All Products
Search

This Product

    Realtime Compute for Apache Flink:Use resource groups for fine-grained access control

    Document Center

    Realtime Compute for Apache Flink:Use resource groups for fine-grained access control

    Last Updated:Apr 23, 2026

    You can use Resource Group to manage Realtime Compute for Apache Flink resources as a collection and apply Resource Access Management (RAM) policies that authorize actions only on resources within a specific group. This lets you enforce the principle of least privilege (PoLP) in your Alibaba Cloud account.

    Note

    You can scope permissions to a resource group only for supported resource types and actions. For unsupported actions, any resource group scope in a policy is ignored, and permissions must be granted at the account level instead.

    How it works

    Resource groups organize your resources by project or environment. Once resources are grouped, you can attach a RAM policy to an identity (such as a RAM user, user group, or role) that scopes its permissions exclusively to that group. For more information, see Resource grouping and authorization.

    This approach provides two key benefits:

    • Fine-grained access control: Instead of granting account-wide permissions, you can limit an identity's access to only the resources within a specific group. This helps isolate project-specific workloads and reduce the risk of unintended access.

    • Simplified management: When new resources are added to a resource group, RAM identities with permissions scoped to that group automatically gain access. You do not need to update RAM policies each time a new resource is created.

    Grant resource group-level permissions to a RAM user

    This section demonstrates how to grant a RAM user permission to access only the resources of Realtime Compute for Apache Flink within a specific resource group.

    1. Prerequisites

    2. Grant permissions

    You can grant resource group-level permissions from either the Resource Management console or the RAM console.

    Resource Management console

    • Log on to the Resource Management console.

    • On the Resource Group page, find the target resource group and click Manage Permission in the Actions column.

    • On the Permissions tab, click Grant Permission.

    • In the Grant Permission panel, configure the principal and access policy.

    • Click Grant permissions.

    For more information, see Grant permissions on resource groups to a RAM identity.

    RAM console

    • Log on to the RAM console using an Alibaba Cloud account or a RAM administrator account.

    • In the navigation pane on the left, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

    • In the Grant Permission panel, add permissions for the RAM user.

      • Resource Scope: Select Resource Group.

      • Principal: Select an existing RAM user or the RAM user created in the previous step.

      • Policy: Select a System Policy or a Custom Policy. For more information, see Create a custom permission policy.

    • Click OK.

    For more information, see Grant permissions to a RAM user.

    Supported resources

    The following resources from Realtime Compute for Apache Flink support resource group-level authorization:

    Alibaba Cloud service

    Service code

    Resource type

    Realtime Compute for Apache Flink

    flinkasi

    vvpinstance : workspace
    Note

    To request support for resource types not listed here, submit feedback via Resource Management console.

    image

    Unsupported actions

    The following actions of Realtime Compute for Apache Flink do not support resource group-level authorization:

    Action

    Description

    stream:ActOnBehalfOfAnotherUser

    -

    stream:ApplyScheduledPlan

    Executes a scheduled plan.

    stream:CancelSqlPreview

    -

    stream:CheckNamespaceName

    -

    stream:CheckOssBucket

    -

    stream:CheckUserVSwitch

    -

    stream:CheckUserVpc

    -

    stream:CreateDeployment

    Creates a deployment.

    stream:CreateDeploymentDraft

    Creates an SQL draft.

    stream:CreateDeploymentDraftV1

    -

    stream:CreateDeploymentTarget

    Creates a deployment target.

    stream:CreateDeploymentTargetV2

    -

    stream:CreateDeploymentV1

    -

    stream:CreateFolder

    Creates a folder.

    stream:CreateFolderV1

    -

    stream:CreateInstance

    -

    stream:CreateLxCommodity

    -

    stream:CreateMember

    Adds a user to a namespace as a member and grants permissions to the user.

    stream:CreateSavepoint

    Creates a savepoint.

    stream:CreateScheduledPlan

    Creates a scheduled tuning plan.

    stream:CreateSessionCluster

    Create a session cluster

    stream:CreateSqlFile

    -

    stream:CreateUdfArtifact

    Parses all user-defined function (UDF) methods in your JAR or Python file and creates an artifact configuration for a UDF.

