Resource Orchestration Service: Best practices for RAM permissions

Last Updated: Jun 16, 2026

Manage RAM permissions within a single account by applying best practices for user management, resource grouping, permission configuration, and access control. An e-commerce website project is used as an example.

Prerequisites

To manage RAM permissions for an e-commerce project, use the ROS template RAM Account Permission Management to automatically set up a single-account environment for user and permission management. Before you begin, complete the following tasks:

  • Ensure that you have permissions to access ECS, VPC, ApsaraDB RDS, OSS, and RAM.

  • Create resource groups for your development, production, and test environments, and obtain their IDs. For more information about how to create a resource group, see Create a resource group.

Step 1: Create a stack

  1. Log in to the ROS console.

  2. In the left-side navigation pane, click Public Templates.

  3. Find the Use RAM to Manage Account Permissions template.

  4. Click Create Stack.

  5. On the Configure Parameters page, enter a Stack Name and configure the following parameters.

    The parameters are listed by parameter group. Each entry gives the parameter, its description, and an example value.

    Parameter group: Resource group

    • Development resource group ID
      Description: The ID of the resource group for the development environment.
      Example: rg-aekzs3xmizs****

    • Production resource group ID
      Description: The ID of the resource group for the production environment.
      Example: rg-aekzko7fsuj****

    • Test resource group ID
      Description: The ID of the resource group for the test environment.
      Example: rg-aekzsvnra53****

    Parameter group: VPC

    • Development environment VPC CIDR block
      Description: The CIDR block of the VPC for the development environment.
      Example: 172.16.0.0/12

    • Production environment VPC CIDR block
      Description: The CIDR block of the VPC for the production environment.
      Example: 10.0.0.0/8

    • Test environment VPC CIDR block
      Description: The CIDR block of the VPC for the test environment.
      Example: 192.168.0.0/16

    • vSwitch Zone
      Description: The ID of the availability zone for the vSwitch.
      Example: China (Hangzhou) Zone K

    • Development vSwitch CIDR block
      Description: The CIDR block of the vSwitch for the development environment. The CIDR block must be a subnet of the VPC's CIDR block.
      Example: 172.16.10.0/24

    • Production vSwitch CIDR block
      Description: The CIDR block of the vSwitch for the production environment. The CIDR block must be a subnet of the VPC's CIDR block.
      Example: 10.0.10.0/24

    • Test vSwitch CIDR block
      Description: The CIDR block of the vSwitch for the test environment. The CIDR block must be a subnet of the VPC's CIDR block.
      Example: 192.168.10.0/24

    Parameter group: ECS

    • Instance specification
      Description: The instance type of the ECS instance. Select a valid instance type. For more information, see Instance families.
      Example: ecs.c5.large

    • Image
      Description: The ID of the ECS image. The default value is centos_7. For more information, see Image overview.
      Example: centos_7

    • System Disk Type
      Description: The category of the system disk. Valid values:
        cloud_efficiency: ultra disk
        cloud_ssd: standard SSD
        cloud_essd: ESSD
        cloud: basic disk
        ephemeral_ssd: local SSD
      For more information, see Cloud disk overview.
      Example: cloud_efficiency

    • System disk size
      Description: The size of the system disk. Range: 40 to 500. Unit: GB.
      Example: 40

    • Instance password
      Description: The password of the ECS instance.
      Example: Test_12****

    Parameter group: RDS

    • Engine and version
      Description: The database engine type and version of the ApsaraDB RDS instance.
      Example: MySQL-5.7

    • Instance specification
      Description: The instance type of the ApsaraDB RDS instance. Select a valid instance type. For more information, see Primary ApsaraDB RDS instance types.
      Example: rds.mysql.s2.large

    • Storage Capacity
      Description: The storage space of the ApsaraDB RDS instance. Range: 5 to 1000, in 5 GB increments. Unit: GB.
      Example: 20

    Parameter group: OSS

    • Access control
      Description: The access control list (ACL) of the OSS bucket. Valid values:
        private: All access to objects in the bucket requires authentication.
        public-read: Write access to objects requires authentication, but read access is anonymous.
        public-read-write: All users have read and write access to objects in the bucket.
      Example: private

    • Storage class
      Description: The storage class of the OSS bucket. Valid values:
        Standard: Standard
        IA: Infrequent Access (IA)
        Archive: Archive
      Example: Standard

    • Development bucket name
      Description: The name of the OSS bucket for the development environment.
      Example: ros-projects-dev

    • Production bucket name
      Description: The name of the OSS bucket for the production environment.
      Example: ros-projects-prod

    • Test bucket name
      Description: The name of the OSS bucket for the test environment.
      Example: ros-projects-test

    • Code release bucket name
      Description: The name of the OSS bucket for code releases.
      Example: ros-projects-code

    • Other bucket name
      Description: The name of the OSS bucket for other purposes.
      Example: ros-projects-other

    • Release directory name
      Description: The name of the OSS directory for the development environment.
      Example: release

    • Production directory name
      Description: The name of the OSS directory for the production environment.
      Example: prod

    Parameter group: RAM

    • Operations user group name
      Description: The name of the user group for operations.
      Example: sa

    • Development user group name
      Description: The name of the user group for development.
      Example: dev

    • Test user group name
      Description: The name of the user group for testing.
      Example: test

    • Development environment app user group name
      Description: The name of the application user group for the development environment.
      Example: app-dev

    • Production environment app user group name
      Description: The name of the application user group for the production environment.
      Example: app-prod

    • Test environment app user group name
      Description: The name of the application user group for the test environment.
      Example: app-test

    • Development RAM user name
      Description: The name of the RAM user for development.
      Example: sts_dev

    • Production RAM user name
      Description: The name of the RAM user for production.
      Example: sts_prod

    • Test RAM user name
      Description: The name of the RAM user for testing.
      Example: sts_test

  6. Click Create.

  7. On the Stack Information tab, view the status of the stack. After the stack is successfully created, click the Output tab to obtain the AccessKey ID and AccessKey Secret for the development, test, and production environments.
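The parameter table above states several constraints that the console does not check until the stack creation fails: each vSwitch CIDR block must lie inside its environment's VPC CIDR block, the system disk must be 40 to 500 GB, RDS storage must be 5 to 1000 GB in 5 GB increments, and the OSS ACL must be one of the listed values. The following Python script is an added example, not part of the ROS template or of this document, that pre-checks a proposed parameter set against those constraints and flags a bucket ACL other than private, since public-read and public-read-write grant access without authentication. The dictionary keys (dev_vpc_cidr and so on) are constructed for the example and are not the template's own parameter names; the sample values are the example values from the table.

```python
import ipaddress

# Valid values exactly as the parameter table lists them.
SYSTEM_DISK_CATEGORIES = {"cloud_efficiency", "cloud_ssd", "cloud_essd", "cloud", "ephemeral_ssd"}
OSS_ACLS = {"private", "public-read", "public-read-write"}
OSS_STORAGE_CLASSES = {"Standard", "IA", "Archive"}
ENVS = ("dev", "prod", "test")

# Constructed sample input built from the example values in the parameter table.
# The keys are invented for this example; they are not the template's parameter names.
EXAMPLE_PARAMS = {
    "dev_resource_group_id": "rg-aekzs3xmizs****",
    "prod_resource_group_id": "rg-aekzko7fsuj****",
    "test_resource_group_id": "rg-aekzsvnra53****",
    "dev_vpc_cidr": "172.16.0.0/12", "dev_vswitch_cidr": "172.16.10.0/24",
    "prod_vpc_cidr": "10.0.0.0/8", "prod_vswitch_cidr": "10.0.10.0/24",
    "test_vpc_cidr": "192.168.0.0/16", "test_vswitch_cidr": "192.168.10.0/24",
    "system_disk_category": "cloud_efficiency",
    "system_disk_size_gb": 40,
    "rds_storage_gb": 20,
    "oss_acl": "private",
    "oss_storage_class": "Standard",
}


def validate_params(params):
    """Return a list of (severity, message) findings; an empty list means the parameters pass."""
    findings = []

    # The prerequisites call for one resource group per environment, so all
    # three IDs must be present and distinct.
    rg_ids = [params.get(f"{env}_resource_group_id") for env in ENVS]
    if not all(rg_ids):
        findings.append(("error", "a resource group ID is required for dev, prod and test"))
    elif len(set(rg_ids)) != len(ENVS):
        findings.append(("error", "dev, prod and test must not share a resource group"))

    # Each vSwitch CIDR block must be a subnet of its environment's VPC CIDR block.
    for env in ENVS:
        try:
            vpc = ipaddress.ip_network(params[f"{env}_vpc_cidr"])
            vsw = ipaddress.ip_network(params[f"{env}_vswitch_cidr"])
        except (KeyError, ValueError) as exc:
            findings.append(("error", f"{env}: missing or malformed CIDR block ({exc})"))
            continue
        if not vsw.subnet_of(vpc):
            findings.append(("error", f"{env}: vSwitch {vsw} is not a subnet of VPC {vpc}"))

    # ECS system disk: one of the listed categories, 40 to 500 GB.
    if params.get("system_disk_category") not in SYSTEM_DISK_CATEGORIES:
        findings.append(("error", "system disk category must be one of the listed cloud disk types"))
    size = params.get("system_disk_size_gb")
    if not isinstance(size, int) or not 40 <= size <= 500:
        findings.append(("error", "system disk size must be between 40 and 500 GB"))

    # ApsaraDB RDS storage: 5 to 1000 GB in 5 GB increments.
    rds = params.get("rds_storage_gb")
    if not isinstance(rds, int) or not 5 <= rds <= 1000 or rds % 5 != 0:
        findings.append(("error", "RDS storage must be 5 to 1000 GB in 5 GB increments"))

    # OSS bucket ACL: must be a listed value. Anything other than private allows
    # anonymous reads (public-read) or unauthenticated read and write (public-read-write).
    acl = params.get("oss_acl")
    if acl not in OSS_ACLS:
        findings.append(("error", "OSS ACL must be private, public-read or public-read-write"))
    elif acl != "private":
        findings.append(("warning", f"OSS ACL {acl!r} allows unauthenticated access; use private unless public access is intended"))
    if params.get("oss_storage_class") not in OSS_STORAGE_CLASSES:
        findings.append(("error", "OSS storage class must be Standard, IA or Archive"))

    return findings


if __name__ == "__main__":
    for severity, message in validate_params(EXAMPLE_PARAMS) or [("ok", "all parameters pass")]:
        print(f"[{severity}] {message}")
```

Run the script before creating the stack and fix every error it reports; a warning on the ACL is the one finding you may choose to accept, and only for a bucket that is meant to serve public content.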

Step 2: View resources

  1. In the left-side navigation pane, click Resource stack.

  2. On the Stacks page, click the name of the target stack.

  3. Click the Resources tab to view resource information.

    The following table describes the resources created in this example.

    Each entry gives the resource type, the quantity created, its description, and its specifications.

    • ALIYUN::RAM::Group (quantity: 6)
      Six RAM user groups are created to categorize RAM users by job responsibility and streamline policy management.
      Specifications: N/A

    • ALIYUN::ECS::SecurityGroup (quantity: 3)
      Three security groups are created to define security domains in the cloud.
      Specifications: N/A

    • ALIYUN::RDS::DBInstance (quantity: 1)
      One ApsaraDB RDS instance is created to store data.
      Specifications:
        rds.mysql.s2.large: General-purpose, 2 vCPUs, 4 GB of memory.
        Storage space: 20 GB.

    • ALIYUN::ECS::vSwitch (quantity: 3)
      Three vSwitches are created to manage instances within a single availability zone.
      Specifications: N/A

    • ALIYUN::OSS::Bucket (quantity: 5)
      Five buckets are created to store data for the development, production, and test environments.
      Specifications: N/A

    • ALIYUN::ECS::Instance (quantity: 3)
      Three ECS instances are created to host workloads for the development, production, and test environments.
      Specifications:
        Total quantity: 3.
        Instance type: ecs.c5.large.
        Disk category: ultra disk.
        System disk size: 40 GB.
        Assign public IP address: No.

    • ALIYUN::RAM::Role (quantity: 3)
      Three RAM roles are created to grant temporary access through short-term STS tokens, which is more secure than using long-term keys.
      Specifications: N/A

    • ALIYUN::RAM::User (quantity: 3)
      Three RAM users are created, each representing a person or application that needs to access cloud resources.
      Specifications: N/A

    • ALIYUN::ECS::VPC (quantity: 3)
      Three VPCs are created to enhance the security of your cloud network.
      Specifications: N/A

    Note

    For pricing details, see the pricing documentation for each product.