
Express Connect:Fine-grained control with resource groups

Last Updated:Apr 23, 2026

You can use resource groups in conjunction with RAM to isolate resources and manage fine-grained permissions within a single Alibaba Cloud account. This topic describes how Express Connect supports resource groups and the steps to authorize operations at the resource group level.

Resource group authorization

You can use resource groups to group and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into that group for centralized management. For more information, see What is a resource group?.

After you group your resources, you can grant permissions scoped to a specific resource group to different RAM principals, such as RAM users, RAM user groups, or RAM roles. This restricts each principal to managing only the resources within that group. For more information, see Resource grouping and authorization.

This approach provides the following benefits:

  • Fine-grained permissions: This approach grants each identity only the permissions it needs, isolating resource management for different projects within a single account.

  • Scalability: When you add new resources, you only need to add them to the relevant resource group. The RAM identity automatically gains the appropriate permissions for the new resources, without requiring further authorization.

Grant resource group-level permissions to a RAM user

This section describes how to grant a RAM user permissions for Express Connect resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move existing resources into it. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant resource group-level permissions

You can grant resource group-level permissions using one of the following methods.

Method 1: Resource management console

Use the permission management feature of a resource group to grant permissions to a specific RAM user. For more information, see Grant resource group-scoped permissions to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.

  • On the Permission Management tab, click Grant Permission.

  • In the Grant Permission panel, set the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

  • Click Confirm.

Method 2: RAM console

Use the RAM console to grant resource group-level permissions to a specific RAM user. For more information, see Manage permissions for a RAM user.

  • Log on to the RAM console with your Alibaba Cloud account (root account) or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, grant permissions to the RAM user.

    • Scope: Select Resource Group.

    • Principal: Select an existing RAM user or the one you created in the prerequisites.

    • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

  • Click Confirm.

Resource types that support resource groups

Express Connect supports the following resource types in resource groups:

Cloud service    Cloud service code   Resource type
Express Connect  expressconnect       expressconnectrouter: Express Connect Router
Express Connect  expressconnect       physicalconnection: physical connection
Express Connect  expressconnect       routerinterface: router interface
Express Connect  expressconnect       trafficqos: QoS policy
Express Connect  expressconnect       virtualborderrouter: Virtual Border Router (VBR)

Note

For resource types that are not yet supported by resource groups, you can submit feedback in the Resource Group console.

Operations without resource group authorization

The following Express Connect actions do not support resource group-level authorization:

Actions                                                       Description
expressconnectrouter:CreateCarrierCloudLink                   -
expressconnectrouter:DeleteCarrierCloudLink                   -
expressconnectrouter:DescribeCarrierCloudLink                 -
expressconnectrouter:DescribeCarrierCloudLinks                -
expressconnectrouter:DescribeLineProviders                    -
expressconnectrouter:DescribePartnerAccessPointRegions        -
expressconnectrouter:DescribePartnerAccessPoints              -
expressconnectrouter:DescribePartnerVendors                   -
expressconnectrouter:DescribeVpcRelatedAssociation            -
expressconnectrouter:ListExpressConnectRouterSupportedRegion  Lists the regions where Express Connect Router (ECR) is available.
expressconnectrouter:ModifyCarrierCloudLink                   -
vpc:AddBandwidthPackageIps                                    -
vpc:AddGlobalAccelerationInstanceIp                           Adds an Elastic IP Address (EIP) to a shared bandwidth instance.
vpc:AddIPv6TranslatorAclListEntry                             Adds an IP entry to an access control policy group.
vpc:AllocateVpcIpv6Cidr                                       Reserves an IPv6 CIDR block.
vpc:CancelExpressCloudConnection                              -
vpc:CheckVpnBgpEnabled                                        Checks if an IPsec connection's region supports BGP.
vpc:ConvertBandwidthPackage                                   Converts a NAT bandwidth plan.
vpc:CreateNatGateway                                          -
vpc:CreateBandwidthPackage                                    -
vpc:CreateBondRouterInterfaceConnection                       -
vpc:CreateExpressCloudConnection                              Creates an Express Cloud Connect connection.
vpc:CreateGlobalAccelerationInstance                          Creates a Global Acceleration instance.
vpc:CreateIPv6Translator                                      Creates an IPv6 Translation Service instance.
vpc:CreateIPv6TranslatorAclList                               Creates an access control policy group.
vpc:CreateIPv6TranslatorEntry                                 Adds an IPv6 translation entry to an IPv6 Translation Service instance.
vpc:CreateNqa                                                 -
vpc:DeleteBandwidthPackage                                    -
vpc:DeleteGlobalAccelerationInstance                          Deletes a Global Acceleration instance.
vpc:DeleteIPv6Translator                                      Deletes an IPv6 Translation Service instance.
vpc:DeleteIPv6TranslatorAclList                               Deletes an access control policy group. The group cannot be deleted if it is associated with any IPv6 translation entries.
vpc:DeleteIPv6TranslatorEntry                                 Deletes an IPv6 translation entry.
vpc:DeleteIpv6EgressOnlyRule                                  Deletes an egress-only rule.
vpc:DescribeAccessPoints                                      -
vpc:DescribeBandwidthPackageMonitorData                       -
vpc:DescribeBandwidthPackagePublicIpMonitorData               -
vpc:DescribeGlobalAccelerationInstances                       Lists Global Acceleration instances.
vpc:DescribeGrantRulesToCbn                                   -
vpc:DescribeIPv6TranslatorAclListAttributes                   Queries the details of an access control policy group, including its IP addresses and associated IPv6 translation entries.
vpc:DescribeIPv6TranslatorAclLists                            Lists access control policy groups.
vpc:DescribeIPv6TranslatorEntries                             Lists IPv6 translation entries.
vpc:DescribeInstances                                         -
vpc:DescribeNetworkQuotas                                     -
vpc:DescribePublicIpAddress                                   Queries available public IP address ranges for a Virtual Private Cloud (VPC) in a region.
vpc:DescribeRouterInterfacesForGlobal                         -
vpc:DescribeServerRelatedGlobalAccelerationInstances          Queries Global Acceleration instances associated with a backend server.
vpc:DescribeVPCs                                              -
vpc:DescribeVpnGatewayAvailableZones                          Lists availability zones that support IPsec connections in a region.
vpc:DescribeVrouters                                          -
vpc:DescribeZones                                             -
vpc:DiagnoseVpnConnections                                    Diagnoses an IPsec connection.
vpc:DiagnoseVpnConnectionsHistory                             -
vpc:DiagnoseVpnGateway                                        Diagnoses a VPN Gateway instance.
vpc:DisableNatGatewayEcsMetric                                Disables ECS traffic monitoring.
vpc:EnableNatGatewayEcsMetric                                 Enables ECS traffic monitoring.
vpc:GetBusinessAccessPointDetail                              -
vpc:GetFlowLogServiceStatus                                   Gets the status of the flow log service.
vpc:GetNatIpCidrAttribute                                     -
vpc:GetObject                                                 -
vpc:GetPhysicalConnectionServiceStatus                        Checks if the Express Connect service is enabled.
vpc:GetPublicIpAddressPoolServiceStatus                       Gets the status of the IP address pool service.
vpc:GetTrafficMirrorServiceStatus                             Gets the status of the traffic mirroring feature.
vpc:GetVpcIpamServiceStatus                                   Gets the status of the IPAM service.
vpc:GetVpnGatewayDiagnoseResult                               Gets the diagnosis result for a VPN Gateway instance.
vpc:GrantInstanceToCbn                                        -
vpc:InnerVpcCreateDscp                                        -
vpc:InnerVpcDeleteDscp                                        -
vpc:InnerVpcDescribeCrossBorderRouterInterface                -
vpc:InnerVpcDescribeDscp                                      -
vpc:InnerVpcModifyDscp                                        -
vpc:InnerVpcRefreshDscp                                       -
vpc:ListBusinessAccessPointPortUsage                          -
vpc:ListBusinessAccessPoints                                  Lists the access points for Express Connect.
vpc:ListBusinessRegions                                       Lists the regions where Express Connect is available.
vpc:ListGeographicSubRegions                                  Lists region information.
vpc:ListNatGatewayEcsMetric                                   -
vpc:ListVpcCloudInstance                                      -
vpc:ListVpcEndpointServicesByEndUser                          Lists available endpoint services.
vpc:ModifyBandwidthPackageAttribute                           -
vpc:ModifyBandwidthPackageSpec                                -
vpc:ModifyBypassToaAttribute                                  -
vpc:ModifyExpressCloudConnectionAttribute                     Modifies an Express Cloud Connect connection.
vpc:ModifyGlobalAccelerationInstanceAttributes                Modifies the name and description of a Global Acceleration instance.
vpc:ModifyGlobalAccelerationInstanceSpec                      Modifies the bandwidth of a Global Acceleration instance.
vpc:ModifyIPv6TranslatorAclAttribute                          Modifies the name of an access control policy group.
vpc:ModifyIPv6TranslatorAclListEntry                          Modifies an IP entry in an access control policy group.
vpc:ModifyIPv6TranslatorAttribute                             Modifies the name and description of an IPv6 Translation Service instance.
vpc:ModifyIPv6TranslatorBandwidth                             Modifies the bandwidth of an IPv6 Translation Service instance.
vpc:ModifyIPv6TranslatorEntry                                 Modifies an IPv6 translation entry.
vpc:ModifyIpv6GatewaySpec                                     -
vpc:OpenFlowLogService                                        Enables the flow log service.
vpc:OpenPhysicalConnectionService                             Enables the Express Connect service.
vpc:OpenPublicIpAddressPoolService                            Enables the IP address pool service.
vpc:OpenTrafficMirrorService                                  Enables the traffic mirroring service.
vpc:OpenVpcIpamService                                        Enables the IPAM service.
vpc:QueryPconnTrafficPrice                                    -
vpc:QueryPhysicalConnectionPrice                              -
vpc:RejectVpcPeerConnection                                   Rejects a VPC peering connection request.
vpc:RemoveBandwidthPackageIps                                 -
vpc:RemoveGlobalAccelerationInstanceIp                        Removes an Elastic IP Address (EIP) from a shared bandwidth instance.
vpc:RemoveIPv6TranslatorAclListEntry                          Removes an IP entry from an access control policy group.
vpc:RevokeInstanceFromCbn                                     -
vpc:SetHaVipMasterInstance                                    -
vpc:TransformEipSegmentToPublicIpAddressPool                  Migrates an EIP segment to an IP address pool.
vpc:UnAssociateEipAddress                                     -
vpc:UnassociateGlobalAccelerationInstance                     Unassociates a backend server from a Global Acceleration instance.
vpc:UpdateCrossBoarderStatus                                  -
vpc:associatevpccidrblock                                     -
vpc:createvpc                                                 -
vpc:deleteBgpNetwork                                          -
vpc:describeVpcs                                              -
vpc:releaseIpv6Address                                        -

For operations that do not support resource group authorization, setting the resource scope to the resource group level has no effect. To grant a RAM user permissions for these operations, create a custom policy and set the resource scope to the account level.

Here are two examples of custom permission policies. You can modify the policy content as needed.

  • Allows all read-only operations that do not support resource group-level authorization: The Action element lists all read-only operations that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "expressconnectrouter:DescribeCarrierCloudLink",
            "expressconnectrouter:DescribeCarrierCloudLinks",
            "expressconnectrouter:DescribeLineProviders",
            "expressconnectrouter:DescribePartnerAccessPointRegions",
            "expressconnectrouter:DescribePartnerAccessPoints",
            "expressconnectrouter:DescribePartnerVendors",
            "expressconnectrouter:DescribeVpcRelatedAssociation",
            "expressconnectrouter:ListExpressConnectRouterSupportedRegion",
            "vpc:CheckVpnBgpEnabled",
            "vpc:DescribeAccessPoints",
            "vpc:DescribeBandwidthPackageMonitorData",
            "vpc:DescribeBandwidthPackagePublicIpMonitorData",
            "vpc:DescribeGlobalAccelerationInstances",
            "vpc:DescribeGrantRulesToCbn",
            "vpc:DescribeIPv6TranslatorAclListAttributes",
            "vpc:DescribeIPv6TranslatorAclLists",
            "vpc:DescribeIPv6TranslatorEntries",
            "vpc:DescribeInstances",
            "vpc:DescribeNetworkQuotas",
            "vpc:DescribePublicIpAddress",
            "vpc:DescribeRouterInterfacesForGlobal",
            "vpc:DescribeServerRelatedGlobalAccelerationInstances",
            "vpc:DescribeVPCs",
            "vpc:DescribeVpnGatewayAvailableZones",
            "vpc:DescribeVrouters",
            "vpc:DescribeZones",
            "vpc:GetBusinessAccessPointDetail",
            "vpc:GetFlowLogServiceStatus",
            "vpc:GetNatIpCidrAttribute",
            "vpc:GetObject",
            "vpc:GetPhysicalConnectionServiceStatus",
            "vpc:GetPublicIpAddressPoolServiceStatus",
            "vpc:GetTrafficMirrorServiceStatus",
            "vpc:GetVpcIpamServiceStatus",
            "vpc:GetVpnGatewayDiagnoseResult",
            "vpc:ListBusinessAccessPointPortUsage",
            "vpc:ListBusinessAccessPoints",
            "vpc:ListBusinessRegions",
            "vpc:ListGeographicSubRegions",
            "vpc:ListNatGatewayEcsMetric",
            "vpc:ListVpcCloudInstance",
            "vpc:ListVpcEndpointServicesByEndUser"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allows all operations that do not support resource group-level authorization: The Action element lists all operations that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "expressconnectrouter:CreateCarrierCloudLink",
            "expressconnectrouter:DeleteCarrierCloudLink",
            "expressconnectrouter:DescribeCarrierCloudLink",
            "expressconnectrouter:DescribeCarrierCloudLinks",
            "expressconnectrouter:DescribeLineProviders",
            "expressconnectrouter:DescribePartnerAccessPointRegions",
            "expressconnectrouter:DescribePartnerAccessPoints",
            "expressconnectrouter:DescribePartnerVendors",
            "expressconnectrouter:DescribeVpcRelatedAssociation",
            "expressconnectrouter:ListExpressConnectRouterSupportedRegion",
            "expressconnectrouter:ModifyCarrierCloudLink",
            "vpc:AddBandwidthPackageIps",
            "vpc:AddGlobalAccelerationInstanceIp",
            "vpc:AddIPv6TranslatorAclListEntry",
            "vpc:AllocateVpcIpv6Cidr",
            "vpc:CancelExpressCloudConnection",
            "vpc:CheckVpnBgpEnabled",
            "vpc:ConvertBandwidthPackage",
            "vpc:CreateNatGateway",
            "vpc:CreateBandwidthPackage",
            "vpc:CreateBondRouterInterfaceConnection",
            "vpc:CreateExpressCloudConnection",
            "vpc:CreateGlobalAccelerationInstance",
            "vpc:CreateIPv6Translator",
            "vpc:CreateIPv6TranslatorAclList",
            "vpc:CreateIPv6TranslatorEntry",
            "vpc:CreateNqa",
            "vpc:DeleteBandwidthPackage",
            "vpc:DeleteGlobalAccelerationInstance",
            "vpc:DeleteIPv6Translator",
            "vpc:DeleteIPv6TranslatorAclList",
            "vpc:DeleteIPv6TranslatorEntry",
            "vpc:DeleteIpv6EgressOnlyRule",
            "vpc:DescribeAccessPoints",
            "vpc:DescribeBandwidthPackageMonitorData",
            "vpc:DescribeBandwidthPackagePublicIpMonitorData",
            "vpc:DescribeGlobalAccelerationInstances",
            "vpc:DescribeGrantRulesToCbn",
            "vpc:DescribeIPv6TranslatorAclListAttributes",
            "vpc:DescribeIPv6TranslatorAclLists",
            "vpc:DescribeIPv6TranslatorEntries",
            "vpc:DescribeInstances",
            "vpc:DescribeNetworkQuotas",
            "vpc:DescribePublicIpAddress",
            "vpc:DescribeRouterInterfacesForGlobal",
            "vpc:DescribeServerRelatedGlobalAccelerationInstances",
            "vpc:DescribeVPCs",
            "vpc:DescribeVpnGatewayAvailableZones",
            "vpc:DescribeVrouters",
            "vpc:DescribeZones",
            "vpc:DiagnoseVpnConnections",
            "vpc:DiagnoseVpnConnectionsHistory",
            "vpc:DiagnoseVpnGateway",
            "vpc:DisableNatGatewayEcsMetric",
            "vpc:EnableNatGatewayEcsMetric",
            "vpc:GetBusinessAccessPointDetail",
            "vpc:GetFlowLogServiceStatus",
            "vpc:GetNatIpCidrAttribute",
            "vpc:GetObject",
            "vpc:GetPhysicalConnectionServiceStatus",
            "vpc:GetPublicIpAddressPoolServiceStatus",
            "vpc:GetTrafficMirrorServiceStatus",
            "vpc:GetVpcIpamServiceStatus",
            "vpc:GetVpnGatewayDiagnoseResult",
            "vpc:GrantInstanceToCbn",
            "vpc:InnerVpcCreateDscp",
            "vpc:InnerVpcDeleteDscp",
            "vpc:InnerVpcDescribeCrossBorderRouterInterface",
            "vpc:InnerVpcDescribeDscp",
            "vpc:InnerVpcModifyDscp",
            "vpc:InnerVpcRefreshDscp",
            "vpc:ListBusinessAccessPointPortUsage",
            "vpc:ListBusinessAccessPoints",
            "vpc:ListBusinessRegions",
            "vpc:ListGeographicSubRegions",
            "vpc:ListNatGatewayEcsMetric",
            "vpc:ListVpcCloudInstance",
            "vpc:ListVpcEndpointServicesByEndUser",
            "vpc:ModifyBandwidthPackageAttribute",
            "vpc:ModifyBandwidthPackageSpec",
            "vpc:ModifyBypassToaAttribute",
            "vpc:ModifyExpressCloudConnectionAttribute",
            "vpc:ModifyGlobalAccelerationInstanceAttributes",
            "vpc:ModifyGlobalAccelerationInstanceSpec",
            "vpc:ModifyIPv6TranslatorAclAttribute",
            "vpc:ModifyIPv6TranslatorAclListEntry",
            "vpc:ModifyIPv6TranslatorAttribute",
            "vpc:ModifyIPv6TranslatorBandwidth",
            "vpc:ModifyIPv6TranslatorEntry",
            "vpc:ModifyIpv6GatewaySpec",
            "vpc:OpenFlowLogService",
            "vpc:OpenPhysicalConnectionService",
            "vpc:OpenPublicIpAddressPoolService",
            "vpc:OpenTrafficMirrorService",
            "vpc:OpenVpcIpamService",
            "vpc:QueryPconnTrafficPrice",
            "vpc:QueryPhysicalConnectionPrice",
            "vpc:RejectVpcPeerConnection",
            "vpc:RemoveBandwidthPackageIps",
            "vpc:RemoveGlobalAccelerationInstanceIp",
            "vpc:RemoveIPv6TranslatorAclListEntry",
            "vpc:RevokeInstanceFromCbn",
            "vpc:SetHaVipMasterInstance",
            "vpc:TransformEipSegmentToPublicIpAddressPool",
            "vpc:UnAssociateEipAddress",
            "vpc:UnassociateGlobalAccelerationInstance",
            "vpc:UpdateCrossBoarderStatus",
            "vpc:associatevpccidrblock",
            "vpc:createvpc",
            "vpc:deleteBgpNetwork",
            "vpc:describeVpcs",
            "vpc:releaseIpv6Address"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can manage all resources in the account. Always grant these permissions with caution. Ensure they align with your intent and follow the principle of least privilege.
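As an added check for the rule above (this script is not part of the original page and is not Alibaba Cloud's code), the following audits a RAM policy document for actions from the table that a resource-group-scoped grant would not enforce, and builds the account-level companion policy the page recommends. The action list is a constructed subset of the page's table, and vpc:CreateVirtualBorderRouter is assumed to be an action that does honour resource-group scope.

```python
import fnmatch
import json

# Constructed subset of the Express Connect actions that the page lists as not
# supporting resource group-level authorization; extend it from the page's table.
NO_RESOURCE_GROUP_SCOPE = frozenset({
    "expressconnectrouter:CreateCarrierCloudLink",
    "expressconnectrouter:ListExpressConnectRouterSupportedRegion",
    "vpc:CreateNatGateway",
    "vpc:DescribeAccessPoints",
    "vpc:DescribeVPCs",
    "vpc:GetPhysicalConnectionServiceStatus",
    "vpc:OpenPhysicalConnectionService",
    "vpc:RevokeInstanceFromCbn",
})
# Verb heuristic reproducing the read-only / all-operations split of the page's
# two example policies.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check")


def _as_list(value):
    """RAM allows "Action" to be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def is_read_only(action):
    return action.rsplit(":", 1)[-1].startswith(READ_ONLY_VERBS)


def audit_resource_group_policy(policy_json, unsupported=NO_RESOURCE_GROUP_SCOPE):
    """Actions an Allow statement grants that would be ineffective if the policy
    were attached with resource-group scope. Wildcards such as "vpc:Describe*"
    are expanded against the list, since a wildcard silently covers them too."""
    hits = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        for pattern in _as_list(stmt.get("Action")):
            hits.update(a for a in unsupported if fnmatch.fnmatchcase(a, pattern))
    return {"read_only": sorted(a for a in hits if is_read_only(a)),
            "mutating": sorted(a for a in hits if not is_read_only(a))}


def account_level_policy(audit, read_only_only=True):
    """The complementary custom policy the page recommends for flagged actions:
    "Resource": "*", to be attached at account scope. Defaults to read-only
    actions only (the page's first example); False gives the second."""
    actions = audit["read_only"] + ([] if read_only_only else audit["mutating"])
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


# Constructed sample policy: one a team might attach at resource-group scope.
# vpc:CreateVirtualBorderRouter stands in for an action that honours the scope.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["vpc:Describe*", "vpc:OpenPhysicalConnectionService",
                    "vpc:CreateVirtualBorderRouter"]},
        {"Effect": "Deny", "Resource": "*", "Action": "vpc:CreateNatGateway"},
    ],
})
```

Run the audit before attaching a policy at resource-group scope; anything it reports will be silently ungranted and needs a separate account-level policy.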

FAQ

Find the resource group for a resource

  • Method 1: Click the resource name to open its details page, which displays the resource group.

  • Method 2: Log on to the Resource Management console and go to Resource Center > Resource Search. In the left-side pane, select the account that owns the resource (the current account is selected by default). Use filters to find the resource, and its resource group is displayed in the results.

View product resources in a resource group

  • Method 1: Log on to the Resource Management console and go to Resource Center > Resource Search. In the left-side pane, under the account section (which defaults to the current account), click the name of your target resource group. In the right-side pane, select the product from the Select Resource Type list. The page then displays all resources for the selected product within that resource group.

  • Method 2: Log on to the Resource Management console and go to Resource Group > Resource Group. Find the target resource group and click Manage Resources in the Actions column. On the Resource Management page, select a product from the Product dropdown list. The page then displays all resources for the selected product in that resource group.

Move resources to another resource group

Log on to the Resource Management console and go to Resource Group > Resource Group. Find the target resource group and click Manage Resources in the Actions column. On the resource management page, use filters to find the resources that you want to move. Select their checkboxes in the first column, click Transfer Resource Group at the bottom of the list, and follow the on-screen instructions to complete the move.