    stream:CreateVariable

    Creates a variable.

    stream:DeleteConnectorV1

    -

    stream:DeleteCustomConnector

    Deletes a registered custom connector from a workspace.

    stream:DeleteDeployment

    Deletes a deployment based on the deployment ID.

    stream:DeleteDeploymentByName

    -

    stream:DeleteDeploymentDraft

    Deletes an SQL draft. If the draft is deployed as a deployment and the deployment is published or the deployment status is RUNNING, the deployment for the draft cannot be deleted.

    stream:DeleteDeploymentDraftV1

    -

    stream:DeleteDeploymentTarget

    Deletes a deployment target.

    stream:DeleteDeploymentV1

    -

    stream:DeleteFolder

    Deletes an empty folder. If files or folders exist in a folder, the folder cannot be deleted.

    stream:DeleteFormatV1

    -

    stream:DeleteJob

    Deletes the information about a job that is not in the running state in a deployment.

    stream:DeleteMember

    Revokes the permissions from a member.

    stream:DeleteMemberV1

    -

    stream:DeleteSavepoint

    Deletes a savepoint.

    stream:DeleteScheduledPlan

    Deletes a scheduled tuning plan.

    stream:DeleteSecretValueV1

    -

    stream:DeleteSessionCluster

    Deletes a session cluster.

    stream:DeleteSqlFile

    -

    stream:DeleteUdfArtifact

    Deletes resources of a user-defined function (UDF) from a namespace. Before you delete the resources of a UDF, you must delete the UDF.

    stream:DeleteUdfFunction

    Deletes an existing user-defined function (UDF) from a Realtime Compute for Apache Flink workspace.

    stream:DeleteVariable

    Deletes a variable.

    stream:DeployDeploymentDraftAsync

    Deploys an SQL draft.

    stream:DeployDeploymentDraftV1

    -

    stream:DescribeFlussInstances

    -

    stream:DescribeLxCommodity

    -

    stream:ExecuteSqlScriptV1

    -

    stream:ExecuteSqlStatement

    Executes SQL statements to query the metadata. Only DDL and DML statements are supported. DQL statements are not supported.

    stream:FetchSqlExecutionResult

    -

    stream:FetchSqlPreviewResults

    -

    stream:FlinkApiProxy

    Provides a proxy for Realtime Compute for Apache Flink requests.

    stream:ForcefullyCreateLockV1

    -

    stream:GenerateResourcePlanV1

    -

    stream:GenerateResourcePlanWithFlinkConfAsync

    Submits a ticket that applies for asynchronous generation of the fine-grained resources. This operation returns the ID of the ticket for you to query the asynchronous generation result.

    stream:GetAppliedScheduledPlan

    Queries the scheduled plan of an application.

    stream:GetArtifactMetadataV1

    -

    stream:GetCatalogs

    Obtains details of the specified catalog or all catalogs.

    stream:GetCatalogsSnapshot

    -

    stream:GetClusterQuantityByRegion

    -

    stream:GetCommodityCode

    -

    stream:GetCustomFlinkArtifactsSnapshot

    -

    stream:GetDatabases

    Obtains the information about a database in a specified catalog or lists all databases in a specified catalog.

    stream:GetDeployDeploymentDraftResult

    Obtains the deployment result based on the ID of the asynchronous ticket.

    stream:GetDeployment

    Obtains the details of a deployment.

    stream:GetDeploymentDefaultsV1

    -

    stream:GetDeploymentDraft

    Obtains the details of an SQL draft.

    stream:GetDeploymentDraftByIdV1

    -

    stream:GetDeploymentDraftByNameV1

    -

    stream:GetDeploymentDraftLock

    Obtains the lock that is used to edit a draft. This can prevent operations performed on the page and API operations from affecting each other.

    stream:GetDeploymentDraftResourcePlanV1

    -

    stream:GetDeploymentDraftResourcePlanWithBestEffortV1

    -

    stream:GetDeploymentV1

    -

    stream:GetDeploymentsByIp

    -

    stream:GetDeploymentsByLabel

    -

    stream:GetDeploymentsByName

    -

    stream:GetEvents

    Queries events.

