Use resource groups for fine-grained access control - E-MapReduce

You can use resource groups with RAM to isolate resources and implement fine-grained permission management in an Alibaba Cloud account. This topic explains how E-MapReduce supports resource groups and the steps for resource group-level authorization.

Note

Resource group-level authorization applies only to resource types that support resource groups and to operations that support it.
For resource types that do not support resource groups, select account level as the resource scope to grant permissions. For more information, see Operations that do not support resource group-level authorization.

Resource group authorization

You can use resource groups to group and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move the corresponding resources into the group for centralized management. For more information, see What is a resource group?.

After grouping your resources, you can grant permissions at the resource group level to RAM principals, such as RAM users, RAM user groups, or RAM roles. This ensures that a principal can manage only the resources within that specific resource group. For more information, see Resource grouping and authorization.

This authorization method offers the following benefits:

Fine-grained permissions: Each identity is granted the exact permissions it needs to access resources. This helps you avoid mixing resources from different projects in a single account.
Scalability: When you add new resources, you only need to add them to the resource group. The RAM identity automatically inherits permissions for the new resources.

Grant resource group-level permissions

This topic describes how to grant permissions to a RAM user to manage E-MapReduce resources within a specific resource group.

1. Prerequisites

Create the RAM user you intend to use. For more information, see Create a RAM user.
Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatic resource transfer, and Manual resource transfer.

2. Grant resource group-level permissions

You can grant permissions at the resource group level in the following ways:

Resource management console

You can grant permissions to a specific RAM user by using the permission management feature of a resource group. For more information, see Grant resource group-scoped permissions to a RAM identity.

Sign in to the Resource Management console.
On the Resource Group page, find the target resource group and click Permission Management in the Actions column.
On the Permission Management tab, click Grant Permission.
In the Grant Permission panel, configure the principal and permission policy.
- Principal: Select an existing RAM user.
- Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.
Click Confirm.

RAM console

You can grant resource group-level permissions to a specific RAM user in the RAM console. For more information, see Manage permissions for a RAM user.

Sign in to the RAM console with an Alibaba Cloud account or as a RAM administrator.
In the left-side navigation pane, choose Identity Management > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the following:
- Resource Scope: Select Resource Group.
- Principal: Select the target RAM user.
- Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.
Click Confirm.

Resource types that support resource groups

The following table lists the resource types in E-MapReduce that support resource groups:

Cloud service	Cloud service code	Resource type
E-MapReduce	emr	cluster: cluster
E-MapReduce	emr	flowproject: project

Note

You can request support for other resource types in the Resource Group Console.

Operations without resource group authorization

E-MapReduce does not support resource group-level authorization for the following actions:

