant RAM User Alice permissions to view and manage Hologres instances in Resource Group BU1.
    1. On the Resource Group page, find Resource Group BU1 and click Manage Permission in the Actions column.
    2. On the Permissions tab of the page that appears, click Grant Permission.
    3. In the Grant Permission panel, configure the parameters described in the following table.
      Parameter | Description
      Authorized Scope | Select Specific Resource Group and then select BU1 from the drop-down list.
      Principal | Enter Alice@secloud.onaliyun.com.
      Select Policy | Click the System policy tab and then select AliyunHologresFullAccess and AliyunBSSOrderAccess from the policy list. For more information about the policies that you can attach to RAM roles, see Grant permissions on Hologres to RAM users.
    4. Click OK and then click Complete.
      Now, RAM User Alice has permissions to view and manage Hologres instances in Resource Group BU1 and can perform operations in Resource Group BU1 such as creating, deleting, stopping, or renewing instances, or changing the configurations of instances.
      Note: Repeat the preceding steps to specify RAM User Bob as the administrator of Resource Group BU2 and RAM User Charlie as the administrator of Resource Group BU3.

Execution results

RAM Users Alice, Bob, and Charlie are Hologres administrators of Resource Groups BU1, BU2, and BU3, respectively. After each RAM user logs on to the Hologres console, the RAM user can view the corresponding resource group and create and manage Hologres instances in the resource group.
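
The end state described above can be checked against an export of the policy grants. The following Python audit is an added example, not part of the original topic or of any Alibaba Cloud tooling. The record field names, the ACCOUNT scope marker, and the sample grants are constructed assumptions.

```python
# Added example: audit resource-group grants against the intended mapping.
# Record field names and scope values are assumptions made for this example.
EXPECTED = {  # administrator -> the only resource group they may manage
    "Alice@secloud.onaliyun.com": "BU1",
    "Bob@secloud.onaliyun.com": "BU2",
    "Charlie@secloud.onaliyun.com": "BU3",
}
REQUIRED = "AliyunHologresFullAccess"
ACCOUNT = "ACCOUNT"  # marker used here for a grant on the whole account


def audit(attachments):
    """Return sorted (principal, finding) tuples; an empty list means clean."""
    findings = set()
    seen = set()  # administrators holding REQUIRED on their own group
    for a in attachments:
        who, scope, policy = a["principal"], a["scope"], a["policy"]
        home = EXPECTED.get(who)
        if home is None:
            findings.add((who, f"unexpected principal holds {policy} on {scope}"))
        elif scope == ACCOUNT:
            findings.add((who, f"{policy} granted on the whole account"))
        elif scope != home:
            findings.add((who, f"{policy} granted on {scope}, outside {home}"))
        elif policy == REQUIRED:
            seen.add(who)
    for who, home in EXPECTED.items():
        if who not in seen:
            findings.add((who, f"missing {REQUIRED} on {home}"))
    return sorted(findings)


# Constructed sample: Bob also holds a grant on BU1; Charlie has an
# account-wide AliyunBSSOrderAccess grant and no Hologres grant on BU3.
SAMPLE = [
    {"principal": "Alice@secloud.onaliyun.com", "scope": "BU1", "policy": "AliyunHologresFullAccess"},
    {"principal": "Alice@secloud.onaliyun.com", "scope": "BU1", "policy": "AliyunBSSOrderAccess"},
    {"principal": "Bob@secloud.onaliyun.com", "scope": "BU2", "policy": "AliyunHologresFullAccess"},
    {"principal": "Bob@secloud.onaliyun.com", "scope": "BU1", "policy": "AliyunHologresFullAccess"},
    {"principal": "Charlie@secloud.onaliyun.com", "scope": "ACCOUNT", "policy": "AliyunBSSOrderAccess"},
]

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```

Account-wide grants are reported separately because they apply to every department's resources, which is the scope the Limits section describes for AliyunBSSOrderAccess.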

View billing statements by resource group

For information about how to view billing statements by resource group, see View billing statements by resource group.