
Resource Access Management: RAM authorization scopes

Last Updated: Jun 08, 2026

RAM supports two authorization scopes: account-level and resource group-level. Choose the appropriate scope to enforce least privilege based on your business requirements.

Overview

| Scope | Description | Common use case | Illustration |
| --- | --- | --- | --- |
| Account-level | Permissions granted to a RAM principal (user or role) apply to all resources in the Alibaba Cloud account. This is the default and broadest scope. | Grant account administrators full access to all services and resources. | Manage the resources of an Alibaba Cloud account |
| Resource group-level | Permissions apply only to resources in a specific resource group. Use this scope to isolate permissions by project, environment (development or production), or team. | Delegate project or application management to a team without exposing other account resources. | Manage the resources of a resource group |

Delegate administration with resource groups

Resource groups also support delegated administration.

A RAM user granted the AdministratorAccess system policy for a resource group becomes its administrator. By default, the resource group creator is the administrator. Administrators can:

  • Manage all resources within the group.

  • Authorize other RAM users to access resources within the group.
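
The following is an added example, not Alibaba Cloud's code: a small Python audit over a constructed list of policy grants that shows how far each scope reaches and which principals end up as resource group administrators. The tuple layout, the `ACCOUNT` marker, and the principal and resource group names are assumptions of this example, not a RAM API format.

```python
from collections import defaultdict

ACCOUNT = "account"  # marker this example uses for account-level scope
ADMIN = "AdministratorAccess"

# Constructed sample data: (RAM principal, policy, scope). Scope is ACCOUNT
# or a resource group ID; all principal names and group IDs are made up.
ATTACHMENTS = [
    ("alice", ADMIN, ACCOUNT),
    ("bob", ADMIN, "rg-prod"),
    ("carol", "AliyunECSReadOnlyAccess", "rg-dev"),
    ("dave", "AliyunOSSFullAccess", ACCOUNT),
    ("erin", ADMIN, "rg-dev"),
    ("erin", "AliyunECSReadOnlyAccess", "rg-prod"),
]
ALL_GROUPS = {"rg-dev", "rg-prod", "rg-shared"}


def reach(attachments, all_groups):
    """Map each principal to the resource groups its grants cover."""
    covered = defaultdict(set)
    for principal, _policy, scope in attachments:
        # An account-level grant applies to every resource in the account,
        # so it covers every resource group.
        covered[principal] |= all_groups if scope == ACCOUNT else {scope}
    return dict(covered)


def group_admins(attachments):
    """Resource group -> principals holding AdministratorAccess scoped to it."""
    admins = defaultdict(list)
    for principal, policy, scope in attachments:
        if policy == ADMIN and scope != ACCOUNT:
            admins[scope].append(principal)
    return {group: sorted(names) for group, names in admins.items()}


def account_level_grants(attachments):
    """Grants at the broadest scope; each is a candidate for narrowing."""
    return sorted((p, pol) for p, pol, scope in attachments if scope == ACCOUNT)


if __name__ == "__main__":
    for principal, groups in sorted(reach(ATTACHMENTS, ALL_GROUPS).items()):
        print(f"{principal}: {sorted(groups)}")
    print("group admins:", group_admins(ATTACHMENTS))
    print("account-level grants:", account_level_grants(ATTACHMENTS))
```

In the sample data, `dave` holds a single-service policy but reaches every resource group because the grant is account-level, while `bob` and `erin` administer only the groups their `AdministratorAccess` grant is scoped to.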