
Resource Access Management: Grant permissions to a RAM user group

Last Updated: May 27, 2024

If you grant permissions to a Resource Access Management (RAM) user group, all RAM users in the group have the permissions. We recommend that you grant only the required permissions to the RAM user group based on the principle of least privilege.

Method 1: Grant permissions to a RAM user group on the Groups page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Groups.

  3. On the Groups page, find the RAM user group that you want to manage and click Add Permissions in the Actions column.

    You can also select multiple RAM user groups and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM user groups at the same time.

  4. In the Grant Permission panel, grant permissions to the RAM user group.

    1. Configure the Resource Scope parameter.

      • Account: The authorization takes effect on the current Alibaba Cloud account.

      • Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      The principal is the RAM user group to which you want to grant permissions. The current RAM user group is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Method 2: Grant permissions to a RAM user group on the Grants page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Grants.

  3. On the Permission page, click Grant Permission.

  4. In the Grant Permission panel, grant permissions to the RAM user group.

    1. Configure the Resource Scope parameter.

      • Account: The authorization takes effect on the current Alibaba Cloud account.

      • Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      The principal is the RAM user group to which you want to grant permissions. You can select multiple RAM user groups at a time.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.
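
After granting permissions with either method, the least-privilege recommendation and the high-risk policy note above can be checked with a short review script. The following is an added example, not part of the original documentation or Alibaba Cloud's own tooling: it flags groups that have one of the high-risk system policies named on this page attached, or a custom policy that allows every action on every resource. The input shape, group names and custom policy names are constructed assumptions.

```python
import json

# High-risk system policies named on this page; extend the set for your account.
HIGH_RISK_SYSTEM = {"AdministratorAccess", "AliyunRAMFullAccess"}

def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def wildcard_statements(document):
    """Return the Allow statements that grant every action on every resource."""
    doc = json.loads(document) if isinstance(document, str) else document
    return [s for s in doc.get("Statement", [])
            if s.get("Effect") == "Allow"
            and "*" in as_list(s.get("Action"))
            and "*" in as_list(s.get("Resource"))]

def audit(groups, custom_docs):
    """groups: group name -> attached policies; custom_docs: policy name -> document."""
    findings = []
    for group, attached in sorted(groups.items()):
        for pol in attached:
            name, ptype = pol["PolicyName"], pol["PolicyType"]
            if ptype == "System" and name in HIGH_RISK_SYSTEM:
                findings.append((group, name, "high-risk system policy"))
            elif ptype == "Custom" and name not in custom_docs:
                findings.append((group, name, "custom policy document missing"))
            elif ptype == "Custom" and wildcard_statements(custom_docs[name]):
                findings.append((group, name, "custom policy allows * on *"))
    return findings

# Constructed sample data (hypothetical group and custom policy names).
SAMPLE_GROUPS = {
    "dev-readonly": [{"PolicyName": "AliyunECSReadOnlyAccess", "PolicyType": "System"}],
    "ops-admins": [
        {"PolicyName": "AdministratorAccess", "PolicyType": "System"},
        {"PolicyName": "ops-everything", "PolicyType": "Custom"},
        {"PolicyName": "oss-logs-read", "PolicyType": "Custom"},
    ],
}
SAMPLE_DOCS = {
    "ops-everything": '{"Version": "1", "Statement": '
                      '[{"Effect": "Allow", "Action": "*", "Resource": "*"}]}',
    "oss-logs-read": {"Version": "1", "Statement": [{"Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": "acs:oss:*:*:example-logs/*"}]},
}

if __name__ == "__main__":
    for group, policy, reason in audit(SAMPLE_GROUPS, SAMPLE_DOCS):
        print(f"{group}: {policy}: {reason}")
```

A finding is a prompt for review, not proof of a misconfiguration: an administrators group may legitimately need AdministratorAccess, but each such attachment should be a deliberate decision.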