Action	Description
emr:AttachCluster	-
emr:AttachClusterForNote	-
emr:AuthRealName	-
emr:BindPrivateZoneVpc	-
emr:CheckAssumeRole	-
emr:CheckDLFCatalogAuth	-
emr:CheckProductActiveStatus	-
emr:CheckRenewClusterForAdmin	-
emr:CheckUserBalance	-
emr:CheckUserRole	-
emr:CleanupFlowEntitySnapshot	-
emr:CommitFlowEntitySnapshot	-
emr:CommonApiWhiteList	-
emr:CreateAlertContact	-
emr:CreateAlertDingDingGroup	-
emr:CreateAlertUserGroup	-
emr:CreateBackup	-
emr:CreateBackupPlan	-
emr:CreateBackupRule	-
emr:CreateCloudNativeCluster	-
emr:CreateClusterBootstrapAction	-
emr:CreateClusterCost	-
emr:CreateClusterEni	-
emr:CreateClusterTemplate	-
emr:CreateClusterV3	-
emr:CreateClusterWithTemplate	-
emr:CreateClusterWithTemplateForInternal	-
emr:CreateDisasterRecoveryPlan	-
emr:CreateExternalUsers	-
emr:CreateFlowProject	-
emr:CreateFlowProjectClusterSetting	-
emr:CreateJob	-
emr:CreateJobExecutionPlanFolder	-
emr:CreateLibrary	-
emr:CreateMetaTablePreviewTask	-
emr:CreateMetaTablePreviewTaskForOuter	-
emr:CreateNote	-
emr:CreateOnKubeCluster	-
emr:CreateParagraph	-
emr:CreateScalingGroupV2	-
emr:CreateUserPassword	-
emr:CreateUserStatistics	-
emr:CreateVerificationCode	-
emr:DeleteAlertContacts	-
emr:DeleteAlertDingDingGroups	-
emr:DeleteAlertUserGroups	-
emr:DeleteApiTemplate	Deletes a specified API template.
emr:DeleteApplication	-
emr:DeleteClusterBootstrapAction	-
emr:DeleteClusterScript	-
emr:DeleteClusterTemplate	-
emr:DeleteDiagnoseReport	-
emr:DeleteDisasterRecoveryPlan	-
emr:DeleteExecutionPlan	-
emr:DeleteFlowEditLock	-
emr:DeleteFlowProject	-
emr:DeleteFlowProjectById	-
emr:DeleteFlowProjectClusterSetting	-
emr:DeleteFlowProjectUser	-
emr:DeleteJob	-
emr:DeleteJobExecutionPlanFolder	-
emr:DeleteJobExecutionPlanParam	-
emr:DeleteLibraries	-
emr:DeleteNote	-
emr:DeleteParagraph	-
emr:DeleteScalingRule	-
emr:DeleteScalingTaskGroup	-
emr:DeleteUsers	Deletes multiple users.
emr:DescribeAvailableInstanceType	-
emr:DescribeClusterForInternal	-
emr:DescribeClusterForOuter	-
emr:DescribeClusterHealth	-
emr:DescribeClusterOperationHostTaskLog	-
emr:DescribeClusterResourcePoolSchedulerTypeForAdmin	-
emr:DescribeClusterServiceConfigForAdmin	-
emr:DescribeClusterServiceConfigTagForAdmin	-
emr:DescribeClusterTemplate	-
emr:DescribeDiskOpsActivity	-
emr:DescribeEmrMainVersion	-
emr:DescribeExecutionPlan	-
emr:DescribeFlowAgentToken	-
emr:DescribeFlowAgentUser	-
emr:DescribeFlowEntitySnapshot	-
emr:DescribeFlowNodeInstanceContainerLog	-
emr:DescribeFlowProjectClusterSetting	-
emr:DescribeJob	-
emr:DescribeKafkaReassign	-
emr:DescribeLibraryDetail	-
emr:DescribeLibraryInstallTaskDetail	-
emr:DescribeMetaDataSourceForOuter	-
emr:DescribeMetaDatabaseForOuter	-
emr:DescribeMetaTableColumnForOuter	-
emr:DescribeMetaTablePartitionForOuter	-
emr:DescribeMetaTablePreviewTask	-
emr:DescribeMetaTablePreviewTaskForOuter	-
emr:DescribeNote	-
emr:DescribeOperationTask	-
emr:DescribeParagraph	-
emr:DescribeRdsInstance	-
emr:DescribeScalingActivity	-
emr:DescribeScalingCommonConfig	-
emr:DescribeScalingGroupInstanceV2	-
emr:DescribeScalingGroupV2	-
emr:DescribeScalingMetrics	-
emr:DescribeScalingRule	-
emr:DescribeScalingTaskGroup	-
emr:DescribeServiceConfigDefinition	-
emr:DescribeServiceHealth	-
emr:DescribeUserStatistics	-
emr:DetachAndReleaseClusterEni	-
emr:DetachCluster	-
emr:DetachClusterForNote	-
emr:DiffFlowEntitySnapshot	-
emr:DumpMetaDataSourceForOuter	-
emr:EnableApplication	-
emr:ExecuteFsAction	-
emr:ExecuteHiveSql	-
emr:ExistsUser	-
