Network Intelligence Service: Use resource groups for fine-grained control

Last Updated: Apr 23, 2026

Use resource groups with RAM to isolate resources and apply fine-grained access control in your Alibaba Cloud account. Learn how Network Intelligence Service supports resource groups and how to grant permissions at the resource group level.

Resource group authorization

You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into that group to manage them centrally. For more information, see What is a resource group?

After grouping your resources, you can grant permissions scoped to a specific resource group to RAM principals, such as RAM users, RAM user groups, or RAM roles. This restricts a RAM principal to managing only the resources within that group. For more information, see Resource grouping and authorization.

This authorization method offers the following advantages:

  • Fine-grained permissions: Ensure that each RAM identity is granted the precise resource access it requires, which prevents resources from different projects from being managed together.

  • Scalability: When you add new resources, you only need to add them to the resource group. The associated RAM identity automatically gains the necessary permissions for these new resources, eliminating the need for repeated authorization.

Grant resource group-level permissions to a RAM user

This topic uses a RAM user as an example to describe how to grant permissions on Network Intelligence resources within a specified resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant resource group-level permissions

Use one of the following methods to grant permissions at the resource group level.

Resource Management console

Use a resource group's permission management feature to grant permissions to a RAM user. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click permission management in the Actions column.

  • On the permission management tab, click Add Permission.

  • In the Add Permission panel, configure the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Permission policy: Select a System Policy or an existing Custom Policy. For more information, see Create a custom permission policy.

  • Click OK.

RAM console

You can grant resource group-level permissions to a specified RAM user on the RAM console. For more information, see Manage the permissions of a RAM user.

  • Log on to the RAM console by using your Alibaba Cloud account or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permission in the Actions column.

  • In the Add Permission panel, configure the following settings.

    • Resource scope: Select Resource group.

    • Principal: Select an existing RAM user, such as the one you created in the prerequisites.

    • Permission policy: Select a System Policy or an existing Custom Policy. For more information, see Create a custom permission policy.

  • Click OK.

Resource types that support resource groups

Network Intelligence supports resource groups for the following resource types:

| Cloud service | Cloud service code | Resource type |
|---|---|---|
| Network Intelligence | netana | diagnosis: diagnosis |
| Network Intelligence | netana | networkpath: network path analysis |

Note

If a resource type you need does not support resource groups, you can submit feedback in the resource group console.

Unsupported resource group operations

The following Network Intelligence Service actions do not support resource group-level authorization:

| Actions | Description |
|---|---|
| nis:ActiveNonPublicFlowAnalysis | - |
| nis:AddNisTrafficAnalyzerDataMapping | - |
| nis:BatchCreateFlowLogsToTrafficAnalyzer | - |
| nis:BatchUpdateFlowlogsForTrafficAnalyzer | - |
| nis:CheckFlowLogStatus | - |
| nis:CloseInsight | - |
| nis:CloseNetworkObservability | - |
| nis:CloseNis | - |
| nis:CloseNonPublicFlowAnalysis | - |
| nis:ConfigNetworkObservability | - |
| nis:CountNetworkPath | - |
| nis:CountNetworkResource | - |
| nis:CountNisEvent | - |
| nis:CreateAndAnalyzeNetworkPath | Starts a network reachability analysis task. |
| nis:CreateInsight | - |
| nis:CreateInspectionTask | - |
| nis:CreateNISTrafficAnalyzer | - |
| nis:CreateNisAssistantTask | - |
| nis:DeleteInsight | - |
| nis:DeleteNISTrafficAnalyzer | - |
| nis:DeleteNisAssistantSession | - |
| nis:DeleteNisAssistantTask | - |
| nis:DeleteNisInspectionReport | Deletes an inspection report. |
| nis:DeleteNisInspectionTask | Deletes an inspection task. |
| nis:DeleteNisMetricSubscription | - |
| nis:DescribeBatchFlowLogCacheTask | - |
| nis:DescribeInspectionObjectList | - |
| nis:DescribeInspectionReportDetail | - |
| nis:DescribeNISTrafficAnalyzer | - |
| nis:DescribeNetworkAnalyticsNetQuality | - |
| nis:DescribeNisInspectionRecommendationResources | Retrieves a list of instances with issues found in an inspection report. |
| nis:DescribeNisInspectionReportCheckItems | Retrieves the details of check items in an inspection report. |
| nis:DescribeNisInspectionReportStatus | Queries the status of an inspection report. |
| nis:DescribeNisInspectionReportSummary | Queries the summary of an inspection report. |
| nis:DescribeNisInspectionTask | Queries the details of an inspection task. |
| nis:DescribeNisMetricEnums | - |
| nis:DescribeNisTrafficRanking | - |
| nis:DescribeRegions | - |
| nis:DescribeTopologyNode | - |
| nis:DisableMultiAccount | - |
| nis:GetInsightPredictBytes | - |
| nis:GetInsightSummary | - |
| nis:GetInspectionSummary | - |
| nis:GetInternetFiveTupleHistory | - |
| nis:GetInternetMetric | - |
| nis:GetInternetQuality | - |
| nis:GetInternetScoreMetric | - |
| nis:GetInternetTopN | - |
| nis:GetInternetTuple | Retrieves internet traffic rankings at 1-tuple, 2-tuple, and 5-tuple granularities, sortable by metrics such as traffic volume and packet count. |
| nis:GetMultiAccountStatus | - |
| nis:GetNatMetric | - |
| nis:GetNatTopN | Retrieves real-time rankings of SNAT forwarding data for a NAT gateway. |
| nis:GetNetworkObservability | - |
| nis:GetNisEventDetail | - |
| nis:GetNisEventHistory | - |
| nis:GetNisNetworkMetrics | Retrieves detailed trend data for monitoring metrics in a specified network analysis scenario. This data includes traffic metrics for traffic analysis and performance metrics for performance observation. |
| nis:GetNisNetworkRanking | Retrieves rankings of traffic and performance metrics to help identify network bottlenecks, optimize resource configurations, and improve network performance. |
| nis:GetNisTrafficMetrics | - |
| nis:GetNisTrafficStatistics | - |
| nis:GetSameRegionSumBytes | - |
| nis:GetSameRegionTopN | - |
| nis:GetSameRegionVpcMetric | - |
| nis:GetTopoSummary | - |
| nis:GetTrafficAnalyzerOpenStatus | - |
| nis:GetTransitRouterFlowMetric | - |
| nis:GetTransitRouterFlowTopN | Retrieves cross-domain traffic rankings at 1-tuple, 2-tuple, and 5-tuple granularities, sortable by metrics such as traffic volume and packet count. |
| nis:GetVbrFlowMetric | - |
| nis:GetVbrFlowTopN | Retrieves hybrid cloud traffic rankings at 1-tuple, 2-tuple, and 5-tuple granularities, sortable by metrics such as traffic volume and packet count. |
| nis:IsOpenService | - |
| nis:ListDiagnosisInstance | - |
| nis:ListInsight | - |
| nis:ListInsightCycleIp | - |
| nis:ListInsightEvent | - |
| nis:ListInstance | - |
| nis:ListInternetEnum | - |
| nis:ListLatencyInfoBetweenClusters | - |
| nis:ListLatencyInfoBetweenRegions | - |
| nis:ListLatencyInfoBetweenZones | - |
| nis:ListMetricSubscriptions | - |
| nis:ListMultiAccount | - |
| nis:ListNISTrafficAnalyzers | - |
| nis:ListNisAssistantSessions | - |
| nis:ListNisAssistantTasks | - |
| nis:ListNisEvent | - |
| nis:ListNisInspectionResourceType | Lists the product types for inspection objects. |
| nis:ListNisInspectionTaskReports | Lists the inspection reports for specified inspection tasks. |
| nis:ListNisInspectionTasks | Lists network inspection tasks. |
| nis:ListNisTrafficAnalyzerDataMapping | - |
| nis:ListNisTrafficAnalyzerDataMappings | - |
| nis:ListNonPublicFlowAnalysis | - |
| nis:ListNoneInsightEvent | - |
| nis:ListSameRegionVpc | - |
| nis:ListTagResources | - |
| nis:ListTrafficAnalyzerFlowLogs | - |
| nis:ListTrafficAnalyzerMappingResources | - |
| nis:ModifyNisTrafficAnalyzerDataMapping | - |
| nis:OpenInsight | - |
| nis:OpenMultiAccount | - |
| nis:OpenNISTrafficAnalyzer | - |
| nis:OpenNonPublicFlowAnalysis | - |
| nis:RefreshMultiAccount | - |
| nis:RemoveNisTrafficAnalyzerDataMapping | - |
| nis:StartNisInspectionTask | Starts an inspection task to generate an inspection report. |
| nis:StartNisTrafficRanking | - |
| nis:StopNisAssistantTask | - |
| nis:SubmitNisAssistantTaskFeedback | - |
| nis:UpdateInsight | - |
| nis:UpdateInsightCycleIp | - |
| nis:UpdateInspectionObjects | - |
| nis:UpdateInspectionTaskStatus | - |
| nis:UpdateNISTrafficAnalyzer | - |
| nis:UpdateNisInspectionTask | Updates an inspection task. |
| nis:UpdateSameRegionFlowAnalysis | - |

For operations that do not support resource group authorization, selecting Resource Group Level as the Resource Scope has no effect. To grant a RAM user these permissions, create a custom policy and set the Resource Scope to Account Level.

Here are two examples of custom permission policies. You can modify the policy content as needed.

  • Grants permissions for all read-only actions that do not support resource group-level authorization, as listed in the Action element.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "nis:CheckFlowLogStatus",
            "nis:CountNetworkPath",
            "nis:CountNetworkResource",
            "nis:CountNisEvent",
            "nis:DescribeBatchFlowLogCacheTask",
            "nis:DescribeInspectionObjectList",
            "nis:DescribeInspectionReportDetail",
            "nis:DescribeNISTrafficAnalyzer",
            "nis:DescribeNetworkAnalyticsNetQuality",
            "nis:DescribeNisInspectionRecommendationResources",
            "nis:DescribeNisInspectionReportCheckItems",
            "nis:DescribeNisInspectionReportStatus",
            "nis:DescribeNisInspectionReportSummary",
            "nis:DescribeNisInspectionTask",
            "nis:DescribeNisMetricEnums",
            "nis:DescribeNisTrafficRanking",
            "nis:DescribeRegions",
            "nis:DescribeTopologyNode",
            "nis:GetInsightPredictBytes",
            "nis:GetInsightSummary",
            "nis:GetInspectionSummary",
            "nis:GetInternetFiveTupleHistory",
            "nis:GetInternetMetric",
            "nis:GetInternetQuality",
            "nis:GetInternetScoreMetric",
            "nis:GetInternetTopN",
            "nis:GetInternetTuple",
            "nis:GetMultiAccountStatus",
            "nis:GetNatMetric",
            "nis:GetNatTopN",
            "nis:GetNetworkObservability",
            "nis:GetNisEventDetail",
            "nis:GetNisEventHistory",
            "nis:GetNisNetworkMetrics",
            "nis:GetNisNetworkRanking",
            "nis:GetNisTrafficMetrics",
            "nis:GetNisTrafficStatistics",
            "nis:GetSameRegionSumBytes",
            "nis:GetSameRegionTopN",
            "nis:GetSameRegionVpcMetric",
            "nis:GetTopoSummary",
            "nis:GetTrafficAnalyzerOpenStatus",
            "nis:GetTransitRouterFlowMetric",
            "nis:GetTransitRouterFlowTopN",
            "nis:GetVbrFlowMetric",
            "nis:GetVbrFlowTopN",
            "nis:IsOpenService",
            "nis:ListDiagnosisInstance",
            "nis:ListInsight",
            "nis:ListInsightCycleIp",
            "nis:ListInsightEvent",
            "nis:ListInstance",
            "nis:ListInternetEnum",
            "nis:ListLatencyInfoBetweenClusters",
            "nis:ListLatencyInfoBetweenRegions",
            "nis:ListLatencyInfoBetweenZones",
            "nis:ListMetricSubscriptions",
            "nis:ListMultiAccount",
            "nis:ListNISTrafficAnalyzers",
            "nis:ListNisAssistantSessions",
            "nis:ListNisAssistantTasks",
            "nis:ListNisEvent",
            "nis:ListNisInspectionResourceType",
            "nis:ListNisInspectionTaskReports",
            "nis:ListNisInspectionTasks",
            "nis:ListNisTrafficAnalyzerDataMapping",
            "nis:ListNisTrafficAnalyzerDataMappings",
            "nis:ListNonPublicFlowAnalysis",
            "nis:ListNoneInsightEvent",
            "nis:ListSameRegionVpc",
            "nis:ListTagResources",
            "nis:ListTrafficAnalyzerFlowLogs",
            "nis:ListTrafficAnalyzerMappingResources"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Grants permissions for all actions that do not support resource group-level authorization, as listed in the Action element.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "nis:ActiveNonPublicFlowAnalysis",
            "nis:AddNisTrafficAnalyzerDataMapping",
            "nis:BatchCreateFlowLogsToTrafficAnalyzer",
            "nis:BatchUpdateFlowlogsForTrafficAnalyzer",
            "nis:CheckFlowLogStatus",
            "nis:CloseInsight",
            "nis:CloseNetworkObservability",
            "nis:CloseNis",
            "nis:CloseNonPublicFlowAnalysis",
            "nis:ConfigNetworkObservability",
            "nis:CountNetworkPath",
            "nis:CountNetworkResource",
            "nis:CountNisEvent",
            "nis:CreateAndAnalyzeNetworkPath",
            "nis:CreateInsight",
            "nis:CreateInspectionTask",
            "nis:CreateNISTrafficAnalyzer",
            "nis:CreateNisAssistantTask",
            "nis:DeleteInsight",
            "nis:DeleteNISTrafficAnalyzer",
            "nis:DeleteNisAssistantSession",
            "nis:DeleteNisAssistantTask",
            "nis:DeleteNisInspectionReport",
            "nis:DeleteNisInspectionTask",
            "nis:DeleteNisMetricSubscription",
            "nis:DescribeBatchFlowLogCacheTask",
            "nis:DescribeInspectionObjectList",
            "nis:DescribeInspectionReportDetail",
            "nis:DescribeNISTrafficAnalyzer",
            "nis:DescribeNetworkAnalyticsNetQuality",
            "nis:DescribeNisInspectionRecommendationResources",
            "nis:DescribeNisInspectionReportCheckItems",
            "nis:DescribeNisInspectionReportStatus",
            "nis:DescribeNisInspectionReportSummary",
            "nis:DescribeNisInspectionTask",
            "nis:DescribeNisMetricEnums",
            "nis:DescribeNisTrafficRanking",
            "nis:DescribeRegions",
            "nis:DescribeTopologyNode",
            "nis:DisableMultiAccount",
            "nis:GetInsightPredictBytes",
            "nis:GetInsightSummary",
            "nis:GetInspectionSummary",
            "nis:GetInternetFiveTupleHistory",
            "nis:GetInternetMetric",
            "nis:GetInternetQuality",
            "nis:GetInternetScoreMetric",
            "nis:GetInternetTopN",
            "nis:GetInternetTuple",
            "nis:GetMultiAccountStatus",
            "nis:GetNatMetric",
            "nis:GetNatTopN",
            "nis:GetNetworkObservability",
            "nis:GetNisEventDetail",
            "nis:GetNisEventHistory",
            "nis:GetNisNetworkMetrics",
            "nis:GetNisNetworkRanking",
            "nis:GetNisTrafficMetrics",
            "nis:GetNisTrafficStatistics",
            "nis:GetSameRegionSumBytes",
            "nis:GetSameRegionTopN",
            "nis:GetSameRegionVpcMetric",
            "nis:GetTopoSummary",
            "nis:GetTrafficAnalyzerOpenStatus",
            "nis:GetTransitRouterFlowMetric",
            "nis:GetTransitRouterFlowTopN",
            "nis:GetVbrFlowMetric",
            "nis:GetVbrFlowTopN",
            "nis:IsOpenService",
            "nis:ListDiagnosisInstance",
            "nis:ListInsight",
            "nis:ListInsightCycleIp",
            "nis:ListInsightEvent",
            "nis:ListInstance",
            "nis:ListInternetEnum",
            "nis:ListLatencyInfoBetweenClusters",
            "nis:ListLatencyInfoBetweenRegions",
            "nis:ListLatencyInfoBetweenZones",
            "nis:ListMetricSubscriptions",
            "nis:ListMultiAccount",
            "nis:ListNISTrafficAnalyzers",
            "nis:ListNisAssistantSessions",
            "nis:ListNisAssistantTasks",
            "nis:ListNisEvent",
            "nis:ListNisInspectionResourceType",
            "nis:ListNisInspectionTaskReports",
            "nis:ListNisInspectionTasks",
            "nis:ListNisTrafficAnalyzerDataMapping",
            "nis:ListNisTrafficAnalyzerDataMappings",
            "nis:ListNonPublicFlowAnalysis",
            "nis:ListNoneInsightEvent",
            "nis:ListSameRegionVpc",
            "nis:ListTagResources",
            "nis:ListTrafficAnalyzerFlowLogs",
            "nis:ListTrafficAnalyzerMappingResources",
            "nis:ModifyNisTrafficAnalyzerDataMapping",
            "nis:OpenInsight",
            "nis:OpenMultiAccount",
            "nis:OpenNISTrafficAnalyzer",
            "nis:OpenNonPublicFlowAnalysis",
            "nis:RefreshMultiAccount",
            "nis:RemoveNisTrafficAnalyzerDataMapping",
            "nis:StartNisInspectionTask",
            "nis:StartNisTrafficRanking",
            "nis:StopNisAssistantTask",
            "nis:SubmitNisAssistantTaskFeedback",
            "nis:UpdateInsight",
            "nis:UpdateInsightCycleIp",
            "nis:UpdateInspectionObjects",
            "nis:UpdateInspectionTaskStatus",
            "nis:UpdateNISTrafficAnalyzer",
            "nis:UpdateNisInspectionTask",
            "nis:UpdateSameRegionFlowAnalysis"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or a RAM role with account-level permissions is highly privileged and can manage all resources in your account. Grant these permissions only when necessary and always follow the principle of least privilege.
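The following pre-attachment check is an added example, not part of the original documentation or any Alibaba Cloud tooling. It reports which `nis:` actions in a policy would have no effect at resource group scope and which non-read actions it would grant account-wide. It assumes `*` wildcards in `Action` behave like case-sensitive shell globs; `NO_RG_SUPPORT` is a short excerpt of the table above, and `review`, `allowed_actions`, and the scope labels are hypothetical names.

```python
import json
from fnmatch import fnmatchcase

# Excerpt of the page's "unsupported" table (the full table has many more rows).
NO_RG_SUPPORT = {
    "nis:CloseNis",
    "nis:CreateAndAnalyzeNetworkPath",
    "nis:DeleteNisInspectionTask",
    "nis:DescribeRegions",
    "nis:GetNatTopN",
    "nis:ListNisInspectionTasks",
    "nis:StartNisInspectionTask",
}
# Verb prefixes shared by every action in the page's read-only example policy.
READ_PREFIXES = ("Check", "Count", "Describe", "Get", "IsOpen", "List")


def allowed_actions(policy):
    """Yield Action patterns from every Allow statement (string or list form)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are skipped
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def review(policy, scope):
    """Findings for a policy attached at 'resource_group' or 'account' scope."""
    findings = {"no_effect": set(), "account_wide_write": set()}
    for pattern in allowed_actions(policy):
        # Assumption: glob-style, case-sensitive matching of Action wildcards.
        hits = {a for a in NO_RG_SUPPORT if fnmatchcase(a, pattern)}
        if scope == "resource_group":
            # Granted on paper, but ignored at resource group scope.
            findings["no_effect"] |= hits
        else:
            # Account scope: surface mutating actions for least-privilege review.
            findings["account_wide_write"] |= {
                a for a in hits if not a.split(":", 1)[1].startswith(READ_PREFIXES)
            }
    return {key: sorted(value) for key, value in findings.items()}


# Constructed sample policy, not taken from the page.
SAMPLE = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["nis:Describe*", "nis:StartNisInspectionTask"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "nis:DeleteNisInspectionTask", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for scope in ("resource_group", "account"):
        print(scope, json.dumps(review(SAMPLE, scope), indent=2))
```

To use it against a real policy, replace `NO_RG_SUPPORT` with the complete action list from the table above.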

FAQ

Find the resource group for a resource

  • Option 1: Click the resource name to open its details page, where you can find its resource group.

  • Option 2: Log on to the Resource Management console and go to Resource Center > Resource Search. On the left, select the account that owns the resource. The Current Account is selected by default. Use the filters to find your resource and view its resource group.

View product resources in a resource group

  • Option 1: Log on to the Resource Management console and go to Resource Center > Resource Search. On the left, under the account that owns the resources (the Current Account is selected by default), click the target resource group. On the right, select the product from the Select Resource Type filter to view all of its resources.

  • Option 2: Log on to the Resource Management console and go to Resource Group > Resource Group. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product dropdown list to view all of its resources.

Move resources to another resource group

Log on to the Resource Management console and go to Resource Group > Resource Group. Find the resource group that contains the resources you want to move and click Manage Resources in the Actions column. On the page that opens, use the filters to find the resources you want to move. Select the checkbox for each resource, click Transfer Resources at the bottom of the list, and then follow the on-screen instructions to complete the transfer.