When you use resource groups to organize and manage resources, you can use RAM to isolate resources and enforce fine-grained access control within an Alibaba Cloud account. This document explains how CADT works with resource groups and how to grant permissions at the resource group level.
-
Resource group-level authorization applies only to resource types that support resource groups and to operations that support this authorization level.
-
For resource types that do not support resource groups, permissions scoped to a resource group have no effect. Instead, grant permissions by setting the resource scope to account level. For details, see Operations that do not support resource group-level authorization.
Resource group authorization
You can use resource groups to group and manage resources in your Alibaba Cloud account. For example, you can create a dedicated resource group for each project and move the project resources to the corresponding group for centralized management. For more information, see What is a resource group?.
After you group resources, you can grant permissions on a specific resource group to different RAM principals, such as RAM users, RAM user groups, and RAM roles. This limits the principal to managing only the resources within that resource group. For more information, see Resource grouping and authorization.
This authorization method has the following advantages:
-
Fine-grained permissions: You can ensure that each RAM identity has precise resource access permissions. This prevents the collective management of resources from multiple projects under a single account.
-
Scalability: You only need to add a new resource to the resource group. The associated RAM identity then automatically gains the required permissions, eliminating the need to grant them separately.
Grant resource group permissions to a RAM user
This topic describes how to grant a RAM user permissions on Cloud Architect Design Tool (CADT) resources within a specific resource group.
1. Prerequisites
-
A RAM user is created. For more information, see Create a RAM user.
-
A resource group is created and the required resources are moved into it. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move a resource to a resource group.
2. Grant resource group-level permissions
You can grant resource group-level permissions by using either of the following methods.
Resource Management console
Use the permission management feature of a resource group to grant permissions to a specific RAM user. For detailed instructions, see Grant resource group-scoped permissions to a RAM identity.
-
Sign in to the Resource Management console.
-
On the resource groups page, find the target resource group and click Permission Management in the Actions column.
-
On the Permission Management tab, click Add Permission.
-
In the Add Permission panel, configure the principal and permission policy.
-
Principal: Select an existing RAM user.
-
Permission Policy: Select a system policy or a custom policy. For more information, see Create a custom permission policy.
-
-
Click OK.
RAM console
Use the RAM console to grant resource group-level permissions to a specific RAM user. For more information, see Manage permissions for a RAM user.
-
Sign in to the RAM console using an Alibaba Cloud account (root account) or a RAM administrator.
-
In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permission in the Actions column.
-
In the Add Permission panel, configure the following parameters.
-
Resource Scope: Select Resource Group.
-
Principal: Select an existing RAM user.
-
Permission Policy: Select a system policy or a custom policy. For more information, see Create a custom permission policy.
-
-
Click OK.
Resource types that support resource groups
CADT supports resource groups for the following resource types:
