Resource Access Management (RAM) allows you to grant permissions with two distinct scopes: account-level and resource group-level. When you create a policy, choosing the appropriate scope is key to implementing the principle of least privilege based on your business requirements.
Overview
| Scope | Description | Common use case |
| --- | --- | --- |
| Account-level | Permissions granted to a RAM principal (a RAM user or role) apply to all resources within the entire Alibaba Cloud account. This is the default and broadest scope. | Granting broad permissions to account administrators who need to manage all services and resources. |
| Resource group-level | Permissions are restricted to the resources contained within a specific resource group. This enables you to isolate permissions for different projects, environments (development or production), or teams. | Delegating management of a specific project or application to a team, while preventing them from affecting other resources in the account. |
Delegate administration with resource groups
In addition to scoping permissions, resource groups support a delegated administration model.
A RAM user who is granted the AdministratorAccess system policy for a specific resource group becomes the administrator of that group. By default, the creator of a resource group is its administrator. An administrator can perform the following actions within the scope of their resource group:
Manage all resources within the group.
Authorize other RAM users to access resources within the group.
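The two scopes from the table and the delegated-administration model above, as a simplified Python model added here. This is not Alibaba Cloud's own evaluation logic: the policy names are the system policies the page mentions, but the resource group IDs, principal names, and the `manage`/`authorize`/`read` action names are constructed placeholders.

```python
from dataclasses import dataclass

ACCOUNT_SCOPE = "account"  # account-level attachment: covers every resource

# Hypothetical mapping from policy name to the actions it allows; the real
# system policies cover far more actions than these placeholder names.
POLICY_ACTIONS = {
    "AdministratorAccess": {"manage", "authorize"},
    "ReadOnlyAccess": {"read"},
}

@dataclass(frozen=True)
class Attachment:
    principal: str   # RAM user or role name
    policy: str      # system policy name
    scope: str       # ACCOUNT_SCOPE or a resource group ID such as "rg-dev"

@dataclass(frozen=True)
class Resource:
    resource_id: str
    resource_group: str

def create_resource_group(group_id, creator):
    """The creator of a resource group is its administrator by default."""
    return Attachment(creator, "AdministratorAccess", group_id)

def is_allowed(attachments, principal, action, resource):
    """Allow only if an attachment grants the action and its scope covers the resource."""
    for a in attachments:
        if a.principal != principal or action not in POLICY_ACTIONS.get(a.policy, set()):
            continue
        if a.scope == ACCOUNT_SCOPE or a.scope == resource.resource_group:
            return True
    return False

def administered_groups(attachments, principal):
    """Resource groups the principal administers (delegated administration only)."""
    return sorted({a.scope for a in attachments
                   if a.principal == principal and a.policy == "AdministratorAccess"
                   and a.scope != ACCOUNT_SCOPE})

# Constructed sample data (not from a real account).
ATTACHMENTS = [
    Attachment("account-admin", "AdministratorAccess", ACCOUNT_SCOPE),
    create_resource_group("rg-dev", "dev-lead"),
    Attachment("auditor", "ReadOnlyAccess", "rg-prod"),
]
RESOURCES = [Resource("ecs-dev-1", "rg-dev"), Resource("ecs-prod-1", "rg-prod")]
```

Calling `is_allowed(ATTACHMENTS, "dev-lead", "manage", RESOURCES[1])` returns `False`, because the resource-group-level grant on `rg-dev` does not reach a resource in `rg-prod`, while the account-level grant for `account-admin` reaches both.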