emr:GetApiTemplate	Gets the detailed configuration of a specified API template.
emr:GetApplicationActions	-
emr:GetAuditLogs	-
emr:GetBackPlanInfo	-
emr:GetBackupInfo	-
emr:GetBackupRuleInfo	-
emr:GetClusterCost	-
emr:GetCostUploadSignature	-
emr:GetDisasterRecoveryPlan	-
emr:GetDoctorComputeSummary	Gets the usage analysis results for a single resource in a cluster using EMR Doctor.
emr:GetDoctorHBaseRegion	Gets information about an HBase region.
emr:GetDoctorHBaseRegionServer	Gets information about an HBase RegionServer.
emr:GetDoctorHBaseTable	Gets information about an HBase table.
emr:GetDoctorHDFSCluster	Gets the HDFS data analysis results for a cluster using EMR Doctor.
emr:GetDoctorHDFSDirectory	Gets the data analysis results for a specific HDFS directory (up to five levels deep) using EMR Doctor.
emr:GetFlowAgentTrackStatus	-
emr:GetFlowAuditLogs	-
emr:GetFlowEntityRelationGraph	-
emr:GetMetadataTypeList	-
emr:GetOverview	-
emr:GetPriceForCreate	-
emr:GetPriceForCreateOnKubeCluster	-
emr:GetReleaseVersion	-
emr:GetSlsTempToken	-
emr:GetSupportApplications	-
emr:HasRamOauthPolicy	-
emr:IncreaseNodesDiskSize	-
emr:InnerCheckAckInstance	-
emr:InnerDescribeUserAccountStatus	-
emr:InstallLibraries	-
emr:KillExecutionJobInstance	-
emr:KillExecutionPlanInstance	-
emr:ListAdviceAction	-
emr:ListAlertContacts	-
emr:ListApmMetadata	-
emr:ListApplicationConfigVersions	-
emr:ListBackupPlans	-
emr:ListBackupRules	-
emr:ListBackups	-
emr:ListClusterAttach	-
emr:ListClusterBootstrapActions	-
emr:ListClusterCosts	-
emr:ListClusterForAdmin	-
emr:ListClusterForOuter	-
emr:ListClusterHostComponentForAdmin	-
emr:ListClusterOperationHostTask	-
emr:ListClusterServiceConfigHistoryForAdmin	-
emr:ListClusterTag	-
emr:ListClusterTagForAdmin	-
emr:ListClusterTypes	-
emr:ListComponentDefaultTopologies	-
emr:ListDependApplications	-
emr:ListDisasterRecoveryPlans	-
emr:ListDisasterRecoveryRecords	-
emr:ListDiskOpsEvents	-
emr:ListDoctorComputeSummary	Gets usage information for multiple cluster resources based on filter conditions using EMR Doctor.
emr:ListDoctorHBaseRegionServers	Gets information about multiple HBase RegionServers.
emr:ListDoctorHBaseTables	Gets information about multiple HBase tables.
emr:ListDoctorJobsStats	Gets basic runtime summary information for multiple jobs using EMR Doctor.
emr:ListEcsInstances	-
emr:ListEmrAvailableConfig	-
emr:ListEmrAvailableMetaType	-
emr:ListEmrAvailableResource	-
emr:ListEmrMainVersion	-
emr:ListEmrMainVersionServiceGroup	-
emr:ListEmrMainVersions	-
emr:ListExecutePlanMigrateInfo	-
emr:ListExecutionPlanInstanceTrend	-
emr:ListFailureJobExecutionInstances	-
emr:ListFeatures	-
emr:ListFlowClusterAllHosts	-
emr:ListFlowClusterK8sNamespace	-
emr:ListFlowEntitySnapshot	-
emr:ListFlowProjectClusterSetting	-
emr:ListFlowProjectUser	-
emr:ListGlobalConfigs	-
emr:ListHealthRule	-
emr:ListJobExecutionInstanceTrend	-
emr:ListJobExecutionInstances	-
emr:ListJobExecutionPlanHierarchy	-
emr:ListJobInstanceWorkers	-
emr:ListJobMigrateInfo	-
emr:ListKMSKeys	-
emr:ListKafkaReassign	-
emr:ListKafkaReassignForAdmin	-
emr:ListKafkaReassignTopic	-
emr:ListKafkaTopicStatistics	-
emr:ListKafkaTopicStatisticsForAdmin	-
emr:ListKeyPairNames	-
emr:ListLibraries	-
emr:ListLibraryInstallTasks	-
emr:ListLibraryStatus	-
emr:ListLocalDiskComponentInfo	-
emr:ListMetaCluster	-
emr:ListMetaDataSourceForOuter	-
emr:ListMetaDatabaseForOuter	-
emr:ListMetaTableColumnForOuter	-
emr:ListMetaTableForOuter	-
emr:ListMetaTablePartitionForOuter	-
emr:ListMetastoreTypes	-
emr:ListMetricsToDisplay	-
