All Products
Search

This Product

    Resource Management:Grant permissions on resource groups to a RAM identity

    Document Center

    Resource Management:Grant permissions on resource groups to a RAM identity

    Last Updated:Jun 26, 2025

    After you create resource groups, you can designate an administrator for each resource group. Resource group administrators can grant the operation permissions on the resource groups to other users.

    Prerequisites

    An Alibaba Cloud account or a RAM identity (RAM user or RAM role) that has the permissions to manage resource group authorization is prepared.

    Background information

    Relationship between resource group authorization and Resource Access Management (RAM):

    • RAM offers permission management for resource group authorization.

    • Resource group authorization uses all the policies in RAM. The policies include system policies and custom policies.

    • Resource group authorization grants permissions to RAM users, RAM user groups, or RAM roles.

    • If you set Resource Scope to Account when you grant permissions in the RAM console, the permissions take effect on the current Alibaba Cloud account. If you set Resource Scope to ResourceGroup when you grant permissions in the RAM console, the permissions take effect only on the specified resource group.

    Procedure

    You can grant permissions in the Resource Management or RAM console. In this example, the Resource Management console is used.

    1. Log on to the Resource Management console. The Resource Group page appears.

    2. On the Resource Group page, find the desired resource group and click Manage Permission in the Actions column.

    3. On the Permissions tab, click Grant Permission.

      image

    4. In the Grant Permission panel, configure the Principal and Policy parameters, and click Grant permissions.

      image

      • Resource Scope: By default, the current resource group is selected. This indicates that the permissions take effect only on this resource group.

      • Principal: Select the RAM user, RAM role, or RAM user group to which you want to grant permissions.

      • Policy: Select a system or custom policy based on your business requirements.

    Result

    After the authorization is complete, the principal is granted the relevant permissions on the resources in the resource group.

    References

    For information about how to grant permissions in the RAM console, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.