    stream:GetFolder

    Obtains the details of a folder.

    stream:GetFolderByIdV1

    -

    stream:GetGenerateResourcePlanResult

    Obtains the asynchronous generation result of fine-grained resources based on the ID of the ticket that applies for an asynchronous generation.

    stream:GetGlobalDeploymentDefaultsV1

    -

    stream:GetHotUpdateJobResult

    Obtains the dynamic update result of a deployment when you dynamically update the deployment.

    stream:GetJob

    Obtains the details of a job.

    stream:GetJobDiagnosis

    Queries information about abnormal diagnostic items based on the intelligent deployment diagnostics feature.

    stream:GetLatestJobStartLog

    Obtains the latest startup logs of a job.

    stream:GetLineageInfo

    Obtains the lineage information of a deployment.

    stream:GetMember

    Queries the permissions of a member.

    stream:GetPreSignedUrlForPutObject

    -

    stream:GetResourcePlanV1

    -

    stream:GetRootFolderByTypeV1

    -

    stream:GetSavepoint

    Queries details of a savepoint and checkpoint.

    stream:GetSessionCluster

    Queries the information about a session cluster.

    stream:GetSpecifications

    -

    stream:GetSqlFile

    -

    stream:GetTables

    Obtains the details of a specific table in a database of a specific catalog or the information about all tables in a database.

    stream:GetUdfArtifacts

    Obtains the details of the JAR or Python file that corresponds to the user-defined function (UDF) that you upload and create.

    stream:GetValidateDeploymentDraftResult

    Get validate DeploymentDraft result

    stream:HandleCatalogChanges

    -

    stream:HasStreamDefaultRole

    -

    stream:HotUpdateJob

    Dynamically updates parameters or resources of a deployment that is running.

    stream:ListArtifactsV1

    -

    stream:ListConnectorsV1

    -

    stream:ListCustomConnectors

    Obtains a list of existing custom connectors.

    stream:ListDeploymentDrafts

    Queries a list of SQL drafts.

    stream:ListDeploymentTargets

    Obtains a list of clusters in which deployments can be deployed. The cluster can be a session cluster or a per-job cluster.

    stream:ListDeploymentTargetsV1

    -

    stream:ListDeployments

    Obtains information about all deployments.

    stream:ListDeploymentsV1

    -

    stream:ListEngineVersionMetadata

    Obtains a list of engine versions that are supported by Realtime Compute for Apache Flink.

    stream:ListFlinkVersionsV1

    -

    stream:ListFormatsV1

    -

    stream:ListJobs

    Queries the information about all jobs in a deployment.

    stream:ListJobsV1

    -

    stream:ListMembers

    Queries the mappings between the ID and permissions of a member in a specific namespace.

    stream:ListNamespacesV1

    -

    stream:ListOssInfo

    -

    stream:ListRegionWithClusterQuantity

    -

    stream:ListSavepoints

    Obtains a list of savepoints or checkpoints.

    stream:ListSavepointsV1

    -

    stream:ListScheduledPlan

    Obtains a list of scheduled tuning plans.

    stream:ListScheduledPlanExecutedHistory

    Queries the execution history of a scheduled plan.

    stream:ListSecretValuesV1

    -

    stream:ListSessionClusters

    Queries a list of session clusters.

    stream:ListSessionClustersV1

    -

    stream:ListTablesV1

    -

    stream:ListTagKeys

    -

    stream:ListTagResources

    -

    stream:ListTagValues

    -

    stream:ListUserVswitch

    -

    stream:ListVariables

    Obtains a list of variables.

    stream:ModifyDns

    -

    stream:ModifyInstanceMetadata

    -

    stream:ModifyInstanceVswitch

    -

    stream:QueryCloneNamespace

    -

    stream:QueryCreateLxCommodityPrice

    -

    stream:QueryCreateVvpInstancePrice

    Queries the fee of creating a workspace.