emr:ListNodeGroupSpecs	-
emr:ListNotes	-
emr:ListOperation	-
emr:ListOperationActivity	-
emr:ListOperationStageInstanceRelation	-
emr:ListOperationTask	-
emr:ListPrivateZones	-
emr:ListRamRole	-
emr:ListRamUsers	-
emr:ListRdsDatabase	-
emr:ListRdsInstance	-
emr:ListRegions	-
emr:ListReleaseVersions	-
emr:ListResourcePoolForAdmin	-
emr:ListScalingActivity	-
emr:ListScalingActivityV2	-
emr:ListScalingConfigItemV2	-
emr:ListScalingGroupV2	-
emr:ListSecurityGroups	-
emr:ListServiceComponentTopology	-
emr:ListSlsProject	-
emr:ListStack	-
emr:ListStackService	-
emr:ListStreamingSqlQuery	-
emr:ListSupportedServiceName	-
emr:ListTagKeys	-
emr:ListTagValues	-
emr:ListUserStatistics	-
emr:ListVpcInfo	-
emr:ListVswitch	-
emr:ManageUserPlatform	-
emr:MetastoreCreateDatabase	-
emr:MetastoreCreateKafkaTopic	-
emr:MetastoreCreateTable	-
emr:MetastoreDataPreview	-
emr:MetastoreDeleteKafkaTopic	-
emr:MetastoreDescribeDataSource	-
emr:MetastoreDescribeDatabase	-
emr:MetastoreDescribeKafkaConsumerGroup	-
emr:MetastoreDescribeKafkaTopic	-
emr:MetastoreDescribeTable	-
emr:MetastoreDescribeTask	-
emr:MetastoreDropDatabase	-
emr:MetastoreDropTable	-
emr:MetastoreListDataSource	-
emr:MetastoreListDataSourceForAdmin	-
emr:MetastoreListDatabases	-
emr:MetastoreListKafkaConsumerGroup	-
emr:MetastoreListKafkaTopic	-
emr:MetastoreListKafkaTopicForAdmin	-
emr:MetastoreListTablePartition	-
emr:MetastoreListTables	-
emr:MetastoreListTask	-
emr:MetastoreRetryTask	-
emr:MetastoreSearchTables	-
emr:MetastoreSync	-
emr:MetastoreUpdateKafkaTopic	-
emr:MetastoreUpdateKafkaTopicBatch	-
emr:MetastoreUpdateTable	-
emr:MigrateJobs	-
emr:ModifyAlertContact	-
emr:ModifyAlertDingDingGroup	-
emr:ModifyAlertUserGroup	-
emr:ModifyClusterBootstrapAction	-
emr:ModifyClusterTemplate	-
emr:ModifyExecutionPlanBasicInfo	-
emr:ModifyFlow	-
emr:ModifyFlowProject	-
emr:ModifyFlowProjectClusterSetting	-
emr:ModifyFlowProjectGeneralSetting	-
emr:ModifyFlowVariableCollection	-
emr:ModifyHealthRuleConfig	-
emr:ModifyJob	-
emr:ModifyJobExecutionPlanFolder	-
emr:ModifyJobExecutionPlanParam	-
emr:ModifyScalingConfigItemV2	-
emr:ModifyScalingGroupV2	-
emr:ModifyScalingRule	-
emr:ModifyUserChannelInfo	-
emr:ModifyUserStatistics	-
emr:PassRole	-
emr:PreCheckClusterBootstrapAction	-
emr:QueryGrafanaData	-
emr:QueryInfoByToken	-
emr:QueryLogKey	-
emr:QueryPrice	-
emr:QuerySlsMetricData	-
emr:QueryUserByToken	-
emr:QueryUserByUid	-
emr:QueryUserFromMns	-
emr:QueryUserPolicy	-
emr:RefreshClusterResourcePool	-
emr:ReleaseCluster	-
emr:ReleaseClusterForAdmin	-
emr:RemoveBackupRule	-
emr:RemoveDisasterRecoveryPlan	-
emr:RenewClusterForAdmin	-
emr:RerunExecutionPlan	-
emr:ResizeCluster	-
emr:ResizeClusterV2	-
emr:ResolveUser	-
emr:RestoreBackup	-
emr:RestoreDisasterRecovery	-
emr:ResumeExecutionPlan	-
emr:ResumeExecutionPlanScheduler	-
emr:RunApiTemplate	Runs a specified API template.
emr:RunClusterServiceActionForAdmin	-
emr:RunExecutionPlan	-
emr:RunNote	-
emr:RunParagraph	-
emr:SearchUsers	-
emr:StartApplication	-
emr:StopApplication	-
emr:SubmitFlow	-
emr:SubmitFlowJob	-
emr:SuspendExecutionPlan	-
emr:SuspendExecutionPlanScheduler	-
emr:SyncDataSourceSchema	-
emr:SyncDataSourceSchemaForAdmin	-
emr:SyncUserPassword	-
emr:SyncUserToFlow	-
emr:TagResources	-
emr:UninstallLibraries	-
emr:UnsubscribeUser	-
emr:UntagResources	-
emr:UpdateApiTemplate	Updates a specified API template.
emr:UpdateApplication	-
emr:UpdateBackupPlan	-
emr:UpdateBackupRule	-
emr:UpdateDisasterRecoveryPlan	-
emr:UpdateGlobalConfigs	-

