Resource groups are used to group IoT Platform resources. You can grant RAM users the permissions to view and manage IoT Platform resources, such as Enterprise Edition instances, by managing resource groups. This way, you can isolate resources between RAM users.
Background information
You can use RAM to grant RAM users the permissions to access IoT Platform resources. RAM permissions globally take effect. For example, if you authorize a RAM user to query instance information, the RAM user can query the information about all instances that belong to the corresponding Alibaba Cloud account.
However, the RAM authorization feature cannot limit RAM users to access only specified instances to isolate resources between the RAM users. For example, RAM User A can access only Instance 1 and RAM User B can access only Instance 2. To address this issue, IoT Platform is integrated with the Resource Management platform. You can grant RAM users the permissions to view and manage specific resources by managing resource groups.
Permissions granted to RAM users in the RAM console take effect for all resources in the resource group. If you want to isolate resources between RAM users, grant permissions by using resource groups instead of the RAM console. For more information, see Manage resource groups.
Isolate IoT Platform resources
IoT Platform allows you to use resource groups to isolate resources, such as Enterprise Edition instances, between RAM users.
You can create a resource group in the Resource Management console and add a principal and custom policies to the resource group. When you purchase an Enterprise Edition instance, you can add the instance to a resource group. A RAM user can view and manage only the Enterprise Edition instances of a resource group on which the RAM user has permissions.