
Granular control with resource groups

Last Updated: Apr 23, 2026

You can integrate resource groups with RAM for resource isolation and fine-grained permission management within your Alibaba Cloud account. This topic explains how Tair (compatible with Redis®) supports resource groups and how to grant permissions to them.

Resource group authorization

You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move its resources into that group to manage them centrally. For more information, see What is a Resource Group.

After you organize your resources, you can grant permissions scoped to a specific resource group to different principals, such as RAM users, RAM user groups, and RAM roles. This limits a principal to managing only the resources within that resource group. For more information, see Resource Grouping and Authorization.

This authorization method provides the following benefits:

  • Fine-grained permissions: You can grant each identity only the permissions it needs to access specific resources. This prevents resources from different projects from being managed together.

  • Scalability: When you add new resources to a resource group, the associated principal automatically gains permissions for them. No further authorization is required.

Grant resource group permissions to a RAM user

This topic explains how to grant a RAM user permissions on ApsaraDB for Tair (compatible with Redis®) resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant resource group-level permissions

Use one of the following methods to grant resource group-level permissions.

Resource management console

Use the permission management feature of a resource group to grant permissions to a specific RAM user. For more information, see Grant resource group-scoped permissions to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, in the Actions column of the target resource group, click Permission Management.

  • On the Permission Management tab, click Add Authorization.

  • In the Add Authorization panel, configure the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Permission Policy: Select a System Policy or an existing Custom Policy. For more information, see Create a custom policy.

  • Click OK.

RAM console

Use the RAM console to grant resource group-level permissions to a specified RAM user. For more information, see Manage permissions for a RAM user.

  • Log on to the RAM console as your Alibaba Cloud account (main account) or a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, in the Actions column of the target RAM user, click Add Permissions.

  • In the Add Authorization panel, configure the following settings:

    • Resource Scope: Select Resource Group.

    • Principal: Select the RAM user you created in the prerequisites.

    • Permission Policy: Select a System Policy or an existing Custom Policy. For more information, see Create a custom policy.

  • Click OK.

Resource types that support resource groups

The following table lists the resource types for ApsaraDB for Tair (compatible with Redis®) that support resource groups.

| Cloud service | Cloud service code | Resource type |
|---|---|---|
| ApsaraDB for Tair (compatible with Redis®) | kvstore | instance |

Note

To request support for a resource type that is not yet supported, you can submit feedback in the resource group console.


Actions without resource group authorization

The following Tair actions do not support resource group-level authorization:

| Actions | Description |
|---|---|
| kvstore:CancelActiveOperationTasks | Cancels maintenance events in batches. |
| kvstore:CreateParameterGroup | Creates a parameter template. |
| kvstore:CreateTairKVCacheInferInstance | - |
| kvstore:CreateTairKVCacheInferModule | - |
| kvstore:CreateTairKVCacheInferModuleNode | - |
| kvstore:CreateTairKVCacheVNode | Creates a Tair VNode virtual node instance. |
| kvstore:DeleteGlobalSecurityIPGroup | Deletes a global IP whitelist template. |
| kvstore:DeleteParameterGroup | Deletes a parameter template. |
| kvstore:DeleteTairKVCacheInferModule | - |
| kvstore:DeleteTairKVCacheInferModuleNode | - |
| kvstore:DescribeActiveOperationMaintainConfig | - |
| kvstore:DescribeActiveOperationMaintenanceConfig | Queries the maintenance task configurations for an instance. |
| kvstore:DescribeActiveOperationTask | Queries maintenance task details for a Tair instance. |
| kvstore:DescribeActiveOperationTaskCount | Queries the number of maintenance tasks for a Tair instance. |
| kvstore:DescribeActiveOperationTaskType | - |
| kvstore:DescribeActiveOperationTasks | Queries the details of maintenance events for an instance. |
| kvstore:DescribeConnectionDomain | - |
| kvstore:DescribeDedicatedUserCluster | - |
| kvstore:DescribeDetachedInstances | - |
| kvstore:DescribeErrorLogRecords | - |
| kvstore:DescribeEventMetaInfo | - |
| kvstore:DescribeHistoryEventsStat | Queries historical event statistics. |
| kvstore:DescribeHistoryTasksStat | Queries task statistics from the task center. |
| kvstore:DescribeInstanceClasses | - |
| kvstore:DescribeInstanceForInner | - |
| kvstore:DescribeInstanceKeywords | - |
| kvstore:DescribeInstanceSpec | - |
| kvstore:DescribeInstancesByExpireTime | - |
| kvstore:DescribeMonitorItems | Queries monitoring items supported by a Tair instance. |
| kvstore:DescribeParameterGroup | Queries basic information about a parameter template. |
| kvstore:DescribeParameterGroupSupportParam | Queries configurable parameters for different versions of a parameter template. |
| kvstore:DescribeParameterGroupTemplateList | Queries the details of configurable parameters in a parameter template, such as default values, value ranges, and descriptions. |
| kvstore:DescribeParameterGroups | Queries available parameter templates. |
| kvstore:DescribeRdsVSwitchs | - |
| kvstore:DescribeRdsVpcs | - |
| kvstore:DescribeRdsVswitchs | - |
| kvstore:DescribeRecommendBuyUrlForRds | - |
| kvstore:DescribeServiceLinkedRoleExists | Checks whether a service-linked role is granted to Tair. |
| kvstore:DescribeTags | Queries all tags in a specified region. |
| kvstore:DescribeTairKVCacheCustomInstances | - |
| kvstore:DescribeTairKVCacheInferSupportModule | - |
| kvstore:DescribeTairKVCacheVNode | - |
| kvstore:DescribeTairUserACKClusterInfo | - |
| kvstore:DescribeUserClusterHost | - |
| kvstore:DescribeUserClusterHostInstance | - |
| kvstore:DescribeUserEventConfig | - |
| kvstore:DescribeVSwitches | - |
| kvstore:DescribeVswitches | - |
| kvstore:DoLogicalDeleteResource | - |
| kvstore:GetPrice | - |
| kvstore:InitializeKvstorePermission | Grants a service-linked role to Tair. |
| kvstore:ModifyActiveOperationMaintainConfig | - |
| kvstore:ModifyActiveOperationTask | Modifies the scheduled switchover time of a maintenance task. |
| kvstore:ModifyActiveOperationTasks | Modifies the switchover time of a scheduled maintenance event for an instance. |
| kvstore:ModifyEventInfo | - |
| kvstore:ModifyGlobalSecurityIPGroupName | Modifies the name of a global IP whitelist template. |
| kvstore:ModifyInstanceParameter | Applies a parameter template to an instance. Changes to a template take effect only after you reapply it to the instance. |
| kvstore:ModifyParameterGroup | Modifies the settings of a parameter template. |
| kvstore:ModifyTaskInfo | Modifies a task. This action currently supports modifying the execution time of a task. |
| kvstore:ModifyUserEventConfig | - |
| kvstore:RenewAdditionalBandwidth | The bandwidth for Tair instances has been upgraded to the pay-as-you-go model. This action is no longer recommended. |
| kvstore:ResetAccount | - |
| kvstore:describeBackupPolicy | - |

For actions that do not support resource group-level authorization, granting permissions at the resource group level has no effect. To grant a RAM user permissions for these actions, you must create a custom policy and grant permissions at the account level.

The following are two example custom policies. You can adjust the policy content to meet your business requirements.

  • Allows all read-only operations that do not support resource group-level authorization: The Action element lists all such operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kvstore:DescribeActiveOperationMaintainConfig",
            "kvstore:DescribeActiveOperationMaintenanceConfig",
            "kvstore:DescribeActiveOperationTask",
            "kvstore:DescribeActiveOperationTaskCount",
            "kvstore:DescribeActiveOperationTaskType",
            "kvstore:DescribeActiveOperationTasks",
            "kvstore:DescribeConnectionDomain",
            "kvstore:DescribeDedicatedUserCluster",
            "kvstore:DescribeDetachedInstances",
            "kvstore:DescribeErrorLogRecords",
            "kvstore:DescribeEventMetaInfo",
            "kvstore:DescribeHistoryEventsStat",
            "kvstore:DescribeHistoryTasksStat",
            "kvstore:DescribeInstanceClasses",
            "kvstore:DescribeInstanceForInner",
            "kvstore:DescribeInstanceKeywords",
            "kvstore:DescribeInstanceSpec",
            "kvstore:DescribeInstancesByExpireTime",
            "kvstore:DescribeMonitorItems",
            "kvstore:DescribeParameterGroup",
            "kvstore:DescribeParameterGroupSupportParam",
            "kvstore:DescribeParameterGroupTemplateList",
            "kvstore:DescribeParameterGroups",
            "kvstore:DescribeRdsVSwitchs",
            "kvstore:DescribeRdsVpcs",
            "kvstore:DescribeRdsVswitchs",
            "kvstore:DescribeRecommendBuyUrlForRds",
            "kvstore:DescribeServiceLinkedRoleExists",
            "kvstore:DescribeTags",
            "kvstore:DescribeTairKVCacheCustomInstances",
            "kvstore:DescribeTairKVCacheInferSupportModule",
            "kvstore:DescribeTairKVCacheVNode",
            "kvstore:DescribeTairUserACKClusterInfo",
            "kvstore:DescribeUserClusterHost",
            "kvstore:DescribeUserClusterHostInstance",
            "kvstore:DescribeUserEventConfig",
            "kvstore:DescribeVSwitches",
            "kvstore:DescribeVswitches"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allows all operations that do not support resource group-level authorization: The Action element lists these operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kvstore:CancelActiveOperationTasks",
            "kvstore:CreateParameterGroup",
            "kvstore:CreateTairKVCacheInferInstance",
            "kvstore:CreateTairKVCacheInferModule",
            "kvstore:CreateTairKVCacheInferModuleNode",
            "kvstore:CreateTairKVCacheVNode",
            "kvstore:DeleteGlobalSecurityIPGroup",
            "kvstore:DeleteParameterGroup",
            "kvstore:DeleteTairKVCacheInferModule",
            "kvstore:DeleteTairKVCacheInferModuleNode",
            "kvstore:DescribeActiveOperationMaintainConfig",
            "kvstore:DescribeActiveOperationMaintenanceConfig",
            "kvstore:DescribeActiveOperationTask",
            "kvstore:DescribeActiveOperationTaskCount",
            "kvstore:DescribeActiveOperationTaskType",
            "kvstore:DescribeActiveOperationTasks",
            "kvstore:DescribeConnectionDomain",
            "kvstore:DescribeDedicatedUserCluster",
            "kvstore:DescribeDetachedInstances",
            "kvstore:DescribeErrorLogRecords",
            "kvstore:DescribeEventMetaInfo",
            "kvstore:DescribeHistoryEventsStat",
            "kvstore:DescribeHistoryTasksStat",
            "kvstore:DescribeInstanceClasses",
            "kvstore:DescribeInstanceForInner",
            "kvstore:DescribeInstanceKeywords",
            "kvstore:DescribeInstanceSpec",
            "kvstore:DescribeInstancesByExpireTime",
            "kvstore:DescribeMonitorItems",
            "kvstore:DescribeParameterGroup",
            "kvstore:DescribeParameterGroupSupportParam",
            "kvstore:DescribeParameterGroupTemplateList",
            "kvstore:DescribeParameterGroups",
            "kvstore:DescribeRdsVSwitchs",
            "kvstore:DescribeRdsVpcs",
            "kvstore:DescribeRdsVswitchs",
            "kvstore:DescribeRecommendBuyUrlForRds",
            "kvstore:DescribeServiceLinkedRoleExists",
            "kvstore:DescribeTags",
            "kvstore:DescribeTairKVCacheCustomInstances",
            "kvstore:DescribeTairKVCacheInferSupportModule",
            "kvstore:DescribeTairKVCacheVNode",
            "kvstore:DescribeTairUserACKClusterInfo",
            "kvstore:DescribeUserClusterHost",
            "kvstore:DescribeUserClusterHostInstance",
            "kvstore:DescribeUserEventConfig",
            "kvstore:DescribeVSwitches",
            "kvstore:DescribeVswitches",
            "kvstore:DoLogicalDeleteResource",
            "kvstore:GetPrice",
            "kvstore:InitializeKvstorePermission",
            "kvstore:ModifyActiveOperationMaintainConfig",
            "kvstore:ModifyActiveOperationTask",
            "kvstore:ModifyActiveOperationTasks",
            "kvstore:ModifyEventInfo",
            "kvstore:ModifyGlobalSecurityIPGroupName",
            "kvstore:ModifyInstanceParameter",
            "kvstore:ModifyParameterGroup",
            "kvstore:ModifyTaskInfo",
            "kvstore:ModifyUserEventConfig",
            "kvstore:RenewAdditionalBandwidth",
            "kvstore:ResetAccount",
            "kvstore:describeBackupPolicy"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can manage all resources within that account. Always ensure that the granted permissions are necessary and follow the principle of least privilege when you assign permissions.
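The following added example (not part of the original documentation or Alibaba Cloud tooling) takes a policy intended for attachment at resource group scope and derives the smallest account-level policy that covers only the actions that would otherwise have no effect, expanding wildcards to explicit action names. The function name, the sample policy, and the assumption that `*` is the only wildcard and that names match case-sensitively are illustrative; `UNSUPPORTED` holds a subset of the table above and must be extended with the full list before real use.

```python
import json
import re

# Subset of the page's "Actions without resource group authorization" table.
# Assumption: extend this set with the full table before real use.
UNSUPPORTED = {
    "kvstore:CreateParameterGroup", "kvstore:DeleteParameterGroup",
    "kvstore:DescribeParameterGroups", "kvstore:DescribeTags",
    "kvstore:DescribeMonitorItems", "kvstore:ModifyInstanceParameter",
    "kvstore:ResetAccount", "kvstore:GetPrice",
}

def _as_list(value):
    """The Action element may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    """Match an Action pattern; assumes '*' is the only wildcard, exact case."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action) is not None

def account_level_remainder(policy, unsupported=UNSUPPORTED):
    """Return a minimal account-level policy for the allowed actions that have
    no effect at resource group scope, or None if there are none."""
    needed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow grants are considered here
        for pattern in _as_list(stmt.get("Action", [])):
            # Expand wildcards to explicit names so nothing extra is granted.
            needed |= {a for a in unsupported if _matches(pattern, a)}
    if not needed:
        return None
    statement = {"Effect": "Allow", "Action": sorted(needed), "Resource": "*"}
    return {"Version": "1", "Statement": [statement]}

# Constructed sample: a policy someone plans to attach at resource group scope.
SAMPLE = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kvstore:Describe*", "kvstore:ModifyInstanceParameter"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(account_level_remainder(SAMPLE), indent=2))
```

Attach the original policy at resource group scope and the returned policy at account scope; a `None` result means no account-level grant is needed.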

FAQ

How do I find the resource group of a resource?

  • Click the name of the resource to open its details page, where you can view its resource group.

  • Log on to the Resource Management console and go to Resource Center > Resource Search. In the left navigation pane, select the account that owns the resource (the default is the current account). Use the filters to find the resource and view its resource group.

View product resources in a resource group

  • Log on to the Resource Management console and go to Resource Center > Resource Search. On the left, under the account that owns the resources (the default is the current account), click the name of the target resource group. On the right, select the product from the Resource Type dropdown list to view all its resources in that group.

  • Log on to the Resource Management console and go to Resource Group > Resource Group. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product dropdown list to view all its resources in the resource group.

Transfer multiple resources to a different group

Log on to the Resource Management console and go to Resource Group > Resource Group. Find the target resource group and click Manage Resources in the Actions column. Use the filters to find the resources to move, select their checkboxes in the first column, click Transfer Resource Group below the list, and follow the on-screen instructions.