For operations that do not support resource group authorization, setting the resource scope to resource group level will have no effect. If a RAM user requires these permissions, you must create a custom policy and set the resource scope to account level.

Below are two custom policy examples. Adjust the content as needed.

Allows all read-only operations that do not support resource group-level authorization. The Action element lists these operations.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "emr:GetApiTemplate",
        "emr:GetApplicationActions",
        "emr:GetAuditLogs",
        "emr:GetBackPlanInfo",
        "emr:GetBackupInfo",
        "emr:GetBackupRuleInfo",
        "emr:GetClusterCost",
        "emr:GetCostUploadSignature",
        "emr:GetDisasterRecoveryPlan",
        "emr:GetDoctorComputeSummary",
        "emr:GetDoctorHBaseRegion",
        "emr:GetDoctorHBaseRegionServer",
        "emr:GetDoctorHBaseTable",
        "emr:GetDoctorHDFSCluster",
        "emr:GetDoctorHDFSDirectory",
        "emr:GetFlowAgentTrackStatus",
        "emr:GetFlowAuditLogs",
        "emr:GetFlowEntityRelationGraph",
        "emr:GetMetadataTypeList",
        "emr:GetOverview",
        "emr:GetPriceForCreate",
        "emr:GetPriceForCreateOnKubeCluster",
        "emr:GetReleaseVersion",
        "emr:GetSlsTempToken",
        "emr:GetSupportApplications",
        "emr:ListAdviceAction",
        "emr:ListAlertContacts",
        "emr:ListApmMetadata",
        "emr:ListApplicationConfigVersions",
        "emr:ListBackupPlans",
        "emr:ListBackupRules",
        "emr:ListBackups",
        "emr:ListClusterAttach",
        "emr:ListClusterBootstrapActions",
        "emr:ListClusterCosts",
        "emr:ListClusterForAdmin",
        "emr:ListClusterForOuter",
        "emr:ListClusterHostComponentForAdmin",
        "emr:ListClusterOperationHostTask",
        "emr:ListClusterServiceConfigHistoryForAdmin",
        "emr:ListClusterTag",
        "emr:ListClusterTagForAdmin",
        "emr:ListClusterTypes",
        "emr:ListComponentDefaultTopologies",
        "emr:ListDependApplications",
        "emr:ListDisasterRecoveryPlans",
        "emr:ListDisasterRecoveryRecords",
        "emr:ListDiskOpsEvents",
        "emr:ListDoctorComputeSummary",
        "emr:ListDoctorHBaseRegionServers",
        "emr:ListDoctorHBaseTables",
        "emr:ListDoctorJobsStats",
        "emr:ListEcsInstances",
        "emr:ListEmrAvailableConfig",
        "emr:ListEmrAvailableMetaType",
        "emr:ListEmrAvailableResource",
        "emr:ListEmrMainVersion",
        "emr:ListEmrMainVersionServiceGroup",
        "emr:ListEmrMainVersions",
        "emr:ListExecutePlanMigrateInfo",
        "emr:ListExecutionPlanInstanceTrend",
        "emr:ListFailureJobExecutionInstances",
        "emr:ListFeatures",
        "emr:ListFlowClusterAllHosts",
        "emr:ListFlowClusterK8sNamespace",
        "emr:ListFlowEntitySnapshot",
        "emr:ListFlowProjectClusterSetting",
        "emr:ListFlowProjectUser",
        "emr:ListGlobalConfigs",
        "emr:ListHealthRule",
        "emr:ListJobExecutionInstanceTrend",
        "emr:ListJobExecutionInstances",
        "emr:ListJobExecutionPlanHierarchy",
        "emr:ListJobInstanceWorkers",
        "emr:ListJobMigrateInfo",
        "emr:ListKMSKeys",
        "emr:ListKafkaReassign",
        "emr:ListKafkaReassignForAdmin",
        "emr:ListKafkaReassignTopic",
        "emr:ListKafkaTopicStatistics",
        "emr:ListKafkaTopicStatisticsForAdmin",
        "emr:ListKeyPairNames",
        "emr:ListLibraries",
        "emr:ListLibraryInstallTasks",
        "emr:ListLibraryStatus",
        "emr:ListLocalDiskComponentInfo",
        "emr:ListMetaCluster",
        "emr:ListMetaDataSourceForOuter",
        "emr:ListMetaDatabaseForOuter",
        "emr:ListMetaTableColumnForOuter",
        "emr:ListMetaTableForOuter",
        "emr:ListMetaTablePartitionForOuter",
        "emr:ListMetastoreTypes",
        "emr:ListMetricsToDisplay",
        "emr:ListNodeGroupSpecs",
        "emr:ListNotes",
        "emr:ListOperation",
        "emr:ListOperationActivity",
        "emr:ListOperationStageInstanceRelation",
        "emr:ListOperationTask",
        "emr:ListPrivateZones",
        "emr:ListRamRole",
        "emr:ListRamUsers",
        "emr:ListRdsDatabase",
        "emr:ListRdsInstance",
        "emr:ListRegions",
        "emr:ListReleaseVersions",
        "emr:ListResourcePoolForAdmin",
        "emr:ListScalingActivity",
        "emr:ListScalingActivityV2",
        "emr:ListScalingConfigItemV2",
        "emr:ListScalingGroupV2",
        "emr:ListSecurityGroups",
        "emr:ListServiceComponentTopology",
        "emr:ListSlsProject",
        "emr:ListStack",
        "emr:ListStackService",
        "emr:ListStreamingSqlQuery",
        "emr:ListSupportedServiceName",
        "emr:ListTagKeys",
        "emr:ListTagValues",
        "emr:ListUserStatistics",
        "emr:ListVpcInfo",
        "emr:ListVswitch",
        "emr:QueryGrafanaData",
        "emr:QueryInfoByToken",
        "emr:QueryLogKey",
        "emr:QueryPrice",
        "emr:QuerySlsMetricData",
        "emr:QueryTableData",
        "emr:QueryTrendData",
        "emr:QueryUserById"
      ],
      "Resource": "*"
    }
  ]
}

