Use tags to perform group-based service authorization - Resources Management| Alibaba Cloud Documentation Center

You can use the tagging feature to group services and authorize different roles to manage services in different groups.

Sample scenario

Assume that you have created 10 services in the Function Compute console. You want to authorize the dev team to manage five services and the ops team to manage the other five services. The dev and ops teams can view only the services that they are authorized to manage.

You can use the tagging feature to add teams to different groups and grant different permissions to different groups. In this scenario, you can attach the team:dev tag to five services and the team:ops tag to the other five services.

Procedure

Attach the team:dev tag to the five services that you want to authorize the dev team to manage, and attach the team:ops tag to the five services that you want to authorize the ops team to manage. For more information, see Create tags.
Create a RAM user.
Create a RAM user group.
Create two user groups named dev and ops.
Add a RAM user to a RAM user group.
Create RAM users and add them to the corresponding user groups.
Grant different permissions to the two user groups.
Function Compute supports system policies and custom policies. You can select an appropriate policy as needed.
- Grant permissions to different user groups by using system policies.
  For more information, see Grant permissions to a RAM user group.
- Grant permissions to different user groups by using custom policies.
  1. Create a custom policy.
    Assume that the custom policy named policyForDevTeam is used to grant permissions to the dev team. The following example shows the policy:
```
{
    "Statement": [
    {
        "Action": "fc:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "fc:tag/team": "dev"
            }
        }
    },
    {
        "Action": "fc:*",
        "Effect": "Allow",
        "Resource": "*"
    }
    ],
    "Version": "1"
}            
```
    Assume that the custom policy named policyForOpsTeam is used to grant permissions to the ops team. The following example shows the policy:
```
{
    "Statement": [
    {
        "Action": "fc:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "fc:tag/team": "ops"
            }
        }
    },
    {
        "Action": "fc:*",
        "Effect": "Allow",
        "Resource": "*"
    }
    ],
    "Version": "1"
}           
```
  2. Grant permissions to a RAM user group.
    Select the created custom policies when you grant permissions to user groups.
After the authorization is complete, the RAM users in the dev user group can manage only the services tagged with team:dev and the RAM users in the ops user group can manage only the services tagged with team:ops.