RAM supports two authorization scopes: account-level and resource group-level. Choose the appropriate scope to enforce least privilege based on your business requirements.
Overview
| Scope | Description | Common use case |
| --- | --- | --- |
| Account-level | Permissions granted to a RAM principal (user or role) apply to all resources in the Alibaba Cloud account. This is the default and broadest scope. | Grant account administrators full access to all services and resources. |
| Resource group-level | Permissions apply only to resources in a specific resource group. Use this scope to isolate permissions by project, environment (development or production), or team. | Delegate project or application management to a team without exposing other account resources. |
Delegate administration with resource groups
Resource groups also support delegated administration.
A RAM user granted the AdministratorAccess system policy for a resource group becomes its administrator. By default, the resource group creator is the administrator. Administrators can:
- Manage all resources within the group.
- Authorize other RAM users to access resources within the group.
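As an added example (not code from Alibaba Cloud's documentation), the following Python script audits a list of policy attachments against the two scopes described above and the delegated-administration pattern: it classifies each attachment as account-level or resource group-level, flags AdministratorAccess granted at account scope to anyone outside an approved list (the grant that least privilege says should usually be narrowed to a resource group), and maps each resource group to the principals that administer it. The attachment records are constructed inline; their field names are modelled on what a Resource Manager policy-attachment listing returns but are an assumption of this example, and the resource group IDs are placeholders. In practice you would populate the list from the Alibaba Cloud CLI or SDK.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


# Record shape modelled on a policy-attachment listing. The field names are an
# assumption of this example, not verified against the live Resource Manager API.
@dataclass(frozen=True)
class PolicyAttachment:
    policy_type: str                  # "System" or "Custom"
    policy_name: str                  # e.g. "AdministratorAccess"
    principal_type: str               # e.g. "IMSUser", "IMSGroup", "ServiceRole"
    principal_name: str               # e.g. "alice@<account>.onaliyun.com"
    resource_group_id: Optional[str]  # None => account-level grant


def scope_of(att: PolicyAttachment) -> str:
    """Classify an attachment by authorization scope: no resource group means account-wide."""
    return "account" if not att.resource_group_id else "resource-group"


def account_level_admins(atts: Iterable[PolicyAttachment]) -> List[str]:
    """Principals holding AdministratorAccess across the entire account (the broadest scope)."""
    return sorted({
        a.principal_name for a in atts
        if a.policy_name == "AdministratorAccess" and scope_of(a) == "account"
    })


def resource_group_admins(atts: Iterable[PolicyAttachment]) -> Dict[str, List[str]]:
    """Map each resource group to its delegated administrators, i.e. principals granted
    AdministratorAccess scoped to that group only."""
    result: Dict[str, List[str]] = {}
    for a in atts:
        if a.policy_name == "AdministratorAccess" and scope_of(a) == "resource-group":
            result.setdefault(a.resource_group_id, []).append(a.principal_name)
    return {rg: sorted(names) for rg, names in result.items()}


def least_privilege_findings(atts: Iterable[PolicyAttachment],
                             allowed_account_admins: Set[str]) -> List[str]:
    """Flag account-wide admin grants that are not on the approved list; these are the
    candidates for narrowing to a resource group-level grant."""
    findings = []
    for name in account_level_admins(atts):
        if name not in allowed_account_admins:
            findings.append(
                f"{name}: AdministratorAccess at account scope; "
                f"consider narrowing to a resource group"
            )
    return findings


# Constructed sample data. Principal names and resource group IDs are placeholders.
SAMPLE = [
    PolicyAttachment("System", "AdministratorAccess", "IMSUser",
                     "root-admin@example.onaliyun.com", None),
    PolicyAttachment("System", "AdministratorAccess", "IMSUser",
                     "contractor@example.onaliyun.com", None),
    PolicyAttachment("System", "AdministratorAccess", "IMSUser",
                     "alice@example.onaliyun.com", "rg-dev-placeholder"),
    PolicyAttachment("System", "AliyunECSReadOnlyAccess", "IMSUser",
                     "bob@example.onaliyun.com", "rg-dev-placeholder"),
    PolicyAttachment("System", "AdministratorAccess", "IMSGroup",
                     "prod-ops", "rg-prod-placeholder"),
]

APPROVED_ACCOUNT_ADMINS = {"root-admin@example.onaliyun.com"}

if __name__ == "__main__":
    for finding in least_privilege_findings(SAMPLE, APPROVED_ACCOUNT_ADMINS):
        print("FINDING:", finding)
    for rg, admins in resource_group_admins(SAMPLE).items():
        print(f"{rg}: administered by {', '.join(admins)}")
```

Run against the sample, the script reports the contractor's account-wide AdministratorAccess as a finding while leaving the approved account administrator alone, and lists alice and the prod-ops group as delegated administrators of their respective resource groups. The read-only grant to bob is scoped to a resource group and confers no administration, so it appears in neither output.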