All Products
Search

This Product

    Global Accelerator:Use resource groups for fine-grained resource control

    Document Center

    Global Accelerator:Use resource groups for fine-grained resource control

    Last Updated:Apr 23, 2026

    You can use resource groups with Resource Access Management (RAM) to isolate resources and implement fine-grained permission management within a single Alibaba Cloud account. This topic describes how Global Accelerator supports resource groups and explains how to grant permissions at the resource group level.

    Note

    How it works

    Resource groups help you manage resources in your Alibaba Cloud account by organizing them. For more information, see What is a resource group?.

    After you group your resources, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, scoped to a specific resource group. This limits the principal to managing only the resources within that group. For more information, see Resource grouping and authorization.

    This approach provides the following benefits:

    • Fine-grained permissions: Ensures that each identity has the precise permissions required, which prevents resource management from overlapping across different projects within an account.

    • Scalability: When you add new resources, simply add them to the resource group. The RAM principal automatically inherits the required permissions for the new resources.

    Granting resource group-level permissions to a RAM user

    This section uses a RAM user as an example to show how to grant permissions on Global Accelerator resources within a specific resource group.

    1. Prerequisites

    1. Create the RAM user that you want to use. For more information, see Create a RAM user.

    2. Create a resource group and move your existing resources to it. For more information, see Create a resource group, Automatically add resources to a resource group, and Manually add resources to a resource group.

    2. Grant resource group-level permissions

    You can grant permissions at the resource group level in either of the following ways.

    Method 1: Resource Management console

    Use the permission management feature of a resource group to grant permissions to a specific RAM user. For detailed steps, see Grant permissions on a resource group to a RAM principal.

    • Log on to the Resource Management console.

    • On the Resource Groups page, find the target resource group and click Permissions in the Actions column.

    • On the Permissions tab, click Grant Permission.

    • In the Grant Permission panel, configure the principal and the permission policy.

      • Principal: Select an existing RAM user.

      • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

    • Click OK.

    Method 2: RAM console

    Grant permissions to a specific RAM user at the resource group level in the RAM console. For detailed steps, see Manage permissions for a RAM user.

    • Log on to the RAM console with your Alibaba Cloud account (root account) or as a RAM administrator.

    • In the left navigation bar, select Identity Management > Users.On the Users page, click Add Permissions in the Actions column for the target RAM user.

    • In the Add Permissions panel, add permissions to the RAM user.

      • Authorized Scope: Select Specified Resource Groups.

      • Principal: Select an existing RAM user or the RAM user that you created in the preceding steps.

      • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

    • Click OK.

    Resource types that support resource groups

    The following Global Accelerator resource types support resource groups.

    Cloud service

    Service code

    Resource type

    Global Accelerator

    ga

    accelerator: standard-plan accelerator

    Global Accelerator

    ga

    acl: access control

    Global Accelerator

    ga

    bandwidthpackage: bandwidth plan

    Global Accelerator

    ga

    basicaccelerator: basic-plan accelerator
    Note

    For resource types that do not currently support resource groups, you can submit feedback in the Resource Management console.

    image

    Actions without resource group-level authorization

    The following Global Accelerator actions do not support resource group-level authorization:

    Action

    Description

    ga:CheckTrialQualification

    -

    ga:CopyTrialAcceleratorConfig

    -

    ga:CreateCustomRoutingEndpointGroups

    Creates multiple endpoint groups for a custom routing listener.

    ga:CreateCustomRoutingEndpoints

    Creates endpoints for a custom routing listener.

    ga:CreateTrialAccelerator

    -

    ga:DeleteCustomRoutingEndpointGroupDestinations

    Deletes the port mapping configuration of an endpoint group for a custom routing listener.

    ga:DeleteCustomRoutingEndpointGroups

    Deletes multiple endpoint groups that are associated with a custom routing listener.

    ga:DeleteCustomRoutingEndpoints

    Deletes endpoints of a custom routing listener.

