Domain Names: Resource groups for fine-grained control

Last Updated: Apr 23, 2026

When you use resource groups, you can use RAM to isolate resources and implement fine-grained permission management within a single Alibaba Cloud account. This topic explains how to use domain names with resource groups and grant permissions at the resource group level.

Resource group authorization

You can use Resource Groups to group and manage resources in your Alibaba Cloud account. For example, you can create a Resource Group for each project and move the project's resources into it for centralized management. For more information, see What is a Resource Group?.

After you group your resources, you can grant permissions scoped to a specific Resource Group to different RAM principals, such as RAM users, RAM user groups, or RAM roles. This restricts the RAM principal to managing only the resources within that Resource Group. For more information, see Resource grouping and authorization.

This method offers the following benefits:

  • Fine-grained permissions: Grant each identity only the specific permissions it needs to access resources. This avoids the mixed management of resources from different projects in a single account.

  • Scalability: When you add new resources, simply add them to the Resource Group. The associated RAM identity automatically inherits permissions for these new resources.

Grant resource group-level permissions to a RAM user

This topic shows you how to grant a RAM user permissions on domain resources in a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move your resources to it. For more information, see Create a resource group, Automatically transfer resources, and Manually transfer resources.

2. Grant resource group-level permissions

You can grant resource group-level permissions using one of the following methods.

Method 1: Resource Management console

Use a resource group's permission management feature to grant permissions to a specific RAM user. For detailed steps, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Group console.

  • On the Resource Groups page, in the Actions column of the target resource group, click Permissions.

  • On the Permissions tab, click Grant Permission.

  • In the Grant Permission panel, configure the principal and policy.

    • Principal: Select an existing RAM user.

    • Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.

  • Click Grant Permission.

Method 2: RAM console

Use the RAM console to grant resource group-level permissions to a specific RAM user. For detailed steps, see Manage the permissions of a RAM user.

  • Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, in the Actions column of the target RAM user, click Grant Permission.

  • In the Grant Permission panel, configure the following settings.

    • Resource Scope: Select Specific Resource Groups.

    • Principal: Select an existing RAM user or the one you created previously.

    • Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.

  • Click Grant Permission.

Supported resource types

This table lists the domain resource types that support resource groups.

| Cloud service | Cloud service code | Resource type |
|---|---|---|
| Domain | domain | domain: Domain |

Note

To request support for a resource type that does not support resource groups, submit feedback in the resource group console.

Actions without resource group authorization

The following actions for domain names do not support resource group-level authorization:

| Actions | Description |
|---|---|
| domain:AcknowledgeTaskResult | Confirms the result of a task. |
| domain:AddFavoriteDomain | - |
| domain:BatchIntrudeDomains | - |
| domain:BatchQueryPushStatus | - |
| domain:BatchRecallPush | - |
| domain:BrokerDemand | - |
| domain:BrokerDemandApp | - |
| domain:CancelOperationAudit | Cancels a self-service operation audit. |
| domain:CancelTask | Cancels an in-progress task. |
| domain:CheckDomain | - |
| domain:CheckPushReceiver | - |
| domain:DeleteContactTemplates | Deletes multiple domain contact templates. |
| domain:DeleteOrderTaskDetail | - |
| domain:DomainSpecialBizCancel | - |
| domain:DomainSpecialBizCreateOrder | - |
| domain:EmailVerificationOperation | Sends a verification email. |
| domain:EmailVerified | - |
| domain:FixPrice | - |
| domain:ImportPreDeleteDomain | - |
| domain:IntlFixPrice | Queries a list of international fixed-price orders. |
| domain:ListDomains | - |
| domain:ListOperationAuditInfos | Queries a list of audit records for self-service operations. |
| domain:ListTagKeys | - |
| domain:ListTagResources | - |
| domain:PartnerAuction | - |
| domain:PayIntlBrokerDemandOrder | - |
| domain:PushDomains | - |
| domain:QueryBuyerDomainTradeRecords | - |
| domain:QueryDomain | Queries details about a specified domain name. |
| domain:QueryDomainAutoRenewList | - |
| domain:QueryDomainGroup | Queries the list of domain name groups. |
| domain:QueryDomainRealTimePrice | - |
| domain:QueryDomainSpecialBizDetail | - |
| domain:QueryDomainSpecialBizInfoByDomain | - |
| domain:QueryDomainSpecialBizInfoList | - |
| domain:QueryDomainSpecialBizPrice | - |
| domain:QueryDomainValueAddedService | - |
| domain:QueryEmailVerification | Queries the result of an email verification. |
| domain:QueryExportAuctionDetail | - |
| domain:QueryExportDomainExpireSnatchs | - |
| domain:QueryFailingReasonList | Checks the reason for a failed qualification review for .restaurant and .trademark domains. |
| domain:QueryFavoriteDomainPageList | - |
| domain:QueryFulfillmentRecordDetail | - |
| domain:QueryFulfillmentRecordList | - |
| domain:QueryIntlBrokerDemandDetail | - |
| domain:QueryIntlBrokerDemandList | - |
| domain:QueryIntlBrokerDemandRecordList | - |
| domain:QueryOperationAuditInfoDetail | Queries the details of an audit record for a self-service operation. |
| domain:QueryRegistrantProfile | Queries the domain contact templates for the current account. |
| domain:QuerySingleTaskInfo | - |
| domain:QueryUsRegistrantExtension | - |
| domain:QueryUserCommand | - |
| domain:QueryUserExtConfigByExtField | - |
| domain:RegistrantProfileOperation | Creates or updates a domain contact template. |
| domain:RemoveFavoriteDomain | - |
| domain:SaveCctldExtendInfo | - |
| domain:SaveContactTemplateRemark | - |
| domain:SaveRegistrantProfileRealNameVerification | Saves domain contact information and identity documents. |
| domain:SaveTaskInfo | - |
| domain:SaveUsRegistrantExtension | - |
| domain:SaveUserCommand | - |
| domain:SaveUserExtConfig | - |
| domain:SetDefaultRegistrantProfile | Sets the default domain contact template. |
| domain:SubmitDomainSpecialBizCredentials | - |
| domain:SubmitDomainSpecialBizInfo | - |
| domain:SubmitIntlBrokerDemand | - |
| domain:SubmitOperationCredentials | Submits identity documents for a self-service operation audit. |
| domain:TransferInCheckMailToken | Verifies the email token of a domain name registrant. |
| domain:UploadPolicyForCredential | Obtains the OSS upload policy for audit materials. |
| domain:UploadPolicyForQualification | Obtains the authorization policies for the ".餐厅" and ".商标" domains. |
| domain:UserConfirmIntlBrokerDemand | - |
| domain:VerifyEmail | Submits an email for verification. |
| domain:WebsiteAddDnsRecord | - |
| domain:WebsiteDeleteDnsRecord | - |
| domain:WhoisProtection | - |
| domain:null | - |

For actions that do not support resource group-level authorization, setting the resource scope to the resource group level has no effect. To grant permissions for these actions to a RAM user or RAM role, you must create a custom policy and set the resource scope to the account level.

The following are two custom policy examples. You can adjust the policy content to meet your business requirements.

  • Allow all read-only operations that do not support resource group-level authorization: The Action element should list all read-only operations that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allow all operations that do not support resource group-level authorization: The Action element lists all operations that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "domain:AcknowledgeTaskResult",
            "domain:AddFavoriteDomain",
            "domain:BatchIntrudeDomains",
            "domain:BatchQueryPushStatus",
            "domain:BatchRecallPush",
            "domain:BrokerDemand",
            "domain:BrokerDemandApp",
            "domain:CancelOperationAudit",
            "domain:CancelTask",
            "domain:CheckDomain",
            "domain:CheckPushReceiver",
            "domain:DeleteContactTemplates",
            "domain:DeleteOrderTaskDetail",
            "domain:DomainSpecialBizCancel",
            "domain:DomainSpecialBizCreateOrder",
            "domain:EmailVerificationOperation",
            "domain:EmailVerified",
            "domain:FixPrice",
            "domain:ImportPreDeleteDomain",
            "domain:IntlFixPrice",
            "domain:ListDomains",
            "domain:ListOperationAuditInfos",
            "domain:ListTagKeys",
            "domain:ListTagResources",
            "domain:PartnerAuction",
            "domain:PayIntlBrokerDemandOrder",
            "domain:PushDomains",
            "domain:QueryBuyerDomainTradeRecords",
            "domain:QueryDomain",
            "domain:QueryDomainAutoRenewList",
            "domain:QueryDomainGroup",
            "domain:QueryDomainRealTimePrice",
            "domain:QueryDomainSpecialBizDetail",
            "domain:QueryDomainSpecialBizInfoByDomain",
            "domain:QueryDomainSpecialBizInfoList",
            "domain:QueryDomainSpecialBizPrice",
            "domain:QueryDomainValueAddedService",
            "domain:QueryEmailVerification",
            "domain:QueryExportAuctionDetail",
            "domain:QueryExportDomainExpireSnatchs",
            "domain:QueryFailingReasonList",
            "domain:QueryFavoriteDomainPageList",
            "domain:QueryFulfillmentRecordDetail",
            "domain:QueryFulfillmentRecordList",
            "domain:QueryIntlBrokerDemandDetail",
            "domain:QueryIntlBrokerDemandList",
            "domain:QueryIntlBrokerDemandRecordList",
            "domain:QueryOperationAuditInfoDetail",
            "domain:QueryRegistrantProfile",
            "domain:QuerySingleTaskInfo",
            "domain:QueryUsRegistrantExtension",
            "domain:QueryUserCommand",
            "domain:QueryUserExtConfigByExtField",
            "domain:RegistrantProfileOperation",
            "domain:RemoveFavoriteDomain",
            "domain:SaveCctldExtendInfo",
            "domain:SaveContactTemplateRemark",
            "domain:SaveRegistrantProfileRealNameVerification",
            "domain:SaveTaskInfo",
            "domain:SaveUsRegistrantExtension",
            "domain:SaveUserCommand",
            "domain:SaveUserExtConfig",
            "domain:SetDefaultRegistrantProfile",
            "domain:SubmitDomainSpecialBizCredentials",
            "domain:SubmitDomainSpecialBizInfo",
            "domain:SubmitIntlBrokerDemand",
            "domain:SubmitOperationCredentials",
            "domain:TransferInCheckMailToken",
            "domain:UploadPolicyForCredential",
            "domain:UploadPolicyForQualification",
            "domain:UserConfirmIntlBrokerDemand",
            "domain:VerifyEmail",
            "domain:WebsiteAddDnsRecord",
            "domain:WebsiteDeleteDnsRecord",
            "domain:WhoisProtection"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can manage all resources in the account. Always ensure that the granted permissions meet your requirements. Follow the principle of least privilege and assign permissions with caution.
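
The check below is an added example, not part of the original documentation or of any Alibaba Cloud tooling: it reports which actions in a policy meant for resource-group scope would have no effect there, and builds the account-level custom policy for just those actions. Assumptions: the action list is only a subset of the table above, the read-only classification by name prefix is a heuristic the page does not define, and `domain:ExampleRgScopedAction` is a hypothetical placeholder.

```python
import json
from fnmatch import fnmatchcase

# Subset of this page's "Actions without resource group authorization" table.
# Load the full table in real use; the subset keeps the example short.
NO_RG_SUPPORT = [
    "domain:CancelTask", "domain:CheckDomain", "domain:DeleteContactTemplates",
    "domain:ListDomains", "domain:PushDomains", "domain:QueryDomain",
    "domain:QueryDomainGroup", "domain:WebsiteAddDnsRecord", "domain:WhoisProtection",
]
# Assumption: these name prefixes mark read-only actions; the page does not classify them.
READ_ONLY_PREFIXES = ("Query", "List", "Check")

def allowed_patterns(policy):
    """Return every Action entry (literal or wildcard) from the Allow statements."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            found += [actions] if isinstance(actions, str) else list(actions)
    return found

def ineffective_at_rg_scope(policy):
    """Actions the policy names that are ignored when it is attached to a resource group."""
    patterns = allowed_patterns(policy)
    return sorted(a for a in NO_RG_SUPPORT if any(fnmatchcase(a, p) for p in patterns))

def account_level_policy(actions, read_only_only=True):
    """Build the account-scoped custom policy (Resource "*") for the given actions."""
    if read_only_only:
        actions = [a for a in actions if a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}

# Constructed policy intended for attachment at resource-group scope.
# "domain:ExampleRgScopedAction" is a hypothetical placeholder, not a real action.
RG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["domain:Query*", "domain:PushDomains", "domain:ExampleRgScopedAction"],
     "Resource": "*"}]}

if __name__ == "__main__":
    dropped = ineffective_at_rg_scope(RG_POLICY)
    print("No effect at resource-group scope:", dropped)
    print(json.dumps(account_level_policy(dropped), indent=2))
```

Review the generated action list before attaching it: every action it contains applies to all domain resources in the account, not just one resource group.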

FAQ

Find the resource group of a resource

  • Method 1: Click the resource name to view its details. The resource group is listed on the details page.

  • Method 2: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side navigation pane, select the account that owns the resource (the current account is selected by default). Use the filters to find the resource and view its resource group.

View a product's resources in a resource group

  • Method 1: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side navigation pane, under the account section (the current account is selected by default), click the name of the target resource group. Then, from the Select Resource Type list on the right, select the product to view all its resources.

  • Method 2: Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the desired product from the Product drop-down list to view all its resources.

Move multiple resources to another resource group

Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. Use filters to locate the target resources. Select the checkboxes for the resources that you want to move, click Transfer Resource Group below the list, and follow the on-screen instructions to complete the transfer.