|
Cloud service |
Cloud service code |
Type |
|
CADT |
bpstudio |
application |
|
CADT |
bpstudio |
template |
For resource types that do not yet support resource groups, you can request support in the Resource Group Console.
Unsupported operations
The following Actions in Cloud Architect Design Tool (CADT) do not support resource group-level authorization:
|
Action |
Description |
|
bpstudio:AddAlertContact |
- |
|
bpstudio:AddCompositeAlertRule |
- |
|
bpstudio:AddEditorType |
- |
|
bpstudio:AddProcessVariable |
- |
|
bpstudio:AddResource2FoPlan |
- |
|
bpstudio:AddResourceGroup |
- |
|
bpstudio:AddSnapshotDescription |
- |
|
bpstudio:AddTemplateVariable |
- |
|
bpstudio:AddUserPreferenceData |
- |
|
bpstudio:AppBindingInputParams |
- |
|
bpstudio:AppBindingProcess |
- |
|
bpstudio:AppChangeBindingResources |
- |
|
bpstudio:AppFailBack |
Fails back a disaster recovery set to its primary availability zone. |
|
bpstudio:AppFailOver |
Fails over a disaster recovery set to a supported availability zone. |
|
bpstudio:AppUnbindingProcess |
- |
|
bpstudio:ApplyPortalTemplateDeploy |
- |
|
bpstudio:AttachActivity |
- |
|
bpstudio:AttachCoupon |
- |
|
bpstudio:AutoAddApplication |
- |
|
bpstudio:CancelMonitorApp |
- |
|
bpstudio:ChangeResourceGroup |
Moves an application or a template created in CADT from one resource group to another. |
|
bpstudio:ChangeTemplate |
- |
|
bpstudio:CheckOneClickOrder |
- |
|
bpstudio:CloneApp |
- |
|
bpstudio:ClonePrivateProcess |
- |
|
bpstudio:CloneTemplate |
- |
|
bpstudio:CloneTemplateVariables |
- |
|
bpstudio:CopyTemplateVariables |
- |
|
bpstudio:CreateExploreJob |
- |
|
bpstudio:CreateExploreTopology |
- |
|
bpstudio:CreateMigrateJob |
- |
|
bpstudio:CreateMonitorNS |
- |
|
bpstudio:CreateOneClickOrder |
- |
|
bpstudio:CreateProbeOneClick |
- |
|
bpstudio:CreateProbeTopology |
- |
|
bpstudio:CreateTask |
Creates a task. |
|
bpstudio:DeleteAlertContact |
- |
|
bpstudio:DeleteAlertContactGroup |
- |
|
bpstudio:DeleteAlertRule |
- |
|
bpstudio:DeleteAlertTemplate |
- |
|
bpstudio:DeleteFoPlan |
- |
|
bpstudio:DeleteMigrateJob |
- |
|
bpstudio:DeleteMonitorAppHistory |
- |
|
bpstudio:DeleteMonitorNS |
- |
|
bpstudio:DeleteProcess |
- |
|
bpstudio:DeleteProcessVariable |
- |
|
bpstudio:DeleteResourceGroup |
- |
|
bpstudio:DeleteResourceInFoPlan |
- |
|
bpstudio:DeleteTemplateVariable |
- |
|
bpstudio:DeployOneClickOrder |
- |
|
bpstudio:DescribeResourceInFoPlan |
- |
|
bpstudio:DetectApp |
- |
|
bpstudio:DetectAppStatus |
- |
|
bpstudio:ExecuteProcess |
- |
|
bpstudio:ExecuteTask |
Executes a task. |
|
bpstudio:ExportFile |
- |
|
bpstudio:ExportYml |
- |
|
bpstudio:GenerateAppFromScript |
- |
|
bpstudio:GenerateProbeAnalysisReport |
- |
|
bpstudio:GenerateSubTopo |
- |
|
bpstudio:GetAiUsageStats |
- |
|
bpstudio:GetAlertTaskStatus |
- |
|
bpstudio:GetAlertTemplate |
- |
|
bpstudio:GetAppAlarmList |
- |
|
bpstudio:GetAppInputParams |
- |
|
bpstudio:GetApplicationDetail |
- |
|
bpstudio:GetApplicationVariables |
Gets the values of all input template variables for an application. |
|
bpstudio:GetApplicationVariables4Fail |
Gets variables that require reconfiguration. |
|
bpstudio:GetDesignPptTemplate |
- |
|
bpstudio:GetDetectResult |
- |
|
bpstudio:GetDrService |
- |
|
bpstudio:GetEditorType |
- |
|
bpstudio:GetExploreCIofTypes |
- |
|
bpstudio:GetExploreJobStatus |
- |
|
bpstudio:GetExploreReport |
- |
|
bpstudio:GetExploreResourceSummary |
- |
|
bpstudio:GetExploreTopologyResult |
- |
|
bpstudio:GetExportReportResult |
- |
|
bpstudio:GetFlowInputParams |
- |
|
bpstudio:GetFoAppStatus |
- |
|
bpstudio:GetFoTaskStatus |
Gets the status of a specified disaster recovery task (TaskId). |
|
bpstudio:GetGeneratedAppInfo |
- |
|
bpstudio:GetGroupMonitorData |
- |
|
bpstudio:GetInitFoImages |
