This topic describes the differences and relationships among the Resource Directory, Resource Group, and Tag services. This topic also describes the differences between resource group-based authentication and tag-based authentication.
Differences among the Resource Directory, Resource Group, and Tag services
Service | Scenario | Resource isolation method | Management level | Cross-account capability |
Resource Directory | Multi-account scenario. If your enterprise uses multiple Alibaba Cloud accounts to manage cloud resources, you can use the Resource Directory service to build an organizational structure. Then, you can use this structure to manage accounts and resources in a centralized and organized manner. | Accounts are used to isolate resources. | Account level | Resource groups and tags that are created within a member cannot be used by other members. |
Resource Group | Single-account scenario. If your enterprise uses one Alibaba Cloud account to manage all cloud resources and each branch or project team uses RAM users to perform daily operations, you can use the Resource Group service to isolate resources and manage permissions. Examples:
| RAM identities and permission policies are used to isolate resources. Note: For more information about the differences between resource group-based authentication and tag-based authentication, see Differences between resource group-based authentication and tag-based authentication. | Resource level | Resource groups that are created within an Alibaba Cloud account cannot be used by other Alibaba Cloud accounts. |
Tag | Single-account scenario. If your enterprise uses one Alibaba Cloud account to manage all cloud resources and each branch or project team uses RAM users to perform daily operations, you can use the Tag service to effectively manage resources. Examples:
| Resource level | Tags that are created within an Alibaba Cloud account cannot be used by other Alibaba Cloud accounts. |
Relationships among the Resource Directory, Resource Group, and Tag services
The Resource Directory, Resource Group, and Tag services complement each other and can be used together. For example, an enterprise consists of multiple branches, departments, or project teams. If the enterprise is compared to a tree, the Resource Directory service can be used to build the trunk and branches of the tree. The Resource Group and Tag services can be used to summarize and manage the leaves of the branches. The enterprise can select one or more of the three services based on its business requirements.
Differences between resource group-based authentication and tag-based authentication
You can use resource groups and tags to classify resources and implement finer-grained permission management than accounts. The following table describes the differences between resource group-based authentication and tag-based authentication.
Authentication method | Scenario | Supported Alibaba Cloud service | Example |
Resource group-based authentication | If the cloud resources that you use support resource groups, you can add the resources to resource groups and grant permissions on the resource groups to different accounts. If you use this method, you can directly use system permission policies without the need to learn how to use the policies. If you want to implement finer-grained permission management, you can use custom permission policies. | ||
Tag-based authentication | If the cloud resources that you use support tags, you can add tags to the resources and grant permissions on the tags to different accounts. If you use this method, you must specify the tags whose permissions you want to grant in the Condition element of a custom permission policy. This method implements finer-grained permission management and is more flexible than resource group-based authentication. However, this method requires that you have a good command of custom permission policies. | To obtain the supported services, log on to the Resource Management console, choose Tag > Tag in the left-side navigation pane, click the Resource Tagging Capabilities tab, and then find the resource types for which the value of Tag Ram Support is Support. |
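A custom permission policy of the kind the tag-based authentication row describes, added here as an example and not taken from the original page. The tag key `team`, the value `dev`, and the selected ECS actions are constructed sample values; `acs:ResourceTag/<key>` is the RAM condition key that matches a tag on the target resource.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:RebootInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/team": ["dev"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:TagResources",
        "ecs:UntagResources"
      ],
      "Resource": "*"
    }
  ]
}
```

The Deny statement is there because a tag-based grant is only as trustworthy as the tags themselves: a RAM user who can retag a resource can move it into or out of their own permission scope.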