Allows all operations that do not support resource group-level authorization. The Action element lists these operations.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "emr:AttachCluster",
        "emr:AttachClusterForNote",
        "emr:AuthRealName",
        "emr:BindPrivateZoneVpc",
        "emr:CheckAssumeRole",
        "emr:CheckDLFCatalogAuth",
        "emr:CheckProductActiveStatus",
        "emr:CheckRenewClusterForAdmin",
        "emr:CheckUserBalance",
        "emr:CheckUserRole",
        "emr:CleanupFlowEntitySnapshot",
        "emr:CommitFlowEntitySnapshot",
        "emr:CommonApiWhiteList",
        "emr:CreateAlertContact",
        "emr:CreateAlertDingDingGroup",
        "emr:CreateAlertUserGroup",
        "emr:CreateBackup",
        "emr:CreateBackupPlan",
        "emr:CreateBackupRule",
        "emr:CreateCloudNativeCluster",
        "emr:CreateClusterBootstrapAction",
        "emr:CreateClusterCost",
        "emr:CreateClusterEni",
        "emr:CreateClusterTemplate",
        "emr:CreateClusterV3",
        "emr:CreateClusterWithTemplate",
        "emr:CreateClusterWithTemplateForInternal",
        "emr:CreateDisasterRecoveryPlan",
        "emr:CreateExternalUsers",
        "emr:CreateFlowProject",
        "emr:CreateFlowProjectClusterSetting",
        "emr:CreateJob",
        "emr:CreateJobExecutionPlanFolder",
        "emr:CreateLibrary",
        "emr:CreateMetaTablePreviewTask",
        "emr:CreateMetaTablePreviewTaskForOuter",
        "emr:CreateNote",
        "emr:CreateOnKubeCluster",
        "emr:CreateParagraph",
        "emr:CreateScalingGroupV2",
        "emr:CreateUserPassword",
        "emr:CreateUserStatistics",
        "emr:CreateVerificationCode",
        "emr:DeleteAlertContacts",
        "emr:DeleteAlertDingDingGroups",
        "emr:DeleteAlertUserGroups",
        "emr:DeleteApiTemplate",
        "emr:DeleteApplication",
        "emr:DeleteClusterBootstrapAction",
        "emr:DeleteClusterScript",
        "emr:DeleteClusterTemplate",
        "emr:DeleteDiagnoseReport",
        "emr:DeleteDisasterRecoveryPlan",
        "emr:DeleteExecutionPlan",
        "emr:DeleteFlowEditLock",
        "emr:DeleteFlowProject",
        "emr:DeleteFlowProjectById",
        "emr:DeleteFlowProjectClusterSetting",
        "emr:DeleteFlowProjectUser",
        "emr:DeleteJob",
        "emr:DeleteJobExecutionPlanFolder",
        "emr:DeleteJobExecutionPlanParam",
        "emr:DeleteLibraries",
        "emr:DeleteNote",
        "emr:DeleteParagraph",
        "emr:DeleteScalingRule",
        "emr:DeleteScalingTaskGroup",
        "emr:DeleteUsers",
        "emr:DescribeAvailableInstanceType",
        "emr:DescribeClusterForInternal",
        "emr:DescribeClusterForOuter",
        "emr:DescribeClusterHealth",
        "emr:DescribeClusterOperationHostTaskLog",
        "emr:DescribeClusterResourcePoolSchedulerTypeForAdmin",
        "emr:DescribeClusterServiceConfigForAdmin",
        "emr:DescribeClusterServiceConfigTagForAdmin",
        "emr:DescribeClusterTemplate",
        "emr:DescribeDiskOpsActivity",
        "emr:DescribeEmrMainVersion",
        "emr:DescribeExecutionPlan",
        "emr:DescribeFlowAgentToken",
        "emr:DescribeFlowAgentUser",
        "emr:DescribeFlowEntitySnapshot",
        "emr:DescribeFlowNodeInstanceContainerLog",
        "emr:DescribeFlowProjectClusterSetting",
        "emr:DescribeJob",
        "emr:DescribeKafkaReassign",
        "emr:DescribeLibraryDetail",
        "emr:DescribeLibraryInstallTaskDetail",
        "emr:DescribeMetaDataSourceForOuter",
        "emr:DescribeMetaDatabaseForOuter",
        "emr:DescribeMetaTableColumnForOuter",
        "emr:DescribeMetaTablePartitionForOuter",
        "emr:DescribeMetaTablePreviewTask",
        "emr:DescribeMetaTablePreviewTaskForOuter",
        "emr:DescribeNote",
        "emr:DescribeOperationTask",
        "emr:DescribeParagraph",
        "emr:DescribeRdsInstance",
        "emr:DescribeScalingActivity",
        "emr:DescribeScalingCommonConfig",
        "emr:DescribeScalingGroupInstanceV2",
        "emr:DescribeScalingGroupV2",
        "emr:DescribeScalingMetrics",
        "emr:DescribeScalingRule",
        "emr:DescribeScalingTaskGroup",
        "emr:DescribeServiceConfigDefinition",
        "emr:DescribeServiceHealth",
        "emr:DescribeUserStatistics",
        "emr:DetachAndReleaseClusterEni",
        "emr:DetachCluster",
        "emr:DetachClusterForNote",
        "emr:DiffFlowEntitySnapshot",
        "emr:DumpMetaDataSourceForOuter",
        "emr:EnableApplication",
        "emr:ExecuteFsAction",
        "emr:ExecuteHiveSql",
        "emr:ExistsUser",
        "emr:GetApiTemplate",
        "emr:GetApplicationActions",
        "emr:GetAuditLogs",
        "emr:GetBackPlanInfo",
        "emr:GetBackupInfo",
        "emr:GetBackupRuleInfo",
        "emr:GetClusterCost",
        "emr:GetCostUploadSignature",
        "emr:GetDisasterRecoveryPlan",
        "emr:GetDoctorComputeSummary",