    stream:QueryTagVvpResources

    Queries the tags of specified resources. You can query the key of a tag by tag value, or query the value of a tag by tag key. You can also obtain information about all tags that you use in a workspace in the console of fully managed Flink.

    stream:RegisterCustomConnector

    Registers a custom connector in a namespace. The registered custom connector can be used in SQL statements.

    stream:RegisterUdfFunction

    Registers specific or all of the user-defined functions (UDFs) that are parsed from the JAR files. The registered functions can be used in SQL statements.

    stream:ReplaceDeploymentV1

    -

    stream:SaveDeploymentDraftResourcePlanV1

    -

    stream:SearchFoldersByKeywordV1

    -

    stream:SearchOrderStatistics

    -

    stream:SetDeploymentResourceModeV1

    -

    stream:StartJob

    Creates and starts a job.

    stream:StartJobWithParams

    Starts a job.

    stream:StartOrGetNonTerminalSqlExecution

    -

    stream:StartSessionCluster

    Starts a session cluster.

    stream:StartSqlExecution

    -

    stream:StopApplyScheduledPlan

    Stops the scheduled plan of an application.

    stream:StopJob

    Stops a job.

    stream:StopSessionCluster

    Stops a session cluster.

    stream:StopSqlExecution

    -

    stream:SubmitSqlPreview

    -

    stream:TagVvpResources

    Adds tags to specified resources.

    stream:UnTagVvpResources

    Removes tags from specified resources.

    stream:UpdateDeployment

    Updates information about a deployment.

    stream:UpdateDeploymentByName

    -

    stream:UpdateDeploymentDesiredStateV1

    -

    stream:UpdateDeploymentDraft

    Updates an SQL draft.

    stream:UpdateDeploymentDraftV1

    -

    stream:UpdateDeploymentTarget

    Updates a cluster on which the deployment is deployed.

    stream:UpdateDeploymentTargetV2

    -

    stream:UpdateDeploymentV1

    -

    stream:UpdateFolder

    Updates a folder.

    stream:UpdateInstanceMonitorType

    -

    stream:UpdateMember

    Updates the permissions of one or more members in a specific namespace.

    stream:UpdateMemberV1

    -

    stream:UpdateScheduledPlan

    Update a scheduled tuning plan.

    stream:UpdateSessionCluster

    Updates a session cluster.

    stream:UpdateSqlFile

    -

    stream:UpdateUdfArtifact

    Updates the JAR file of the user-defined function (UDF) that you create.

    stream:UpdateVariable

    Updates the information about a variable in a namespace.

    stream:ValidateDeploymentDraftAsync

    validate DeploymentDraft async

    stream:ValidateSqlScriptV1

    -

    stream:ValidateSqlStatement

    Verifies the code of an SQL deployment.

    stream:WorkflowCallbackQueryNodeStatus

    -

    stream:WorkflowCallbackStartNode

    -

    stream:WorkflowCallbackStopNode

    -

    For these actions, you must create a custom policy with the scope set to Account.

    image.pngCustomize the following policy examples to suit your needs:

    • Allow read-only access

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "stream:CheckNamespaceName",
        "stream:CheckOssBucket",
        "stream:CheckUserVSwitch",
        "stream:CheckUserVpc",
        "stream:DescribeFlussInstances",
        "stream:DescribeLxCommodity",
        "stream:GetAppliedScheduledPlan",
        "stream:GetArtifactMetadataV1",
        "stream:GetCatalogs",
        "stream:GetCatalogsSnapshot",
        "stream:GetClusterQuantityByRegion",
        "stream:GetCommodityCode",
        "stream:GetCustomFlinkArtifactsSnapshot",
        "stream:GetDatabases",
        "stream:GetDeployDeploymentDraftResult",
        "stream:GetDeployment",
        "stream:GetDeploymentDefaultsV1",
        "stream:GetDeploymentDraft",
        "stream:GetDeploymentDraftByIdV1",
        "stream:GetDeploymentDraftByNameV1",
        "stream:GetDeploymentDraftLock",
        "stream:GetDeploymentDraftResourcePlanV1",
        "stream:GetDeploymentDraftResourcePlanWithBestEffortV1",
        "stream:GetDeploymentV1",
        "stream:GetDeploymentsByIp",
        "stream:GetDeploymentsByLabel",
        "stream:GetDeploymentsByName",
        "stream:GetEvents",
        "stream:GetFolder",
        "stream:GetFolderByIdV1",
        "stream:GetGenerateResourcePlanResult",
        "stream:GetGlobalDeploymentDefaultsV1",
        "stream:GetHotUpdateJobResult",
        "stream:GetJob",
        "stream:GetJobDiagnosis",
        "stream:GetLatestJobStartLog",
        "stream:GetLineageInfo",
        "stream:GetMember",
        "stream:GetPreSignedUrlForPutObject",
        "stream:GetResourcePlanV1",
        "stream:GetRootFolderByTypeV1",
        "stream:GetSavepoint",
        "stream:GetSessionCluster",
        "stream:GetSpecifications",
        "stream:GetSqlFile",
        "stream:GetTables",
        "stream:GetUdfArtifacts",
        "stream:GetValidateDeploymentDraftResult",
        "stream:HasStreamDefaultRole",
        "stream:ListArtifactsV1",
        "stream:ListConnectorsV1",
        "stream:ListCustomConnectors",
        "stream:ListDeploymentDrafts",
        "stream:ListDeploymentTargets",
        "stream:ListDeploymentTargetsV1",
        "stream:ListDeployments",
        "stream:ListDeploymentsV1",
        "stream:ListEngineVersionMetadata",
        "stream:ListFlinkVersionsV1",
        "stream:ListFormatsV1",
        "stream:ListJobs",
        "stream:ListJobsV1",
        "stream:ListMembers",
        "stream:ListNamespacesV1",
        "stream:ListOssInfo",
        "stream:ListRegionWithClusterQuantity",
        "stream:ListSavepoints",
        "stream:ListSavepointsV1",
        "stream:ListScheduledPlan",
        "stream:ListScheduledPlanExecutedHistory",
        "stream:ListSecretValuesV1",
        "stream:ListSessionClusters",
        "stream:ListSessionClustersV1",
        "stream:ListTablesV1",
        "stream:ListTagKeys",
        "stream:ListTagResources",
        "stream:ListTagValues",
        "stream:ListUserVswitch",
        "stream:ListVariables",
        "stream:QueryCloneNamespace",
        "stream:QueryCreateLxCommodityPrice",
        "stream:QueryCreateVvpInstancePrice",
        "stream:QueryTagVvpResources",
        "stream:SearchFoldersByKeywordV1",
        "stream:SearchOrderStatistics"
      ],
      "Resource": "*"
    }
  ]
}

