This topic describes how an enterprise that has multiple cloud resources can use RAM to manage the permissions of employees to access the cloud resources.

Background information

Enterprise A has purchased various Alibaba Cloud resources, such as ECS instances, ApsaraDB for RDS instances, SLB instances, and OSS buckets, for the migration of a project. Certain employees need to perform operations on these cloud resources. Different employees require different permissions to fulfill their duties. Enterprise A has the following requirements:

  • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A prefers to create different RAM user accounts for the employees and grant different permissions to these user accounts.
  • The RAM users can only perform operations on resources after they are granted the corresponding permissions.

    Enterprise A can revoke the permissions granted to RAM users and delete user accounts at any time.

  • Fees on resources incurred by RAM users are billed to the parent Alibaba Cloud account.

Requirement analysis

  • Employees do not share the Alibaba Cloud account, which prevents the accidental disclosure of the account password and AccessKey pair.
  • Different employees are allocated with independent RAM user accounts (or operator accounts) and granted independent permissions to ensure that their responsibilities are consistent with their permissions.
  • All the operations performed by all RAM user accounts can be audited.
  • Fees on resources incurred by RAM users are billed to the parent Alibaba Cloud account.




  1. Enable an MFA device for an Alibaba Cloud account to avoid risks associated with mistaken exposure of the Alibaba Cloud account password.
  2. Create RAM users. Create RAM user accounts for different employees (or apps) and set logon passwords or create AccessKey pairs.
  3. Create RAM user groups. If multiple employees have the same responsibility, we recommend that you create a RAM user group and add the corresponding users to the group.
  4. Permission granting in RAM to RAM users. Attach one or more system policies to the RAM user group or RAM users. For finer-grained authorization, you can create one or more Manage policies and attach them to the RAM user group or RAM users.