Use resource groups for fine-grained access control - Object Storage Service

You can use Resource Group to manage Object Storage Service (OSS) resources as a collection and apply Resource Access Management (RAM) policies that authorize actions only on resources within a specific group. This lets you enforce the principle of least privilege (PoLP) in your Alibaba Cloud account.

Note

You can scope permissions to a resource group only for supported resource types and actions. For unsupported actions, any resource group scope in a policy is ignored, and permissions must be granted at the account level instead.

How it works

Resource groups organize your resources by project or environment. Once resources are grouped, you can attach a RAM policy to an identity (such as a RAM user, user group, or role) that scopes its permissions exclusively to that group. For more information, see Resource grouping and authorization.

This approach provides two key benefits:

Fine-grained access control: Instead of granting account-wide permissions, you can limit an identity's access to only the resources within a specific group. This helps isolate project-specific workloads and reduce the risk of unintended access.
Simplified management: When new resources are added to a resource group, RAM identities with permissions scoped to that group automatically gain access. You do not need to update RAM policies each time a new resource is created.

Grant resource group-level permissions to a RAM user

This section demonstrates how to grant a RAM user permission to access only the resources of Object Storage Service (OSS) within a specific resource group.

1. Prerequisites

Create a RAM user.
Create a resource group and ensure that the target resources are in it. If you need help doing this, see Create a resource group, Add resources to a resource group automatically, and Add resources to a resource group manually.

2. Grant permissions

You can grant resource group-level permissions from either the Resource Management console or the RAM console.

Resource Management console

Log on to the Resource Management console.
On the Resource Group page, find the target resource group and click Manage Permission in the Actions column.
On the Permissions tab, click Grant Permission.
In the Grant Permission panel, configure the principal and access policy.
- Principal: Select a RAM user.
- Policy: Select a System Policy or a Custom Policy. For more information, see Create a custom permission policy.
Click Grant permissions.

For more information, see Grant permissions on resource groups to a RAM identity.

RAM console

Log on to the RAM console using an Alibaba Cloud account or a RAM administrator account.
In the navigation pane on the left, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, add permissions for the RAM user.
- Resource Scope: Select Resource Group.
- Principal: Select an existing RAM user or the RAM user created in the previous step.
- Policy: Select a System Policy or a Custom Policy. For more information, see Create a custom permission policy.
Click OK.

For more information, see Grant permissions to a RAM user.

Supported resources

The following resources from Object Storage Service (OSS) support resource group-level authorization:

Alibaba Cloud service	Service code	Resource type
Object Storage Service (OSS)	oss	bucket : bucket

Note

To request support for resource types not listed here, submit feedback via Resource Management console.

Unsupported actions

The following actions of Object Storage Service (OSS) do not support resource group-level authorization:

