
Resource Management: Resource directory hierarchical management solution

Last Updated: Jun 02, 2026

Resource Directory supports resource-level authorization. Use Resource Access Management (RAM) or CloudSSO to delegate folder-level management to department administrators.

Scenarios

For large enterprises with multiple subsidiaries, the cloud management or O&M team typically manages the resource directory management account. The team can delegate management to subsidiary administrators, enabling independent resource management.

The following example uses Company Y, which has two business departments. Company Y delegates management to each department's O&M administrator, who independently manages account structures and employee permissions.

Department            | Administrator | Duty
----------------------|---------------|------------------------------------------------------------------
Security department   | Mike          | Manages security control policies globally for the company.
Business Department 1 | Alice         | O&M administrator of Business Department 1. Can create resource accounts, organizations, control policies, and notification contacts only within Business Department 1.
Business Department 2 | Bob           | O&M administrator of Business Department 2. Can create resource accounts, organizations, control policies, and notification contacts only within Business Department 2.

Solutions

Hierarchical management provides fine-grained permission control over resource scopes and operations.


Resource Directory supports resource-level authorization. Specify operations in the Action element and resources in the Resource element of a RAM policy to control access at the resource level. For more information, see RAM authorization.

Select a solution based on your requirements:

Solution 1: Use RAM to perform hierarchical management

  1. Enable a resource directory.

    Create an Alibaba Cloud account, complete enterprise real-name verification, enable a resource directory, and create folders named Business Department 1 and Business Department 2 in the resource directory. The administrator of Company Y can be an employee in the financial department. For more information about how to enable a resource directory and create a folder in the resource directory, see Enable a resource directory and Create a folder.

    This account becomes the management account of the resource directory.

  2. Create a RAM user named Mike and grant permissions to configure global control policies.

    The administrator of Company Y uses the management account of the resource directory to log on to the RAM console, creates a RAM user named Mike, creates an AccessKey pair, and attaches the following custom policy. For more information, see Create a RAM user, Create a custom policy, and Grant permissions to RAM users.

    Policy document:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:*ControlPolicy*",
                    "resourcemanager:*ControlPolicies*"
                ],
                "Resource": [
                    "acs:resourcemanager:*:*:account/*",
                    "acs:resourcemanager:*:*:folder/*",
                    "acs:resourcemanager:*:*:policy/controlpolicy/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListAccount*",
                    "resourcemanager:GetFolder*",
                    "resourcemanager:ListFolder*",
                    "resourcemanager:GetAccount",
                    "resourcemanager:GetControlPolicy*",
                    "resourcemanager:ListControlPolicies",
                    "resourcemanager:ListControlPolicyAttachmentsForTarget",
                    "resourcemanager:ListTargetAttachmentsForControlPolicy",
                    "resourcemanager:ListTagKeys",
                    "resourcemanager:ListTagValues"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Create a RAM user named Alice and grant management permissions on the Business Department 1 folder.

    The administrator of Company Y uses the management account of the resource directory to log on to the RAM console, creates a RAM user named Alice, creates an AccessKey pair, and attaches the following custom policy. For more information, see Create a RAM user, Create a custom policy, and Grant permissions to RAM users.

    Policy document:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListTagKeys",
                    "resourcemanager:ListTagValues"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:*Account*",
                    "resourcemanager:*Parent*",
                    "resourcemanager:*Folder*",
                    "resourcemanager:*Handshake*",
                    "resourcemanager:*Contact*",
                    "resourcemanager:*Members*",
                    "resourcemanager:*ControlPolicy*",
                    "resourcemanager:*ControlPolicies*",
                    "resourcemanager:*SendVerificationCodeFor*",
                    "resourcemanager:*BindSecureMobilePhone*"
                ],
                "Resource": [
                    "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*",  // The RDPath of the Business Department 1 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*",   // The RDPath of the Business Department 1 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****",     // The RDPath of the Business Department 1 folder.
                    "acs:resourcemanager:*:*:handshake/*",
                    "acs:resourcemanager:*:*:policy/controlpolicy/*",
                    "acs:resourcemanager:*:*:messagecontact/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": [
                    "resourcemanager:DeleteControlPolicy",
                    "resourcemanager:UpdateControlPolicy",
                    "resourcemanager:DisableControlPolicy",
                    "resourcemanager:EnableControlPolicy",
                    "resourcemanager:DeleteMessageContact",
                    "resourcemanager:UpdateMessageContact",
                    "resourcemanager:CancelMessageContactUpdate",
                    "resourcemanager:CancelHandshake"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Create a RAM user named Bob and grant management permissions on the Business Department 2 folder.

    The administrator of Company Y uses the management account of the resource directory to log on to the RAM console, creates a RAM user named Bob, creates an AccessKey pair, and attaches the following custom policy. For more information, see Create a RAM user, Create a custom policy, and Grant permissions to RAM users.

    Policy document:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListTagKeys",
                    "resourcemanager:ListTagValues"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:*Account*",
                    "resourcemanager:*Parent*",
                    "resourcemanager:*Folder*",
                    "resourcemanager:*Handshake*",
                    "resourcemanager:*Contact*",
                    "resourcemanager:*Members*",
                    "resourcemanager:*ControlPolicy*",
                    "resourcemanager:*ControlPolicies*",
                    "resourcemanager:*SendVerificationCodeFor*",
                    "resourcemanager:*BindSecureMobilePhone*"
                ],
                "Resource": [
                    "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*",  // The RDPath of the Business Department 2 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*",   // The RDPath of the Business Department 2 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****",     // The RDPath of the Business Department 2 folder.
                    "acs:resourcemanager:*:*:handshake/*",
                    "acs:resourcemanager:*:*:policy/controlpolicy/*",
                    "acs:resourcemanager:*:*:messagecontact/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": [
                    "resourcemanager:DeleteControlPolicy",
                    "resourcemanager:UpdateControlPolicy",
                    "resourcemanager:DisableControlPolicy",
                    "resourcemanager:EnableControlPolicy",
                    "resourcemanager:DeleteMessageContact",
                    "resourcemanager:UpdateMessageContact",
                    "resourcemanager:CancelMessageContactUpdate",
                    "resourcemanager:CancelHandshake"
                ],
                "Resource": "*"
            }
        ]
    }
  5. Verify the result.

    Use the AccessKey pairs of Mike, Alice, and Bob to call the API operations of Resource Directory to access their authorized resources. If Alice can only operate within the Business Department 1 folder and Bob can only operate within the Business Department 2 folder, the configuration is correct.

Solution 2: Use CloudSSO to perform hierarchical management

  1. Enable a resource directory.

    Create an Alibaba Cloud account, complete enterprise real-name verification, enable a resource directory, and create folders named Business Department 1 and Business Department 2 in the resource directory. The administrator of Company Y can be an employee in the financial department. For more information about how to enable a resource directory and create a folder in the resource directory, see Enable a resource directory and Create a folder.

    This account becomes the management account of the resource directory.

  2. Create a CloudSSO user named Mike and grant permissions to configure global control policies.

    The administrator of Company Y uses the management account of the resource directory to log on to the CloudSSO console, creates a CloudSSO user named Mike, specifies a logon password for Mike, creates an access configuration, and then provisions the access configuration for the management account of the resource directory for Mike. For more information, see Create a user, Create a permission set, and Assign access to a member account.

    Inline policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:*ControlPolicy*",
                    "resourcemanager:*ControlPolicies*"
                ],
                "Resource": [
                    "acs:resourcemanager:*:*:account/*",
                    "acs:resourcemanager:*:*:folder/*",
                    "acs:resourcemanager:*:*:policy/controlpolicy/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListAccount*",
                    "resourcemanager:GetFolder*",
                    "resourcemanager:ListFolder*",
                    "resourcemanager:GetAccount",
                    "resourcemanager:GetControlPolicy*",
                    "resourcemanager:ListControlPolicies",
                    "resourcemanager:ListControlPolicyAttachmentsForTarget",
                    "resourcemanager:ListTargetAttachmentsForControlPolicy",
                    "resourcemanager:ListTagKeys",
                    "resourcemanager:ListTagValues"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Create a CloudSSO user named Alice and grant management permissions on the Business Department 1 folder.

    The administrator of Company Y uses the management account of the resource directory to log on to the CloudSSO console, creates a CloudSSO user named Alice, specifies a logon password for Alice, creates an access configuration, and then provisions the access configuration for the management account of the resource directory for Alice. For more information, see Create a user, Create a permission set, and Assign access to a member account.

    Inline policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListTagKeys",
                    "resourcemanager:ListTagValues"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:*Account*",
                    "resourcemanager:*Parent*",
                    "resourcemanager:*Folder*",
                    "resourcemanager:*Handshake*",
                    "resourcemanager:*Contact*",
                    "resourcemanager:*Members*",
                    "resourcemanager:*ControlPolicy*",
                    "resourcemanager:*ControlPolicies*",
                    "resourcemanager:*SendVerificationCodeFor*",
                    "resourcemanager:*BindSecureMobilePhone*"
                ],
                "Resource": [
                    "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*",  // The RDPath of the Business Department 1 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*",   // The RDPath of the Business Department 1 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****",     // The RDPath of the Business Department 1 folder.
                    "acs:resourcemanager:*:*:handshake/*",
                    "acs:resourcemanager:*:*:policy/controlpolicy/*",
                    "acs:resourcemanager:*:*:messagecontact/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": [
                    "resourcemanager:DeleteControlPolicy",
                    "resourcemanager:UpdateControlPolicy",
                    "resourcemanager:DisableControlPolicy",
                    "resourcemanager:EnableControlPolicy",
                    "resourcemanager:DeleteMessageContact",
                    "resourcemanager:UpdateMessageContact",
                    "resourcemanager:CancelMessageContactUpdate",
                    "resourcemanager:CancelHandshake"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Create a CloudSSO user named Bob and grant management permissions on the Business Department 2 folder.

    The administrator of Company Y uses the management account of the resource directory to log on to the CloudSSO console, creates a CloudSSO user named Bob, specifies a logon password for Bob, creates an access configuration, and then provisions the access configuration for the management account of the resource directory for Bob. For more information, see Create a user, Create a permission set, and Assign access to a member account.

    Inline policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListTagKeys",
                    "resourcemanager:ListTagValues"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "resourcemanager:*Account*",
                    "resourcemanager:*Parent*",
                    "resourcemanager:*Folder*",
                    "resourcemanager:*Handshake*",
                    "resourcemanager:*Contact*",
                    "resourcemanager:*Members*",
                    "resourcemanager:*ControlPolicy*",
                    "resourcemanager:*ControlPolicies*",
                    "resourcemanager:*SendVerificationCodeFor*",
                    "resourcemanager:*BindSecureMobilePhone*"
                ],
                "Resource": [
                    "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*",  // The RDPath of the Business Department 2 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*",   // The RDPath of the Business Department 2 folder.
                    "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****",     // The RDPath of the Business Department 2 folder.
                    "acs:resourcemanager:*:*:handshake/*",
                    "acs:resourcemanager:*:*:policy/controlpolicy/*",
                    "acs:resourcemanager:*:*:messagecontact/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": [
                    "resourcemanager:DeleteControlPolicy",
                    "resourcemanager:UpdateControlPolicy",
                    "resourcemanager:DisableControlPolicy",
                    "resourcemanager:EnableControlPolicy",
                    "resourcemanager:DeleteMessageContact",
                    "resourcemanager:UpdateMessageContact",
                    "resourcemanager:CancelMessageContactUpdate",
                    "resourcemanager:CancelHandshake"
                ],
                "Resource": "*"
            }
        ]
    }
  5. Verify the result.

    Use Alibaba Cloud CLI to log on to the CloudSSO user portal separately as Mike, Alice, and Bob. Then, run commands in Alibaba Cloud CLI to access their authorized resources. If Alice can only operate within the Business Department 1 folder and Bob can only operate within the Business Department 2 folder, the configuration is correct. For information about how to use Alibaba Cloud CLI to log on to the CloudSSO user portal, see Use Alibaba Cloud CLI to log on to the CloudSSO user portal.

    Note

    After configuring the CloudSSO hierarchical management solution, you can manage authorized resources only through CLI, not through the CloudSSO console.
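The verification in step 5 of both solutions can be rehearsed offline before any AccessKey pair or CloudSSO user is created. The following is an added Python example, not Alibaba Cloud's code: it takes the Alice/Bob policy document above and evaluates requests against it with simplified RAM rules (an explicit Deny wins over Allow, which wins over the implicit deny; only "*" is a wildcard; Condition elements are not modelled). The RDPath IDs are constructed stand-ins for the masked rd-3G****/r-Wm****/fd-bqp2FA**** values on the page.

```python
import re

# Constructed RDPaths standing in for the page's masked IDs (rd-3G****/r-Wm****/fd-bqp2FA****).
DEPT1 = "rd-3Gaaaa/r-Wmbbbb/fd-bqp2FA0001"   # Business Department 1 folder
DEPT2 = "rd-3Gaaaa/r-Wmbbbb/fd-bqp2FA0002"   # Business Department 2 folder (constructed)
RM = "acs:resourcemanager:*:*:"

def dept_admin_policy(rdpath):
    """The page's Alice/Bob custom policy, with the folder RDPath as a parameter."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues"]},
        {"Effect": "Allow", "Action": [
            "resourcemanager:*Account*", "resourcemanager:*Parent*", "resourcemanager:*Folder*",
            "resourcemanager:*Handshake*", "resourcemanager:*Contact*", "resourcemanager:*Members*",
            "resourcemanager:*ControlPolicy*", "resourcemanager:*ControlPolicies*",
            "resourcemanager:*SendVerificationCodeFor*", "resourcemanager:*BindSecureMobilePhone*"],
         "Resource": [RM + f"account/{rdpath}/*", RM + f"folder/{rdpath}/*", RM + f"folder/{rdpath}",
                      RM + "handshake/*", RM + "policy/controlpolicy/*", RM + "messagecontact/*"]},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "resourcemanager:DeleteControlPolicy", "resourcemanager:UpdateControlPolicy",
            "resourcemanager:DisableControlPolicy", "resourcemanager:EnableControlPolicy",
            "resourcemanager:DeleteMessageContact", "resourcemanager:UpdateMessageContact",
            "resourcemanager:CancelMessageContactUpdate", "resourcemanager:CancelHandshake"]}]}

def matches(pattern, value):
    """RAM-style wildcard: '*' matches any run of characters, everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def evaluate(policy, action, resource):
    """Simplified RAM evaluation: explicit Deny > Allow > implicit Deny (Conditions not modelled)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(matches(a, action) for a in actions) and any(matches(r, resource) for r in resources):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny ends evaluation immediately
            decision = "Allow"
    return decision

def verify_scoping():
    """Offline version of step 5: each department administrator stays inside their own folder."""
    alice, bob = dept_admin_policy(DEPT1), dept_admin_policy(DEPT2)
    acct1 = RM + f"account/{DEPT1}/1234567890"          # constructed member account under Dept 1
    return {
        "alice_folder_in_dept1": evaluate(alice, "resourcemanager:CreateFolder", RM + f"folder/{DEPT1}"),
        "alice_folder_in_dept2": evaluate(alice, "resourcemanager:CreateFolder", RM + f"folder/{DEPT2}"),
        "alice_account_in_dept1": evaluate(alice, "resourcemanager:MoveAccount", acct1),
        "bob_account_in_dept1": evaluate(bob, "resourcemanager:MoveAccount", acct1),
        "alice_create_policy": evaluate(alice, "resourcemanager:CreateControlPolicy", RM + "policy/controlpolicy/cp-0001"),
        "alice_delete_policy": evaluate(alice, "resourcemanager:DeleteControlPolicy", RM + "policy/controlpolicy/cp-0001"),
    }
```

The last two checks show why the Deny statement matters: "resourcemanager:*ControlPolicy*" would otherwise let a department administrator delete or disable a policy that Mike manages globally.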
