To manage Object Storage Service (OSS) resources in a more efficient manner, you can use resource groups to sort the resources into groups and manage the resource groups. Resource groups allow you to sort the resources into groups by department, project, and environment, and use Resource Access Management (RAM) to isolate resources and manage resource permissions in a fine-grained manner within a single Alibaba Cloud account. This topic describes how OSS supports resource groups, how to sort OSS resources into resource groups, and how to grant permissions on resource groups.
Terms
Resource groups
Resource groups allow you to sort the resources owned by your Alibaba Cloud account into groups. This simplifies resource grouping, permission management, and cost allocation within your Alibaba Cloud account. For example, you can create resource groups for different projects and transfer the resources that are used by the projects to the groups corresponding to the projects. This way, you can manage the resources of the projects in a centralized manner. For more information, see What is Resource Group? and Best practices for designing resource groups.
Resource group-level authorization
After you sort resources into groups, you can use RAM to grant permissions on a specific resource group to a RAM user, RAM user group, or RAM role. This way, the resources that the authorized RAM user, RAM user group, or RAM role can manage are limited to the resources in the specified resource group. This authorization method has good extensibility. When you add a resource later, you need only to add the resource to the corresponding resource group without modifying the policy that you specify. For more information, see Classify resources into resource groups and grant permissions on the resource groups.
Procedure for resource group-level authorization
The following example describes how to grant a RAM user the permissions to manage OSS resources in a specific resource group.
Log on to the RAM console and create a RAM user.
For more information, see Create a RAM user.
Log on to the Resource Management console and go to the Resource Group page to create a resource group.
For more information, see Create a resource group.
Sort resources into the resource groups.
If you want to create a resource, specify the resource group to which the resource belongs.
If you want to use an existing resource, transfer the resource to the corresponding resource group. For more information, see Perform manual resource transfer across resource groups.
Log on to the RAM console and create a custom policy.
The created custom policy must contain the operation permissions that are required by the RAM user. For more information, see Create custom policies. If you want to attach a system policy to the RAM user, skip this step.
Important: In actual business environments, we recommend that you grant only the required permissions to RAM users based on the principle of least privilege. This prevents security risks caused by excessive user permissions.
Example of a custom policy (note that the Action array must not end with a trailing comma, because a RAM policy must be valid JSON):
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Resource": "*"
    }
  ]
}
Attach the custom policy whose effective scope is the resource group to the RAM user.
You can grant permissions to the RAM user by using one of the following methods:
Log on to the Resource Management console and then select the resource group on the Resource Group page. For more information, see Add RAM authorization.
Log on to the RAM console, and then set the Resource Scope parameter to ResourceGroup in the Grant Permission panel. For more information, see Grant permissions to a RAM user.
Resource group authorization takes effect only for resource types that support resource groups. For resource types that do not support resource groups, the permissions that are granted to the resource groups do not take effect. In that case, set the resource scope to Account to grant account-level permissions. For more information, see Actions that do not support resource group-level authorization.
Resource types that support resource groups
The following table describes the resource type that supports resource groups in OSS.
Service name | Service code | Resource type |
OSS | oss | bucket |
If you have requirements for resource types that do not support resource groups, you can submit a ticket.
Actions that do not support resource group-level authorization
The following table describes the actions that do not support resource group-level authorization in OSS and APIs corresponding to the actions.
Action | API | API Description |
oss:DescribeRegions | DescribeRegions | Queries the endpoints of all supported regions or a specific region. |
oss:ListUserDataRedundancyTransition | ListUserDataRedundancyTransition | Lists all redundancy type change tasks of the requester. |
oss:PutPublicAccessBlock | PutPublicAccessBlock | Enables Block Public Access for OSS resources. |
oss:GetPublicAccessBlock | GetPublicAccessBlock | Queries the Block Public Access configurations of OSS resources. |
oss:DeletePublicAccessBlock | DeletePublicAccessBlock | Deletes the Block Public Access configurations of OSS resources. |
oss:InitUserAntiDDosInfo | InitUserAntiDDosInfo | Creates an Anti-DDoS instance. |
oss:UpdateUserAntiDDosInfo | UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS instance. |
oss:GetUserAntiDDosInfo | GetUserAntiDDosInfo | Queries information about Anti-DDoS instances that belong to a specific Alibaba Cloud account. |
oss:InitBucketAntiDosInfo | InitBucketAntiDosInfo | Initializes Anti-DDoS instances for a bucket. |
oss:UpdateBucketAntiDDosInfo | UpdateBucketAntiDDosInfo | Updates the status of the Anti-DDoS instances of a bucket. |
oss:ListBucketAntiDDosInfo | ListBucketAntiDDosInfo | Queries the protection list of an Anti-DDoS instance of a bucket. |
oss:ListResourcePools | ListResourcePools | Lists the resource pools of the current Alibaba Cloud account. |
oss:GetResourcePoolInfo | GetResourcePoolInfo | Queries information about a resource pool. |
oss:ListResourcePoolBuckets | ListResourcePoolBuckets | Lists the buckets in a resource pool. |
oss:PutResourcePoolRequesterQoSInfo | PutResourcePoolRequesterQoSInfo | Configures throttling for a requester in a resource pool. |
oss:GetResourcePoolRequesterQoSInfo | GetResourcePoolRequesterQoSInfo | Queries the throttling configurations of a requester in a resource pool. |
oss:ListResourcePoolRequesterQoSInfos | ListResourcePoolRequesterQoSInfos | Lists the throttling configurations of all requesters in a resource pool. |
oss:DeleteResourcePoolRequesterQoSInfo | DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configurations of a requester in a resource pool. |
For more information, see RAM policies.
For resource types that do not support resource groups, the permissions that are granted to the resource groups do not take effect. You must create a custom policy and set the Resource Scope parameter to Account in the RAM console.
The following sample code shows two custom policies. You can modify the policy content based on your requirements.
The following custom policy allows read-only operations that do not support resource group-level authorization. In the custom policy, the Action field contains all read-only operations that do not support resource group-level authorization.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:DescribeRegions",
        "oss:ListUserDataRedundancyTransition",
        "oss:GetPublicAccessBlock",
        "oss:GetUserAntiDDosInfo",
        "oss:ListBucketAntiDDosInfo",
        "oss:ListResourcePools",
        "oss:GetResourcePoolInfo",
        "oss:ListResourcePoolBuckets",
        "oss:GetResourcePoolRequesterQoSInfo",
        "oss:ListResourcePoolRequesterQoSInfos"
      ],
      "Resource": "*"
    }
  ]
}
The following custom policy allows all operations that do not support resource group-level authorization. In the custom policy, the Action field contains all operations that do not support resource group-level authorization.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:DescribeRegions",
        "oss:ListUserDataRedundancyTransition",
        "oss:PutPublicAccessBlock",
        "oss:GetPublicAccessBlock",
        "oss:DeletePublicAccessBlock",
        "oss:InitUserAntiDDosInfo",
        "oss:UpdateUserAntiDDosInfo",
        "oss:GetUserAntiDDosInfo",
        "oss:InitBucketAntiDosInfo",
        "oss:UpdateBucketAntiDDosInfo",
        "oss:ListBucketAntiDDosInfo",
        "oss:ListResourcePools",
        "oss:GetResourcePoolInfo",
        "oss:ListResourcePoolBuckets",
        "oss:PutResourcePoolRequesterQoSInfo",
        "oss:GetResourcePoolRequesterQoSInfo",
        "oss:ListResourcePoolRequesterQoSInfos",
        "oss:DeleteResourcePoolRequesterQoSInfo"
      ],
      "Resource": "*"
    }
  ]
}
A RAM user or RAM role that has account-level permissions can manage all resources owned by the Alibaba Cloud account. Make sure that the permissions you grant to the RAM user or RAM role meet your expectations and follow the principle of least privilege.
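The following Python script is an added example and is not Alibaba Cloud's own tooling or code from this topic. It takes a custom policy that you intend to attach with the ResourceGroup scope and splits it into two policies: the statements that take effect at resource group scope, and the actions from the table above that only take effect at Account scope, so that the account-level grant is explicit and can be reviewed against the principle of least privilege. The action list is copied from the table on this page; the sample policy, the function names, and the handling of wildcard actions such as "oss:ListResourcePool*" are constructed for this illustration.

```python
"""Split an OSS RAM policy into a resource-group-scope part and an
account-scope part.  Added example, not Alibaba Cloud's own tooling."""
import json
from fnmatch import fnmatchcase

# Actions from this topic's table that ignore resource group-level authorization.
ACCOUNT_SCOPE_ONLY = frozenset({
    "oss:DescribeRegions",
    "oss:ListUserDataRedundancyTransition",
    "oss:PutPublicAccessBlock",
    "oss:GetPublicAccessBlock",
    "oss:DeletePublicAccessBlock",
    "oss:InitUserAntiDDosInfo",
    "oss:UpdateUserAntiDDosInfo",
    "oss:GetUserAntiDDosInfo",
    "oss:InitBucketAntiDosInfo",
    "oss:UpdateBucketAntiDDosInfo",
    "oss:ListBucketAntiDDosInfo",
    "oss:ListResourcePools",
    "oss:GetResourcePoolInfo",
    "oss:ListResourcePoolBuckets",
    "oss:PutResourcePoolRequesterQoSInfo",
    "oss:GetResourcePoolRequesterQoSInfo",
    "oss:ListResourcePoolRequesterQoSInfos",
    "oss:DeleteResourcePoolRequesterQoSInfo",
})

# Constructed sample: a policy an operator might try to attach at resource group scope.
SAMPLE_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:PutObject", "oss:ListBuckets",
                "oss:GetPublicAccessBlock", "oss:ListResourcePool*"],
     "Resource": "*"}
  ]
}"""


def json_error(text):
    """Return a message if the policy is not strict JSON (e.g. a trailing comma
    in the Action array), otherwise None.  RAM policies must be valid JSON."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"{exc.msg} at line {exc.lineno}, column {exc.colno}"
    return None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def classify_actions(actions):
    """Return (rg_scope, account_scope) action lists for one statement.

    A wildcard ("oss:*", "oss:ListResourcePool*") stays in the resource-group
    policy, and every account-scope-only action it covers is spelled out in the
    account policy so the wider grant is visible to a reviewer."""
    rg_scope, account_scope = [], []
    for action in _as_list(actions):
        if action in ACCOUNT_SCOPE_ONLY:
            account_scope.append(action)
            continue
        if "*" in action:
            account_scope.extend(sorted(a for a in ACCOUNT_SCOPE_ONLY
                                        if fnmatchcase(a, action)))
        rg_scope.append(action)
    return rg_scope, account_scope


def split_policy(policy):
    """Split a parsed policy into (resource_group_policy, account_policy).

    Either half is None when it would contain no Allow statement.  Deny
    statements are copied into both halves so no explicit deny is lost."""
    version = policy.get("Version", "1")
    denies = [s for s in policy["Statement"] if s.get("Effect") == "Deny"]
    rg_allows, account_allows = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        rg_actions, account_actions = classify_actions(stmt["Action"])
        if rg_actions:
            rg_allows.append({**stmt, "Action": rg_actions})
        if account_actions:  # dict.fromkeys dedupes while keeping order
            account_allows.append({**stmt, "Action": list(dict.fromkeys(account_actions))})

    def build(allows):
        return {"Version": version, "Statement": denies + allows} if allows else None

    return build(rg_allows), build(account_allows)


if __name__ == "__main__":
    problem = json_error(SAMPLE_POLICY)
    if problem:
        raise SystemExit(f"policy is not valid JSON: {problem}")
    rg_policy, account_policy = split_policy(json.loads(SAMPLE_POLICY))
    print("Attach with Resource Scope = ResourceGroup:")
    print(json.dumps(rg_policy, indent=2))
    print("Attach with Resource Scope = Account (review before granting):")
    print(json.dumps(account_policy, indent=2))
```

Attach the first policy with the Resource Scope parameter set to ResourceGroup and the second, if any, with Resource Scope set to Account. Because the account-scope half only ever contains explicitly named actions, a wildcard in the original policy cannot silently turn into a broad account-level grant.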