
Data Transmission Service: Fine-grained control with resource groups

Last Updated: Apr 23, 2026

You can use resource groups to organize resources and integrate with RAM to enable resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic explains how DTS supports resource groups and how to grant permissions at the resource group level.

Resource group authorization

You can use resource groups to organize and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and add its resources to the group for centralized management. For more information, see What is a Resource Group.

After grouping your resources, you can grant permissions to RAM principals, such as RAM users, RAM user groups, or RAM roles, at the resource group level. This ensures a principal can manage only the resources within that resource group. For more information, see Resource grouping and authorization.

This authorization method offers the following advantages:

  • Fine-grained permissions: Ensures each principal has only the resource access it requires. This helps separate the management of resources by project within a single account.

  • Scalability: When you add new resources, you simply add them to the resource group. The RAM principal automatically gains the required permissions for these new resources, and no additional authorization is required.

Grant resource group-level permissions to a RAM user

This section explains how to grant a RAM user permissions on DTS resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and assign existing resources to it. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.

2. Grant resource group-level permissions

You can use either of the following methods to grant resource group-level permissions.

Resource management console

Use the permission management feature of a resource group to grant permissions to a specific RAM user. For more information, see Grant resource group-scoped permissions to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.

  • On the Permission Management tab, click Grant Permission.

  • In the Grant Permission panel, configure the principal and permission policy.

  • Click OK.

RAM console

Use the RAM console to grant resource group-level permissions to a specific RAM user. For more information, see Manage permissions for a RAM user.

  • Log on to the RAM console by using your Alibaba Cloud account (main account) or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Grant Permission panel, configure the following parameters.

    • Resource Scope: Select Specific Resource Group.

    • Principal: The selected RAM user is displayed.

    • Permission: Select a system policy or a custom policy. For more information, see Create a custom permission policy.

  • Click OK.

Supported resource types

You can add the following DTS resource types to resource groups:

| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| DTS | dts | instance |

Note

To request support for an unsupported resource type, submit feedback in the resource group console.

Actions without resource group authorization

The following table lists the Data Transmission Service (DTS) Actions that do not support resource group-level authorization.

| Actions | Description |
| --- | --- |
| dts:AddTags | - |
| dts:AllocateRAGFlowInstancePublicConnection | - |
| dts:AuthorizeScaleOut | - |
| dts:CheckDefaultEventRule | - |
| dts:CheckDefaultRole | - |
| dts:ConfigureSynchronizationJobReplicatorCompare | Configures the full-image matching switch for a synchronization task. |
| dts:ConfigureZeroETLJob | - |
| dts:CountJobByCondition | Counts tasks based on specified conditions. |
| dts:CreateDedicatedClusterMonitorRule | Creates an alert rule for a dedicated cluster. |
| dts:CreateDocParserJob | Creates a document parsing task. |
| dts:CreateGadInstance | - |
| dts:CreateRAGFlowInstance | - |
| dts:CreateRAGKnowledgeBase | - |
| dts:CreateServiceLinkedRoleForZeroETL | - |
| dts:CreateZeroETLInstance | - |
| dts:DeleteGadInstance | - |
| dts:DeleteNetWorkPath | - |
| dts:DescribeBasicConfigs | - |
| dts:DescribeCheckJobDiffDetails | - |
| dts:DescribeCheckJobStatus | - |
| dts:DescribeCheckJobs | Lists check tasks for migration and synchronization tasks. |
| dts:DescribeClusterNodeInfo | - |
| dts:DescribeConnectionStatus | Tests the connectivity between the execution node of a migration task and the source and target databases. |
| dts:DescribeDTSIP | Retrieves the DTS IP addresses that must be added to the whitelists of the source and target databases. |
| dts:DescribeDnsResolveResult | - |
| dts:DescribeDocParserJobResult | Retrieves the result of a document parsing task. |
| dts:DescribeDocParserJobStatus | Queries the execution status of a document parsing task. |
| dts:DescribeDomainRegions | - |
| dts:DescribeDtsJob | - |
| dts:DescribeDtsJobsTransmission | - |
| dts:DescribeEventMetaInfo | - |
| dts:DescribeGadInstanceDetail | - |
| dts:DescribeGadInstanceDtsMembers | - |
| dts:DescribeGadInstances | Lists Global Active Database (GAD) instances. |
| dts:DescribeHistoryEvents | - |
| dts:DescribeHistoryEventsStat | - |
| dts:DescribeInstanceInventory | - |
| dts:DescribeJobStepDetail | - |
| dts:DescribeMigrationJobs | Lists migration tasks and their details. |
| dts:DescribeNetWorkNisAnalysis | - |
| dts:DescribePreCheckCreateGadOrderResult | Queries the result of the precheck for creating a Global Active Database (GAD) order. |
| dts:DescribeRAGDocumentParseResult | - |
| dts:DescribeRAGFlowAvailableZones | - |
| dts:DescribeRAGFlowInstancePrice | - |
| dts:DescribeRdsInfo | - |
| dts:DescribeSubscriptionInstances | Lists subscription instances and their details. |
| dts:DescribeSynchronizationJobStatusList | Lists the statuses of synchronization jobs (legacy). |
| dts:DescribeSynchronizationObjectModifyStatus | Queries the status of synchronization object modification tasks (legacy). |
| dts:DescribeTagKeys | Queries all tag keys attached to a migration, synchronization, or subscription instance. |
| dts:DescribeTagValues | Queries all values for a specific tag key that is attached to a migration, synchronization, or subscription instance. |
| dts:DescribeUserEventConfig | - |
| dts:DescribeWorkflowJobResult | - |
| dts:DescribeZeroETLInstanceLimitation | - |
| dts:DetachGadInstanceDbMember | Removes a secondary role. |
| dts:DisableRAGFlowInstanceSSO | - |
| dts:EnableRAGFlowInstanceSSO | - |
| dts:Feedback | - |
| dts:GenerateChatCompletion | - |
| dts:GetAnswer | - |
| dts:GetLindormInstanceInner | - |
| dts:GetSimilarQuestions | - |
| dts:InitDtsRdsInstance | Initializes a built-in account on a node in a Global Active Database (GAD) cluster. DTS uses this account to connect to the node and perform synchronization tasks. |
| dts:ListRAGDocument | - |
| dts:ListRAGKnowledgeBase | - |
| dts:LoginRAGFlowInstance | - |
| dts:ModifyConsumerGroupPassword | Modifies the password of a consumer group (legacy). |
| dts:ModifyDtsJobDedicatedCluster | Changes the dedicated cluster on which a task runs. |
| dts:ModifyEventScheduleTime | - |
| dts:ModifyGadInstanceName | Modifies the name of a Global Active Database (GAD) instance. |
| dts:ModifyRAGFlowInstanceDescription | - |
| dts:ModifyRAGFlowInstanceSSO | - |
| dts:ModifyRAGFlowSecurityIps | - |
| dts:PreCheckCreateGadOrder | Runs a precheck for creating a Global Active Database (GAD) order. |
| dts:PreviewData | - |
| dts:PreviewSql | - |
| dts:PromoteToMaster | - |
| dts:RemoveTags | - |
| dts:SaveEtlJob | - |
| dts:StartReverseWriter | Starts a reverse task created by using the CreateReverseDtsJob action. |
| dts:SubmitDocParserJob | - |
| dts:TagResources | Attaches tags to one or more migration, synchronization, or subscription instances. |
| dts:UntagResources | Detaches tags from migration, synchronization, and subscription instances. |
| dts:UploadRAGDocument | - |

For Actions that do not support resource group-level authorization, selecting resource group-level as the resource scope has no effect. To grant a RAM user or RAM role permissions for these Actions, create a custom permission policy and select account-level as the resource scope.

Here are two example custom permission policies. You can modify the policy content based on your requirements.

  • This policy allows all read-only operations that do not support resource group-level authorization. The Action element lists these operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dts:CheckDefaultRole",
            "dts:DescribeBasicConfigs",
            "dts:DescribeCheckJobDiffDetails",
            "dts:DescribeCheckJobStatus",
            "dts:DescribeCheckJobs",
            "dts:DescribeClusterNodeInfo",
            "dts:DescribeConnectionStatus",
            "dts:DescribeDTSIP",
            "dts:DescribeDnsResolveResult",
            "dts:DescribeDocParserJobResult",
            "dts:DescribeDocParserJobStatus",
            "dts:DescribeDomainRegions",
            "dts:DescribeDtsJob",
            "dts:DescribeDtsJobsTransmission",
            "dts:DescribeEventMetaInfo",
            "dts:DescribeGadInstanceDetail",
            "dts:DescribeGadInstanceDtsMembers",
            "dts:DescribeGadInstances",
            "dts:DescribeHistoryEvents",
            "dts:DescribeHistoryEventsStat",
            "dts:DescribeInstanceInventory",
            "dts:DescribeJobStepDetail",
            "dts:DescribeMigrationJobs",
            "dts:DescribeNetWorkNisAnalysis",
            "dts:DescribePreCheckCreateGadOrderResult",
            "dts:DescribeRAGDocumentParseResult",
            "dts:DescribeRAGFlowAvailableZones",
            "dts:DescribeRAGFlowInstancePrice",
            "dts:DescribeRdsInfo",
            "dts:DescribeSubscriptionInstances",
            "dts:DescribeSynchronizationJobStatusList",
            "dts:DescribeSynchronizationObjectModifyStatus",
            "dts:DescribeTagKeys",
            "dts:DescribeTagValues",
            "dts:DescribeUserEventConfig",
            "dts:DescribeWorkflowJobResult",
            "dts:DescribeZeroETLInstanceLimitation",
            "dts:ListRAGDocument",
            "dts:ListRAGKnowledgeBase"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • This policy allows all operations that do not support resource group-level authorization. The Action element lists these operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dts:AddTags",
            "dts:AllocateRAGFlowInstancePublicConnection",
            "dts:AuthorizeScaleOut",
            "dts:CheckDefaultEventRule",
            "dts:CheckDefaultRole",
            "dts:ConfigureSynchronizationJobReplicatorCompare",
            "dts:ConfigureZeroETLJob",
            "dts:CountJobByCondition",
            "dts:CreateDedicatedClusterMonitorRule",
            "dts:CreateDocParserJob",
            "dts:CreateGadInstance",
            "dts:CreateRAGFlowInstance",
            "dts:CreateRAGKnowledgeBase",
            "dts:CreateServiceLinkedRoleForZeroETL",
            "dts:CreateZeroETLInstance",
            "dts:DeleteGadInstance",
            "dts:DeleteNetWorkPath",
            "dts:DescribeBasicConfigs",
            "dts:DescribeCheckJobDiffDetails",
            "dts:DescribeCheckJobStatus",
            "dts:DescribeCheckJobs",
            "dts:DescribeClusterNodeInfo",
            "dts:DescribeConnectionStatus",
            "dts:DescribeDTSIP",
            "dts:DescribeDnsResolveResult",
            "dts:DescribeDocParserJobResult",
            "dts:DescribeDocParserJobStatus",
            "dts:DescribeDomainRegions",
            "dts:DescribeDtsJob",
            "dts:DescribeDtsJobsTransmission",
            "dts:DescribeEventMetaInfo",
            "dts:DescribeGadInstanceDetail",
            "dts:DescribeGadInstanceDtsMembers",
            "dts:DescribeGadInstances",
            "dts:DescribeHistoryEvents",
            "dts:DescribeHistoryEventsStat",
            "dts:DescribeInstanceInventory",
            "dts:DescribeJobStepDetail",
            "dts:DescribeMigrationJobs",
            "dts:DescribeNetWorkNisAnalysis",
            "dts:DescribePreCheckCreateGadOrderResult",
            "dts:DescribeRAGDocumentParseResult",
            "dts:DescribeRAGFlowAvailableZones",
            "dts:DescribeRAGFlowInstancePrice",
            "dts:DescribeRdsInfo",
            "dts:DescribeSubscriptionInstances",
            "dts:DescribeSynchronizationJobStatusList",
            "dts:DescribeSynchronizationObjectModifyStatus",
            "dts:DescribeTagKeys",
            "dts:DescribeTagValues",
            "dts:DescribeUserEventConfig",
            "dts:DescribeWorkflowJobResult",
            "dts:DescribeZeroETLInstanceLimitation",
            "dts:DetachGadInstanceDbMember",
            "dts:DisableRAGFlowInstanceSSO",
            "dts:EnableRAGFlowInstanceSSO",
            "dts:Feedback",
            "dts:GenerateChatCompletion",
            "dts:GetAnswer",
            "dts:GetLindormInstanceInner",
            "dts:GetSimilarQuestions",
            "dts:InitDtsRdsInstance",
            "dts:ListRAGDocument",
            "dts:ListRAGKnowledgeBase",
            "dts:LoginRAGFlowInstance",
            "dts:ModifyConsumerGroupPassword",
            "dts:ModifyDtsJobDedicatedCluster",
            "dts:ModifyEventScheduleTime",
            "dts:ModifyGadInstanceName",
            "dts:ModifyRAGFlowInstanceDescription",
            "dts:ModifyRAGFlowInstanceSSO",
            "dts:ModifyRAGFlowSecurityIps",
            "dts:PreCheckCreateGadOrder",
            "dts:PreviewData",
            "dts:PreviewSql",
            "dts:PromoteToMaster",
            "dts:RemoveTags",
            "dts:SaveEtlJob",
            "dts:StartReverseWriter",
            "dts:SubmitDocParserJob",
            "dts:TagResources",
            "dts:UntagResources",
            "dts:UploadRAGDocument"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can access all resources in the account. Always follow the principle of least privilege when assigning these permissions.
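Because a grant at resource group scope has no effect for the Actions in the table above, it helps to check a custom policy before attaching it. The following is an added example, not Alibaba Cloud code: it splits a policy's allowed actions into those worth attaching at resource group scope and those that need a separate account-level policy. The action list is an excerpt of the table, and the helper names, the sample policy, and case-insensitive `*` matching are assumptions.

```python
import json
import re

# Excerpt of the page's "Actions without resource group authorization" table.
# For real use, load every action from that table.
NO_RG_SUPPORT = [
    "dts:AddTags", "dts:DescribeDTSIP", "dts:DescribeDtsJob",
    "dts:DescribeMigrationJobs", "dts:PreviewData",
    "dts:TagResources", "dts:UntagResources",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Only "*" is treated as a wildcard; comparison is case-insensitive
    # (a conservative assumption so that more patterns get flagged).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def split_policy(policy, unsupported=NO_RG_SUPPORT):
    """Return (rg_actions, account_actions) for the Allow statements.

    rg_actions: patterns worth attaching at resource-group scope.
    account_actions: listed actions the patterns cover that take effect
    only when granted at account scope.
    """
    rg_actions, account_actions = [], set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            hits = [a for a in unsupported if _matches(pattern, a)]
            account_actions.update(hits)
            # An exact name from the table is useless at group scope; a
            # wildcard may still cover actions that do support group scope.
            if "*" in pattern or not hits:
                rg_actions.append(pattern)
    return rg_actions, sorted(account_actions)

def account_level_policy(actions):
    """Build the account-scope custom policy in the page's JSON layout."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

# Constructed sample policy; dts:StartDtsJob stands in for an action
# that is absent from the table (assumed to support group scope).
SAMPLE = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["dts:StartDtsJob", "dts:Describe*", "dts:TagResources"]}]}

if __name__ == "__main__":
    rg, acct = split_policy(SAMPLE)
    print("resource-group scope:", rg)
    print(json.dumps(account_level_policy(acct), indent=2))
```

Listing the matched actions by name in the account-level policy, rather than reusing the wildcard there, keeps the account-wide grant limited to the actions that actually require it.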

FAQ

Check the resource group of a resource

  • Method 1: Click the resource name to go to its details page. The page displays the resource group.

  • Method 2: Log on to the Resource Management console and go to Resource Center > Resource Search. On the left, select the account that owns the resource (the default is the current account). Use the filters to find the resource and view its resource group.

View product resources in a resource group

  • Method 1: Log on to the Resource Management console and go to Resource Center > Resource Search. On the left, under the account that owns the resources (the default is the current account), click the name of the target resource group. Then, on the right, select the product from the Select Resource Type drop-down list to view all its resources in that group.

  • Method 2: Log on to the Resource Management console and go to Resource Groups > Resource Groups. Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the product from the Product drop-down list at the top to view all its resources in that group.

Move multiple resources to another resource group

Log on to the Resource Management console and go to Resource Groups > Resource Groups. Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, use the filters to find the resources to move. Select the checkboxes for these resources in the first column, and then click Transfer Resource Group below the list. Follow the on-screen instructions to move the resources.