
Resource Management: Grant a RAM user the permissions to use Resource Center

Last Updated: Oct 11, 2023

If you want to use Resource Center as a RAM user, you must make sure that the RAM user is granted the required permissions.

Background information

Permissions to access Resource Center

Follow the principle of least privilege when you grant permissions to a RAM user.

  • System policies

    • AliyunResourceCenterFullAccess: grants the permissions to manage Resource Center.

    • AliyunResourceCenterReadOnlyAccess: grants the read-only permissions on Resource Center.

  • Custom policies

    If the system policies do not meet your requirements, you can create a custom policy. For the authorization information of Resource Center, see RAM authorization.

Permissions to search for resources in Resource Center

Within a single account

  • Permissions to view resources

    After a RAM user is granted the read-only permissions on a resource, you can view the resource in Resource Center as the RAM user.

    For example, if you want a RAM user to view all resources within your Alibaba Cloud account in Resource Center, you can attach the system policy ReadOnlyAccess to the RAM user. If you want a RAM user to view only virtual private clouds (VPCs) in Resource Center, you can attach the system policy AliyunVPCReadOnlyAccess to the RAM user.

  • Permissions to view resources in a resource group

    If the resources within your Alibaba Cloud account are managed by resource group, you can grant a RAM user the permissions to view only the resources in a specific resource group. This way, the RAM user can view only the specific resources in Resource Center. This helps isolate resources. For more information, see Add RAM authorization.

Across accounts

After the system policy AliyunResourceCenterFullAccess is attached to a RAM user within the management account of a resource directory, you can search for resources across accounts in Resource Center as the RAM user.

Permissions to manage resource groups in Resource Center

  • Permissions to create resource groups

    After a RAM user is granted the ram:CreateResourceGroup permission, you can create resource groups in Resource Center as the RAM user.

  • Permissions to transfer resources across resource groups

    After a RAM user is granted the permissions to transfer resources across resource groups, you can transfer resources across resource groups in Resource Center as the RAM user.

For example, after the following custom policy is attached to a RAM user, you can create resource groups and transfer VPCs across resource groups in Resource Center as the RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceGroup",
        "vpc:MoveResourceGroup"
      ],
      "Resource": "*"
    }
  ]
}
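The custom policy above allows its two actions on every resource ("Resource": "*"), so a review should confirm that the policy stays this narrow over time. The following is an added example, not part of the original documentation or any Alibaba Cloud tool: a small audit that compares a policy document with the two actions named on this page. The function names and the broadened sample policy are constructed for illustration.

```python
import json

# Actions the custom policy on this page is meant to grant (taken from the page).
EXPECTED_ACTIONS = {"ram:CreateResourceGroup", "vpc:MoveResourceGroup"}

def _as_list(value):
    """Policy elements may be a single item or a list of items."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, expected=EXPECTED_ACTIONS):
    """Flag Allow statements that grant more than the expected actions.

    Returns (statement_index, finding, value) tuples. Action names are
    compared exactly, so a case variant is reported for manual review.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements add permissions
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, "wildcard-action", action))
            elif action not in expected:
                findings.append((idx, "unexpected-action", action))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "all-resources", "*"))
    return findings

# The custom policy from this page.
PAGE_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ram:CreateResourceGroup", "vpc:MoveResourceGroup"],
  "Resource": "*"}]}"""

# Constructed sample: the same policy after someone widened the VPC action.
BROAD_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ram:CreateResourceGroup", "vpc:*"],
  "Resource": "*"}]}"""

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc))
```

For the page's policy the only finding is the all-resources scope; the widened variant additionally reports the `vpc:*` wildcard.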

Permissions to manage tags in Resource Center

After the system policy AliyunTagAdministratorAccess is attached to a RAM user, you can add tags to and remove tags from resources in Resource Center as the RAM user.