PrivateLink: Use resource groups for fine-grained resource control

Last Updated: Apr 23, 2026

You can use resource groups with Resource Access Management (RAM) to isolate resources and manage permissions with fine-grained control within a single Alibaba Cloud account. This topic describes the support for resource groups in PrivateLink and the steps to grant permissions at the resource group level.

How resource group authorization works

You can use a resource group to manage resources within your Alibaba Cloud account as a single unit. For example, you can create a dedicated resource group for each of your projects and move project-related resources into their respective groups. This allows you to manage all resources for each project from a central location. For more information, see What is a resource group?

After you organize your resources into groups, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, for each resource group. This ensures that a principal can manage only resources within the specified resource group. For more information, see Resource grouping and authorization.

This authorization method offers the following advantages:

  • Fine-grained permissions: You can grant precise access rights to each identity, so resources that belong to different projects in your account are not managed together by the same principal.

  • Scalability: When you add a new resource, you can simply add it to the appropriate resource group. The RAM identity automatically gains the necessary permissions for the new resource.

Grant resource group-level permissions

This section uses a RAM user as an example to show how to grant permissions on PrivateLink resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant resource group-level permissions

You can grant resource group-level permissions by using either of the following methods.

Resource Management console

Use the permission management feature of resource groups to grant permissions to a specific RAM user. For more information, see Grant permissions on a resource group to a RAM identity.

  1. Log on to the Resource Management console.

  2. On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.

  3. On the Permission Management tab, click Add Permissions.

  4. In the Add Permissions panel, configure the principal and permission policy.

     • Principal: Select an existing RAM user.

     • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

  5. Click OK.

RAM console

Use the RAM console to grant resource group-level permissions to a specific RAM user. For more information, see Manage permissions for a RAM user.

  1. Log on to the RAM console with an Alibaba Cloud account or as a RAM administrator.

  2. In the left-side navigation pane, choose Identity Management > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  3. In the Add Permissions panel, grant permissions to the RAM user.

     • Resource Scope: Select Resource Group Level.

     • Principal: Select an existing RAM user or the RAM user that you created in the prerequisites.

     • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

  4. Click OK.

Resource types that support resource groups

The following table lists the PrivateLink resource types that support resource groups.

| Cloud service | Cloud service code | Resource type                        |
|---------------|--------------------|--------------------------------------|
| PrivateLink   | privatelink        | vpcendpoint: endpoint                |
| PrivateLink   | privatelink        | vpcendpointservice: endpoint service |

Note

If a resource type does not support resource groups, you can submit feedback in the Resource Management console.

Actions without resource group authorization

The following PrivateLink actions do not support resource group-level authorization:

| Action                             | Description                              |
|------------------------------------|------------------------------------------|
| privatelink:CheckProductOpen       | Checks whether PrivateLink is activated. |
| privatelink:DescribeZones          | -                                        |
| privatelink:InnerEnableVpcePolicy  | -                                        |
| privatelink:OpenPrivateLinkService | Activates the PrivateLink service.       |

For actions that do not support resource group-level authorization, setting the resource scope to Resource Group Level has no effect. To grant these permissions to a RAM user, you must create a custom policy and set the resource scope to Account Level.

The following examples show two custom permission policies. You can modify the policies as needed.

  • Allow all read-only actions that do not support resource group-level authorization: List all unsupported read-only actions in the Action element. Of the four actions in the table above, the read-only ones are privatelink:CheckProductOpen and privatelink:DescribeZones.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "privatelink:CheckProductOpen",
            "privatelink:DescribeZones"
          ],
          "Resource": "*"
        }
      ]
    }
    
    
  • Allow all actions that do not support resource group-level authorization: List all unsupported actions in the Action element.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "privatelink:CheckProductOpen",
            "privatelink:DescribeZones",
            "privatelink:InnerEnableVpcePolicy",
            "privatelink:OpenPrivateLinkService"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can operate on all relevant resources within the entire account. Always follow the principle of least privilege and grant permissions with caution to meet your security requirements.
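Because a Resource Group Level grant silently has no effect for the four actions above, a practical safeguard is to split a drafted policy into the part that can be attached at Resource Group Level and an explicit, wildcard-free part for Account Level, and then to review any non-read-only action that ends up in the account-level part. The following Python script is an added example for this page and is not Alibaba Cloud code; the set of account-level-only actions comes from the table above, while the read-only heuristic (Check*/Describe* prefixes), the sample policy and the function names are this example's own assumptions.

```python
"""Split a PrivateLink custom policy into a resource-group-scoped part and an
account-level part, and flag the account-level actions that are not read-only.

Added example for this page; not Alibaba Cloud code. The account-level-only
action set is taken from the table on this page; the read-only heuristic
(Check*/Describe* prefixes) is this example's own assumption.
"""
import fnmatch
import json

# From the page: PrivateLink actions without resource-group authorization.
ACCOUNT_LEVEL_ONLY = frozenset({
    "privatelink:CheckProductOpen",
    "privatelink:DescribeZones",
    "privatelink:InnerEnableVpcePolicy",
    "privatelink:OpenPrivateLinkService",
})

# Assumption of this example: actions named Check*/Describe* are read-only.
READ_ONLY_PREFIXES = ("privatelink:check", "privatelink:describe")


def _as_list(value):
    """RAM allows a single string or a list in Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def expand_account_level_only(action_patterns):
    """Return, sorted, the account-level-only actions matched by the patterns.

    RAM action names accept the '*' wildcard; matching is case-insensitive.
    """
    matched = set()
    for pattern in action_patterns:
        for action in ACCOUNT_LEVEL_ONLY:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return sorted(matched)


def read_only_subset(actions):
    """Keep only actions that look read-only under this example's heuristic."""
    return sorted(a for a in actions if a.lower().startswith(READ_ONLY_PREFIXES))


def split_policy(policy):
    """Return (rg_policy, account_policy) for a policy in RAM JSON format.

    rg_policy keeps every statement unchanged for attachment at Resource
    Group Level. account_policy lists, explicitly and with Resource "*",
    each account-level-only action that an Allow statement matches, so it
    can be attached separately at Account Level without wildcards.
    """
    version = policy.get("Version", "1")
    statements = list(policy.get("Statement", []))
    account_actions = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            account_actions.update(
                expand_account_level_only(_as_list(stmt.get("Action"))))
    rg_policy = {"Version": version, "Statement": statements}
    account_statements = []
    if account_actions:
        account_statements.append({
            "Effect": "Allow",
            "Action": sorted(account_actions),
            "Resource": "*",
        })
    return rg_policy, {"Version": version, "Statement": account_statements}


def write_actions(account_policy):
    """Account-level actions that are not read-only: review these first."""
    actions = []
    for stmt in account_policy.get("Statement", []):
        actions.extend(_as_list(stmt.get("Action")))
    return sorted(set(actions) - set(read_only_subset(actions)))


# Constructed sample: a policy a project team might draft for a RAM user.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["privatelink:Describe*", "privatelink:CheckProductOpen",
                       "privatelink:OpenPrivateLinkService"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    rg, acct = split_policy(SAMPLE_POLICY)
    print("Attach at Resource Group Level:\n" + json.dumps(rg, indent=2))
    print("Attach at Account Level:\n" + json.dumps(acct, indent=2))
    print("Non-read-only account-level actions to review:", write_actions(acct))
```

The account-level policy is emitted with explicit action names rather than the wildcards of the source statement, so that the broader grant is limited to exactly the actions that cannot be scoped to a resource group; anything `write_actions` reports (in the sample, privatelink:OpenPrivateLinkService) is where the least-privilege review described in the note above should focus.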

FAQ

Find a resource's resource group

  • Method 1: Click the resource name to go to its details page, where you can find its resource group.

  • Method 2: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side navigation pane, select the account that owns the resource. By default, Current Account is selected. Use the filter conditions to locate the resource and view its resource group.

View all resources in a resource group

  • Method 1: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side navigation pane, under the account that owns the resources (by default, Current Account is selected), click the name of the target resource group. Then, select the product from the Select Resource Type drop-down list on the right to view all of its resources in that resource group.

  • Method 2: Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all of its resources in that resource group.

Bulk move resources to a resource group

Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column to go to the resource management page. Use the filter conditions to locate the resources, select the checkboxes in the first column for the resources that you want to move, and then click Transfer Resources at the bottom. Follow the on-screen instructions to complete the process.