    • Allow full access

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "stream:ActOnBehalfOfAnotherUser",
        "stream:ApplyScheduledPlan",
        "stream:CancelSqlPreview",
        "stream:CheckNamespaceName",
        "stream:CheckOssBucket",
        "stream:CheckUserVSwitch",
        "stream:CheckUserVpc",
        "stream:CreateDeployment",
        "stream:CreateDeploymentDraft",
        "stream:CreateDeploymentDraftV1",
        "stream:CreateDeploymentTarget",
        "stream:CreateDeploymentTargetV2",
        "stream:CreateDeploymentV1",
        "stream:CreateFolder",
        "stream:CreateFolderV1",
        "stream:CreateInstance",
        "stream:CreateLxCommodity",
        "stream:CreateMember",
        "stream:CreateSavepoint",
        "stream:CreateScheduledPlan",
        "stream:CreateSessionCluster",
        "stream:CreateSqlFile",
        "stream:CreateUdfArtifact",
        "stream:CreateVariable",
        "stream:DeleteConnectorV1",
        "stream:DeleteCustomConnector",
        "stream:DeleteDeployment",
        "stream:DeleteDeploymentByName",
        "stream:DeleteDeploymentDraft",
        "stream:DeleteDeploymentDraftV1",
        "stream:DeleteDeploymentTarget",
        "stream:DeleteDeploymentV1",
        "stream:DeleteFolder",
        "stream:DeleteFormatV1",
        "stream:DeleteJob",
        "stream:DeleteMember",
        "stream:DeleteMemberV1",
        "stream:DeleteSavepoint",
        "stream:DeleteScheduledPlan",
        "stream:DeleteSecretValueV1",
        "stream:DeleteSessionCluster",
        "stream:DeleteSqlFile",
        "stream:DeleteUdfArtifact",
        "stream:DeleteUdfFunction",
        "stream:DeleteVariable",
        "stream:DeployDeploymentDraftAsync",
        "stream:DeployDeploymentDraftV1",
        "stream:DescribeFlussInstances",
        "stream:DescribeLxCommodity",
        "stream:ExecuteSqlScriptV1",
        "stream:ExecuteSqlStatement",
        "stream:FetchSqlExecutionResult",
        "stream:FetchSqlPreviewResults",
        "stream:FlinkApiProxy",
        "stream:ForcefullyCreateLockV1",
        "stream:GenerateResourcePlanV1",
        "stream:GenerateResourcePlanWithFlinkConfAsync",
        "stream:GetAppliedScheduledPlan",
        "stream:GetArtifactMetadataV1",
        "stream:GetCatalogs",
        "stream:GetCatalogsSnapshot",
        "stream:GetClusterQuantityByRegion",
        "stream:GetCommodityCode",
        "stream:GetCustomFlinkArtifactsSnapshot",
        "stream:GetDatabases",
        "stream:GetDeployDeploymentDraftResult",
        "stream:GetDeployment",
        "stream:GetDeploymentDefaultsV1",
        "stream:GetDeploymentDraft",
        "stream:GetDeploymentDraftByIdV1",
        "stream:GetDeploymentDraftByNameV1",
        "stream:GetDeploymentDraftLock",
        "stream:GetDeploymentDraftResourcePlanV1",
        "stream:GetDeploymentDraftResourcePlanWithBestEffortV1",
        "stream:GetDeploymentV1",
        "stream:GetDeploymentsByIp",
        "stream:GetDeploymentsByLabel",
        "stream:GetDeploymentsByName",
        "stream:GetEvents",
        "stream:GetFolder",
        "stream:GetFolderByIdV1",
        "stream:GetGenerateResourcePlanResult",
        "stream:GetGlobalDeploymentDefaultsV1",
        "stream:GetHotUpdateJobResult",
        "stream:GetJob",
        "stream:GetJobDiagnosis",
        "stream:GetLatestJobStartLog",
        "stream:GetLineageInfo",
        "stream:GetMember",
        "stream:GetPreSignedUrlForPutObject",
        "stream:GetResourcePlanV1",
        "stream:GetRootFolderByTypeV1",
        "stream:GetSavepoint",
        "stream:GetSessionCluster",
        "stream:GetSpecifications",
        "stream:GetSqlFile",
        "stream:GetTables",
        "stream:GetUdfArtifacts",
        "stream:GetValidateDeploymentDraftResult",
        "stream:HandleCatalogChanges",
        "stream:HasStreamDefaultRole",
        "stream:HotUpdateJob",
        "stream:ListArtifactsV1",
        "stream:ListConnectorsV1",
        "stream:ListCustomConnectors",
        "stream:ListDeploymentDrafts",
        "stream:ListDeploymentTargets",
        "stream:ListDeploymentTargetsV1",
        "stream:ListDeployments",
        "stream:ListDeploymentsV1",
        "stream:ListEngineVersionMetadata",
        "stream:ListFlinkVersionsV1",
        "stream:ListFormatsV1",
        "stream:ListJobs",
        "stream:ListJobsV1",
        "stream:ListMembers",
        "stream:ListNamespacesV1",
        "stream:ListOssInfo",
        "stream:ListRegionWithClusterQuantity",
        "stream:ListSavepoints",
        "stream:ListSavepointsV1",
        "stream:ListScheduledPlan",
        "stream:ListScheduledPlanExecutedHistory",
        "stream:ListSecretValuesV1",
        "stream:ListSessionClusters",
        "stream:ListSessionClustersV1",
        "stream:ListTablesV1",
        "stream:ListTagKeys",
        "stream:ListTagResources",
        "stream:ListTagValues",
        "stream:ListUserVswitch",
        "stream:ListVariables",
        "stream:ModifyDns",
        "stream:ModifyInstanceMetadata",
        "stream:ModifyInstanceVswitch",
        "stream:QueryCloneNamespace",
        "stream:QueryCreateLxCommodityPrice",
        "stream:QueryCreateVvpInstancePrice",
        "stream:QueryTagVvpResources",
        "stream:RegisterCustomConnector",
        "stream:RegisterUdfFunction",
        "stream:ReplaceDeploymentV1",
        "stream:SaveDeploymentDraftResourcePlanV1",
        "stream:SearchFoldersByKeywordV1",
        "stream:SearchOrderStatistics",
        "stream:SetDeploymentResourceModeV1",
        "stream:StartJob",
        "stream:StartJobWithParams",
        "stream:StartOrGetNonTerminalSqlExecution",
        "stream:StartSessionCluster",
        "stream:StartSqlExecution",
        "stream:StopApplyScheduledPlan",
        "stream:StopJob",
        "stream:StopSessionCluster",
        "stream:StopSqlExecution",
        "stream:SubmitSqlPreview",
        "stream:TagVvpResources",
        "stream:UnTagVvpResources",
        "stream:UpdateDeployment",
        "stream:UpdateDeploymentByName",
        "stream:UpdateDeploymentDesiredStateV1",
        "stream:UpdateDeploymentDraft",
        "stream:UpdateDeploymentDraftV1",
        "stream:UpdateDeploymentTarget",
        "stream:UpdateDeploymentTargetV2",
        "stream:UpdateDeploymentV1",
        "stream:UpdateFolder",
        "stream:UpdateInstanceMonitorType",
        "stream:UpdateMember",
        "stream:UpdateMemberV1",
        "stream:UpdateScheduledPlan",
        "stream:UpdateSessionCluster",
        "stream:UpdateSqlFile",
        "stream:UpdateUdfArtifact",
        "stream:UpdateVariable",
        "stream:ValidateDeploymentDraftAsync",
        "stream:ValidateSqlScriptV1",
        "stream:ValidateSqlStatement",
        "stream:WorkflowCallbackQueryNodeStatus",
        "stream:WorkflowCallbackStartNode",
        "stream:WorkflowCallbackStopNode"
      ],
      "Resource": "*"
    }
  ]
}
    Important