        "emr:GetDoctorHBaseRegion",
        "emr:GetDoctorHBaseRegionServer",
        "emr:GetDoctorHBaseTable",
        "emr:GetDoctorHDFSCluster",
        "emr:GetDoctorHDFSDirectory",
        "emr:GetFlowAgentTrackStatus",
        "emr:GetFlowAuditLogs",
        "emr:GetFlowEntityRelationGraph",
        "emr:GetMetadataTypeList",
        "emr:GetOverview",
        "emr:GetPriceForCreate",
        "emr:GetPriceForCreateOnKubeCluster",
        "emr:GetReleaseVersion",
        "emr:GetSlsTempToken",
        "emr:GetSupportApplications",
        "emr:HasRamOauthPolicy",
        "emr:IncreaseNodesDiskSize",
        "emr:InnerCheckAckInstance",
        "emr:InnerDescribeUserAccountStatus",
        "emr:InstallLibraries",
        "emr:KillExecutionJobInstance",
        "emr:KillExecutionPlanInstance",
        "emr:ListAdviceAction",
        "emr:ListAlertContacts",
        "emr:ListApmMetadata",
        "emr:ListApplicationConfigVersions",
        "emr:ListBackupPlans",
        "emr:ListBackupRules",
        "emr:ListBackups",
        "emr:ListClusterAttach",
        "emr:ListClusterBootstrapActions",
        "emr:ListClusterCosts",
        "emr:ListClusterForAdmin",
        "emr:ListClusterForOuter",
        "emr:ListClusterHostComponentForAdmin",
        "emr:ListClusterOperationHostTask",
        "emr:ListClusterServiceConfigHistoryForAdmin",
        "emr:ListClusterTag",
        "emr:ListClusterTagForAdmin",
        "emr:ListClusterTypes",
        "emr:ListComponentDefaultTopologies",
        "emr:ListDependApplications",
        "emr:ListDisasterRecoveryPlans",
        "emr:ListDisasterRecoveryRecords",
        "emr:ListDiskOpsEvents",
        "emr:ListDoctorComputeSummary",
        "emr:ListDoctorHBaseRegionServers",
        "emr:ListDoctorHBaseTables",
        "emr:ListDoctorJobsStats",
        "emr:ListEcsInstances",
        "emr:ListEmrAvailableConfig",
        "emr:ListEmrAvailableMetaType",
        "emr:ListEmrAvailableResource",
        "emr:ListEmrMainVersion",
        "emr:ListEmrMainVersionServiceGroup",
        "emr:ListEmrMainVersions",
        "emr:ListExecutePlanMigrateInfo",
        "emr:ListExecutionPlanInstanceTrend",
        "emr:ListFailureJobExecutionInstances",
        "emr:ListFeatures",
        "emr:ListFlowClusterAllHosts",
        "emr:ListFlowClusterK8sNamespace",
        "emr:ListFlowEntitySnapshot",
        "emr:ListFlowProjectClusterSetting",
        "emr:ListFlowProjectUser",
        "emr:ListGlobalConfigs",
        "emr:ListHealthRule",
        "emr:ListJobExecutionInstanceTrend",
        "emr:ListJobExecutionInstances",
        "emr:ListJobExecutionPlanHierarchy",
        "emr:ListJobInstanceWorkers",
        "emr:ListJobMigrateInfo",
        "emr:ListKMSKeys",
        "emr:ListKafkaReassign",
        "emr:ListKafkaReassignForAdmin",
        "emr:ListKafkaReassignTopic",
        "emr:ListKafkaTopicStatistics",
        "emr:ListKafkaTopicStatisticsForAdmin",
        "emr:ListKeyPairNames",
        "emr:ListLibraries",
        "emr:ListLibraryInstallTasks",
        "emr:ListLibraryStatus",
        "emr:ListLocalDiskComponentInfo",
        "emr:ListMetaCluster",
        "emr:ListMetaDataSourceForOuter",
        "emr:ListMetaDatabaseForOuter",
        "emr:ListMetaTableColumnForOuter",
        "emr:ListMetaTableForOuter",
        "emr:ListMetaTablePartitionForOuter",
        "emr:ListMetastoreTypes",
        "emr:ListMetricsToDisplay",
        "emr:ListNodeGroupSpecs",
        "emr:ListNotes",
        "emr:ListOperation",
        "emr:ListOperationActivity",
        "emr:ListOperationStageInstanceRelation",
        "emr:ListOperationTask",
        "emr:ListPrivateZones",
        "emr:ListRamRole",
        "emr:ListRamUsers",
        "emr:ListRdsDatabase",
        "emr:ListRdsInstance",
        "emr:ListRegions",
        "emr:ListReleaseVersions",
        "emr:ListResourcePoolForAdmin",
        "emr:ListScalingActivity",
        "emr:ListScalingActivityV2",
        "emr:ListScalingConfigItemV2",
        "emr:ListScalingGroupV2",
        "emr:ListSecurityGroups",
        "emr:ListServiceComponentTopology",
        "emr:ListSlsProject",
        "emr:ListStack",
        "emr:ListStackService",
        "emr:ListStreamingSqlQuery",
        "emr:ListSupportedServiceName",
        "emr:ListTagKeys",
        "emr:ListTagValues",
        "emr:ListUserStatistics",
        "emr:ListVpcInfo",
        "emr:ListVswitch",
        "emr:ManageUserPlatform",
        "emr:MetastoreCreateDatabase",
        "emr:MetastoreCreateKafkaTopic",
        "emr:MetastoreCreateTable",
        "emr:MetastoreDataPreview",
        "emr:MetastoreDeleteKafkaTopic",
        "emr:MetastoreDescribeDataSource",
        "emr:MetastoreDescribeDatabase",
        "emr:MetastoreDescribeKafkaConsumerGroup",
        "emr:MetastoreDescribeKafkaTopic",
        "emr:MetastoreDescribeTable",
        "emr:MetastoreDescribeTask",
        "emr:MetastoreDropDatabase",
        "emr:MetastoreDropTable",