- |
|
bpstudio:GetLastProbeTime |
- |
|
bpstudio:GetLatestResourceInformation |
- |
|
bpstudio:GetLinkageAttributesTemplate |
Gets the available values for template variables. |
|
bpstudio:GetMigrateJob |
- |
|
bpstudio:GetMigrateNetwork |
- |
|
bpstudio:GetMigrateResourceTypes |
- |
|
bpstudio:GetMigrateResources |
- |
|
bpstudio:GetMonitorAppHistory |
- |
|
bpstudio:GetMonitorApps |
- |
|
bpstudio:GetMonitorDataById |
- |
|
bpstudio:GetMonitorDataList |
- |
|
bpstudio:GetMonitorInstanceLogInfo |
- |
|
bpstudio:GetMonitorMetrics |
- |
|
bpstudio:GetMonitorNS |
- |
|
bpstudio:GetMonitorParentApp |
- |
|
bpstudio:GetMonitorServiceMetrics |
- |
|
bpstudio:GetMonitorSubApps |
- |
|
bpstudio:GetMonitorSubResource |
- |
|
bpstudio:GetOperationParams |
- |
|
bpstudio:GetOrderAttributes |
- |
|
bpstudio:GetParentApp |
- |
|
bpstudio:GetPolicyInPlan |
- |
|
bpstudio:GetPortalApiReportASync |
- |
|
bpstudio:GetPortalTemplateDeploy |
- |
|
bpstudio:GetPotentialFailZones |
Gets the available failover availability zones for a disaster recovery service. |
|
bpstudio:GetProbeAllTopology |
- |
|
bpstudio:GetProbeCiDetails |
- |
|
bpstudio:GetProbeCiInRegion |
- |
|
bpstudio:GetProbeCiInVpc |
- |
|
bpstudio:GetProbeCiInZone |
- |
|
bpstudio:GetProbeCiOfTypes |
- |
|
bpstudio:GetProbeCiRegions |
- |
|
bpstudio:GetProbeCiTypes |
- |
|
bpstudio:GetProbeCiTypesInRegion |
- |
|
bpstudio:GetProbeCiTypesInVpc |
- |
|
bpstudio:GetProbeCiTypesInZone |
- |
|
bpstudio:GetProbeGlobalCI |
- |
|
bpstudio:GetProbeGlobalCITypes |
- |
|
bpstudio:GetProbeJobStatus |
- |
|
bpstudio:GetProbeOneClick |
- |
|
bpstudio:GetProbeRegions |
- |
|
bpstudio:GetProbeResourceSummary |
- |
|
bpstudio:GetProbeTagKeys |
- |
|
bpstudio:GetProbeTagValues |
- |
|
bpstudio:GetProbeTopologyParameters |
- |
|
bpstudio:GetProbeTopologyResult |
- |
|
bpstudio:GetProbeVpcInRegion |
- |
|
bpstudio:GetProbeZoneInVpc |
- |
|
bpstudio:GetProcessApps |
- |
|
bpstudio:GetProcessInOutParams |
- |
|
bpstudio:GetProcessInputParams |
- |
|
bpstudio:GetProcessOutputParams |
- |
|
bpstudio:GetProcessShareUsers |
- |
|
bpstudio:GetResource |
- |
|
bpstudio:GetResource4ModifyRecord |
Gets the price inquiry records for application specification modifications. |
|
bpstudio:GetResourceMigratePolicy |
- |
|
bpstudio:GetResult4QueryInstancePrice4Modify |
Gets the result of a price inquiry. |
|
bpstudio:GetSaeSpec |
- |
|
bpstudio:GetSaeTaskData |
- |
|
bpstudio:GetServerMessage |
- |
|
bpstudio:GetServerlessAttribute |
- |
|
bpstudio:GetSingleAzResources |
- |
|
bpstudio:GetSubAppStatus |
- |
|
bpstudio:GetSubApps |
- |
|
bpstudio:GetTask |
Gets information about a task. |
|
bpstudio:GetTaskInputParams |
- |
|
bpstudio:GetTaskNodeStatus |
- |
|
bpstudio:GetTemplateInputParams |
- |
|
bpstudio:GetToolsTask |
- |
|
bpstudio:GetUserPreferenceData |
- |
|
bpstudio:GrantGroup |
- |
|
bpstudio:HasMonitorData |
- |
|
bpstudio:InitAppFailOver |
Initializes a disaster recovery failover task for an application. |
|
bpstudio:InitFailOver |
- |
|
bpstudio:IsMigrateApplicationOK |
- |
|
bpstudio:IsMigrateConfigurationOK |
- |
|
bpstudio:IsMigrateNetworkOK |
- |
|
bpstudio:IsMigratePrepareOK |
- |
|
bpstudio:IsMigrateResourceOK |
- |
|
bpstudio:ListActivity |
- |
|
bpstudio:ListAlertContactGroup |
- |
|
bpstudio:ListAlertRules |
- |
|
bpstudio:ListAlertTemplates |
- |
|
bpstudio:ListAllOperations |
- |
|
bpstudio:ListAllProcess |
- |
|
bpstudio:ListAppBindingProcess |
- |
|
bpstudio:ListAuthorization |
- |
|
bpstudio:ListBindingRefIds |
- |
|
bpstudio:ListBpmApps |
- |
|
bpstudio:ListBpmInstances |
- |
|
bpstudio:ListCloudClient |
- |
|
bpstudio:ListCloudProviderRegions |
- |
|
bpstudio:ListCloudProviders |
- |
|
bpstudio:ListCrossMigrateJobs |
- |
|
bpstudio:ListExploreProjects |
- |
|
bpstudio:ListExploreRegions |
