You can use resource groups to group and manage your resources. With Resource Access Management (RAM), you can isolate resources and manage permissions at a fine-grained level within a single Alibaba Cloud account. This topic describes how Microservices Engine supports resource groups and provides the steps to grant permissions at the resource group level.
- Resource group-level authorization is effective only for resource types that support resource groups and operations that support resource group-level authorization.
- For resource types that do not support resource groups, permissions granted at the resource group level are invalid. To grant permissions for these resource types, you must select the account level as the resource scope. For more information, see Operations that do not support resource group-level authorization.
How resource group authorization works
You can use resource groups to group and manage resources in your Alibaba Cloud account. For example, you can create resource groups for different projects and transfer resources to the corresponding groups to centrally manage the resources for each project. For more information, see What is a Resource Group?.
After you complete resource grouping, you can grant permissions for a specific resource group to different RAM authorization entities, such as RAM users, RAM user groups, or RAM roles. This restricts the entity to managing only the resources within that resource group. For more information, see Resource Grouping and Authorization.
The advantages of this authorization method are:
- Fine-grained permissions: You can ensure that each identity has only the required access permissions. This prevents the need to manage resources from multiple projects under a single account.
- Extensibility: When you add new resources, you can simply add them to the resource group. The RAM identity automatically obtains the necessary permissions for the new resources without requiring another authorization.
Grant resource-group-level permissions to a RAM user
This section uses a RAM user as an example to describe how to grant permissions for Microservices Engine resources within a specific resource group.
1. Prerequisites
- Create a Resource Access Management (RAM) User. For more information, see Create a RAM user.
- Create a Resource Group and transfer your existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources, and Manually transfer resources.
2. Grant resource-group-level authorization
You can grant resource-group-level authorization in either of the following ways.
Method 1: Grant authorization in the Resource Management console
You can use the permission management feature of a resource group to grant permissions to a specific RAM user. For more information, see Grant resource group-scoped permissions to a RAM identity.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.
- On the Permission Management tab, click Grant Permission.
- In the Grant Permission panel, set the principal and access policy.
  - Principal: Select an existing RAM user.
  - Access Policy: Select System Policy or an existing Custom Policy. For more information, see Create a custom access policy.
- Click Confirm New Authorization.
Method 2: Grant authorization in the RAM console
You can grant resource group-level permissions to a specified RAM user in the RAM console. For more information, see Manage permissions for RAM users.
- Use your Alibaba Cloud account or a RAM administrator to log on to the RAM console.
- In the navigation pane on the left, choose . On the Users page, find the target RAM user and click Grant Permission in the Actions column.
- In the Grant Permission panel, grant permissions to the RAM user.
  - Resource Scope: Select Resource Group.
  - Principal: Select an existing RAM user or the one you created in the previous steps.
  - Access Policy: Select a System Policy or an existing Custom Policy. For more information, see Create a custom policy.
- Click OK.
Resource types that support resource groups
The following table shows the resource types in Microservices Engine that support resource groups:
| Alibaba Cloud Service | Service Code | Resource Type |
| --- | --- | --- |
| Microservices Engine | mse | cluster: Cluster |
| Microservices Engine | mse | gateway: Gateway |
For resource types that do not yet support resource groups, you can submit feedback in the Resource Management console.

Operations that do not support resource-group-level authorization
The following table lists the operations (Actions) in Microservices Engine that do not support resource-group-level authorization:
| Action | Description |
| --- | --- |
| mse:AddAuthPolicy | Creates a service authentication rule by calling the AddAuthPolicy operation. |
| mse:AddCustomPlugin | - |
| mse:AddGatewayOrder | - |
| mse:AddGatewayRetry | - |
| mse:AddGatewayService | - |
| mse:AddLoadBalancePolicy | - |
| mse:AddMigrationTask | Adds a migration task by calling an API operation. |
| mse:AddMockRule | Creates a mock rule. |
| mse:AddRateLimit | - |
| mse:AddRoutePolicy | - |
| mse:AddServiceTimeConfig | - |
| mse:AddWhiteScreenRule | - |
| mse:ApplyCanaryPolicy | - |
| mse:ApplyGlobalReadWriteSplitRule | - |
| mse:ApplyReadWriteSplitRule | - |
| mse:ApplyTagPolicies | Modifies a tag routing rule. |
| mse:BatchUpdateRulesEnable | - |
| mse:BindSentinelBlockFallbackDefinition | Binds a traffic protection behavior. |
| mse:BindSentinelBlockFallbackDefinitionBatch | - |
| mse:ChangeOperateTaskTime | - |
| mse:CheckAuthPolicyName | - |
| mse:CheckCanaryPolicy | - |
| mse:CheckCsRole | - |
| mse:CheckEciRole | - |
| mse:CheckGatewayIngressMigrateTask | - |
| mse:CheckKmsStatus | - |
| mse:CheckMigrationServiceAnnotation | - |
| mse:CheckRole | - |
| mse:CheckServiceLinkRole | - |
| mse:CheckUserReadinessConfig | - |
| mse:CheckXTraceServiceStatus | - |
| mse:CloneSentinelRuleFromAhas | Migrates AHAS rules. |
| mse:ConvertSwaggerToMcpConfig | - |
| mse:CreateApplication | Creates an application. |
| mse:CreateCircuitBreakerRule | Creates a circuit breaking rule. |
| mse:CreateDemoToUserCluster | - |
| mse:CreateFlowRule | Creates a throttling rule. |
| mse:CreateGovernanceKubernetesCluster | - |
| mse:CreateGovernanceService | - |
| mse:CreateHotParamRule | - |
| mse:CreateIsolationRule | Creates an isolation rule. |
| mse:CreateLicenseKey | - |
| mse:CreateMseServiceApplication | Creates an application. |
| mse:CreateNamespace | Creates a microservice governance namespace. |
| mse:CreateOrUpdateEmptyPushSetting | - |
| mse:CreateOrUpdateSwimmingLane | Creates or updates an end-to-end canary release lane. |
| mse:CreateOrUpdateSwimmingLaneGroup | Creates or updates an end-to-end canary release lane group. |
| mse:CreateOutlierConfig | - |
| mse:CreateSentinelBlockFallbackDefinition | Creates a behavior management rule. |
| mse:CreateWebFlowRule | Creates a hot spot parameter protection rule for HTTP requests. |
| mse:DeleteBackupTask | - |
| mse:DeleteCircuitBreakerRules | Deletes a circuit breaking rule. |
| mse:DeleteCustomPlugin | - |
| mse:DeleteFaultInjectionRule | - |
| mse:DeleteFlowRules | Deletes a throttling rule. |
| mse:DeleteGatewayCircuitBreakerRule | Deletes the gateway circuit breaking rule. |
| mse:DeleteGatewayIngressMigrateTask | - |
| mse:DeleteGatewayIsolationRule | Deletes the gateway concurrency rule. |
| mse:DeleteGovernanceKubernetesCluster | - |
| mse:DeleteHotParamRules | - |
| mse:DeleteIsolationRules | Deletes an isolation rule. |
| mse:DeleteMigrationTask | Deletes a cloud migration task by calling an API operation. |
| mse:DeleteNacosDatasourceResource | - |
| mse:DeleteNamespace | Deletes an MSE namespace. |
| mse:DeleteRateLimit | - |
| mse:DeleteRetryRule | - |
| mse:DeleteSSLCert | - |
| mse:DeleteSentinelBlockFallbackDefinition | - |
| mse:DeleteServiceTimeConfig | - |
| mse:DeleteSwimmingLane | Deletes an end-to-end lane. |
| mse:DeleteSwimmingLaneGroup | Deletes an end-to-end lane group. |
| mse:DeleteTimeoutRule | - |
| mse:DeleteTrace | - |
| mse:DeleteUpstreamGroupOfSingleService | - |
| mse:DeleteWebFlowRules | Deletes a hot spot parameter protection rule for HTTP requests. |
| mse:DeleteWhiteScreenRule | - |
| mse:DescribeAppAgentStatus | - |
| mse:DescribeScenarioRecordsForAhas | - |
| mse:FallbackGateway | - |
| mse:FetchAppLogConfig | - |
| mse:FetchDataSourceConfig | - |
| mse:FetchGlobalReadWriteSplitRules | - |
| mse:FetchLogConfig | - |
| mse:FetchLosslessRuleList | Obtains a list of graceful online and offline rules. |
| mse:FetchReadWriteSplitRules | - |
| mse:FetchRoutePolicyList | - |
| mse:FixGateway | - |
| mse:GatewayAdmin | - |
| mse:GetAccountMockRule | - |
| mse:GetApiTestHistory | - |
| mse:GetAppMessageQueueRoute | Obtains information about message canary release for an application. |
| mse:GetApplicationDetail | - |
| mse:GetApplicationInstanceList | Queries the list of microservice application instances. |
| mse:GetApplicationInstancesWithMetircs | - |
| mse:GetApplicationList | Obtains the application list by calling the GetApplicationList operation. |
| mse:GetApplicationListWithMetircs | - |
| mse:GetApplicationTagList | - |
| mse:GetArmsAlarms | - |
| mse:GetAuthPolicyInfo | - |
| mse:GetCanaryStatus | - |
| mse:GetConfig | - |
| mse:GetDubboServicePageWithMetrics | - |
| mse:GetDubboTestMethod | - |
| mse:GetEventDetail | - |
| mse:GetEventFilterOptions | - |
| mse:GetFaultInjectionRule | - |
| mse:GetGatewayAlarms | - |
| mse:GetGatewayIngressMigrateTaskDetail | - |
| mse:GetGatewayMigrateNamespacedServices | - |
| mse:GetGatewayNotice | - |
| mse:GetGatewaySelection | - |
| mse:GetGovernanceKubernetesClusterList | - |
| mse:GetGraySwimmingLaneGroupInfo | - |
| mse:GetHistorys | - |
| mse:GetImage | Queries the latest major version to which the current version can be upgraded. |
| mse:GetLicenseKey | - |
| mse:GetLocalityDistributionMetrics | - |
| mse:GetLocalityRule | Obtains the same-zone-first routing rule. |
| mse:GetLosslessRuleByApp | Obtains the graceful online and offline rule for a specific application. |
| mse:GetMockRuleByConsumerAppId | - |
| mse:GetMockRuleById | - |
| mse:GetMockRuleByProviderAppId | - |
| mse:GetMseFeatureSwitch | Obtains the MSE feature switch. |
| mse:GetNacosDatasourceResource | - |
| mse:GetNetworkInfo | - |
| mse:GetOutlierApplicationList | - |
| mse:GetOutlierPolicyInfo | - |
| mse:GetOverview | Queries the overview information of administration. |
| mse:GetPluginGuide | - |
| mse:GetRegExpCheck | - |
| mse:GetRegExpTest | - |
| mse:GetResourcePackageStatus | - |
| mse:GetResourcePackageStatusWithVersion | - |
| mse:GetRetryRule | - |
| mse:GetRoutePolicy | - |
| mse:GetServiceConsumersPage | - |
| mse:GetServiceDetail | - |
| mse:GetServiceList | Queries application service information by calling the GetServiceList operation. |
| mse:GetServiceListPage | Obtains the service list. |
| mse:GetServiceMethodPage | Obtains the list of service interfaces. |
| mse:GetServiceMethodPageWithMetrics | - |
| mse:GetServiceProvidersPage | - |
| mse:GetSpringCloudTestMethod | - |
| mse:GetTagKey | - |
| mse:GetTagVal | - |
| mse:GetTagsBySwimmingLaneGroupId | Obtains all tags in the current lane group. |
| mse:GetTimeoutRule | - |
| mse:GetTrace | - |
| mse:GetUpstreamGroupOfSingleService | - |
| mse:GetUserStatus | - |
| mse:ImportMcpConfigFromSwagger | - |
| mse:InitializeServiceLinkRole | Creates an MSE service-linked role (SLR). |
| mse:InvokeDubboTestMethod | - |
| mse:InvokeIstioTestMethod | - |
| mse:InvokeSpringCloudTestMethod | - |
| mse:ListAdaptiveOverloadProtectionConfig | - |
| mse:ListAppBySwimmingLaneGroupTag | Obtains the list of applications with a specified tag in the current lane group. |
| mse:ListAppBySwimmingLaneGroupTags | Obtains the list of applications with a specified tag in the specified lane group. |
| mse:ListAppResource | - |
| mse:ListAppResourceWithMetrics | - |
| mse:ListApplicationTagInstancese | - |
| mse:ListApplicationsWithTagRules | Obtains the routing rules of an application by calling the ListApplicationsWithTagRules operation. |
| mse:ListAuthPolicy | Queries the list of service authentication rules by calling the ListAuthPolicy operation. |
| mse:ListAutoDeployAvailableVsws | - |
| mse:ListAutoDeployAvailableZones | - |
| mse:ListBackupTasks | - |
| mse:ListBackups | - |
| mse:ListCircuitBreakerRules | Obtains the list of circuit breaking rules. |
| mse:ListClusterConnectionTypes | Queries the supported cluster connection types. |
| mse:ListClusterSelection | - |
| mse:ListClusterTypes | Queries the supported engine types that can be activated. |
| mse:ListClusterVersions | Queries information about supported cluster versions. |
| mse:ListCommunites | - |
| mse:ListCsKubernetesClusters | - |
| mse:ListCsSecurityGroup | - |
| mse:ListDefaultCircuitBreakerRules | - |
| mse:ListEurekaInstances | Queries the list of Eureka instances. |
| mse:ListEventOfReource | - |
| mse:ListEventRecords | - |
| mse:ListEventsByType | - |
| mse:ListEventsPageByType | - |
| mse:ListFcServiceAliases | - |
| mse:ListFcServiceVersions | - |
| mse:ListFcServices | - |
| mse:ListFlowRules | Obtains the list of throttling rules. |
| mse:ListGatewayDomainSSL | - |
| mse:ListGatewayIngressMigrateTask | - |
| mse:ListGatewayZone | Obtains the list of zones for a gateway. |
| mse:ListHotParamRules | - |
| mse:ListInstanceCount | Lists the number of nodes that can be activated for a cluster. |
| mse:ListInstances | - |
| mse:ListIpOrHosts | - |
| mse:ListIsolationRules | Queries isolation rules. |
| mse:ListKubernetesNamespace | - |
| mse:ListLogSpanServices | - |
| mse:ListMethods | - |
| mse:ListMigrationTask | Queries cloud migration tasks by calling an API operation. |
| mse:ListMscEventRecords | - |
| mse:ListNacosDatasourceResourceChangeEvent | - |
| mse:ListNamespaces | Displays a list of namespaces, including the number of online nodes and total applications in each. This operation also supports fuzzy search by namespace name. |
| mse:ListOutlierPolicy | - |
| mse:ListProtectedAppResourceWithMetrics | - |
| mse:ListResourceWhiteListConfigs | - |
| mse:ListResources | - |
| mse:ListSentinelBlockFallbackDefinitions | Obtains custom traffic protection behaviors. |
| mse:ListServiceQuotas | - |
| mse:ListSpanNames | - |
| mse:ListSwimPathPercent | - |
| mse:ListTaskBackups | - |
| mse:ListUpgradableGatewayVersions | - |
| mse:ListUserK8sByVpc | - |
| mse:ListWebFlowRules | Queries hot spot parameter protection rules for HTTP requests. |
| mse:ModifyAdaptiveOverloadProtectionConfig | - |
| mse:ModifyLosslessRule | Modifies the graceful online and offline configuration for a user. |
| mse:ModifyNamespace | - |
| mse:ModifyServiceQuota | - |
| mse:OnAhas | - |
| mse:OpenXTraceService | - |
| mse:ProcessMessage | - |
| mse:QueryAhasUserStatus | - |
| mse:QueryAllSwimmingLane | Obtains information about all lanes. |
| mse:QueryAllSwimmingLaneGroup | Queries all lane groups. |
| mse:QueryAppDataSourceList | - |
| mse:QueryAppListMetrics | - |
| mse:QueryAppMethodMetrics | - |
| mse:QueryAppMethodMetricsWithSentinel | - |
| mse:QueryAppRPCMacMetrics | - |
| mse:QueryAppResourceMetrics | - |
| mse:QueryAppResourceMetricsByInstance | - |
| mse:QueryAppSummaryMetricsOverview | - |
| mse:QueryAppSummaryMetricsOverviewWithSentinel | - |
| mse:QueryAppSystemMetricsOfGroup | - |
| mse:QueryAppSystemMetricsOfGroupByInstance | - |
| mse:QueryAppTopNMacs | - |
| mse:QueryBusinessLocations | Queries region information. |
| mse:QueryClusterDiskSpecification | Queries information about supported cluster disk specifications. |
| mse:QueryClusterSpecification | Queries the list of supported cluster specifications. |
| mse:QueryClustersWithLabel | - |
| mse:QueryDatabaseRoute | - |
| mse:QueryEmptyPushSetting | - |
| mse:QueryEventOverview | - |
| mse:QueryGatewayRegion | Queries the regions supported by the gateway. |
| mse:QueryGatewayTask | - |
| mse:QueryGatewayType | Queries the available gateway types. |
| mse:QueryGatewaysWithLabel | - |
| mse:QueryGovernanceKubernetesCluster | Obtains a list of Kubernetes clusters for microservice governance. |
| mse:QueryMetricsAveragedByInstance | - |
| mse:QueryMseHomeDetail | - |
| mse:QueryNacosAi | - |
| mse:QueryNacosConfig | - |
| mse:QueryNacosGrayConfig | - |
| mse:QueryNacosNaming | - |
| mse:QueryNamespace | Queries an MSE namespace. |
| mse:QueryQuickStartStatus | - |
| mse:QueryResourceTopN | - |
| mse:QuerySentinelBlockFallbackDefinition | - |
| mse:QueryServiceAppId | - |
| mse:QueryServiceDetailWithMetrics | - |
| mse:QueryServiceMethodConsumerPageWithMetrics | - |
| mse:QueryServiceTimeConfig | - |
| mse:QuerySlbSpec | Queries SLB types. |
| mse:QuerySwimmingLaneById | Queries lane information by lane ID. |
| mse:QueryUserKmsType | - |
| mse:RemoveApplication | Deletes a single application. |
| mse:RemoveApplications | - |
| mse:RemoveAuthPolicy | Deletes a service authentication rule by calling the RemoveAuthPolicy operation. |
| mse:RemoveOutlierPolicy | - |
| mse:RemoveRoutePolicy | - |
| mse:ReportMetadata | - |
| mse:ReportOnePilotInfo | - |
| mse:RevertApplicationRoutePolicy | - |
| mse:RevertBackup | - |
| mse:RunApiTest | - |
| mse:RunServiceTest | - |
| mse:SearchTraces | - |
| mse:TestService | - |
| mse:UnbindSentinelBlockFallbackDefinition | - |
| mse:UpdateAppLogConfig | - |
| mse:UpdateAuthPolicy | Updates a service authentication rule by calling the UpdateAuthPolicy operation. |
| mse:UpdateBackupTask | - |
| mse:UpdateCircuitBreakerRule | Updates a circuit breaking rule. |
| mse:UpdateCircuitBreakerRulesStatus | - |
| mse:UpdateCustomPlugin | - |
| mse:UpdateDataSourceConfig | - |
| mse:UpdateDatabaseRoute | - |
| mse:UpdateDefaultCircuitBreakerRule | - |
| mse:UpdateFlowRule | Updates a throttling rule. |
| mse:UpdateFlowRulesStatus | - |
| mse:UpdateGatewayIngressMigrateTask | - |
| mse:UpdateGatewayIngressMigrateTaskStatus | - |
| mse:UpdateGatewayServicePort | - |
| mse:UpdateGovernanceServiceSubscribe | - |
| mse:UpdateHotParamRule | - |
| mse:UpdateHotParamRulesStatus | - |
| mse:UpdateInstanceRegisterStatus | - |
| mse:UpdateIsolationRule | Updates an isolation rule. |
| mse:UpdateIsolationRulesStatus | - |
| mse:UpdateLocalityRule | Updates the same-zone-first routing rule. |
| mse:UpdateLogConfig | - |
| mse:UpdateMessageQueueRoute | Updates the message canary release configuration for an application. |
| mse:UpdateMigrationTask | Updates a cloud migration task by calling an API operation. |
| mse:UpdateNacosAi | - |
| mse:UpdateNacosDatasourceResource | - |
| mse:UpdateNacosNaming | - |
| mse:UpdateOutlierConfig | - |
| mse:UpdateQuickStartStatus | - |
| mse:UpdateRateLimit | - |
| mse:UpdateResourceWhiteListConfig | - |
| mse:UpdateSentinelBlockFallbackDefinition | - |
| mse:UpdateUpstreamGroupOfSingleService | - |
| mse:UpdateWebFlowRule | Updates a hot spot parameter protection rule for HTTP requests. |
| mse:UpdateWebFlowRulesStatus | - |
| mse:UpdateWhiteScreenRule | - |
| mse:listGrayTag | - |
For operations that do not support resource group authorization, setting the resource scope to Resource Group has no effect. If a RAM user requires permissions for these operations, you must create a custom policy and set the resource scope to Account when you grant permissions.
The following are two examples of custom policies. You can adjust the policy content as needed.
- Allow all read-only operations that do not support resource-group-level authorization: The Action element lists all read-only operations that do not support resource-group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:CheckServiceLinkRole",
        "mse:GetAccountMockRule",
        "mse:GetApiTestHistory",
        "mse:GetAppMessageQueueRoute",
        "mse:GetApplicationDetail",
        "mse:GetApplicationInstanceList",
        "mse:GetApplicationInstancesWithMetircs",
        "mse:GetApplicationList",
        "mse:GetApplicationListWithMetircs",
        "mse:GetApplicationTagList",
        "mse:GetArmsAlarms",
        "mse:GetAuthPolicyInfo",
        "mse:GetCanaryStatus",
        "mse:GetConfig",
        "mse:GetDubboServicePageWithMetrics",
        "mse:GetDubboTestMethod",
        "mse:GetEventDetail",
        "mse:GetEventFilterOptions",
        "mse:GetFaultInjectionRule",
        "mse:GetGatewayAlarms",
        "mse:GetGatewayIngressMigrateTaskDetail",
        "mse:GetGatewayMigrateNamespacedServices",
        "mse:GetGatewayNotice",
        "mse:GetGatewaySelection",
        "mse:GetGovernanceKubernetesClusterList",
        "mse:GetGraySwimmingLaneGroupInfo",
        "mse:GetHistorys",
        "mse:GetImage",
        "mse:GetLicenseKey",
        "mse:GetLocalityDistributionMetrics",
        "mse:GetLocalityRule",
        "mse:GetLosslessRuleByApp",
        "mse:GetMockRuleByConsumerAppId",
        "mse:GetMockRuleById",
        "mse:GetMockRuleByProviderAppId",
        "mse:GetMseFeatureSwitch",
        "mse:GetNacosDatasourceResource",
        "mse:GetNetworkInfo",
        "mse:GetOutlierApplicationList",
        "mse:GetOutlierPolicyInfo",
        "mse:GetOverview",
        "mse:GetPluginGuide",
        "mse:GetRegExpCheck",
        "mse:GetRegExpTest",
        "mse:GetResourcePackageStatus",
        "mse:GetResourcePackageStatusWithVersion",
        "mse:GetRetryRule",
        "mse:GetRoutePolicy",
        "mse:GetServiceConsumersPage",
        "mse:GetServiceDetail",
        "mse:GetServiceList",
        "mse:GetServiceListPage",
        "mse:GetServiceMethodPage",
        "mse:GetServiceMethodPageWithMetrics",
        "mse:GetServiceProvidersPage",
        "mse:GetSpringCloudTestMethod",
        "mse:GetTagKey",
        "mse:GetTagVal",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:GetTimeoutRule",
        "mse:GetTrace",
        "mse:GetUpstreamGroupOfSingleService",
        "mse:GetUserStatus",
        "mse:ListAdaptiveOverloadProtectionConfig",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppResource",
        "mse:ListAppResourceWithMetrics",
        "mse:ListApplicationTagInstancese",
        "mse:ListApplicationsWithTagRules",
        "mse:ListAuthPolicy",
        "mse:ListAutoDeployAvailableVsws",
        "mse:ListAutoDeployAvailableZones",
        "mse:ListBackupTasks",
        "mse:ListBackups",
        "mse:ListCircuitBreakerRules",
        "mse:ListClusterConnectionTypes",
        "mse:ListClusterSelection",
        "mse:ListClusterTypes",
        "mse:ListClusterVersions",
        "mse:ListCommunites",
        "mse:ListCsKubernetesClusters",
        "mse:ListCsSecurityGroup",
        "mse:ListDefaultCircuitBreakerRules",
        "mse:ListEurekaInstances",
        "mse:ListEventOfReource",
        "mse:ListEventRecords",
        "mse:ListEventsByType",
        "mse:ListEventsPageByType",
        "mse:ListFcServiceAliases",
        "mse:ListFcServiceVersions",
        "mse:ListFcServices",
        "mse:ListFlowRules",
        "mse:ListGatewayDomainSSL",
        "mse:ListGatewayIngressMigrateTask",
        "mse:ListGatewayZone",
        "mse:ListHotParamRules",
        "mse:ListInstanceCount",
        "mse:ListInstances",
        "mse:ListIpOrHosts",
        "mse:ListIsolationRules",
        "mse:ListKubernetesNamespace",
        "mse:ListLogSpanServices",
        "mse:ListMethods",
        "mse:ListMigrationTask",
        "mse:ListMscEventRecords",
        "mse:ListNacosDatasourceResourceChangeEvent",
        "mse:ListNamespaces",
        "mse:ListOutlierPolicy",
        "mse:ListProtectedAppResourceWithMetrics",
        "mse:ListResourceWhiteListConfigs",
        "mse:ListResources",
        "mse:ListSentinelBlockFallbackDefinitions",
        "mse:ListServiceQuotas",
        "mse:ListSpanNames",
        "mse:ListSwimPathPercent",
        "mse:ListTaskBackups",
        "mse:ListUpgradableGatewayVersions",
        "mse:ListUserK8sByVpc",
        "mse:ListWebFlowRules",
        "mse:QueryAhasUserStatus",
        "mse:QueryAllSwimmingLane",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAppDataSourceList",
        "mse:QueryAppListMetrics",
        "mse:QueryAppMethodMetrics",
        "mse:QueryAppMethodMetricsWithSentinel",
        "mse:QueryAppRPCMacMetrics",
        "mse:QueryAppResourceMetrics",
        "mse:QueryAppResourceMetricsByInstance",
        "mse:QueryAppSummaryMetricsOverview",
        "mse:QueryAppSummaryMetricsOverviewWithSentinel",
        "mse:QueryAppSystemMetricsOfGroup",
        "mse:QueryAppSystemMetricsOfGroupByInstance",
        "mse:QueryAppTopNMacs",
        "mse:QueryBusinessLocations",
        "mse:QueryClusterDiskSpecification",
        "mse:QueryClusterSpecification",
        "mse:QueryClustersWithLabel",
        "mse:QueryDatabaseRoute",
        "mse:QueryEmptyPushSetting",
        "mse:QueryEventOverview",
        "mse:QueryGatewayRegion",
        "mse:QueryGatewayTask",
        "mse:QueryGatewayType",
        "mse:QueryGatewaysWithLabel",
        "mse:QueryGovernanceKubernetesCluster",
        "mse:QueryMetricsAveragedByInstance",
        "mse:QueryMseHomeDetail",
        "mse:QueryNacosAi",
        "mse:QueryNacosConfig",
        "mse:QueryNacosGrayConfig",
        "mse:QueryNacosNaming",
        "mse:QueryNamespace",
        "mse:QueryQuickStartStatus",
        "mse:QueryResourceTopN",
        "mse:QuerySentinelBlockFallbackDefinition",
        "mse:QueryServiceAppId",
        "mse:QueryServiceDetailWithMetrics",
        "mse:QueryServiceMethodConsumerPageWithMetrics",
        "mse:QueryServiceTimeConfig",
        "mse:QuerySlbSpec",
        "mse:QuerySwimmingLaneById",
        "mse:QueryUserKmsType"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allow all operations that do not support resource-group-level authorization: The Action element lists all operations that do not support resource-group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:AddAuthPolicy",
        "mse:AddCustomPlugin",
        "mse:AddGatewayOrder",
        "mse:AddGatewayRetry",
        "mse:AddGatewayService",
        "mse:AddLoadBalancePolicy",
        "mse:AddMigrationTask",
        "mse:AddMockRule",
        "mse:AddRateLimit",
        "mse:AddRoutePolicy",
        "mse:AddServiceTimeConfig",
        "mse:AddWhiteScreenRule",
        "mse:ApplyCanaryPolicy",
        "mse:ApplyGlobalReadWriteSplitRule",
        "mse:ApplyReadWriteSplitRule",
        "mse:ApplyTagPolicies",
        "mse:BatchUpdateRulesEnable",
        "mse:BindSentinelBlockFallbackDefinition",
        "mse:BindSentinelBlockFallbackDefinitionBatch",
        "mse:ChangeOperateTaskTime",
        "mse:CheckAuthPolicyName",
        "mse:CheckCanaryPolicy",
        "mse:CheckCsRole",
        "mse:CheckEciRole",
        "mse:CheckGatewayIngressMigrateTask",
        "mse:CheckKmsStatus",
        "mse:CheckMigrationServiceAnnotation",
        "mse:CheckRole",
        "mse:CheckServiceLinkRole",
        "mse:CheckUserReadinessConfig",
        "mse:CheckXTraceServiceStatus",
        "mse:CloneSentinelRuleFromAhas",
        "mse:ConvertSwaggerToMcpConfig",
        "mse:CreateApplication",
        "mse:CreateCircuitBreakerRule",
        "mse:CreateDemoToUserCluster",
        "mse:CreateFlowRule",
        "mse:CreateGovernanceKubernetesCluster",
        "mse:CreateGovernanceService",
        "mse:CreateHotParamRule",
        "mse:CreateIsolationRule",
        "mse:CreateLicenseKey",
        "mse:CreateMseServiceApplication",
        "mse:CreateNamespace",
        "mse:CreateOrUpdateEmptyPushSetting",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateOutlierConfig",
        "mse:CreateSentinelBlockFallbackDefinition",
        "mse:CreateWebFlowRule",
        "mse:DeleteBackupTask",
        "mse:DeleteCircuitBreakerRules",
        "mse:DeleteCustomPlugin",
        "mse:DeleteFaultInjectionRule",
        "mse:DeleteFlowRules",
        "mse:DeleteGatewayCircuitBreakerRule",
        "mse:DeleteGatewayIngressMigrateTask",
        "mse:DeleteGatewayIsolationRule",
        "mse:DeleteGovernanceKubernetesCluster",
        "mse:DeleteHotParamRules",
        "mse:DeleteIsolationRules",
        "mse:DeleteMigrationTask",
        "mse:DeleteNacosDatasourceResource",
        "mse:DeleteNamespace",
        "mse:DeleteRateLimit",
        "mse:DeleteRetryRule",
        "mse:DeleteSSLCert",
        "mse:DeleteSentinelBlockFallbackDefinition",
        "mse:DeleteServiceTimeConfig",
        "mse:DeleteSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteTimeoutRule",
        "mse:DeleteTrace",
        "mse:DeleteUpstreamGroupOfSingleService",
        "mse:DeleteWebFlowRules",
        "mse:DeleteWhiteScreenRule",
        "mse:DescribeAppAgentStatus",
        "mse:DescribeScenarioRecordsForAhas",
        "mse:FallbackGateway",
        "mse:FetchAppLogConfig",
        "mse:FetchDataSourceConfig",
        "mse:FetchGlobalReadWriteSplitRules",
        "mse:FetchLogConfig",
        "mse:FetchLosslessRuleList",
        "mse:FetchReadWriteSplitRules",
        "mse:FetchRoutePolicyList",
        "mse:FixGateway",
        "mse:GatewayAdmin",
        "mse:GetAccountMockRule",
        "mse:GetApiTestHistory",
        "mse:GetAppMessageQueueRoute",
        "mse:GetApplicationDetail",
        "mse:GetApplicationInstanceList",
        "mse:GetApplicationInstancesWithMetircs",
        "mse:GetApplicationList",
        "mse:GetApplicationListWithMetircs",
        "mse:GetApplicationTagList",
        "mse:GetArmsAlarms",
        "mse:GetAuthPolicyInfo",
        "mse:GetCanaryStatus",
        "mse:GetConfig",
        "mse:GetDubboServicePageWithMetrics",
        "mse:GetDubboTestMethod",
        "mse:GetEventDetail",
        "mse:GetEventFilterOptions",
        "mse:GetFaultInjectionRule",
        "mse:GetGatewayAlarms",
        "mse:GetGatewayIngressMigrateTaskDetail",
        "mse:GetGatewayMigrateNamespacedServices",
        "mse:GetGatewayNotice",
        "mse:GetGatewaySelection",
        "mse:GetGovernanceKubernetesClusterList",
        "mse:GetGraySwimmingLaneGroupInfo",
        "mse:GetHistorys",
        "mse:GetImage",
        "mse:GetLicenseKey",
        "mse:GetLocalityDistributionMetrics",
        "mse:GetLocalityRule",
        "mse:GetLosslessRuleByApp",
        "mse:GetMockRuleByConsumerAppId",
        "mse:GetMockRuleById",
        "mse:GetMockRuleByProviderAppId",
        "mse:GetMseFeatureSwitch",
        "mse:GetNacosDatasourceResource",
        "mse:GetNetworkInfo",
        "mse:GetOutlierApplicationList",
        "mse:GetOutlierPolicyInfo",
        "mse:GetOverview",
        "mse:GetPluginGuide",
        "mse:GetRegExpCheck",
        "mse:GetRegExpTest",
        "mse:GetResourcePackageStatus",
        "mse:GetResourcePackageStatusWithVersion",
        "mse:GetRetryRule",
        "mse:GetRoutePolicy",
        "mse:GetServiceConsumersPage",
        "mse:GetServiceDetail",
        "mse:GetServiceList",
        "mse:GetServiceListPage",
        "mse:GetServiceMethodPage",
        "mse:GetServiceMethodPageWithMetrics",
        "mse:GetServiceProvidersPage",
        "mse:GetSpringCloudTestMethod",
        "mse:GetTagKey",
        "mse:GetTagVal",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:GetTimeoutRule",
        "mse:GetTrace",
        "mse:GetUpstreamGroupOfSingleService",
        "mse:GetUserStatus",
        "mse:ImportMcpConfigFromSwagger",
        "mse:InitializeServiceLinkRole",
        "mse:InvokeDubboTestMethod",
        "mse:InvokeIstioTestMethod",
        "mse:InvokeSpringCloudTestMethod",
        "mse:ListAdaptiveOverloadProtectionConfig",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppResource",
        "mse:ListAppResourceWithMetrics",
        "mse:ListApplicationTagInstancese",
        "mse:ListApplicationsWithTagRules",
        "mse:ListAuthPolicy",
        "mse:ListAutoDeployAvailableVsws",
        "mse:ListAutoDeployAvailableZones",
        "mse:ListBackupTasks",
        "mse:ListBackups",
        "mse:ListCircuitBreakerRules",
        "mse:ListClusterConnectionTypes",
        "mse:ListClusterSelection",
        "mse:ListClusterTypes",
        "mse:ListClusterVersions",
        "mse:ListCommunites",
        "mse:ListCsKubernetesClusters",
        "mse:ListCsSecurityGroup",
        "mse:ListDefaultCircuitBreakerRules",
        "mse:ListEurekaInstances",
        "mse:ListEventOfReource",
        "mse:ListEventRecords",
        "mse:ListEventsByType",
        "mse:ListEventsPageByType",
        "mse:ListFcServiceAliases",
        "mse:ListFcServiceVersions",
        "mse:ListFcServices",
        "mse:ListFlowRules",
        "mse:ListGatewayDomainSSL",
        "mse:ListGatewayIngressMigrateTask",
        "mse:ListGatewayZone",
        "mse:ListHotParamRules",
        "mse:ListInstanceCount",
        "mse:ListInstances",
        "mse:ListIpOrHosts",
        "mse:ListIsolationRules",
        "mse:ListKubernetesNamespace",
        "mse:ListLogSpanServices",
        "mse:ListMethods",
        "mse:ListMigrationTask",
        "mse:ListMscEventRecords",
        "mse:ListNacosDatasourceResourceChangeEvent",
        "mse:ListNamespaces",
        "mse:ListOutlierPolicy",
        "mse:ListProtectedAppResourceWithMetrics",
        "mse:ListResourceWhiteListConfigs",
        "mse:ListResources",
        "mse:ListSentinelBlockFallbackDefinitions",
        "mse:ListServiceQuotas",
        "mse:ListSpanNames",
        "mse:ListSwimPathPercent",
        "mse:ListTaskBackups",
        "mse:ListUpgradableGatewayVersions",
        "mse:ListUserK8sByVpc",
        "mse:ListWebFlowRules",
        "mse:ModifyAdaptiveOverloadProtectionConfig",
        "mse:ModifyLosslessRule",
        "mse:ModifyNamespace",
        "mse:ModifyServiceQuota",
        "mse:OnAhas",
        "mse:OpenXTraceService",
        "mse:ProcessMessage",
        "mse:QueryAhasUserStatus",
        "mse:QueryAllSwimmingLane",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAppDataSourceList",
        "mse:QueryAppListMetrics",
        "mse:QueryAppMethodMetrics",
        "mse:QueryAppMethodMetricsWithSentinel",
        "mse:QueryAppRPCMacMetrics",
        "mse:QueryAppResourceMetrics",
        "mse:QueryAppResourceMetricsByInstance",
        "mse:QueryAppSummaryMetricsOverview",
        "mse:QueryAppSummaryMetricsOverviewWithSentinel",
        "mse:QueryAppSystemMetricsOfGroup",
        "mse:QueryAppSystemMetricsOfGroupByInstance",
        "mse:QueryAppTopNMacs",
        "mse:QueryBusinessLocations",
        "mse:QueryClusterDiskSpecification",
        "mse:QueryClusterSpecification",
        "mse:QueryClustersWithLabel",
        "mse:QueryDatabaseRoute",
        "mse:QueryEmptyPushSetting",
        "mse:QueryEventOverview",
        "mse:QueryGatewayRegion",
        "mse:QueryGatewayTask",
        "mse:QueryGatewayType",
        "mse:QueryGatewaysWithLabel",
        "mse:QueryGovernanceKubernetesCluster",
        "mse:QueryMetricsAveragedByInstance",
        "mse:QueryMseHomeDetail",
        "mse:QueryNacosAi",
        "mse:QueryNacosConfig",
        "mse:QueryNacosGrayConfig",
        "mse:QueryNacosNaming",
        "mse:QueryNamespace",
        "mse:QueryQuickStartStatus",
        "mse:QueryResourceTopN",
        "mse:QuerySentinelBlockFallbackDefinition",
        "mse:QueryServiceAppId",
        "mse:QueryServiceDetailWithMetrics",
        "mse:QueryServiceMethodConsumerPageWithMetrics",
        "mse:QueryServiceTimeConfig",
        "mse:QuerySlbSpec",
        "mse:QuerySwimmingLaneById",
        "mse:QueryUserKmsType",
        "mse:RemoveApplication",
        "mse:RemoveApplications",
        "mse:RemoveAuthPolicy",
        "mse:RemoveOutlierPolicy",
        "mse:RemoveRoutePolicy",
        "mse:ReportMetadata",
        "mse:ReportOnePilotInfo",
        "mse:RevertApplicationRoutePolicy",
        "mse:RevertBackup",
        "mse:RunApiTest",
        "mse:RunServiceTest",
        "mse:SearchTraces",
        "mse:TestService",
        "mse:UnbindSentinelBlockFallbackDefinition",
        "mse:UpdateAppLogConfig",
        "mse:UpdateAuthPolicy",
        "mse:UpdateBackupTask",
        "mse:UpdateCircuitBreakerRule",
        "mse:UpdateCircuitBreakerRulesStatus",
        "mse:UpdateCustomPlugin",
        "mse:UpdateDataSourceConfig",
        "mse:UpdateDatabaseRoute",
        "mse:UpdateDefaultCircuitBreakerRule",
        "mse:UpdateFlowRule",
        "mse:UpdateFlowRulesStatus",
        "mse:UpdateGatewayIngressMigrateTask",
        "mse:UpdateGatewayIngressMigrateTaskStatus",
        "mse:UpdateGatewayServicePort",
        "mse:UpdateGovernanceServiceSubscribe",
        "mse:UpdateHotParamRule",
        "mse:UpdateHotParamRulesStatus",
        "mse:UpdateInstanceRegisterStatus",
        "mse:UpdateIsolationRule",
        "mse:UpdateIsolationRulesStatus",
        "mse:UpdateLocalityRule",
        "mse:UpdateLogConfig",
        "mse:UpdateMessageQueueRoute",
        "mse:UpdateMigrationTask",
        "mse:UpdateNacosAi",
        "mse:UpdateNacosDatasourceResource",
        "mse:UpdateNacosNaming",
        "mse:UpdateOutlierConfig",
        "mse:UpdateQuickStartStatus",
        "mse:UpdateRateLimit",
        "mse:UpdateResourceWhiteListConfig",
        "mse:UpdateSentinelBlockFallbackDefinition",
        "mse:UpdateUpstreamGroupOfSingleService",
        "mse:UpdateWebFlowRule",
        "mse:UpdateWebFlowRulesStatus",
        "mse:UpdateWhiteScreenRule",
        "mse:listGrayTag"
      ],
      "Resource": "*"
    }
  ]
}
```
A RAM user or RAM role with account-level permissions can manage all relevant resources in the account. Always verify that the granted permissions are as intended. Grant permissions carefully by following the Principle of Least Privilege (PoLP).
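The following Python example is added here and is not Alibaba Cloud's own code. It splits one custom policy into the part that can be granted at Resource Group scope and the part that must be granted at Account scope, and lists the account-scope actions that are not read-only so they can be reviewed against least privilege. Assumptions: `NO_RG_SUPPORT` is a constructed excerpt of the table above, `mse:ListClusters` stands in for an action that is absent from that table, the function names are hypothetical, and the read-only test is a prefix heuristic taken from the read-only sample policy.

```python
import json
import re

# Constructed excerpt of the page's table of actions that do NOT support
# resource-group-level authorization; load the full table in real use.
NO_RG_SUPPORT = frozenset({
    "mse:AddAuthPolicy", "mse:ListAuthPolicy",
    "mse:CreateNamespace", "mse:DeleteNamespace", "mse:ListNamespaces",
    "mse:CreateFlowRule", "mse:ListFlowRules", "mse:GetApplicationList",
})

# Heuristic: the page's read-only sample policy is built almost entirely from
# Get*/List*/Query* actions, so anything else is treated as a write here.
READ_ONLY_PREFIXES = ("mse:Get", "mse:List", "mse:Query")


def _as_list(value):
    """The Action element may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """Match an action against a policy pattern in which '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def _policy(actions):
    """Build a policy in the same shape as the page's samples, or None if empty."""
    if not actions:
        return None
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def split_by_scope(policy, unsupported=NO_RG_SUPPORT):
    """Split Allow statements into a Resource Group grant and an Account grant."""
    rg_actions, account_actions = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            raise ValueError("this example handles Allow statements only")
        for pattern in _as_list(stmt["Action"]):
            hits = {a for a in unsupported if _matches(pattern, a)}
            # Every unsupported action the pattern covers needs an Account grant.
            account_actions |= hits
            # A literal unsupported action has no effect at Resource Group scope,
            # so it is dropped there. A wildcard may still cover actions that do
            # support resource groups, so it stays in the Resource Group policy.
            if "*" in pattern or not hits:
                rg_actions.append(pattern)
    account_sorted = sorted(account_actions)
    return {
        "resource_group": _policy(rg_actions),
        "account": _policy(account_sorted),
        # Account-scope grants reach every resource group: review the writes.
        "review_account_writes": [
            a for a in account_sorted if not a.startswith(READ_ONLY_PREFIXES)
        ],
    }


# Constructed sample policy that an operator intends to attach to one resource group.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        # mse:ListClusters is assumed to be a cluster action absent from the table.
        "Action": ["mse:ListClusters", "mse:CreateFlowRule", "mse:List*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(split_by_scope(SAMPLE_POLICY), indent=2))
```
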
FAQ
How do I view the resource group of a resource?
- Method 1: Click the resource name to go to its details page, where you can view its resource group.
- Method 2: Log on to the Resource Management console and click . In the navigation pane on the left, select the account that contains the target resource. By default, Current Account is selected. Use the filter conditions to find the target resource and view its resource group.
How do I view all resources of a product in a specific resource group?
- Method 1: Log on to the Resource Management console and click . In the navigation pane on the left, under the account that contains the resources (Current Account is selected by default), click the name of the target resource group. In the Select Resource Type section on the right, select the product to view all of its resources in the specified resource group.
- Method 2: Log on to the Resource Management console. In the navigation pane on the left, choose . Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all of its resources in that group.
How do I move multiple resources to a different resource group in a batch operation?
Log on to the Resource Management console. In the navigation pane on the left, choose . Find the target resource group and click Manage Resources in the Actions column. On the resource management page, use the filter conditions to find the resources that you want to move. Select the check box next to each resource, click Transfer Resource Group, and then follow the on-screen instructions.