Grant resource group-level permissions to a RAM identity


You can designate an administrator for each resource group. Administrators can then grant permissions on the resource group to other users.

Prerequisites

You have an Alibaba Cloud account or a RAM identity (RAM user or RAM role) that has the permissions to manage resource group authorization.

Background information

How resource group authorization relates to Resource Access Management (RAM):

  • RAM provides the permission management service for resource group authorization.

  • Resource group authorization uses all RAM policies, including system policies and custom policies.

  • Resource group authorization grants permissions to RAM users, RAM user groups, or RAM roles.

  • When the resource scope is account-level, permissions take effect within the current Alibaba Cloud account. When the resource scope is resource group-level, permissions take effect only within the corresponding resource group.

Procedure

You can grant permissions in the Resource Management or RAM console. In this example, the Resource Management console is used.

  1. Log on to the Resource Management console. The Resource Group page appears.

  2. On the Resource Group page, find the resource group that you want to manage and click Permissions in the Actions column.

  3. On the Permissions tab, click Grant Permission.

  4. In the Grant Permission panel, set the Principal and Policy, and then click OK.

    • Resource Scope: Defaults to the current resource group. The permissions apply only within this resource group.

    • Principal: Select the RAM user, RAM role, or RAM user group to authorize.

    • Policy Name: Select the system policy or custom policy to apply.

Result

The principal now has the specified permissions on the resources in the resource group.
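The following added example (not part of the original documentation and not Alibaba Cloud code) models the resource scope rule from the Background information section. It flags grants held by a designated resource group administrator that reach beyond the group that principal administers. The `Grant` record shape, the principal names, and the resource group names are constructed for illustration and are not the output of any Alibaba Cloud API.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    principal: str            # RAM user, RAM user group, or RAM role
    policy: str               # system or custom policy name
    scope: str                # "account" or "resource_group"
    resource_group: Optional[str] = None   # set only for resource-group scope

def applies(grant: Grant, resource_rg: str) -> bool:
    """A grant reaches a resource if it is account-level, or if it is
    scoped to the resource group that contains the resource."""
    if grant.scope == "account":
        return True
    return grant.scope == "resource_group" and grant.resource_group == resource_rg

def reachable_groups(grants, principal, all_groups):
    """Resource groups in which the principal holds at least one permission."""
    return sorted(rg for rg in all_groups
                  if any(g.principal == principal and applies(g, rg) for g in grants))

def over_scoped(grants, rg_admins):
    """Grants held by a designated resource group administrator that reach
    beyond the group(s) that principal administers."""
    findings = []
    for g in grants:
        owned = rg_admins.get(g.principal)
        if owned is None:
            continue  # not a designated resource group administrator
        if g.scope == "account" or g.resource_group not in owned:
            findings.append(g)
    return findings

# Constructed sample data (hypothetical principals and resource groups).
GROUPS = {"rg-prod", "rg-dev"}
RG_ADMINS = {"alice": {"rg-dev"}, "bob": {"rg-prod"}}
GRANTS = [
    Grant("alice", "AdministratorAccess", "resource_group", "rg-dev"),
    Grant("bob", "AdministratorAccess", "resource_group", "rg-prod"),
    Grant("bob", "AliyunECSReadOnlyAccess", "account"),
    Grant("ops-role", "AliyunECSReadOnlyAccess", "account"),
]

if __name__ == "__main__":
    for p in ("alice", "bob"):
        print(p, "reaches", reachable_groups(GRANTS, p, GROUPS))
    for g in over_scoped(GRANTS, RG_ADMINS):
        print("review:", g)
```

In the sample data, the account-level read-only grant lets `bob` reach `rg-dev` even though `bob` administers only `rg-prod`, so that grant is the one returned for review.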

References

To grant permissions in the RAM console, see Manage RAM user permissions, Grant permissions to a RAM user group, and Manage permissions for a RAM role.