- |
|
bpstudio:ListExploreTypes |
- |
|
bpstudio:ListExportMigrateJobs |
- |
|
bpstudio:ListExportTags |
- |
|
bpstudio:ListFoCreatedApps |
Lists all disaster recovery service plans in the current account. |
|
bpstudio:ListFoPlanResources |
- |
|
bpstudio:ListFoPlans |
- |
|
bpstudio:ListFoRunningApps |
- |
|
bpstudio:ListMessage |
- |
|
bpstudio:ListMigrateConfigurationTasks |
- |
|
bpstudio:ListMigrateJobs |
- |
|
bpstudio:ListMonitorRunningApps |
- |
|
bpstudio:ListOperations |
- |
|
bpstudio:ListOperationsDetails |
- |
|
bpstudio:ListPortalApplication |
- |
|
bpstudio:ListPortalResources |
- |
|
bpstudio:ListPortalTemplate |
- |
|
bpstudio:ListPortalTemplateVariables |
- |
|
bpstudio:ListPrepareMigrateTasks |
- |
|
bpstudio:ListProbeReports |
- |
|
bpstudio:ListProcessResources |
- |
|
bpstudio:ListProcessVariables |
- |
|
bpstudio:ListProcesses |
- |
|
bpstudio:ListPublicProcesses |
- |
|
bpstudio:ListReplicateJobs |
- |
|
bpstudio:ListResourceGroups |
- |
|
bpstudio:ListResources |
- |
|
bpstudio:ListServices |
- |
|
bpstudio:ListSession |
- |
|
bpstudio:ListTagResources |
Lists the tags for an application or a template. |
|
bpstudio:ListTasks |
- |
|
bpstudio:ListTasksByAppId |
- |
|
bpstudio:ListTemplateBindingProcess |
- |
|
bpstudio:ListTemplateConfig |
- |
|
bpstudio:ListTemplateProcessResources |
- |
|
bpstudio:ListTemplateVariables |
- |
|
bpstudio:ModifyApplicationSpec |
Modifies the specification of an application. |
|
bpstudio:ModifyMonitorNS |
- |
|
bpstudio:PasswordOperation |
- |
|
bpstudio:PlanFailBack |
- |
|
bpstudio:PlanFailOver |
- |
|
bpstudio:PrepareFoPlanResources |
- |
|
bpstudio:PrepareMigrateJob |
- |
|
bpstudio:PrepareMonitorApp |
- |
|
bpstudio:QueryInstancePrice4Modify |
Queries the price for a specification modification. |
|
bpstudio:QueryInstanceSpec4Modify |
Queries the available specifications for modification. |
|
bpstudio:QueryMonitorScreen |
- |
|
bpstudio:QueryTemplateNodeInfo |
- |
|
bpstudio:ReConfigApplication |
Reconfigures an application by updating template variables for failed nodes, enabling redeployment. |
|
bpstudio:RefreshResourcesInFoPlan |
- |
|
bpstudio:RefreshSubApp |
- |
|
bpstudio:RegisterCloudClient |
- |
|
bpstudio:RemoveFoPlanResources |
- |
|
bpstudio:RepliateMigrateJob |
- |
|
bpstudio:ResetMigratePlan |
- |
|
bpstudio:RevokeGroup |
- |
|
bpstudio:Save2PrivateTemplate |
- |
|
bpstudio:SaveProcessInputParams |
- |
|
bpstudio:SaveTaskInputParams |
- |
|
bpstudio:ShareProcess |
- |
|
bpstudio:StartAlertApp |
- |
|
bpstudio:StartMigrateConfiguration |
- |
|
bpstudio:StartProbeJob |
- |
|
bpstudio:StartSubTopo |
- |
|
bpstudio:StreamingChat |
- |
|
bpstudio:SyncTemplateVariable |
- |
|
bpstudio:TagResources |
- |
|
bpstudio:TemplateBindingInputParams |
- |
|
bpstudio:TemplateBindingProcess |
- |
|
bpstudio:TemplateUnbindingProcess |
- |
|
bpstudio:TranslateMigrateApplication |
- |
|
bpstudio:UnregisterCloudClient |
- |
|
bpstudio:UnshareProcess |
- |
|
bpstudio:UntagResources |
- |
|
bpstudio:UpdateAlertTemplate |
- |
|
bpstudio:UpdateAlertTemplateStatus |
- |
|
bpstudio:UpdateAppBindingProcessSeq |
- |
|
bpstudio:UpdateAppProducts |
- |
|
bpstudio:UpdateMessage |
- |
|
bpstudio:UpdateMonitor |
- |
|
bpstudio:UpdateMonitorAppHistory |
- |
|
bpstudio:UpdatePolicyInPlan |
- |
|
bpstudio:UpdateProbeTableFormat |
- |
|
bpstudio:UpdateSeqInFoPlan |
- |
|
bpstudio:UpdateTemplateConfig |
- |
|
bpstudio:UploadResourceMigratePolicy |
- |
|
bpstudio:ValidateTask |
- |
|
bpstudio:null |
- |
For operations that do not support resource group authorization, setting the resource scope to resource group level has no effect. To grant a RAM User these permissions, create a custom policy and set the resource scope to account level.
Here are two sample custom policies. Adjust them as needed.