Action	Description
oss:ActivateProduct	-
oss:AppendObject	-
oss:BatchDeleteMaliciousFileWhitelistConfig	-
oss:CancelStockOssCheckTask	-
oss:CheckMfdServiceOpen	-
oss:CompleteMultipartUpload	-
oss:CreateImportAddress	-
oss:CreateImportAgent	-
oss:CreateImportJob	-
oss:CreateImportReport	-
oss:CreateImportTunnel	-
oss:CreateJob	-
oss:CreateMaliciousFileWhitelistConfig	-
oss:CreateOrder	-
oss:CreateOssBucketScanTask	-
oss:CreateOssScanConfig	-
oss:CreatePreCheck	-
oss:CreateReservedCapacity	-
oss:CreateSddpDefaultTask	-
oss:CreateStockOssCheckTask	-
oss:DeleteBucketCacheConfiguration	-
oss:DeleteCache	-
oss:DeleteImportAddress	-
oss:DeleteImportAgent	-
oss:DeleteImportJob	-
oss:DeleteImportTunnel	-
oss:DeletePublicAccessBlock	Deletes the Block Public Access configurations of OSS resources.
oss:DeleteResourcePoolBucketGroupQoSInfo	-
oss:DeleteResourcePoolPriorityQosConfiguration	-
oss:DeleteResourcePoolRequesterPriorityQosConfiguration	-
oss:DeleteResourcePoolRequesterQoSInfo	-
oss:DeleteSddpDefaultTask	-
oss:DeleteSystemNotification	-
oss:DescribeExportInfo	-
oss:DescribeJob	-
oss:DescribeRegions	Queries the endpoints of all supported regions or the endpoints of a specific region.
oss:DescribeServiceLinkedRoleStatus	-
oss:DoLogicalDeleteResource	-
oss:DoPhysicalDeleteResource	-
oss:ExportRecord	-
oss:ExportResult	-
oss:GeneratePortraitForOss	-
oss:GetBucket	-
oss:GetCache	-
oss:GetDataLakeStorageTransferJob	-
oss:GetFileDetectReport	-
oss:GetImageSceneLabelListConf	-
oss:GetImportAddress	-
oss:GetImportAgent	-
oss:GetImportJob	-
oss:GetImportJobResult	-
oss:GetImportReport	-
oss:GetImportTunnel	-
oss:GetJobNameList	-
oss:GetObjectMeta	-
oss:GetOssBucketScanStatistic	-
oss:GetOssCheckResultDetail	-
oss:GetOssCheckStatus	-
oss:GetOssScanConfig	-
oss:GetPublicAccessBlock	Queries the Block Public Access configurations of OSS resources.
oss:GetReservedCapacity	-
oss:GetResourcePoolBucketGroupQoSInfo	-
oss:GetResourcePoolInfo	-
oss:GetResourcePoolPriorityQosConfiguration	-
oss:GetResourcePoolRequesterPriorityQosConfiguration	-
oss:GetResourcePoolRequesterQoSInfo	-
oss:GetScanNum	-
oss:GetScanResult	-
oss:GetSddpBucketIdentifyStat	-
oss:GetSddpBucketRuleTop	-
oss:GetSddpDefaultTask	-
oss:GetSddpObject	-
oss:GetSddpUserPortrait	-
oss:GetService	-
oss:GetServiceConfig	-
oss:GetServiceLabelConfig	-
oss:GetStatusList	-
oss:GetStockOssCheckTasksList	-
oss:GetSwitchRegionDetail	-
oss:GetSystemNotification	-
oss:GetUserAntiDDosInfo	Queries the information about an Anti-DDoS instance of an Alibaba Cloud account.
oss:GetUserQoSInfo	-
oss:HandleObjectScanEvent	-
oss:HeadObject	-
oss:InitBucketAntiDDosInfo	Initializes an Anti-DDoS instance for a bucket.
oss:InitUserAntiDDosInfo	Creates an Anti-DDoS instance.
oss:InitiateMultipartUpload	-
oss:List	-
oss:ListAccessPointsForObjectProcess	Lists information about Object FC Access Points in an Alibaba Cloud account.
oss:ListBucketAntiDDosInfo	Queries the protection list of an Anti-DDoS instance of a bucket.
oss:ListCache	-
oss:ListDataLakeStorageTransferJob	-
oss:ListDataLakeStorageTransferJobHistory	-
oss:ListDataRedundancyType	-
oss:ListImportAddress	-
oss:ListImportAgent	-
oss:ListImportJob	-
oss:ListImportJobHistory	-
oss:ListImportTunnel	-
oss:ListJobs	-
oss:ListMaliciousFileWhitelistConfigs	-
oss:ListObjectScanEvent	-
oss:ListObjectsV2	-
oss:ListOssBucket	-
oss:ListOssBucketScanInfo	-
oss:ListReservedCapacity	-
oss:ListResourcePoolBucketGroupQoSInfos	-
oss:ListResourcePoolBucketGroups	-
oss:ListResourcePoolBuckets	-
oss:ListResourcePoolRequesterQoSInfos	-
oss:ListResourcePools	-
oss:ListSddpBuckets	-
oss:ListSddpFileCategorys	-
oss:ListSddpObjects	-
oss:ListSddpRegions	-
oss:ListSddpTasks	-
oss:ListSddpTemplateAllRules	-
oss:ListServiceConfigs	-
oss:ListSupportObjectSuffix	-
oss:ListUserDataRedundancyTransition	-
oss:ListVectorBuckets	-
oss:ModifySddpDefaultTask	-
oss:OpenOssService	Activate Object Storage Service.
oss:OperateBucketScanTask	-
oss:OssCheckResultList	-
oss:PostObject	-
oss:PublishRtmpStream	-
oss:PutBucketACL	-
oss:PutBucketTag	-
oss:PutCache	-
oss:PutDataLakeStorageTransferJob	-
oss:PutObjectACL	-
oss:PutPublicAccessBlock	Enables or disables Block Public Access for Object Storage Service (OSS) resources.
oss:PutResourcePoolBucketGroupQoSInfo	-
oss:PutResourcePoolPriorityQosConfiguration	-
oss:PutResourcePoolRequesterPriorityQosConfiguration	-
oss:PutResourcePoolRequesterQoSInfo	-
oss:PutSystemNotification	-
oss:SddpCreateDataLimit	-
oss:SddpDescribeAllBucketInstances	-
oss:SddpDescribeBucketInstances	-
oss:StartDataLakeStorageTransferJob	-
oss:UpdateBucketAntiDDosInfo	Updates the status of an Anti-DDoS instance of a bucket.
oss:UpdateImportAddress	-
oss:UpdateImportJob	-
oss:UpdateImportTunnel	-
oss:UpdateJobPriority	-
oss:UpdateJobStatus	-
oss:UpdateMaliciousFileWhitelistConfig	-
oss:UpdateOssScanConfig	-
oss:UpdateReservedCapacity	-
oss:UpdateSddpTaskStatus	-
oss:UpdateServiceConfig	-
oss:UpdateUserAntiDDosInfo	Modifies the status of an Anti-DDoS instance.
oss:UpgradeSddpVersion	-
oss:UploadPart	-
oss:UploadPartCopy	-
oss:VerifyAgentTunnel	-
oss:VerifyImportAddress	-
oss:getObects	-

