
Object Storage Service:Use resource groups for fine-grained resource control

Last Updated: Sep 17, 2025

You can use resource groups to manage your Object Storage Service (OSS) resources more efficiently by grouping them. Resource groups let you group resources by dimensions such as department, project, or environment. When used with Resource Access Management (RAM), resource groups help you achieve resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes how OSS supports resource groups, how to group OSS resources, and how to perform resource group-level authorization.

Terms

Resource group

A resource group is a mechanism for grouping and managing resources under an Alibaba Cloud account. Resource groups help you manage complex tasks, such as resource grouping, permission management, and cost allocation, within a single Alibaba Cloud account. For example, you can create a resource group for each project and transfer the project's resources to the corresponding group. This lets you centrally manage the resources for each project. For more information, see What is a resource group? and Best practices for designing resource groups.

Resource group-level authorization

After you group resources, you can use RAM to grant permissions on a specific resource group to a RAM entity, such as a RAM user, RAM user group, or RAM role. This restricts the entity to managing only the resources within the specified resource group. This authorization method offers excellent extensibility. When you add new resources, you only need to add them to the corresponding resource group without modifying the access policy. For more information, see Resource grouping and authorization.

Procedure for resource group-level authorization

The following procedure describes how to grant a Resource Access Management (RAM) user permissions to manage OSS resources within a specific resource group.

  1. In the RAM console, create a RAM user.

    For more information, see Create a RAM user.

  2. In the Resource Group console, create a resource group.

    For more information, see Create a resource group.

  3. Assign resources to the corresponding resource group.

    • New resources: When you create a resource, specify the resource group to which it belongs.

    • Existing resources: Transfer existing resources to the corresponding resource group. For more information, see Manually transfer resources to a resource group.

  4. In the RAM console, create a custom policy.

    Create a custom policy that includes the required operation permissions for the RAM user. For more information, see Create a custom policy. You can skip this step if you grant a system policy to the RAM user.

    Important

    In a production environment, follow the Principle of Least Privilege (PoLP). Grant the RAM user only the minimum permissions required to avoid the security risks of excessive permissions.

    The following code provides an example of a custom policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:GetObject",
            "oss:PutObject"
          ],
          "Resource": "*"
        }
      ]
    }
  5. Grant the RAM user permissions on the specified resource group.

    You can use either of the following methods to grant permissions:

Important

Resource group-level authorization takes effect only for resource types that support resource groups. For resource types that do not support resource groups, granting permissions on a resource group has no effect. In this case, you must select Account Level as the resource scope to grant account-level permissions. For more information, see Operations that do not support resource group-level authorization.

Resource types that support resource groups

OSS supports resource groups for some resource types. The following table lists the supported resource types.

Alibaba Cloud service        | Service code | Resource type
Object Storage Service (OSS) | oss          | Bucket (a bucket is a storage space)

Note

To request support for a resource type that does not yet support resource groups, you can submit a ticket.

Operations that do not support resource group-level authorization

The following table lists the operations (actions) and their corresponding API operations in OSS that do not support resource group-level authorization.

Operation (Action) | API | API description
oss:DescribeRegions | DescribeRegions | Queries the endpoint information for all supported regions or a specified region.
oss:ListUserDataRedundancyTransition | ListUserDataRedundancyTransition | Lists all storage redundancy conversion tasks for the requester.
oss:PutPublicAccessBlock | PutPublicAccessBlock | Enables Block Public Access for OSS at the global level.
oss:GetPublicAccessBlock | GetPublicAccessBlock | Retrieves the configuration information for global Block Public Access in OSS.
oss:DeletePublicAccessBlock | DeletePublicAccessBlock | Deletes the configuration information for global Block Public Access in OSS.
oss:InitUserAntiDDosInfo | InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance.
oss:UpdateUserAntiDDosInfo | UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance.
oss:GetUserAntiDDosInfo | GetUserAntiDDosInfo | Queries information about the Anti-DDoS for OSS instances under a specified account.
oss:InitBucketAntiDosInfo | InitBucketAntiDosInfo | Initializes protection for a bucket.
oss:UpdateBucketAntiDDosInfo | UpdateBucketAntiDDosInfo | Updates the protection status of a bucket.
oss:ListBucketAntiDDosInfo | ListBucketAntiDDosInfo | Retrieves a list of protection information for buckets.
oss:ListResourcePools | ListResourcePools | Lists the resource pools in the current region.
oss:GetResourcePoolInfo | GetResourcePoolInfo | Queries resource pool information.
oss:ListResourcePoolBuckets | ListResourcePoolBuckets | Lists the buckets in a resource pool.
oss:PutResourcePoolRequesterQoSInfo | PutResourcePoolRequesterQoSInfo | Configures requester-based throttling for a resource pool.
oss:GetResourcePoolRequesterQoSInfo | GetResourcePoolRequesterQoSInfo | Queries the requester-based throttling configuration of a resource pool.
oss:ListResourcePoolRequesterQoSInfos | ListResourcePoolRequesterQoSInfos | Lists the requester-based throttling configurations of a resource pool.
oss:DeleteResourcePoolRequesterQoSInfo | DeleteResourcePoolRequesterQoSInfo | Deletes the requester-based throttling configuration of a resource pool.

For more information about RAM authorization for OSS, see Use RAM policies to authorize access to OSS.

For resource types that do not support resource groups, you cannot grant permissions at the resource group level. To grant permissions, you must create a custom policy and set the resource scope to Account Level.

The following code provides two examples of custom policies. You can modify the policies as needed.

  • Allow read-only operations that do not support resource group-level authorization. The Action element lists all read-only operations that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:DescribeRegions",
            "oss:ListUserDataRedundancyTransition",
            "oss:GetPublicAccessBlock",
            "oss:GetUserAntiDDosInfo",
            "oss:ListBucketAntiDDosInfo",
            "oss:ListResourcePools",
            "oss:GetResourcePoolInfo",
            "oss:ListResourcePoolBuckets",
            "oss:GetResourcePoolRequesterQoSInfo",
            "oss:ListResourcePoolRequesterQoSInfos"
          ],
          "Resource": "*"
        }
      ]
    }
  • Allow all operations that do not support resource group-level authorization. The Action element lists all operations that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:DescribeRegions",
            "oss:ListUserDataRedundancyTransition",
            "oss:PutPublicAccessBlock",
            "oss:GetPublicAccessBlock",
            "oss:DeletePublicAccessBlock",
            "oss:InitUserAntiDDosInfo",
            "oss:UpdateUserAntiDDosInfo",
            "oss:GetUserAntiDDosInfo",
            "oss:InitBucketAntiDosInfo",
            "oss:UpdateBucketAntiDDosInfo",
            "oss:ListBucketAntiDDosInfo",
            "oss:ListResourcePools",
            "oss:GetResourcePoolInfo",
            "oss:ListResourcePoolBuckets",
            "oss:PutResourcePoolRequesterQoSInfo",
            "oss:GetResourcePoolRequesterQoSInfo",
            "oss:ListResourcePoolRequesterQoSInfos",
            "oss:DeleteResourcePoolRequesterQoSInfo"
          ],
          "Resource": "*"
        }
      ]
    }
Important

A RAM user or RAM role that is granted account-level permissions can operate on all relevant resources in the entire account. Ensure that the granted permissions align with your security requirements. Follow the PoLP and grant permissions with caution.
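As an added example (not part of this topic or of the OSS product), the following Python helper applies the two rules above together: given a custom policy that an administrator intends to attach at resource group scope, it separates the actions that support resource groups from the ones in the table that only take effect at Account Level, and it flags wildcard actions such as oss:Get* that silently cover both kinds. The sample policy is constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Actions this page lists as not supporting resource group-level authorization.
# Granting them on a resource group has no effect; they need Account Level scope.
ACCOUNT_LEVEL_ONLY = frozenset([
    "oss:DescribeRegions", "oss:ListUserDataRedundancyTransition",
    "oss:PutPublicAccessBlock", "oss:GetPublicAccessBlock",
    "oss:DeletePublicAccessBlock", "oss:InitUserAntiDDosInfo",
    "oss:UpdateUserAntiDDosInfo", "oss:GetUserAntiDDosInfo",
    "oss:InitBucketAntiDosInfo", "oss:UpdateBucketAntiDDosInfo",
    "oss:ListBucketAntiDDosInfo", "oss:ListResourcePools",
    "oss:GetResourcePoolInfo", "oss:ListResourcePoolBuckets",
    "oss:PutResourcePoolRequesterQoSInfo", "oss:GetResourcePoolRequesterQoSInfo",
    "oss:ListResourcePoolRequesterQoSInfos", "oss:DeleteResourcePoolRequesterQoSInfo",
])

# Constructed sample: a policy someone intends to attach at resource group scope.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:GetObject", "oss:PutObject", "oss:ListBucketAntiDDosInfo", "oss:Get*"],
    "Resource": "*"}]})


def split_policy(policy_json):
    """Return (resource_group_policy, account_level_policy, wildcards).

    Account-level-only actions move to the second policy. Wildcards such as
    "oss:Get*" that also cover account-level-only operations stay in the
    first policy but are listed in `wildcards` for manual review.
    """
    policy = json.loads(policy_json)
    rg_stmts, acct_stmts, wildcards = [], [], []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):  # RAM allows a single action string
            actions = [actions]
        rg = [a for a in actions if a not in ACCOUNT_LEVEL_ONLY]
        acct = [a for a in actions if a in ACCOUNT_LEVEL_ONLY]
        for pattern in rg:
            if "*" in pattern and any(fnmatchcase(a, pattern) for a in ACCOUNT_LEVEL_ONLY):
                wildcards.append(pattern)
        if rg:
            rg_stmts.append(dict(stmt, Action=rg))  # copy with narrowed Action
        if acct:
            acct_stmts.append(dict(stmt, Action=acct))
    version = policy.get("Version", "1")
    return ({"Version": version, "Statement": rg_stmts},
            {"Version": version, "Statement": acct_stmts}, wildcards)
```

For the sample policy, the first result can be granted on the resource group, the second must be granted with Account Level as the resource scope, and oss:Get* is reported so that its account-level coverage is reviewed against the PoLP before it is granted.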