    ga:DescribeAcceleratorPrice

    -

    ga:DescribeAcceleratorServiceStatus

    Checks if the pay-as-you-go Global Accelerator service is activated.

    ga:DescribeBandwidthPackageAutoRenewAttribute

    Queries the auto-renewal status of a bandwidth plan.

    ga:DescribeCommodity

    Queries the product information of Global Accelerator.

    ga:DescribeCommodityPrice

    Queries the price information of Global Accelerator products.

    ga:DescribeCustomRoutingEndpoint

    Queries a custom endpoint.

    ga:DescribeRegions

    Queries the regions where Global Accelerator instances can be deployed.

    ga:DescribeTrialAccelerator

    -

    ga:DescriberCommodity

    -

    ga:DescriberCommodityPrice

    -

    ga:GetInvalidDomainCount

    Obtains the total number of non-compliant domains.

    ga:ListAccelerateAreas

    Queries available acceleration areas and regions.

    ga:ListApplicationMonitor

    Queries the list of origin probing tasks.

    ga:ListApplicationMonitorDetectResult

    Queries the diagnostic results of an origin probing task.

    ga:ListBusiRegions

    Queries the regions where Global Accelerator is supported.

    ga:ListCommonAreas

    Queries available acceleration areas and regions.

    ga:ListCrossBorderCdtUsageDetailForGa

    -

    ga:ListCrossBorderPackageForCompliance

    -

    ga:ListCrossBorderPackageUsageDetail

    -

    ga:ListCustomRoutingPortMappingsByDestination

    Queries the port mappings of a specified backend instance for a custom routing listener.

    ga:ListEips

    -

    ga:ListEndpointChangeRecord

    -

    ga:ListGaCrossBorderPackageForComplianceCheck

    -

    ga:ListIspTypes

    Queries the line types supported by an acceleration region.

    ga:ListSystemSecurityPolicies

    Queries the list of TLS system security policies supported by an HTTPS listener.

    ga:ListTrialAccelerators

    -

    ga:OpenAcceleratorService

    If you use a pay-as-you-go Global Accelerator instance, you must enable the pay-as-you-go Global Accelerator service. This operation enables the service.

    ga:QueryCrossBorderApprovalStatus

    Queries the approval status of cross-border permissions for an Alibaba Cloud account (root account).

    ga:QueryCrossPrivatePermission

    -

    ga:TagResources

    Adds tags to Global Accelerator resources.

    ga:UntagResources

    Removes tags from Global Accelerator resources.

    ga:UpdateBandwidthPackagaAutoRenewAttribute

    Modifies the auto-renewal attribute of a bandwidth plan.

    ga:UpdateDomain

    Updates a domain name.

    ga:UpdateDomainState

    Updates the ICP filing status of an accelerated domain name.

    ga:VerifyGaCrossBorderPackageForCompliance

    -

    For actions that do not support resource group-level authorization, setting the scope to Specified Resource Groups has no effect. To grant these permissions, you must create a custom policy with the scope set to Account Level.

    image.pngThe following are two examples of custom permission policies. You can modify these policies as needed.

    • Allows all read-only actions that do not support resource group-level authorization. The Action element lists all read-only actions that do not support resource group-level authorization.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ga:CheckTrialQualification",
        "ga:DescribeAcceleratorPrice",
        "ga:DescribeAcceleratorServiceStatus",
        "ga:DescribeBandwidthPackageAutoRenewAttribute",
        "ga:DescribeCommodity",
        "ga:DescribeCommodityPrice",
        "ga:DescribeCustomRoutingEndpoint",
        "ga:DescribeRegions",
        "ga:DescribeTrialAccelerator",
        "ga:DescriberCommodity",
        "ga:DescriberCommodityPrice",
        "ga:GetInvalidDomainCount",
        "ga:ListAccelerateAreas",
        "ga:ListApplicationMonitor",
        "ga:ListApplicationMonitorDetectResult",
        "ga:ListBusiRegions",
        "ga:ListCommonAreas",
        "ga:ListCrossBorderCdtUsageDetailForGa",
        "ga:ListCrossBorderPackageForCompliance",
        "ga:ListCrossBorderPackageUsageDetail",
        "ga:ListCustomRoutingPortMappingsByDestination",
        "ga:ListEips",
        "ga:ListEndpointChangeRecord",
        "ga:ListGaCrossBorderPackageForComplianceCheck",
        "ga:ListIspTypes",
        "ga:ListSystemSecurityPolicies",
        "ga:ListTrialAccelerators",
        "ga:QueryCrossBorderApprovalStatus",
        "ga:QueryCrossPrivatePermission"
      ],
      "Resource": "*"
    }
  ]
}

