This topic introduces identity and permission management by using CloudSSO in multi-account scenarios.
Resource Access Management (RAM) allows you to manage permissions, manage identities, and configure single sign-on (SSO) within one Alibaba Cloud account. The identities include RAM users, RAM user groups, or RAM roles.
If only a small number of Alibaba Cloud accounts are created for your enterprise, you can use RAM to manage the identities and permissions for the Alibaba Cloud accounts in an efficient manner. However, if a large number of Alibaba Cloud accounts are created for your enterprise, the use of RAM can be inefficient. This is because you must manage the identities and permissions and configure SSO within each Alibaba Cloud account. In this case, we recommend that you use CloudSSO.
CloudSSO is integrated with Alibaba Cloud Resource Directory to provide unified multi-account identity management and access control. You can configure settings only in CloudSSO. After the configuration, you can manage identities and permissions for multiple Alibaba Cloud accounts to implement SSO access in a centralized manner. To manage identities and permissions in a centralized manner, you can use the CloudSSO directory. CloudSSO is independent of RAM, but uses the system policies and the syntax of custom policies in RAM to manage permissions. When a CloudSSO user accesses an account in a resource directory, the user assumes the RAM role of the account to implement SSO access. For more information, see What is CloudSSO?.
CloudSSO and RAM do not affect the functionality of each other. You can use CloudSSO or RAM based on your business requirements.