-
Allows all read-only actions that do not support resource group-level authorization. These actions are specified in the
Actionelement.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "bpstudio:AttachActivity", "bpstudio:AttachCoupon", "bpstudio:DescribeResourceInFoPlan", "bpstudio:ExportFile", "bpstudio:GetAiUsageStats", "bpstudio:GetAlertTaskStatus", "bpstudio:GetAlertTemplate", "bpstudio:GetAppAlarmList", "bpstudio:GetAppInputParams", "bpstudio:GetApplicationDetail", "bpstudio:GetApplicationVariables", "bpstudio:GetApplicationVariables4Fail", "bpstudio:GetDesignPptTemplate", "bpstudio:GetDetectResult", "bpstudio:GetDrService", "bpstudio:GetEditorType", "bpstudio:GetExploreCIofTypes", "bpstudio:GetExploreJobStatus", "bpstudio:GetExploreReport", "bpstudio:GetExploreResourceSummary", "bpstudio:GetExploreTopologyResult", "bpstudio:GetExportReportResult", "bpstudio:GetFlowInputParams", "bpstudio:GetFoAppStatus", "bpstudio:GetFoTaskStatus", "bpstudio:GetGeneratedAppInfo", "bpstudio:GetGroupMonitorData", "bpstudio:GetInitFoImages", "bpstudio:GetLastProbeTime", "bpstudio:GetLatestResourceInformation", "bpstudio:GetLinkageAttributesTemplate", "bpstudio:GetMigrateJob", "bpstudio:GetMigrateNetwork", "bpstudio:GetMigrateResourceTypes", "bpstudio:GetMigrateResources", "bpstudio:GetMonitorAppHistory", "bpstudio:GetMonitorApps", "bpstudio:GetMonitorDataById", "bpstudio:GetMonitorDataList", "bpstudio:GetMonitorInstanceLogInfo", "bpstudio:GetMonitorMetrics", "bpstudio:GetMonitorNS", "bpstudio:GetMonitorParentApp", "bpstudio:GetMonitorServiceMetrics", "bpstudio:GetMonitorSubApps", "bpstudio:GetMonitorSubResource", "bpstudio:GetOperationParams", "bpstudio:GetOrderAttributes", "bpstudio:GetParentApp", "bpstudio:GetPolicyInPlan", "bpstudio:GetPortalApiReportASync", "bpstudio:GetPortalTemplateDeploy", "bpstudio:GetPotentialFailZones", "bpstudio:GetProbeAllTopology", "bpstudio:GetProbeCiDetails", "bpstudio:GetProbeCiInRegion", "bpstudio:GetProbeCiInVpc", "bpstudio:GetProbeCiInZone", "bpstudio:GetProbeCiOfTypes", "bpstudio:GetProbeCiRegions", "bpstudio:GetProbeCiTypes", "bpstudio:GetProbeCiTypesInRegion", "bpstudio:GetProbeCiTypesInVpc", "bpstudio:GetProbeCiTypesInZone", "bpstudio:GetProbeGlobalCI", "bpstudio:GetProbeGlobalCITypes", "bpstudio:GetProbeJobStatus", "bpstudio:GetProbeOneClick", "bpstudio:GetProbeRegions", "bpstudio:GetProbeResourceSummary", "bpstudio:GetProbeTagKeys", "bpstudio:GetProbeTagValues", "bpstudio:GetProbeTopologyParameters", "bpstudio:GetProbeTopologyResult", "bpstudio:GetProbeVpcInRegion", "bpstudio:GetProbeZoneInVpc", "bpstudio:GetProcessApps", "bpstudio:GetProcessInOutParams", "bpstudio:GetProcessInputParams", "bpstudio:GetProcessOutputParams", "bpstudio:GetProcessShareUsers", "bpstudio:GetResource", "bpstudio:GetResource4ModifyRecord", "bpstudio:GetResourceMigratePolicy", "bpstudio:GetResult4QueryInstancePrice4Modify", "bpstudio:GetSaeSpec", "bpstudio:GetSaeTaskData", "bpstudio:GetServerMessage", "bpstudio:GetServerlessAttribute", "bpstudio:GetSingleAzResources", "bpstudio:GetSubAppStatus", "bpstudio:GetSubApps", "bpstudio:GetTask", "bpstudio:GetTaskInputParams", "bpstudio:GetTaskNodeStatus", "bpstudio:GetTemplateInputParams", "bpstudio:GetToolsTask", "bpstudio:GetUserPreferenceData", "bpstudio:ListActivity", "bpstudio:ListAlertContactGroup", "bpstudio:ListAlertRules", "bpstudio:ListAlertTemplates", "bpstudio:ListAllOperations", "bpstudio:ListAllProcess", "bpstudio:ListAppBindingProcess", "bpstudio:ListAuthorization", "bpstudio:ListBindingRefIds", "bpstudio:ListBpmApps", "bpstudio:ListBpmInstances", "bpstudio:ListCloudClient", "bpstudio:ListCloudProviderRegions", "bpstudio:ListCloudProviders", "bpstudio:ListCrossMigrateJobs", "bpstudio:ListExploreProjects", "bpstudio:ListExploreRegions", "bpstudio:ListExploreTypes", "bpstudio:ListExportMigrateJobs", "bpstudio:ListExportTags", "bpstudio:ListFoCreatedApps", "bpstudio:ListFoPlanResources", "bpstudio:ListFoPlans", "bpstudio:ListFoRunningApps", "bpstudio:ListMessage", "bpstudio:ListMigrateConfigurationTasks", "bpstudio:ListMigrateJobs", "bpstudio:ListMonitorRunningApps", "bpstudio:ListOperations", "bpstudio:ListOperationsDetails", "bpstudio:ListPortalApplication", "bpstudio:ListPortalResources", "bpstudio:ListPortalTemplate", "bpstudio:ListPortalTemplateVariables", "bpstudio:ListPrepareMigrateTasks", "bpstudio:ListProbeReports", "bpstudio:ListProcessResources", "bpstudio:ListProcessVariables", "bpstudio:ListProcesses", "bpstudio:ListPublicProcesses", "bpstudio:ListReplicateJobs", "bpstudio:ListResourceGroups", "bpstudio:ListResources", "bpstudio:ListServices", "bpstudio:ListSession", "bpstudio:ListTagResources", "bpstudio:ListTasks", "bpstudio:ListTasksByAppId", "bpstudio:ListTemplateBindingProcess", "bpstudio:ListTemplateConfig", "bpstudio:ListTemplateProcessResources", "bpstudio:ListTemplateVariables", "bpstudio:QueryInstancePrice4Modify", "bpstudio:QueryInstanceSpec4Modify", "bpstudio:QueryMonitorScreen", "bpstudio:QueryTemplateNodeInfo" ], "Resource": "*" } ] } -
Allows all actions that do not support resource group-level authorization. These actions are specified in the
Actionelement.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "bpstudio:AddAlertContact", "bpstudio:AddCompositeAlertRule", "bpstudio:AddEditorType", "bpstudio:AddProcessVariable", "bpstudio:AddResource2FoPlan", "bpstudio:AddResourceGroup", "bpstudio:AddSnapshotDescription", "bpstudio:AddTemplateVariable", "bpstudio:AddUserPreferenceData", "bpstudio:AppBindingInputParams", "bpstudio:AppBindingProcess", "bpstudio:AppChangeBindingResources", "bpstudio:AppFailBack", "bpstudio:AppFailOver", "bpstudio:AppUnbindingProcess", "bpstudio:ApplyPortalTemplateDeploy", "bpstudio:AttachActivity", "bpstudio:AttachCoupon", "bpstudio:AutoAddApplication", "bpstudio:CancelMonitorApp", "bpstudio:ChangeResourceGroup", "bpstudio:ChangeTemplate", "bpstudio:CheckOneClickOrder", "bpstudio:CloneApp", "bpstudio:ClonePrivateProcess", "bpstudio:CloneTemplate", "bpstudio:CloneTemplateVariables", "bpstudio:CopyTemplateVariables", "bpstudio:CreateExploreJob", "bpstudio:CreateExploreTopology", "bpstudio:CreateMigrateJob", "bpstudio:CreateMonitorNS", "bpstudio:CreateOneClickOrder", "bpstudio:CreateProbeOneClick", "bpstudio:CreateProbeTopology", "bpstudio:CreateTask", "bpstudio:DeleteAlertContact", "bpstudio:DeleteAlertContactGroup", "bpstudio:DeleteAlertRule", "bpstudio:DeleteAlertTemplate", "bpstudio:DeleteFoPlan", "bpstudio:DeleteMigrateJob", "bpstudio:DeleteMonitorAppHistory", "bpstudio:DeleteMonitorNS", "bpstudio:DeleteProcess", "bpstudio:DeleteProcessVariable", "bpstudio:DeleteResourceGroup", "bpstudio:DeleteResourceInFoPlan", "bpstudio:DeleteTemplateVariable", "bpstudio:DeployOneClickOrder", "bpstudio:DescribeResourceInFoPlan", "bpstudio:DetectApp", "bpstudio:DetectAppStatus", "bpstudio:ExecuteProcess", "bpstudio:ExecuteTask", "bpstudio:ExportFile", "bpstudio:ExportYml", "bpstudio:GenerateAppFromScript", "bpstudio:GenerateProbeAnalysisReport", "bpstudio:GenerateSubTopo", "bpstudio:GetAiUsageStats", "bpstudio:GetAlertTaskStatus", "bpstudio:GetAlertTemplate", "bpstudio:GetAppAlarmList", "bpstudio:GetAppInputParams", "bpstudio:GetApplicationDetail", "bpstudio:GetApplicationVariables", "bpstudio:GetApplicationVariables4Fail", "bpstudio:GetDesignPptTemplate", "bpstudio:GetDetectResult", "bpstudio:GetDrService", "bpstudio:GetEditorType", "bpstudio:GetExploreCIofTypes", "bpstudio:GetExploreJobStatus", "bpstudio:GetExploreReport", "bpstudio:GetExploreResourceSummary", "bpstudio:GetExploreTopologyResult", "bpstudio:GetExportReportResult", "bpstudio:GetFlowInputParams", "bpstudio:GetFoAppStatus", "bpstudio:GetFoTaskStatus", "bpstudio:GetGeneratedAppInfo", "bpstudio:GetGroupMonitorData", "bpstudio:GetInitFoImages", "bpstudio:GetLastProbeTime", "bpstudio:GetLatestResourceInformation", "bpstudio:GetLinkageAttributesTemplate", "bpstudio:GetMigrateJob", "bpstudio:GetMigrateNetwork", "bpstudio:GetMigrateResourceTypes", "bpstudio:GetMigrateResources", "bpstudio:GetMonitorAppHistory", "bpstudio:GetMonitorApps", "bpstudio:GetMonitorDataById", "bpstudio:GetMonitorDataList", "bpstudio:GetMonitorInstanceLogInfo", "bpstudio:GetMonitorMetrics", "bpstudio:GetMonitorNS", "bpstudio:GetMonitorParentApp", "bpstudio:GetMonitorServiceMetrics", "bpstudio:GetMonitorSubApps", "bpstudio:GetMonitorSubResource", "bpstudio:GetOperationParams", "bpstudio:GetOrderAttributes", "bpstudio:GetParentApp", "bpstudio:GetPolicyInPlan", "bpstudio:GetPortalApiReportASync", "bpstudio:GetPortalTemplateDeploy", "bpstudio:GetPotentialFailZones", "bpstudio:GetProbeAllTopology", "bpstudio:GetProbeCiDetails", "bpstudio:GetProbeCiInRegion", "bpstudio:GetProbeCiInVpc", "bpstudio:GetProbeCiInZone", "bpstudio:GetProbeCiOfTypes", "bpstudio:GetProbeCiRegions", "bpstudio:GetProbeCiTypes", "bpstudio:GetProbeCiTypesInRegion", "bpstudio:GetProbeCiTypesInVpc", "bpstudio:GetProbeCiTypesInZone", "bpstudio:GetProbeGlobalCI", "bpstudio:GetProbeGlobalCITypes", "bpstudio:GetProbeJobStatus", "bpstudio:GetProbeOneClick", "bpstudio:GetProbeRegions", "bpstudio:GetProbeResourceSummary", "bpstudio:GetProbeTagKeys", "bpstudio:GetProbeTagValues", "bpstudio:GetProbeTopologyParameters", "bpstudio:GetProbeTopologyResult", "bpstudio:GetProbeVpcInRegion", "bpstudio:GetProbeZoneInVpc", "bpstudio:GetProcessApps", "bpstudio:GetProcessInOutParams", "bpstudio:GetProcessInputParams", "bpstudio:GetProcessOutputParams", "bpstudio:GetProcessShareUsers", "bpstudio:GetResource", "bpstudio:GetResource4ModifyRecord", "bpstudio:GetResourceMigratePolicy", "bpstudio:GetResult4QueryInstancePrice4Modify", "bpstudio:GetSaeSpec", "bpstudio:GetSaeTaskData", "bpstudio:GetServerMessage", "bpstudio:GetServerlessAttribute", "bpstudio:GetSingleAzResources", "bpstudio:GetSubAppStatus", "bpstudio:GetSubApps", "bpstudio:GetTask", "bpstudio:GetTaskInputParams", "bpstudio:GetTaskNodeStatus", "bpstudio:GetTemplateInputParams", "bpstudio:GetToolsTask", "bpstudio:GetUserPreferenceData", "bpstudio:GrantGroup", "bpstudio:HasMonitorData", "bpstudio:InitAppFailOver", "bpstudio:InitFailOver", "bpstudio:IsMigrateApplicationOK", "bpstudio:IsMigrateConfigurationOK", "bpstudio:IsMigrateNetworkOK", "bpstudio:IsMigratePrepareOK", "bpstudio:IsMigrateResourceOK", "bpstudio:ListActivity", "bpstudio:ListAlertContactGroup", "bpstudio:ListAlertRules", "bpstudio:ListAlertTemplates", "bpstudio:ListAllOperations", "bpstudio:ListAllProcess", "bpstudio:ListAppBindingProcess", "bpstudio:ListAuthorization", "bpstudio:ListBindingRefIds", "bpstudio:ListBpmApps", "bpstudio:ListBpmInstances", "bpstudio:ListCloudClient", "bpstudio:ListCloudProviderRegions", "bpstudio:ListCloudProviders", "bpstudio:ListCrossMigrateJobs", "bpstudio:ListExploreProjects", "bpstudio:ListExploreRegions", "bpstudio:ListExploreTypes", "bpstudio:ListExportMigrateJobs", "bpstudio:ListExportTags", "bpstudio:ListFoCreatedApps", "bpstudio:ListFoPlanResources", "bpstudio:ListFoPlans", "bpstudio:ListFoRunningApps", "bpstudio:ListMessage", "bpstudio:ListMigrateConfigurationTasks", "bpstudio:ListMigrateJobs", "bpstudio:ListMonitorRunningApps", "bpstudio:ListOperations", "bpstudio:ListOperationsDetails", "bpstudio:ListPortalApplication", "bpstudio:ListPortalResources", "bpstudio:ListPortalTemplate", "bpstudio:ListPortalTemplateVariables", "bpstudio:ListPrepareMigrateTasks", "bpstudio:ListProbeReports", "bpstudio:ListProcessResources", "bpstudio:ListProcessVariables", "bpstudio:ListProcesses", "bpstudio:ListPublicProcesses", "bpstudio:ListReplicateJobs", "bpstudio:ListResourceGroups", "bpstudio:ListResources", "bpstudio:ListServices", "bpstudio:ListSession", "bpstudio:ListTagResources", "bpstudio:ListTasks", "bpstudio:ListTasksByAppId", "bpstudio:ListTemplateBindingProcess", "bpstudio:ListTemplateConfig", "bpstudio:ListTemplateProcessResources", "bpstudio:ListTemplateVariables", "bpstudio:ModifyApplicationSpec", "bpstudio:ModifyMonitorNS", "bpstudio:PasswordOperation", "bpstudio:PlanFailBack", "bpstudio:PlanFailOver", "bpstudio:PrepareFoPlanResources", "bpstudio:PrepareMigrateJob", "bpstudio:PrepareMonitorApp", "bpstudio:QueryInstancePrice4Modify", "bpstudio:QueryInstanceSpec4Modify", "bpstudio:QueryMonitorScreen", "bpstudio:QueryTemplateNodeInfo", "bpstudio:ReConfigApplication", "bpstudio:RefreshResourcesInFoPlan", "bpstudio:RefreshSubApp", "bpstudio:RegisterCloudClient", "bpstudio:RemoveFoPlanResources", "bpstudio:RepliateMigrateJob", "bpstudio:ResetMigratePlan", "bpstudio:RevokeGroup", "bpstudio:Save2PrivateTemplate", "bpstudio:SaveProcessInputParams", "bpstudio:SaveTaskInputParams", "bpstudio:ShareProcess", "bpstudio:StartAlertApp", "bpstudio:StartMigrateConfiguration", "bpstudio:StartProbeJob", "bpstudio:StartSubTopo", "bpstudio:StreamingChat", "bpstudio:SyncTemplateVariable", "bpstudio:TagResources", "bpstudio:TemplateBindingInputParams", "bpstudio:TemplateBindingProcess", "bpstudio:TemplateUnbindingProcess", "bpstudio:TranslateMigrateApplication", "bpstudio:UnregisterCloudClient", "bpstudio:UnshareProcess", "bpstudio:UntagResources", "bpstudio:UpdateAlertTemplate", "bpstudio:UpdateAlertTemplateStatus", "bpstudio:UpdateAppBindingProcessSeq", "bpstudio:UpdateAppProducts", "bpstudio:UpdateMessage", "bpstudio:UpdateMonitor", "bpstudio:UpdateMonitorAppHistory", "bpstudio:UpdatePolicyInPlan", "bpstudio:UpdateProbeTableFormat", "bpstudio:UpdateSeqInFoPlan", "bpstudio:UpdateTemplateConfig", "bpstudio:UploadResourceMigratePolicy", "bpstudio:ValidateTask", "bpstudio:null" ], "Resource": "*" } ] }
RAM users or RAM roles with account-level permissions can manage all resources in your account. Grant these permissions with caution, ensuring they adhere to the principle of least privilege.
FAQ
Find a resource's resource group
-
Method 1: Click the resource name to go to its details page. You can find the resource group on this page.
-
Method 2: Log on to the Resource Management console and go to . On the left, select the resource's account (this defaults to current account). Use the filters to find the resource, and its resource group is shown in the search results.
View product resources in a resource group
-
Method 1: Log on to the Resource Management console and go to . On the left, in the account section (defaults to current account), click the name of the target resource group. Then, from the Select Resource Type list on the right, select the product. This displays all resources for that product within the selected resource group.
-
Method 2: Log on to the Resource Management console and go to . Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the product from the Product dropdown list at the top to view all of its resources in that resource group.
Move resources between resource groups
Log on to the Resource Management console and go to . Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, use the filters to find your target resources. Select the checkbox in the first column for each resource, click Transfer Resource Group at the bottom of the page and follow the on-screen instructions.