        "emr:MetastoreListDataSource",
        "emr:MetastoreListDataSourceForAdmin",
        "emr:MetastoreListDatabases",
        "emr:MetastoreListKafkaConsumerGroup",
        "emr:MetastoreListKafkaTopic",
        "emr:MetastoreListKafkaTopicForAdmin",
        "emr:MetastoreListTablePartition",
        "emr:MetastoreListTables",
        "emr:MetastoreListTask",
        "emr:MetastoreRetryTask",
        "emr:MetastoreSearchTables",
        "emr:MetastoreSync",
        "emr:MetastoreUpdateKafkaTopic",
        "emr:MetastoreUpdateKafkaTopicBatch",
        "emr:MetastoreUpdateTable",
        "emr:MigrateJobs",
        "emr:ModifyAlertContact",
        "emr:ModifyAlertDingDingGroup",
        "emr:ModifyAlertUserGroup",
        "emr:ModifyClusterBootstrapAction",
        "emr:ModifyClusterTemplate",
        "emr:ModifyExecutionPlanBasicInfo",
        "emr:ModifyFlow",
        "emr:ModifyFlowProject",
        "emr:ModifyFlowProjectClusterSetting",
        "emr:ModifyFlowProjectGeneralSetting",
        "emr:ModifyFlowVariableCollection",
        "emr:ModifyHealthRuleConfig",
        "emr:ModifyJob",
        "emr:ModifyJobExecutionPlanFolder",
        "emr:ModifyJobExecutionPlanParam",
        "emr:ModifyScalingConfigItemV2",
        "emr:ModifyScalingGroupV2",
        "emr:ModifyScalingRule",
        "emr:ModifyUserChannelInfo",
        "emr:ModifyUserStatistics",
        "emr:PassRole",
        "emr:PreCheckClusterBootstrapAction",
        "emr:QueryGrafanaData",
        "emr:QueryInfoByToken",
        "emr:QueryLogKey",
        "emr:QueryPrice",
        "emr:QuerySlsMetricData",
        "emr:QueryTableData",
        "emr:QueryTrendData",
        "emr:QueryUserById",
        "emr:ReassignKafka",
        "emr:RefreshBackupList",
        "emr:RemoveBackupPlan",
        "emr:RemoveBackupRule",
        "emr:RemoveScalingConfigItemV2",
        "emr:RestoreBackup",
        "emr:RestoreFlowEntitySnapshot",
        "emr:ResumeExecutionPlanInstance",
        "emr:ResumeExecutionPlanScheduler",
        "emr:ResumeFlow",
        "emr:RetryCreateLdapUser",
        "emr:RetryCreateUserPassword",
        "emr:RetryExecutionPlan",
        "emr:RetryExecutionPlanInstance",
        "emr:RetryOperationActivity",
        "emr:RunApiTemplate",
        "emr:RunDisasterRecoveryPlan",
        "emr:RunDiskOpsActivity",
        "emr:RunExecutionPlan",
        "emr:RunNoteParagraphs",
        "emr:RunParagraph",
        "emr:RunScalingActionV2",
        "emr:SaveParagraph",
        "emr:SaveReport",
        "emr:StartFlow",
        "emr:StartKafkaPreferredReplicaElection",
        "emr:StopParagraph",
        "emr:SuspendExecutionPlanInstance",
        "emr:SuspendExecutionPlanScheduler",
        "emr:UninstallLibraries",
        "emr:UpdateClusterCost",
        "emr:UpdateClusterMetaCollect",
        "emr:UpdateDisasterRecoveryPlan",
        "emr:UpdateKafkaReassignParam",
        "emr:UpdateLibraryInstallTaskStatus",
        "emr:UpdateNodeMaintenanceStatus",
        "emr:UpgradeHistory",
        "emr:UploadCostBucket",
        "emr:describeOperationTask",
        "emr:queryTableData",
        "emr:queryTrendData"
      ],
      "Resource": "*"
    }
  ]
}

Important

A RAM user or RAM role with account-level permissions can manage all resources within the account. Ensure you grant only necessary permissions and strictly follow the principle of least privilege.

FAQ

Check the resource group of a resource

Method 1: Click the resource name to go to its details page. You can view the resource group on this page.
Method 2: Log in to the Resource Management console and click Resource Center > Resource Search. In the navigation pane on the left, select the account to which the resource belongs (defaults to current account). Use the filters to locate the target resource. You can then view its resource group.

View product resources in a resource group

Method 1: Log in to the Resource Management console and click Resource Center > Resource Search. In the navigation pane on the left, under the account section (defaults to current account), click the name of the target resource group. Then, on the right, select the product from the Select Resource Type dropdown list to view all its resources in that resource group.
Method 2: Log in to the Resource Management console and click Resource Groups > Resource Groups. Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the product from the Product dropdown list at the top to view all its resources in the resource group.

Bulk transfer resources to a resource group

Log in to the Resource Management console and click Resource Groups > Resource Groups. In the target resource group's row, click Resource Management in the Actions column to go to the Resource Management page. Use the filters to locate the target resources. Select the checkboxes for the resources in the first column, click Transfer Resource Group at the bottom, and then follow the on-screen prompts to complete the transfer.