For these actions, you must create a custom policy with the scope set to Account.

Customize the following policy examples to suit your needs:

Allow read-only access

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:DescribeRegions",
        "oss:GetBucket",
        "oss:GetCache",
        "oss:GetDataLakeStorageTransferJob",
        "oss:GetFileDetectReport",
        "oss:GetImageSceneLabelListConf",
        "oss:GetImportAddress",
        "oss:GetImportAgent",
        "oss:GetImportJob",
        "oss:GetImportJobResult",
        "oss:GetImportReport",
        "oss:GetImportTunnel",
        "oss:GetJobNameList",
        "oss:GetObjectMeta",
        "oss:GetOssBucketScanStatistic",
        "oss:GetOssCheckResultDetail",
        "oss:GetOssCheckStatus",
        "oss:GetOssScanConfig",
        "oss:GetPublicAccessBlock",
        "oss:GetReservedCapacity",
        "oss:GetResourcePoolBucketGroupQoSInfo",
        "oss:GetResourcePoolInfo",
        "oss:GetResourcePoolPriorityQosConfiguration",
        "oss:GetResourcePoolRequesterPriorityQosConfiguration",
        "oss:GetResourcePoolRequesterQoSInfo",
        "oss:GetScanNum",
        "oss:GetScanResult",
        "oss:GetSddpBucketIdentifyStat",
        "oss:GetSddpBucketRuleTop",
        "oss:GetSddpDefaultTask",
        "oss:GetSddpObject",
        "oss:GetSddpUserPortrait",
        "oss:GetService",
        "oss:GetServiceConfig",
        "oss:GetServiceLabelConfig",
        "oss:GetStatusList",
        "oss:GetStockOssCheckTasksList",
        "oss:GetSwitchRegionDetail",
        "oss:GetSystemNotification",
        "oss:GetUserAntiDDosInfo",
        "oss:GetUserQoSInfo",
        "oss:List",
        "oss:ListAccessPointsForObjectProcess",
        "oss:ListBucketAntiDDosInfo",
        "oss:ListCache",
        "oss:ListDataLakeStorageTransferJob",
        "oss:ListDataLakeStorageTransferJobHistory",
        "oss:ListDataRedundancyType",
        "oss:ListImportAddress",
        "oss:ListImportAgent",
        "oss:ListImportJob",
        "oss:ListImportJobHistory",
        "oss:ListImportTunnel",
        "oss:ListJobs",
        "oss:ListMaliciousFileWhitelistConfigs",
        "oss:ListObjectScanEvent",
        "oss:ListObjectsV2",
        "oss:ListOssBucket",
        "oss:ListOssBucketScanInfo",
        "oss:ListReservedCapacity",
        "oss:ListResourcePoolBucketGroupQoSInfos",
        "oss:ListResourcePoolBucketGroups",
        "oss:ListResourcePoolBuckets",
        "oss:ListResourcePoolRequesterQoSInfos",
        "oss:ListResourcePools",
        "oss:ListSddpBuckets",
        "oss:ListSddpFileCategorys",
        "oss:ListSddpObjects",
        "oss:ListSddpRegions",
        "oss:ListSddpTasks",
        "oss:ListSddpTemplateAllRules",
        "oss:ListServiceConfigs",
        "oss:ListSupportObjectSuffix",
        "oss:ListUserDataRedundancyTransition",
        "oss:ListVectorBuckets"
      ],
      "Resource": "*"
    }
  ]
}

Allow full access

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ActivateProduct",
        "oss:AppendObject",
        "oss:BatchDeleteMaliciousFileWhitelistConfig",
        "oss:CancelStockOssCheckTask",
        "oss:CheckMfdServiceOpen",
        "oss:CompleteMultipartUpload",
        "oss:CreateImportAddress",
        "oss:CreateImportAgent",
        "oss:CreateImportJob",
        "oss:CreateImportReport",
        "oss:CreateImportTunnel",
        "oss:CreateJob",
        "oss:CreateMaliciousFileWhitelistConfig",
        "oss:CreateOrder",
        "oss:CreateOssBucketScanTask",
        "oss:CreateOssScanConfig",
        "oss:CreatePreCheck",
        "oss:CreateReservedCapacity",
        "oss:CreateSddpDefaultTask",
        "oss:CreateStockOssCheckTask",
        "oss:DeleteBucketCacheConfiguration",
        "oss:DeleteCache",
        "oss:DeleteImportAddress",
        "oss:DeleteImportAgent",
        "oss:DeleteImportJob",
        "oss:DeleteImportTunnel",
        "oss:DeletePublicAccessBlock",
        "oss:DeleteResourcePoolBucketGroupQoSInfo",
        "oss:DeleteResourcePoolPriorityQosConfiguration",
        "oss:DeleteResourcePoolRequesterPriorityQosConfiguration",
        "oss:DeleteResourcePoolRequesterQoSInfo",
        "oss:DeleteSddpDefaultTask",
        "oss:DeleteSystemNotification",
        "oss:DescribeExportInfo",
        "oss:DescribeJob",
        "oss:DescribeRegions",
        "oss:DescribeServiceLinkedRoleStatus",
        "oss:DoLogicalDeleteResource",
        "oss:DoPhysicalDeleteResource",
        "oss:ExportRecord",
        "oss:ExportResult",
        "oss:GeneratePortraitForOss",
        "oss:GetBucket",
        "oss:GetCache",
        "oss:GetDataLakeStorageTransferJob",
        "oss:GetFileDetectReport",
        "oss:GetImageSceneLabelListConf",
        "oss:GetImportAddress",
        "oss:GetImportAgent",
        "oss:GetImportJob",
        "oss:GetImportJobResult",
        "oss:GetImportReport",
        "oss:GetImportTunnel",
        "oss:GetJobNameList",
        "oss:GetObjectMeta",
        "oss:GetOssBucketScanStatistic",
        "oss:GetOssCheckResultDetail",
        "oss:GetOssCheckStatus",
        "oss:GetOssScanConfig",
        "oss:GetPublicAccessBlock",
        "oss:GetReservedCapacity",
        "oss:GetResourcePoolBucketGroupQoSInfo",
        "oss:GetResourcePoolInfo",
        "oss:GetResourcePoolPriorityQosConfiguration",
        "oss:GetResourcePoolRequesterPriorityQosConfiguration",
        "oss:GetResourcePoolRequesterQoSInfo",
        "oss:GetScanNum",
        "oss:GetScanResult",
        "oss:GetSddpBucketIdentifyStat",
        "oss:GetSddpBucketRuleTop",
        "oss:GetSddpDefaultTask",
        "oss:GetSddpObject",
        "oss:GetSddpUserPortrait",
        "oss:GetService",
        "oss:GetServiceConfig",
        "oss:GetServiceLabelConfig",
        "oss:GetStatusList",
        "oss:GetStockOssCheckTasksList",
        "oss:GetSwitchRegionDetail",
        "oss:GetSystemNotification",
        "oss:GetUserAntiDDosInfo",
        "oss:GetUserQoSInfo",
        "oss:HandleObjectScanEvent",
        "oss:HeadObject",
        "oss:InitBucketAntiDDosInfo",
        "oss:InitUserAntiDDosInfo",
        "oss:InitiateMultipartUpload",
        "oss:List",
        "oss:ListAccessPointsForObjectProcess",
        "oss:ListBucketAntiDDosInfo",
        "oss:ListCache",
        "oss:ListDataLakeStorageTransferJob",
        "oss:ListDataLakeStorageTransferJobHistory",
        "oss:ListDataRedundancyType",
        "oss:ListImportAddress",
        "oss:ListImportAgent",
        "oss:ListImportJob",
        "oss:ListImportJobHistory",
        "oss:ListImportTunnel",
        "oss:ListJobs",
        "oss:ListMaliciousFileWhitelistConfigs",
        "oss:ListObjectScanEvent",
        "oss:ListObjectsV2",
        "oss:ListOssBucket",
        "oss:ListOssBucketScanInfo",
        "oss:ListReservedCapacity",
        "oss:ListResourcePoolBucketGroupQoSInfos",
        "oss:ListResourcePoolBucketGroups",
        "oss:ListResourcePoolBuckets",
        "oss:ListResourcePoolRequesterQoSInfos",
        "oss:ListResourcePools",
        "oss:ListSddpBuckets",
        "oss:ListSddpFileCategorys",
        "oss:ListSddpObjects",
        "oss:ListSddpRegions",
        "oss:ListSddpTasks",
        "oss:ListSddpTemplateAllRules",
        "oss:ListServiceConfigs",
        "oss:ListSupportObjectSuffix",
        "oss:ListUserDataRedundancyTransition",
        "oss:ListVectorBuckets",
        "oss:ModifySddpDefaultTask",
        "oss:OpenOssService",
        "oss:OperateBucketScanTask",
        "oss:OssCheckResultList",
        "oss:PostObject",
        "oss:PublishRtmpStream",
        "oss:PutBucketACL",
        "oss:PutBucketTag",
        "oss:PutCache",
        "oss:PutDataLakeStorageTransferJob",
        "oss:PutObjectACL",
        "oss:PutPublicAccessBlock",
        "oss:PutResourcePoolBucketGroupQoSInfo",
        "oss:PutResourcePoolPriorityQosConfiguration",
        "oss:PutResourcePoolRequesterPriorityQosConfiguration",
        "oss:PutResourcePoolRequesterQoSInfo",
        "oss:PutSystemNotification",
        "oss:SddpCreateDataLimit",
        "oss:SddpDescribeAllBucketInstances",
        "oss:SddpDescribeBucketInstances",
        "oss:StartDataLakeStorageTransferJob",
        "oss:UpdateBucketAntiDDosInfo",
        "oss:UpdateImportAddress",
        "oss:UpdateImportJob",
        "oss:UpdateImportTunnel",
        "oss:UpdateJobPriority",
        "oss:UpdateJobStatus",
        "oss:UpdateMaliciousFileWhitelistConfig",
        "oss:UpdateOssScanConfig",
        "oss:UpdateReservedCapacity",
        "oss:UpdateSddpTaskStatus",
        "oss:UpdateServiceConfig",
        "oss:UpdateUserAntiDDosInfo",
        "oss:UpgradeSddpVersion",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:VerifyAgentTunnel",
        "oss:VerifyImportAddress",
        "oss:getObects"
      ],
      "Resource": "*"
    }
  ]
}

