ApsaraMQ for RocketMQ: Use resource groups for fine-grained control

Last Updated: Apr 23, 2026

Using resource groups to organize your resources allows you to integrate with Resource Access Management (RAM) for resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes which ApsaraMQ for RocketMQ resources support resource groups and provides step-by-step instructions on how to grant permissions at the resource group level.

How resource group authorization works

You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create a dedicated resource group for each project and move the project's resources into that group for centralized management. For more information, see What is a resource group?

After organizing your resources, you can grant permissions to specific RAM principals, such as RAM users, RAM user groups, or RAM roles, for a specified resource group. This limits each principal to managing only the resources within that group. For more information, see Resource grouping and authorization.

This authorization method provides the following benefits:

  • Fine-grained permissions: Each identity receives only the specific permissions it needs, preventing the commingling of resource management across different projects.

  • Scalability: When you add new resources, simply assign them to the resource group. The RAM principals with access to that group automatically gain the corresponding permissions for the new resources without requiring further authorization.

Grant resource group-level permissions

The following example demonstrates how to grant permissions to a RAM user to manage ApsaraMQ for RocketMQ resources within a specific resource group.

1. Prerequisites

  1. Create the RAM user that you want to use. For instructions, see Create a RAM user.

  2. Create a resource group and move your existing resources into it. For instructions, see Create a resource group, Automatically transfer resources, and Manually transfer resources.

2. Grant resource group-level permissions

You can grant resource group-level permissions by using one of the following methods.

Method 1: Resource Management console

Use the permission management feature of a resource group to grant permissions to a specific RAM user. For more details, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.

  • On the Manage Permissions tab, click Grant Permission.

  • In the Grant Permission panel, configure the principal and policy.

    • Principal: Select an existing RAM user.

    • Policy: Select a system policy or a custom policy that you have created. For instructions, see Create a custom policy.

  • Click Confirm.

Method 2: RAM console

Use the RAM console to grant resource group-level permissions to a specific RAM user. For more details, see Manage permissions for a RAM user.

  • Log on to the RAM console with your Alibaba Cloud account (root account) or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, configure the following settings.

    • Resource Scope: Select Resource Group.

    • Principal: Select the RAM user you created in the prerequisites or another existing RAM user.

    • Policy: Select a system policy or a custom policy that you have created. For instructions, see Create a custom policy.

  • Click Confirm.

Resource types that support resource groups

The following table lists the ApsaraMQ for RocketMQ resource types that support resource groups.

| Cloud service | Service code | Resource type |
| --- | --- | --- |
| ApsaraMQ for RocketMQ | rocketmq | instance |

Note

For resource types that do not yet support resource groups, you can submit feedback in the Resource Management console.

Actions without resource group-level authorization

The following ApsaraMQ for RocketMQ actions do not support resource group-level authorization:

| Action | Description |
| --- | --- |
| rocketmq:CheckServiceLinkedRole | - |
| rocketmq:CreateServiceLinkedRole | - |
| rocketmq:DeleteDiagnosis | - |
| rocketmq:ExportDiagnose | - |
| rocketmq:GetDiagnosis | - |
| rocketmq:GetUserMetrics | - |
| rocketmq:GetUserTags | - |
| rocketmq:InvokeGenericService | - |
| rocketmq:ListAllTags | - |
| rocketmq:ListDiagnosis | - |
| rocketmq:ListDisasterRecoveryPlans | Queries a list of backup plans. |
| rocketmq:ListFaultDrillTasks | - |
| rocketmq:ListInstanceContainsV4 | - |
| rocketmq:ListMetricMeta | Queries a list of monitoring metrics. |
| rocketmq:ListMigrations | Queries a list of migration tasks. |
| rocketmq:ListRegions | - |

For actions that do not support resource group-level authorization, setting the Resource Scope to Resource Group has no effect. If a RAM user requires permissions for these actions, you must create a custom policy with the resource scope set to Account Level.

The following two examples show custom policies. You can modify their content to meet your business requirements.

  • To allow all read-only actions that do not support resource group-level authorization, specify them in the Action element of the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "rocketmq:GetDiagnosis",
            "rocketmq:GetUserMetrics",
            "rocketmq:GetUserTags",
            "rocketmq:ListAllTags",
            "rocketmq:ListDiagnosis",
            "rocketmq:ListDisasterRecoveryPlans",
            "rocketmq:ListFaultDrillTasks",
            "rocketmq:ListInstanceContainsV4",
            "rocketmq:ListMetricMeta",
            "rocketmq:ListMigrations",
            "rocketmq:ListRegions"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • To allow all actions that do not support resource group-level authorization, specify them in the Action element of the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "rocketmq:CheckServiceLinkedRole",
            "rocketmq:CreateServiceLinkedRole",
            "rocketmq:DeleteDiagnosis",
            "rocketmq:ExportDiagnose",
            "rocketmq:GetDiagnosis",
            "rocketmq:GetUserMetrics",
            "rocketmq:GetUserTags",
            "rocketmq:InvokeGenericService",
            "rocketmq:ListAllTags",
            "rocketmq:ListDiagnosis",
            "rocketmq:ListDisasterRecoveryPlans",
            "rocketmq:ListFaultDrillTasks",
            "rocketmq:ListInstanceContainsV4",
            "rocketmq:ListMetricMeta",
            "rocketmq:ListMigrations",
            "rocketmq:ListRegions"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

RAM users or RAM roles with account-level permissions can operate on all resources in the account. Always follow the principle of least privilege and grant only the permissions required.
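The following added example (not from Alibaba Cloud's documentation or tooling) checks a policy meant for Resource Group scope against the action list above and builds an account-level policy limited to the grants that would otherwise have no effect. The function names and `SAMPLE_GROUP_POLICY` are constructed for illustration.

```python
import fnmatch
import json

# Actions the page lists as not supporting resource group-level authorization.
ACCOUNT_LEVEL_ONLY = ["rocketmq:" + name for name in (
    "CheckServiceLinkedRole CreateServiceLinkedRole DeleteDiagnosis "
    "ExportDiagnose GetDiagnosis GetUserMetrics GetUserTags "
    "InvokeGenericService ListAllTags ListDiagnosis ListDisasterRecoveryPlans "
    "ListFaultDrillTasks ListInstanceContainsV4 ListMetricMeta ListMigrations "
    "ListRegions").split()]

def _as_list(value):
    """Statement and Action may each be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def ineffective_at_group_scope(policy):
    """Listed actions matched by Allow statements; at Resource Group scope
    these grants have no effect. Wildcards like "rocketmq:List*" are expanded."""
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            # Case-insensitive (assumption): over-report rather than miss.
            hits.update(a for a in ACCOUNT_LEVEL_ONLY
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)

def needs_review(actions):
    """Actions outside the page's read-only policy (names not Get*/List*)."""
    return [a for a in actions
            if not a.split(":", 1)[1].startswith(("Get", "List"))]

def account_level_policy(actions):
    """Custom policy granting only the given actions, for Account Level scope."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}

# Constructed sample: a policy intended for attachment at resource group scope.
SAMPLE_GROUP_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["rocketmq:List*", "rocketmq:GetUserMetrics"]},
    {"Effect": "Deny", "Resource": "*", "Action": "rocketmq:DeleteDiagnosis"}]}

if __name__ == "__main__":
    hits = ineffective_at_group_scope(SAMPLE_GROUP_POLICY)
    print(json.dumps(account_level_policy(hits), indent=2))
```

Anything returned by `needs_review` is a non-read action that would be granted account-wide, so confirm the principal actually needs it before adding it to the account-level policy.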

FAQ

How do I view a resource's resource group?

  • Method 1: Click the resource name to open its details page, which displays the resource group.

  • Method 2: Log on to the Resource Management console. Click Resource Center > Resource Search. In the left-side navigation pane, select the account to which the resource belongs (Current Account by default). Use the filter conditions to locate the target resource and view its resource group.

How do I view a product's resources in a resource group?

  • Method 1: Log on to the Resource Management console. Click Resource Center > Resource Search. In the left-side navigation pane, under the account to which the resource belongs (Current Account by default), click the name of the target resource group. Then, from the Select Resource Type drop-down list on the right, select the current product to view all of its resources in that resource group.

  • Method 2: Log on to the Resource Management console. Click Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the current product from the Product drop-down list at the top to view all of its resources in that resource group.

How do I move multiple resources to a different resource group?

Log on to the Resource Management console. Click Resource Groups > Resource Groups. In the row of the target resource group, click Manage Resources in the Actions column to go to the resource management page. Use the filter conditions to locate the target resources. Select the checkboxes in the first column for the resources you want to move, click Transfer Resource Group at the bottom and follow the on-screen instructions.