    • Allows all actions that do not support resource group-level authorization. The Action element lists all actions that do not support resource group-level authorization.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ga:CheckTrialQualification",
        "ga:CopyTrialAcceleratorConfig",
        "ga:CreateCustomRoutingEndpointGroups",
        "ga:CreateCustomRoutingEndpoints",
        "ga:CreateTrialAccelerator",
        "ga:DeleteCustomRoutingEndpointGroupDestinations",
        "ga:DeleteCustomRoutingEndpointGroups",
        "ga:DeleteCustomRoutingEndpoints",
        "ga:DescribeAcceleratorPrice",
        "ga:DescribeAcceleratorServiceStatus",
        "ga:DescribeBandwidthPackageAutoRenewAttribute",
        "ga:DescribeCommodity",
        "ga:DescribeCommodityPrice",
        "ga:DescribeCustomRoutingEndpoint",
        "ga:DescribeRegions",
        "ga:DescribeTrialAccelerator",
        "ga:DescriberCommodity",
        "ga:DescriberCommodityPrice",
        "ga:GetInvalidDomainCount",
        "ga:ListAccelerateAreas",
        "ga:ListApplicationMonitor",
        "ga:ListApplicationMonitorDetectResult",
        "ga:ListBusiRegions",
        "ga:ListCommonAreas",
        "ga:ListCrossBorderCdtUsageDetailForGa",
        "ga:ListCrossBorderPackageForCompliance",
        "ga:ListCrossBorderPackageUsageDetail",
        "ga:ListCustomRoutingPortMappingsByDestination",
        "ga:ListEips",
        "ga:ListEndpointChangeRecord",
        "ga:ListGaCrossBorderPackageForComplianceCheck",
        "ga:ListIspTypes",
        "ga:ListSystemSecurityPolicies",
        "ga:ListTrialAccelerators",
        "ga:OpenAcceleratorService",
        "ga:QueryCrossBorderApprovalStatus",
        "ga:QueryCrossPrivatePermission",
        "ga:TagResources",
        "ga:UntagResources",
        "ga:UpdateBandwidthPackagaAutoRenewAttribute",
        "ga:UpdateDomain",
        "ga:UpdateDomainState",
        "ga:VerifyGaCrossBorderPackageForCompliance"
      ],
      "Resource": "*"
    }
  ]
}
    Important

    A principal with account-level permissions can manage all relevant resources in your account. Therefore, you must grant only necessary permissions and always follow the principle of least privilege.

    FAQ

    Viewing a resource's resource group

    • Method 1: Click the resource name to go to its details page, where you can find its resource group.

    • Method 2: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side navigation pane, select the account to which the resource belongs (the default is Current Account). Use the filter conditions to locate the target resource and view its resource group.

    Finding product resources in a resource group

    • Method 1: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side navigation pane, under the account (the default is Current Account), click the name of the target resource group. Then, in the Select Resource Type filter on the right, select the product to view all its resources in that resource group.

    • Method 2: Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all its resources in that resource group.

    Moving resources to another resource group

    Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column to go to the resource management page. Use the filter conditions to find the target resources. Select the checkboxes for the resources that you want to move, click Transfer Resources at the bottom of the list, and follow the on-screen instructions.