Resource Access Management: Manage permissions for common operations roles

Last Updated: Mar 31, 2026

This topic describes how to use Resource Access Management (RAM) to implement a role-based access control (RBAC) strategy for your operations teams. By creating RAM user groups that correspond to common job functions and attaching policies to them, you can efficiently manage permissions at scale.

Scenario

As your organization's cloud presence grows, you need to grant different operations engineers access to manage specific parts of your infrastructure. For example, your network engineers need to manage VPCs and CDN, while your database administrators need to manage ApsaraDB RDS instances. You need a secure and scalable way to assign these permissions based on job function.

Solution overview

The best practice for this scenario is to use RAM user groups to represent the different job functions within your organization. Instead of attaching policies directly to individual RAM users, you attach them to a group. When you add a user to that group, they automatically inherit the group's permissions. This approach simplifies administration and ensures that all users with the same job function have a consistent set of permissions.

The implementation involves these steps:

  1. Create RAM user groups that correspond to job functions (such as NetworkAdmins and DatabaseAdmins).

  2. Attach the appropriate policies to each group.

  3. Create RAM users for your engineers and add them to the relevant groups.

Common operations roles and recommended policies

The following are examples of common operations job functions and the Alibaba Cloud system policies that can be used to grant them appropriate permissions.

Cloud platform administrator

This role has full permissions to manage all Alibaba Cloud resources and services within the account, including RAM.

  • AdministratorAccess

Cloud resource administrator

This role has full access to Alibaba Cloud services and resources, but is not responsible for managing RAM identities and their permissions, the Resource Directory and resource sharing relationships, or modifying financial account information.

  • PowerUserAccess

Compute administrator

This role is responsible for managing virtual machines and their related compute, storage, and scaling resources.

  • AliyunECSFullAccess (Elastic Compute Service)

  • AliyunESSFullAccess (Auto Scaling)

  • AliyunSLBFullAccess (Server Load Balancer)

  • AliyunNASFullAccess (File Storage NAS)

  • AliyunOSSFullAccess (Object Storage Service)

  • AliyunOTSFullAccess (Tablestore)

Network administrator

This role is responsible for managing all aspects of your cloud network infrastructure.

  • AliyunVPCFullAccess (Virtual Private Cloud)

  • AliyunEIPFullAccess (Elastic IP Address)

  • AliyunNATGatewayFullAccess (NAT Gateway)

  • AliyunCENFullAccess (Cloud Enterprise Network)

  • AliyunExpressConnectFullAccess (Express Connect)

  • AliyunSmartAccessGatewayFullAccess (Smart Access Gateway)

  • AliyunVPNGatewayFullAccess (VPN Gateway)

  • AliyunCommonBandwidthPackageFullAccess (Internet Shared Bandwidth)

  • AliyunCDNFullAccess (CDN)

Database administrator

This role is responsible for managing relational databases and data migration services.

  • AliyunRDSFullAccess (ApsaraDB RDS)

  • AliyunDTSFullAccess (Data Transmission Service)

Security administrator

This role is responsible for managing and monitoring the security services for your cloud resources.

  • AliyunYundunFullAccess (all Alibaba Cloud security services)

Monitoring and auditing

This role has permissions to view monitoring data and audit logs and to manage support cases, but cannot modify resources.

  • ReadOnlyAccess

  • AliyunCloudMonitorFullAccess (Cloud Monitor)

  • AliyunActionTrailFullAccess (ActionTrail)

  • AliyunARMSFullAccess (Application Real-Time Monitoring Service)

  • AliyunSupportFullAccess (Ticket system)

Procedure: Grant permissions to a database administrator

This example demonstrates how to grant a RAM user named Alice permissions as a database administrator.

Step 1: Create a RAM user group for database administrators

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose .

  3. Click Create Group.

  4. Enter DatabaseAdmins as the group name and click OK.

Step 2: Attach policies to the group

  1. On the Groups page, find the DatabaseAdmins group and click Attach Policy in the Actions column.

  2. On the Attach Policy panel, search for and select the following two policies:

    • AliyunRDSFullAccess

    • AliyunDTSFullAccess

  3. Click OK, then click Close.

Step 3: Create a RAM user and add them to the group

  1. In the left-side navigation pane, choose .

  2. Create a new RAM user named Alice with console access.

  3. After the user is created, find Alice in the user list and click Add to Group in the Actions column.

  4. Select the DatabaseAdmins group and click Add User to Group.
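The same group, policy attachments, user and membership from Steps 1 to 3, expressed as Terraform for the alicloud provider so the role assignment is reviewable and repeatable. This is an added example, not configuration from this topic; the provider resource names are real, while the initial-password variable, the MFA requirement and the display name are assumptions.

```hcl
terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
    }
  }
}

# Initial console password, supplied out of band (assumption: not part of the topic).
variable "alice_initial_password" {
  type      = string
  sensitive = true
}

# Step 1: the job-function group. Policies attach here, never to individual users.
resource "alicloud_ram_group" "database_admins" {
  name     = "DatabaseAdmins"
  comments = "Database administrators: ApsaraDB RDS and DTS"
}

# Step 2: attach the two system policies to the group, one attachment per policy.
resource "alicloud_ram_group_policy_attachment" "database_admins" {
  for_each    = toset(["AliyunRDSFullAccess", "AliyunDTSFullAccess"])
  group_name  = alicloud_ram_group.database_admins.name
  policy_name = each.key
  policy_type = "System"
}

# Step 3a: the RAM user. The user itself carries no policies.
resource "alicloud_ram_user" "alice" {
  name         = "Alice"
  display_name = "Alice" # assumption
}

# Step 3b: console access. Forcing a password reset and MFA binding is an assumption
# added here as a hardening default, not a requirement stated in the topic.
resource "alicloud_ram_login_profile" "alice" {
  user_name               = alicloud_ram_user.alice.name
  password                = var.alice_initial_password
  password_reset_required = true
  mfa_bind_required       = true
}

# Step 3c: group membership is the only link between Alice and her permissions,
# so removing her from the group revokes RDS and DTS access in one change.
resource "alicloud_ram_group_membership" "database_admins" {
  group_name = alicloud_ram_group.database_admins.name
  user_names = [alicloud_ram_user.alice.name]
}
```

Run `terraform plan` before `terraform apply` and confirm the plan shows exactly one group, two policy attachments, one user, one login profile and one membership, and no policy attached directly to the user.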

Step 4: Verify the permissions

To verify that the permissions are working correctly:

  1. Have the user Alice log on to the Alibaba Cloud Management Console.

  2. Instruct them to navigate to the ApsaraDB RDS console. They should be able to view and manage ApsaraDB RDS instances.

  3. Instruct them to navigate to the ECS console. They should receive a "permission denied" error, confirming that they do not have permissions beyond their assigned job function.

You can repeat this procedure for other job functions by creating different groups and attaching the appropriate policies.