
Resource Access Management: Create a RAM user group and grant permissions to the group

Last Updated: Nov 20, 2023

Resource Access Management (RAM) user groups are physical identities. You can create RAM user groups to classify RAM users and grant a shared set of permissions to the RAM users that have the same responsibilities. This simplifies the management of RAM users and their permissions.

Step 1: Create a RAM user group

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Groups.

  3. On the Groups page, click Create User Group.

  4. On the Create Group page, configure the Group Name, Display Name, and Note parameters.

  5. Click OK.

Step 2: Add RAM users to the RAM user group

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user that you want to manage and click Add to Group in the Actions column.

  4. In the Add Group Members panel, select the RAM user group to which you want to add the RAM user. The information about the RAM user is automatically filled in.

  5. Click OK.

  6. Click Close.

Step 3: (Optional) Create a custom policy

RAM provides system policies and custom policies. System policies are provided by Alibaba Cloud and cannot be modified. If system policies cannot meet your business requirements, you can create a custom policy to implement fine-grained access control.

You can create a custom policy by using different methods. In this example, a custom policy is created on the Visual editor tab. For more information, see Create a custom policy.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the Visual editor tab.

  5. Configure the policy and click Next to edit policy information.

    1. In the Effect section, select Allow or Deny.

    2. In the Service section, select an Alibaba Cloud service.

      Note

      The Alibaba Cloud services that you can select are displayed in the Service section.

    3. In the Action section, select All action(s) or Select action(s).

      The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select the specific actions that the policy allows or denies.

    4. In the Resource section, select All resource(s) or Specified resource(s).

      The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.

      Note

      The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.

    5. In the Condition section, click Add condition to configure a condition.

      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You only need to select a condition key and configure the Operator and Value parameters.

    6. Click Add statement and repeat the preceding steps to configure multiple custom policy statements.

  6. Specify the Name and Description fields.

  7. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.
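The sections the Visual editor assembles (Effect, Service and Action, Resource ARNs, Condition, one statement per Add statement) map onto a JSON policy document. The following Python is an added example, not Alibaba Cloud's own tooling: it builds such a document, applies the basic optimization described above (drops an empty Condition block, unwraps single-element arrays), and flags an unconditional Allow on all actions and all resources as a least-privilege review item. The `oss` service, action names and bucket ARNs used in the checks are constructed sample values.

```python
"""Assemble a RAM custom policy the way the Visual editor does (Effect,
Service + Action, Resource ARNs, Condition, one statement per Add statement),
apply the page's basic optimization, and flag statements that violate least
privilege. Example code, not Alibaba Cloud tooling; service, action and ARN
values passed in by callers are constructed samples."""
import json


def make_statement(effect, service, actions, resources, condition=None):
    """One statement; action names are qualified with the service prefix."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("Effect must be Allow or Deny")
    if not actions or not resources:
        raise ValueError("select at least one action and one resource")
    return {"Effect": effect,
            "Action": [f"{service}:{a}" for a in actions],
            "Resource": list(resources),
            "Condition": condition if condition is not None else {}}


def basic_optimize(stmt):
    """Basic optimization from the page: drop an empty (unnecessary)
    Condition block and unwrap single-element Action/Resource arrays."""
    out = dict(stmt)
    if not out.get("Condition"):
        out.pop("Condition", None)
    for key in ("Action", "Resource"):
        if isinstance(out[key], list) and len(out[key]) == 1:
            out[key] = out[key][0]
    return out


def _as_list(v):
    return v if isinstance(v, list) else [v]


def overly_broad(stmt):
    """Least-privilege check: an unconditional Allow on every action of a
    service (or '*') against every resource is the pattern to narrow."""
    return (stmt["Effect"] == "Allow" and not stmt.get("Condition")
            and any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
            and "*" in _as_list(stmt["Resource"]))


def build_policy(statements):
    """Serialize the document; RAM custom policies use Version "1"."""
    return json.dumps({"Version": "1",
                       "Statement": [basic_optimize(s) for s in statements]},
                      indent=2)
```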

Step 4: Grant permissions to the RAM user group

When you grant permissions to a RAM user group, we recommend that you grant only the required permissions to the RAM user group based on the principle of least privilege.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Groups.

  3. On the Groups page, find the RAM user group to which you want to grant permissions and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user group.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM user group to which permissions are granted. By default, the current RAM user group is specified. You can also specify a different RAM user group.

    3. Select policies.

      Note

      You can attach a maximum of five policies to a RAM user group at a time. If you need to attach more than five policies to a RAM user group, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.