
Resource Management: Comparing Resource Directory, Resource Group, and tags

Last Updated: Jun 04, 2026

Resource Directory, Resource Group, and tags serve different resource management needs. Compare their scopes, isolation levels, and authorization methods to choose the right combination.

Key differences

Resource Directory

  • Scenario: Best for multi-account environments. Use Resource Directory to build a corporate hierarchy and centrally manage accounts and resources across multiple Alibaba Cloud accounts.

  • Resource isolation: Isolates resources at the account level.

  • Management level: Account level.

  • Cross-account: Resource groups and tags created within one member cannot be used by other members.

Resource Group

  • Scenario: Best for single-account environments. When a single Alibaba Cloud account serves multiple teams or projects using RAM users, Resource Group acts as a container for resource isolation and permission management:

      • Resource authorization

      • Cost allocation

  • Resource isolation: Isolates resources by using RAM identities and permission policies.

  • Management level: Resource level.

  • Cross-account: Resource groups created in one Alibaba Cloud account cannot be used by other accounts.

Tag

  • Scenario: Best for single-account environments. When a single Alibaba Cloud account serves multiple teams with RAM users, tags help manage resources efficiently:

      • Resource identification

      • Resource authorization

      • Cost allocation

      • Automated O&M

  • Management level: Resource level.

  • Cross-account: Tags created in one Alibaba Cloud account cannot be used by other accounts.

How they work together

These three services are complementary. Think of your enterprise as a tree: Resource Directory builds the trunk and branches (organizational hierarchy), while Resource Group and tags organize the leaves (individual resources). Combine them in any way that fits your needs.

Figure: How Resource Directory, Resource Group, and tags work together

Resource group vs. tag authorization

Both Resource Group and tags provide finer-grained access control than account-level permissions.

Resource Group

  • Scenario: Add resources to a resource group and grant permissions based on that group. Supports system policies for ease of use, or custom policies for finer control.

  • Supported services: Services that work with Resource Group

Tag

  • Scenario: Attach tags to resources and grant permissions based on those tags. Requires specifying authorized tags in the Condition element of a custom policy. More flexible but has a steeper learning curve.

  • Supported services: Go to the Tag-related capabilities page in the Tag console. In the Tag-based authorization column of the Tag-related Capability Items tab, find the resource types that are marked as Supported.
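A custom policy of the kind the Tag entry describes, with the authorized tag named in the Condition element. This is an added example, not taken from the original page: the choice of ECS, the tag key team and the value dev are assumptions. The second statement keeps identities bound by the policy from editing the tags that the grant itself depends on.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/team": ["dev"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:TagResources",
        "ecs:UntagResources",
        "ecs:AddTags",
        "ecs:RemoveTags"
      ],
      "Resource": "*"
    }
  ]
}
```

Before relying on a policy like this, confirm in the Tag console that the resource type is marked as Supported for tag-based authorization.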