    Granting account-level permissions allows access to all relevant resources in the account. Always follow PoLP.

    FAQ

    How do I find which resource group a resource belongs to?

    • Method 1: From the service console

      • Navigate to the service console where the resource was created. On the resource's details page, you can typically find the resource group listed in the basic information section.

    • Method 2: From the Resource Management console

      • Log on to the Resource Management console.

      • Choose Resource Center > Resource Search.

      • In the left pane, select the account that owns the target resource (the default is Current Account).

      • Use filter conditions to find your resource.

      • The Resource Group column shows which group the resource belongs to.

    How do I view all resources in a specific resource group?

    • Method 1:

      • Log on to the Resource Management console.

      • Choose Resource Center > Resource Search.

      • In the left pane, under the account that owns the resources (the default is Current Account), click the name of the desired resource group.

      • In the right pane, select the cloud service from the Select resource types drop-down list.

      • All resources in that group will be displayed.

    • Method 2:

      • Log on to the Resource Management console.

      • Choose Resource Group > Resource Group.

      • Find the desired resource group and click Manage Resource in the Actions column.

      • On the resource management page, select the cloud service from the Service drop-down list.

      • All resources in that group will be displayed.

    How do I move multiple resources to a different resource group in batch?

    1. Log on to the Resource Management console.

    2. Choose Resource Group > Resource Group.

    3. Find the desired resource group and click Manage Resource in the Actions column.

    4. On the resource management page, use filter conditions to find the resources you want to move.

    5. Select the checkbox for each resource.

    6. At the bottom of the page, click Transfer.

    7. In the dialog box, select the destination resource group and click Confirm.