Use tags to perform group-based service authorization - Resources Management| Alibaba Cloud Documentation Center

You can use the tagging feature to group services and authorize different roles to manage services in different groups.

Background information

For example, you have created 10 services in the Function Compute console. You want to authorize the dev team to manage five services and the ops team to manage the other five services. In addition, you want the dev and ops teams to view only the services that they are authorized to manage.

In this case, you can attach different tags to the services for different teams, add RAM users in different teams to different user groups, and grant the corresponding permissions to these groups. You can attach the team:dev tag to five services and the team:ops tag to the other five services.

Procedure

Attach the team:dev tag to the five services that you want to authorize the dev team to manage, and attach the team:ops tag to the five services that you want to authorize the ops team to manage. For more information, see Create tags.
Create a RAM user.
Create a RAM user group.
Create two user groups named dev and ops.
Add a RAM user to a RAM user group.
Add RAM users in different teams to different user groups.
Grant different permissions to the two user groups.
Function Compute supports system policies and custom policies. You can select an appropriate policy as needed.
- Grant permissions to different user groups by using system policies.
  For more information, see Grant permissions to a RAM user group.
- Grant permissions to different user groups by using custom policies.
  1. Create a custom policy.
    For example, you can create a custom policy named policyForDevTeam that is used to grant permissions to the dev team. The following sample code shows the policy:
```
{
    "Statement": [
        {
            "Action": "fc:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "fc:tag/team": "dev"
                }
            }
        },
        {
            "Action": "fc:ListServices",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "fc:GetResourceTags",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}         
```
    Then, you can create a custom policy named policyForOpsTeam that is used to grant permissions to the ops team. The following sample code shows the policy:
```
{
    "Statement": [
        {
            "Action": "fc:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "fc:tag/team": "ops"
                }
            }
        },
        {
            "Action": "fc:ListServices",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "fc:GetResourceTags",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}          
```
  2. Grant permissions to a RAM user group.
    Select the created custom policies when you grant permissions to the two user groups.
After the authorization is complete, the RAM users in the dev user group can manage only the services tagged with team:dev and the RAM users in the ops user group can manage only the services tagged with team:ops.