Auto Scaling: Use resource groups for fine-grained access control

Last Updated: Apr 23, 2026

When you use resource groups to organize your resources, you can integrate them with Resource Access Management (RAM) to achieve resource isolation and fine-grained access control within a single Alibaba Cloud account. This topic describes how Auto Scaling supports resource groups and provides instructions on how to grant permissions at the resource group level.

How resource group authorization works

You can use a resource group to manage resources within your Alibaba Cloud account as a unit. For example, you can create a dedicated resource group for each of your projects and move project-specific resources into their respective groups for centralized management. For more information, see What is a resource group?.

After you group your resources, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, for specific resource groups. This practice restricts the principal to managing only the resources within the assigned group. For more information, see Resource grouping and authorization.

This authorization method offers the following advantages:

  • Fine-grained permissions: Ensures each identity has precise access to the necessary resources, preventing resources from different projects from being managed together within a single account.

  • Scalability: When you add new resources, you only need to add them to the designated resource group. The RAM principal automatically gains the corresponding permissions for the new resources without requiring further authorization.

Grant resource group permissions to a RAM user

The following procedure shows how to grant a RAM user permissions to manage Auto Scaling resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.

2. Grant resource group-level permissions

You can grant resource group-level permissions by using either of the following methods.

Method 1: Resource Management console

Use the permission management feature of resource groups to grant permissions to a RAM user. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.

  • On the Permission Management tab, click Add Permission.

  • In the Add Permission panel, configure the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Permission Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom permission policy.

  • Click Confirm.

Method 2: RAM console

Grant resource group-level permissions to a RAM user in the RAM console. For more information, see Manage RAM user permissions.

  • Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, grant permissions to the RAM user.

    • Resource Scope: Select Resource Group Level.

    • Principal: Select the target RAM user.

    • Permission Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom permission policy.

  • Click Confirm.

Resource types that support resource groups

The following table lists the resource types in Auto Scaling that support resource groups.

| Cloud service | Cloud service code | Resource type |
|---|---|---|
| Auto Scaling | ess | scalinggroup: scaling group |

Note

If a resource type you need does not yet support resource groups, you can submit feedback in the Resource Management console.

Actions without resource group authorization

The following Auto Scaling Actions do not support authorization at the resource group level.

| Action | Description |
|---|---|
| ess:DeleteDiagnoseReport | - |
| ess:DescribeAlarm | - |
| ess:DescribeCandidateInstanceType | - |
| ess:DescribeElasticStrength | Describes the effectiveness of a scaling configuration, referred to as elastic strength. This helps you optimize the configuration for better scale-out success rates. |
| ess:DescribeLimitation | Queries resource quotas, such as the maximum number of scheduled tasks, associated Server Load Balancer instances, instances in a scaling group, and scaling configurations. |
| ess:DescribeNotificationTypes | Queries the types of event and resource change notifications available for a scaling group, such as notifications for scaling activities and scheduled tasks. |
| ess:DescribePatternTypes | Filters for and queries instance types based on specified criteria, such as VSwitch ID, vCPU count, memory size, and instance family. |
| ess:DescribeRegions | Queries the regions where Auto Scaling is available. |
| ess:DescribeUser | - |
| ess:ExitStandBy | - |
| ess:ListTagKeys | Queries the tag keys for Auto Scaling resources to help with classification and management. |
| ess:ListTagValues | Queries the tag values for a given tag key to help with resource classification and management. |
| ess:RemoveInstances | - |
| ess:UnTagResources | - |

For Actions that do not support resource group-level authorization, setting the resource scope to resource group level is ineffective. If a RAM user still needs these permissions, you must create a custom policy and set the resource scope to account level during authorization.

The following are two examples of custom permission policies. You can modify the policy content as needed.

  • Allow all read-only Actions that do not support resource group-level authorization: The Action element lists all such read-only Actions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ess:DescribeAlarm",
            "ess:DescribeCandidateInstanceType",
            "ess:DescribeElasticStrength",
            "ess:DescribeLimitation",
            "ess:DescribeNotificationTypes",
            "ess:DescribePatternTypes",
            "ess:DescribeRegions",
            "ess:DescribeUser",
            "ess:ListTagKeys",
            "ess:ListTagValues"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allow all Actions that do not support resource group-level authorization: The Action element lists all such Actions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ess:DeleteDiagnoseReport",
            "ess:DescribeAlarm",
            "ess:DescribeCandidateInstanceType",
            "ess:DescribeElasticStrength",
            "ess:DescribeLimitation",
            "ess:DescribeNotificationTypes",
            "ess:DescribePatternTypes",
            "ess:DescribeRegions",
            "ess:DescribeUser",
            "ess:ExitStandBy",
            "ess:ListTagKeys",
            "ess:ListTagValues",
            "ess:RemoveInstances",
            "ess:UnTagResources"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can operate on all relevant resources within the entire account. Always follow the principle of least privilege and carefully review permissions before granting them.
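
To keep the account-level grant as small as possible, the following added example (not part of the original documentation) splits the Actions a custom policy allows into those that can be granted at resource group scope and the listed Actions that only take effect at account scope. It assumes `*` is the only wildcard in Action patterns and that matching is case-sensitive; the function names and the sample policy are constructed for illustration.

```python
import json
import re

# Actions this page lists as not supporting resource group-level authorization.
ACCOUNT_LEVEL_ONLY = (
    "ess:DeleteDiagnoseReport", "ess:DescribeAlarm",
    "ess:DescribeCandidateInstanceType", "ess:DescribeElasticStrength",
    "ess:DescribeLimitation", "ess:DescribeNotificationTypes",
    "ess:DescribePatternTypes", "ess:DescribeRegions", "ess:DescribeUser",
    "ess:ExitStandBy", "ess:ListTagKeys", "ess:ListTagValues",
    "ess:RemoveInstances", "ess:UnTagResources",
)

def _covers(pattern, action):
    # Assumption: "*" is the only wildcard and matching is case-sensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def split_by_scope(policy):
    """Return (group_actions, account_actions) for the policy's Allow statements."""
    group_actions, account_actions = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            account_actions.update(a for a in ACCOUNT_LEVEL_ONLY if _covers(pattern, a))
            # An exact account-level-only Action is ineffective at group scope;
            # a wildcard may still cover group-scoped Actions, so it is kept.
            if pattern not in ACCOUNT_LEVEL_ONLY:
                group_actions.append(pattern)
    return group_actions, sorted(account_actions)

def account_level_policy(actions):
    """Build the minimal account-scope policy in the format used on this page."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}]}

# Constructed sample policy (not from the page).
SAMPLE = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ess:DescribeScalingGroups", "ess:List*", "ess:RemoveInstances"]}]}

if __name__ == "__main__":
    group, account = split_by_scope(SAMPLE)
    print("grant at resource group scope:", group)
    print(json.dumps(account_level_policy(account), indent=2))
```

Attach the first list through a policy granted at resource group level, and grant the generated policy at account level only if the RAM user actually needs those Actions.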

FAQ

Finding a resource's resource group

  • Method 1: Click the resource name to go to its details page, where you can view its resource group.

  • Method 2: Log on to the Resource Management console and click Resource Center > Resource Search. In the left-side pane, select the account to which the resource belongs (defaults to Current Account). Use the filters to locate the resource and view its resource group.

View product resources in a resource group

  • Method 1: Log on to the Resource Management console and click Resource Center > Resource Search. In the left-side pane under the account (defaults to Current Account), click the name of the target resource group. In the right-side pane, select the product from the Select Resource Type drop-down list to view all its resources in that group.

  • Method 2: Log on to the Resource Management console and click Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all its resources in that group.

Move multiple resources to a different resource group

Log on to the Resource Management console and click Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column to go to the resource management page. Use the filters to locate the target resources, select the checkboxes in the first column for the resources, click Transfer Resource Group at the bottom, and follow the on-screen instructions to complete the transfer.