Important

Granting account-level permissions allows access to all relevant resources in the account. Always follow PoLP.

FAQ

How do I find which resource group a resource belongs to?

Method 1: From the service console
- Navigate to the service console where the resource was created. On the resource's details page, you can typically find the resource group listed in the basic information section.
Method 2: From the Resource Management console
- Log on to the Resource Management console.
- Choose Resource Center > Resource Search.
- In the left pane, select the account that owns the target resource (the default is Current Account).
- Use filter conditions to find your resource.
- The Resource Group column shows which group the resource belongs to.

How do I view all resources in a specific resource group?

Method 1:
- Log on to the Resource Management console.
- Choose Resource Center > Resource Search.
- In the left pane, under the account that owns the resources (the default is Current Account), click the name of the desired resource group.
- In the right pane, select the cloud service from the Select resource types drop-down list.
- All resources in that group will be displayed.
Method 2:
- Log on to the Resource Management console.
- Choose Resource Group > Resource Group.
- Find the desired resource group and click Manage Resource in the Actions column.
- On the resource management page, select the cloud service from the Service drop-down list.
- All resources in that group will be displayed.

How do I move multiple resources to a different resource group in batch?

Log on to the Resource Management console.
Choose Resource Group > Resource Group.
Find the desired resource group and click Manage Resource in the Actions column.
On the resource management page, use filter conditions to find the resources you want to move.
Select the checkbox for each resource.
At the bottom of the page, click Transfer.
In the dialog box, select the destination resource group and click Confirm.