
Resource Management: Use resource groups as a RAM user

Last Updated: Jun 16, 2025

If you want to manage resource groups by using a RAM identity (RAM user or RAM role), you must attach the required permission policies to the RAM identity. This topic describes how to manage resource groups by using a RAM user.

Overview

The required permission policies fall into the following types. If you want a RAM user to manage resource groups, view the resources in resource groups, and manage resource group-based authorization, attach all of these types of policies to the RAM user. Otherwise, follow the principle of least privilege and attach only the policies for the tasks the RAM user actually performs, which keeps access secure.

Policies for managing resource groups

Policy used to grant management permissions on resource groups

If you want a RAM user to have the permissions to manage resource groups, you can attach the following policy to the RAM user. This policy allows the RAM user to perform all read and write operations on resource groups, such as creating, deleting, modifying, and viewing resource groups. The policy is applicable to resource group administrators.

Important

In the following policy, ram:TagResources, ram:UntagResources, and ram:ListTagResources are specified in the Action element. This indicates that the RAM identity to which the policy is attached can be used to add tags to, remove tags from, and view tags of resources such as resource groups, RAM users, and RAM roles. Proceed with caution.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:*ResourceGroup*",
        "ram:*AssociatedTransfer*",
        "ram:LookupResourceGroupEvents",
        "resourcemanager:*ResourceGroup*",
        "resourcemanager:*AutoGrouping*",
        "ram:TagResources",
        "ram:UntagResources",
        "ram:ListTagResources"
      ],
      "Resource": "*"
    }
  ]
}

Policy used to grant read-only permissions on resource groups

If you want a RAM user to have only read-only permissions on resource groups, you can attach the following policy to the RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:GetResourceGroup*",
        "ram:ListResourceGroup*",
        "ram:ListAssociatedTransferSetting",
        "ram:LookupResourceGroupEvents",
        "resourcemanager:GetResourceGroup*",
        "resourcemanager:ListResourceGroup*",
        "resourcemanager:GetAutoGrouping*",
        "resourcemanager:ListAutoGrouping*",
        "ram:ListTagResources"
      ],
      "Resource": "*"
    }
  ]
}

Policies for viewing resources in resource groups

If you want a RAM user to view the resources in a resource group on the Resources tab of the details page of the resource group, you must grant the RAM user the read-only permissions on the resources.

  • Example 1: If you want a RAM user to view only virtual private clouds (VPCs) in the ProjectA resource group, you can attach the AliyunVPCReadOnlyAccess policy to the RAM user at the ProjectA resource group level.

  • Example 2: If you want a RAM user to view all resources in all resource groups within the current account, you can attach the system policy ReadOnlyAccess to the RAM user at the account level.

Policies for managing resource group-based authorization

If you want a RAM user to manage permissions granted based on a resource group (such as viewing, granting, and revoking permissions based on the resource group) on the Permissions tab of the details page of the resource group, you can attach the following policy to the RAM user. This policy is applicable to RAM permission administrators.

Important

In the following policy, ram:AttachPolicy, ram:DetachPolicy, and ram:ListPolicyAttachments are specified in the Action element, and * is specified in the Resource element. This indicates that the RAM identity to which the policy is attached can be used to view, revoke, and grant permissions to any RAM identity within any resource group scope or account scope. These operations are high-risk operations. Proceed with caution when you attach the policy.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:AttachPolicy",
        "ram:DetachPolicy",
        "ram:ListPolicyAttachments",
        "ram:ListPolicies",
        "ram:ListUsers",
        "ram:ListGroups",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
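Before attaching any of the three policies above, it is worth checking what their wildcard Action patterns actually expand to, because "ram:*ResourceGroup*" permits far more than viewing, and the two Important notes warn that ram:TagResources and ram:AttachPolicy on Resource "*" reach every RAM identity in the account. The following script is an added example, not tooling from Alibaba Cloud or from this page. It transcribes the three policy documents, evaluates a requested action against them, and lists the sensitive actions each policy grants on Resource "*". It assumes that Action and Resource matching is case-insensitive with "*" as the only wildcard (the only one these policies use), that anything not explicitly allowed is denied, and it ignores Deny statements, Condition blocks and the scope (account or resource group) at which a policy is attached. The resource ARN, the probe actions and the SENSITIVE_ACTIONS list are constructed for the example.

```python
"""Check what the resource-group policies on this page actually permit.

Added example, not Alibaba Cloud's own tooling. Assumptions: an Allow
statement whose Action pattern matches the requested action and whose
Resource pattern matches the requested resource permits the call; all
else is denied; matching is case-insensitive with '*' as a wildcard.
Deny statements, Condition blocks and attachment scope are ignored.
"""
import fnmatch

# The three policy documents from this page, transcribed verbatim.
RESOURCE_GROUP_ADMIN = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:*ResourceGroup*", "ram:*AssociatedTransfer*",
               "ram:LookupResourceGroupEvents",
               "resourcemanager:*ResourceGroup*", "resourcemanager:*AutoGrouping*",
               "ram:TagResources", "ram:UntagResources", "ram:ListTagResources"],
    "Resource": "*"}]}
RESOURCE_GROUP_READ_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:GetResourceGroup*", "ram:ListResourceGroup*",
               "ram:ListAssociatedTransferSetting", "ram:LookupResourceGroupEvents",
               "resourcemanager:GetResourceGroup*", "resourcemanager:ListResourceGroup*",
               "resourcemanager:GetAutoGrouping*", "resourcemanager:ListAutoGrouping*",
               "ram:ListTagResources"],
    "Resource": "*"}]}
RESOURCE_GROUP_AUTHZ_ADMIN = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:AttachPolicy", "ram:DetachPolicy", "ram:ListPolicyAttachments",
               "ram:ListPolicies", "ram:ListUsers", "ram:ListGroups", "ram:ListRoles"],
    "Resource": "*"}]}

# Constructed example target. The page's policies all use Resource "*", so
# any value matches; a real check would pass the ARN of the target resource.
EXAMPLE_RESOURCE = "acs:ram::123456789012****:user/alice"

# Actions the page's Important notes single out as high-risk when granted on
# Resource "*" (constructed list for this example).
SENSITIVE_ACTIONS = ("ram:AttachPolicy", "ram:DetachPolicy",
                     "ram:TagResources", "ram:UntagResources",
                     "ram:DeleteResourceGroup")


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Assumed RAM wildcard semantics: case-insensitive, '*' matches any run."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy, action, resource=EXAMPLE_RESOURCE):
    """True if some Allow statement covers both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_matches(a, action) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False  # default deny


def allowed_actions(policy, candidates):
    """Subset of candidate actions the policy permits, in input order."""
    return [a for a in candidates if is_allowed(policy, a)]


def high_risk_grants(policy):
    """Sensitive actions reachable through an Allow statement on Resource "*".

    Wildcards are expanded against SENSITIVE_ACTIONS, so "ram:*ResourceGroup*"
    is reported as granting ram:DeleteResourceGroup, not hidden behind the glob.
    """
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for pattern in _as_list(stmt["Action"]):
            found.update(s for s in SENSITIVE_ACTIONS if _matches(pattern, s))
    return sorted(found)


if __name__ == "__main__":
    probes = ["ram:GetResourceGroup", "ram:DeleteResourceGroup",
              "ram:TagResources", "ram:AttachPolicy", "ram:CreateUser"]
    for name, policy in [("admin", RESOURCE_GROUP_ADMIN),
                         ("read-only", RESOURCE_GROUP_READ_ONLY),
                         ("authz-admin", RESOURCE_GROUP_AUTHZ_ADMIN)]:
        print(f"{name:12} allows {allowed_actions(policy, probes)}")
        print(f"{'':12} high-risk on Resource '*': {high_risk_grants(policy)}")
```

Run as-is to see, for each policy, which probe actions it permits and which sensitive actions it grants account-wide. The read-only policy grants none of the sensitive actions, the administrator policy grants DeleteResourceGroup and the two tag operations, and the authorization policy grants AttachPolicy and DetachPolicy on every identity; that output is the concrete version of the two Important notes and is the kind of check to run against any custom policy before attaching it to a RAM user.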
