E-MapReduce:Use resource groups for fine-grained resource control

Last Updated:Apr 23, 2026

When you use resource groups to manage resources, you can combine them with RAM to isolate resources and apply fine-grained permission management within a single Alibaba Cloud account. This topic explains how EMR Serverless StarRocks supports resource groups and how to grant resource group-level permissions.

How it works

You can use resource groups to organize and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move its resources into that group to manage them centrally. For more information, see What is a resource group?.

Once your resources are grouped, you can grant permissions for a specific resource group to different principals, such as RAM users, RAM user groups, or RAM roles. This restricts the principal's access to only the resources within that group. For more information, see Resource grouping and authorization.

This approach offers the following benefits:

  • Fine-grained permissions: Ensures each identity has only the permissions it needs. This isolates resources by project and prevents accidental management across different projects.

  • Scalability: When you add a resource to the resource group, the assigned principal automatically has the necessary permissions for it, with no additional authorization required.

Grant group-level permissions to a RAM user

This section explains how to grant a RAM user permissions for EMR Serverless StarRocks resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move the required resources into it. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer a resource to another resource group.

2. Grant resource group-level permissions

You can grant resource group-level permissions in either of the following ways.

Method 1: Resource Management console

Use the permission management feature of resource groups to grant permissions to a specified RAM user. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.

  • On the Permissions tab, click Grant Permission.

  • In the Grant Permission panel, configure the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Policy: Select a system policy or a custom policy. For more information about how to create a custom policy, see Create a custom permission policy.

  • Click OK.

Method 2: RAM console

Grant resource group-level permissions to a specified RAM user in the RAM console. For more information, see Manage RAM user permissions.

  • Log on to the RAM console with your Alibaba Cloud account (main account) or as a RAM administrator.

  • In the left navigation bar, select Identities > Users. On the Users page, click Add Permissions in the Actions column of the target RAM user.

  • In the Add Permissions panel, grant permissions to the RAM user.

    • Authorization Scope: Select Specific Resource Group.

    • Principal: Select an existing RAM user or the RAM user you created earlier.

    • Policy: Select a system policy or a custom policy. For more information about how to create a custom policy, see Create a custom permission policy.

  • Click OK.

Supported resource types

The following table lists the resource types in EMR Serverless StarRocks that support resource groups.

Cloud service | Service code | Resource type
EMR Serverless StarRocks | starrocks | instance

Note

If a resource type does not yet support resource groups, you can submit feedback through the Resource Management console.

Actions without resource group authorization

The following EMR Serverless StarRocks Actions do not support resource group-level authorization:

Action | Description
sr:AddBackupPolicy | -
sr:ApplyScalingRules | -
sr:CancelBackupTask | -
sr:CheckInventory | -
sr:CreateInnerIpWhitelistGroup | -
sr:CreateInstance | -
sr:CreateInstanceV1 | Creates an EMR Serverless StarRocks instance.
sr:CreateNodeGroup | -
sr:CreateScalingRule | -
sr:CreateServiceLinkedRole | Creates the AliyunServiceRoleForEMRStarRocks role for a user.
sr:DeleteBackupPolicy | -
sr:DeleteGateway | -
sr:DeleteInnerIpWhitelistGroup | -
sr:DeleteScalingRule | -
sr:DescribeBackups | -
sr:DescribeElasticScalingTasks | -
sr:DescribeEventNames | -
sr:DescribeEvents | -
sr:DescribeMaintainableTimePeriods | -
sr:DescribeTimeTriggerScalingRules | -
sr:DiagnosticWorkloadResultV1 | -
sr:DiagnosticWorkloadTaskMetricsV1 | -
sr:DiagnosticWorkloadTasksV1 | -
sr:DiagnosticWorkloadV1 | -
sr:EnableMultiAz | -
sr:EnableSSLConnection | -
sr:GetDmsConnectionInfo | -
sr:GetFeatureGate | -
sr:InnerDescribeNodeGroups | -
sr:InstallAuditLoader | -
sr:KillBigQuery | -
sr:ListKmsKeys | -
sr:ListTagResources | -
sr:ModifyScalingRule | -
sr:QueryApmComponents | -
sr:QueryCreateNodeGroupPrice | -
sr:QueryEnableMultiAzPrice | -
sr:QueryMinorVersion | -
sr:QueryPrice | -
sr:QueryPriceV1 | -
sr:RestartNodeGroup | -
sr:RestoreInstance | -
sr:RollbackUpgradeVersion | -
sr:TagResources | Adds tags to specified resources.
sr:ToggleAutoMinorVersionUpgrade | -
sr:UnTagResources | Removes tags from specified resources.
sr:UninstallAuditLoader | -
sr:UpdateBackup | -
sr:UpdateBackupPolicy | -
sr:UpdateGateway | -
sr:UpdateInnerIpWhitelistGroup | -
sr:UpdateNodeGroupDescription | -

For Actions that do not support resource group-level authorization, setting the resource scope to resource group level has no effect. If a RAM user needs permissions for these Actions, you must grant them at the account level using a custom permission policy.

The following are two examples of custom permission policies. You can modify them to fit your business requirements.

  • Allow all read-only Actions that do not support resource group-level authorization, as specified in the Action element below.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sr:CheckInventory",
            "sr:DescribeBackups",
            "sr:DescribeElasticScalingTasks",
            "sr:DescribeEventNames",
            "sr:DescribeEvents",
            "sr:DescribeMaintainableTimePeriods",
            "sr:DescribeTimeTriggerScalingRules",
            "sr:GetDmsConnectionInfo",
            "sr:GetFeatureGate",
            "sr:ListKmsKeys",
            "sr:ListTagResources",
            "sr:QueryApmComponents",
            "sr:QueryCreateNodeGroupPrice",
            "sr:QueryEnableMultiAzPrice",
            "sr:QueryMinorVersion",
            "sr:QueryPrice",
            "sr:QueryPriceV1"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allow all Actions that do not support resource group-level authorization, as specified in the Action element below.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sr:AddBackupPolicy",
            "sr:ApplyScalingRules",
            "sr:CancelBackupTask",
            "sr:CheckInventory",
            "sr:CreateInnerIpWhitelistGroup",
            "sr:CreateInstance",
            "sr:CreateInstanceV1",
            "sr:CreateNodeGroup",
            "sr:CreateScalingRule",
            "sr:CreateServiceLinkedRole",
            "sr:DeleteBackupPolicy",
            "sr:DeleteGateway",
            "sr:DeleteInnerIpWhitelistGroup",
            "sr:DeleteScalingRule",
            "sr:DescribeBackups",
            "sr:DescribeElasticScalingTasks",
            "sr:DescribeEventNames",
            "sr:DescribeEvents",
            "sr:DescribeMaintainableTimePeriods",
            "sr:DescribeTimeTriggerScalingRules",
            "sr:DiagnosticWorkloadResultV1",
            "sr:DiagnosticWorkloadTaskMetricsV1",
            "sr:DiagnosticWorkloadTasksV1",
            "sr:DiagnosticWorkloadV1",
            "sr:EnableMultiAz",
            "sr:EnableSSLConnection",
            "sr:GetDmsConnectionInfo",
            "sr:GetFeatureGate",
            "sr:InnerDescribeNodeGroups",
            "sr:InstallAuditLoader",
            "sr:KillBigQuery",
            "sr:ListKmsKeys",
            "sr:ListTagResources",
            "sr:ModifyScalingRule",
            "sr:QueryApmComponents",
            "sr:QueryCreateNodeGroupPrice",
            "sr:QueryEnableMultiAzPrice",
            "sr:QueryMinorVersion",
            "sr:QueryPrice",
            "sr:QueryPriceV1",
            "sr:RestartNodeGroup",
            "sr:RestoreInstance",
            "sr:RollbackUpgradeVersion",
            "sr:TagResources",
            "sr:ToggleAutoMinorVersionUpgrade",
            "sr:UnTagResources",
            "sr:UninstallAuditLoader",
            "sr:UpdateBackup",
            "sr:UpdateBackupPolicy",
            "sr:UpdateGateway",
            "sr:UpdateInnerIpWhitelistGroup",
            "sr:UpdateNodeGroupDescription"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can operate on all resources in the account. Always grant permissions according to the principle of least privilege and verify that they are correctly scoped.
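The practical consequence of the table above and of the two policies is that a custom policy has to be split by scope: Actions in the table only take effect when attached account-wide, while everything else should stay scoped to a resource group. The following script is an added example (not an Alibaba Cloud tool or API) that audits a policy document against the page's list. The `authorization_scope` argument mirrors the console's Authorization Scope setting ("resource_group" or "account"); the read-only classification by verb prefix is a heuristic of this example, and `sr:ExampleGroupScopedAction` in the test is a hypothetical Action name used only to show the split.

```python
"""Audit a RAM custom policy for EMR Serverless StarRocks (added example, not an
Alibaba Cloud tool): flag grants whose resource group scope has no effect, and
flag account-wide write grants that deserve a least-privilege review."""
import json

# Actions this page lists as NOT supporting resource group-level authorization.
# Scoping a grant that contains any of them to a resource group has no effect.
ACTIONS_WITHOUT_RG_SUPPORT = frozenset({
    "sr:AddBackupPolicy", "sr:ApplyScalingRules", "sr:CancelBackupTask",
    "sr:CheckInventory", "sr:CreateInnerIpWhitelistGroup", "sr:CreateInstance",
    "sr:CreateInstanceV1", "sr:CreateNodeGroup", "sr:CreateScalingRule",
    "sr:CreateServiceLinkedRole", "sr:DeleteBackupPolicy", "sr:DeleteGateway",
    "sr:DeleteInnerIpWhitelistGroup", "sr:DeleteScalingRule", "sr:DescribeBackups",
    "sr:DescribeElasticScalingTasks", "sr:DescribeEventNames", "sr:DescribeEvents",
    "sr:DescribeMaintainableTimePeriods", "sr:DescribeTimeTriggerScalingRules",
    "sr:DiagnosticWorkloadResultV1", "sr:DiagnosticWorkloadTaskMetricsV1",
    "sr:DiagnosticWorkloadTasksV1", "sr:DiagnosticWorkloadV1", "sr:EnableMultiAz",
    "sr:EnableSSLConnection", "sr:GetDmsConnectionInfo", "sr:GetFeatureGate",
    "sr:InnerDescribeNodeGroups", "sr:InstallAuditLoader", "sr:KillBigQuery",
    "sr:ListKmsKeys", "sr:ListTagResources", "sr:ModifyScalingRule",
    "sr:QueryApmComponents", "sr:QueryCreateNodeGroupPrice", "sr:QueryEnableMultiAzPrice",
    "sr:QueryMinorVersion", "sr:QueryPrice", "sr:QueryPriceV1", "sr:RestartNodeGroup",
    "sr:RestoreInstance", "sr:RollbackUpgradeVersion", "sr:TagResources",
    "sr:ToggleAutoMinorVersionUpgrade", "sr:UnTagResources", "sr:UninstallAuditLoader",
    "sr:UpdateBackup", "sr:UpdateBackupPolicy", "sr:UpdateGateway",
    "sr:UpdateInnerIpWhitelistGroup", "sr:UpdateNodeGroupDescription",
})

# Heuristic of this example: Check/Describe/Get/List/Query Actions are read-only.
READ_ONLY_PREFIXES = ("sr:Check", "sr:Describe", "sr:Get", "sr:List", "sr:Query")

# The Action list of the page's first (read-only) example policy, verbatim.
READ_ONLY_ACTIONS = (
    "sr:CheckInventory", "sr:DescribeBackups", "sr:DescribeElasticScalingTasks",
    "sr:DescribeEventNames", "sr:DescribeEvents", "sr:DescribeMaintainableTimePeriods",
    "sr:DescribeTimeTriggerScalingRules", "sr:GetDmsConnectionInfo", "sr:GetFeatureGate",
    "sr:ListKmsKeys", "sr:ListTagResources", "sr:QueryApmComponents",
    "sr:QueryCreateNodeGroupPrice", "sr:QueryEnableMultiAzPrice", "sr:QueryMinorVersion",
    "sr:QueryPrice", "sr:QueryPriceV1",
)


def _policy(actions):
    """Build a policy in the page's shape: one Allow statement on Resource "*"."""
    return json.dumps({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]})


READ_ONLY_POLICY = _policy(READ_ONLY_ACTIONS)       # the page's first example
FULL_POLICY = _policy(ACTIONS_WITHOUT_RG_SUPPORT)   # the page's second example


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    return action.startswith(READ_ONLY_PREFIXES)


def plan_grants(actions):
    """Split wanted Actions into those that can be granted at resource group
    scope and those that must be granted account-wide, as the page describes."""
    account_only = sorted(a for a in actions if a in ACTIONS_WITHOUT_RG_SUPPORT)
    rg_scopable = sorted(a for a in actions if a not in ACTIONS_WITHOUT_RG_SUPPORT)
    return {"resource_group": rg_scopable, "account": account_only}


def audit_policy(policy_json: str, authorization_scope: str) -> list:
    """Return findings for a policy attached with the given Authorization Scope
    ("resource_group" or "account", mirroring the RAM console setting)."""
    if authorization_scope not in ("resource_group", "account"):
        raise ValueError(f"unknown authorization scope: {authorization_scope}")
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement grants nothing, so there is nothing to audit
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action != "*" and not action.startswith("sr:"):
                continue  # Actions of other services are out of scope for this check
            if action.endswith("*"):
                findings.append(f"statement {idx}: wildcard {action} silently includes every "
                                "Action without resource group support; enumerate Actions explicitly")
            elif action in ACTIONS_WITHOUT_RG_SUPPORT:
                if authorization_scope == "resource_group":
                    findings.append(f"statement {idx}: {action} ignores the resource group scope; "
                                    "grant it account-wide in a separate policy")
                elif not is_read_only(action) and "*" in resources:
                    findings.append(f"statement {idx}: {action} is a write Action granted on every "
                                    "resource in the account; confirm least privilege")
            elif authorization_scope == "account":
                findings.append(f"statement {idx}: {action} supports resource group-level "
                                "authorization; attach it with a resource group scope instead")
    return findings


if __name__ == "__main__":
    for scope in ("resource_group", "account"):
        print(f"== page's full policy, scope={scope}: "
              f"{len(audit_policy(FULL_POLICY, scope))} finding(s)")
```

Run against the page's own policies, the read-only policy attached account-wide produces no findings, the same policy attached with a resource group scope produces one finding per Action (the grant would be silently ineffective), and the full policy attached account-wide flags the 35 non-read-only Actions for a least-privilege review. The audit only knows the Actions on this page, so any other `sr:` Action is assumed to support resource group scoping.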

FAQ

Viewing a resource's group

  • Method 1: Click the resource name to go to its details page, where you can find the resource group to which it belongs.

  • Method 2: Log on to the Resource Management console and click Resource Center > Resource Search. In the left-side pane, select the account to which the target resource belongs (the default is Current Account), and use the filter conditions to locate the target resource to view the resource group to which it belongs.

Viewing resources in a group

  • Method 1: Log on to the Resource Management console and click Resource Center > Resource Search. In the left-side pane, under the account that owns the resources (Current Account by default), click the name of the target resource group. Then, in the Select Resource Type section on the right, select the current product to view all resources of the product in the resource group.

  • Method 2: Log on to the Resource Management console, click Resource Group > Resource Group, find the target resource group, and click Manage Resources in the Actions column. Then, on the Manage Resources page, select the product from the Product drop-down list at the top of the page to view all resources for that product in the resource group.

Moving resources to another group

Log on to the Resource Management console, click Resource Group > Resource Group, and in the Actions column for the target resource group, click Resource Management to go to the Resource Management page. Use filters to locate multiple target resources, select the check boxes in the first column, click Move Resource Group at the bottom of the page, and then follow the on-screen instructions to change the resource group.