Resource Directory, Resource Group, and tags serve different resource management needs. Compare their scopes, isolation levels, and authentication methods to choose the right combination.
Key differences
| Service | Scenario | Resource isolation | Management level | Cross-account |
| --- | --- | --- | --- | --- |
| Resource Directory | Best for multi-account environments. Use Resource Directory to build a corporate hierarchy and centrally manage accounts and resources across multiple Alibaba Cloud accounts. | Isolates resources at the account level. | Account level. | Resource groups and tags created within one member cannot be used by other members. |
| Resource Group | Best for single-account environments. When a single Alibaba Cloud account serves multiple teams or projects using RAM users, Resource Group acts as a container for resource isolation and permission management: | Isolates resources by using RAM identities and permission policies. | Resource level. | Resource groups created in one Alibaba Cloud account cannot be used by other accounts. |
| Tag | Best for single-account environments. When a single Alibaba Cloud account serves multiple teams with RAM users, tags help manage resources efficiently: | | Resource level. | Tags created in one Alibaba Cloud account cannot be used by other accounts. |
How they work together
These three services are complementary. Think of your enterprise as a tree: Resource Directory builds the trunk and branches (organizational hierarchy), while Resource Group and tags organize the leaves (individual resources). Combine them in any way that fits your needs.

Resource group vs. tag authentication
Both Resource Group and tags provide finer-grained access control than account-level permissions.
| Authentication method | Scenario | Supported services | Example |
| --- | --- | --- | --- |
| Resource Group | Add resources to a resource group and grant permissions based on that group. Supports system policies for ease of use, or custom policies for finer control. | | |
| Tag | Attach tags to resources and grant permissions based on those tags. Requires specifying authorized tags in the Condition element of a custom policy. More flexible but has a steeper learning curve. | Go to the Tag-related capabilities page in the Tag console. In the Tag-based authorization column of the Tag-related Capability Items tab, find the resource types that are marked as Supported. | |
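
One way to review whether a custom policy is really tag-scoped, as an added example that is not from the original page or from Alibaba Cloud's own tooling: it flags Allow statements that lack an exact-match `acs:ResourceTag/` entry in the Condition element. The two sample policies, the tag key `team`, the value `dev`, and the function names are constructed for illustration.

```python
import json

# Constructed sample policies; tag key "team" and value "dev" are assumptions.
UNSCOPED = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
""")
TAG_SCOPED = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
   "Condition": {"StringEquals": {"acs:ResourceTag/team": ["dev"]}}}]}
""")

TAG_PREFIX = "acs:ResourceTag/"
# Only exact-match operators pin a tag to named values; StringLike or
# StringNotEquals conditions are treated as not scoping the statement.
EXACT_OPERATORS = {"StringEquals", "StringEqualsIgnoreCase"}


def tag_keys(statement):
    """Return the resource-tag condition keys that restrict a statement."""
    found = []
    for operator, conditions in statement.get("Condition", {}).items():
        if operator not in EXACT_OPERATORS:
            continue
        for key, values in conditions.items():
            values = values if isinstance(values, list) else [values]
            if key.startswith(TAG_PREFIX) and values and all(values):
                found.append(key)
    return found


def unscoped_allows(policy):
    """Return indexes of Allow statements with no resource-tag condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # tolerate a single statement object
        statements = [statements]
    return [i for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and not tag_keys(s)]


if __name__ == "__main__":
    for name, policy in (("unscoped", UNSCOPED), ("tag-scoped", TAG_SCOPED)):
        print(name, "-> unscoped Allow statements:", unscoped_allows(policy))
```

A Deny statement is never flagged, and a statement whose only tag condition uses a negated or pattern operator is reported for manual review rather than accepted.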