All Products
Search

This Product

    Smart Access Gateway:Use resource groups for fine-grained resource control

    Document Center

    Smart Access Gateway:Use resource groups for fine-grained resource control

    Last Updated:Apr 23, 2026

    Combining resource groups with RAM enables resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic explains how Smart Access Gateway supports resource groups and outlines how to grant permissions at the resource group level.

    Note

    How resource group authorization works

    You can use resource groups to group and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into the group. This allows you to centrally manage the resources of each project. For more information, see What is Resource Group.

    After grouping your resources, you can grant permissions to different RAM identities, such as RAM users, RAM user groups, and RAM roles. By scoping these permissions to a specific resource group, you ensure that an identity can manage only the resources within that group. For more information, see Resource grouping and authorization.

    This authorization method provides the following benefits:

    • Fine-grained permissions: You can ensure that each identity is granted the precise permissions required to access resources. This helps you avoid managing resources from multiple projects within a single account.

    • Scalability: When you add new resources later, you only need to place them in the appropriate resource group. The associated RAM identity automatically gains the necessary permissions for the new resources, eliminating the need for separate authorization.

    Grant a RAM user resource group-level permissions

    This topic describes how to grant a RAM user permissions for Smart Access Gateway resources in a specific resource group.

    1. Prerequisites

    1. Create a RAM user. For more information, see Create a RAM user.

    2. Create a resource group and move your resources to the target resource group. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.

    2. Grant resource group-level permissions

    Use one of the following methods to grant resource group-level permissions.

    Method 1: Resource Management Console

    Use the permission management feature of a resource group to grant permissions to a specific RAM user. For details, see Grant resource group-scoped permissions to a RAM identity.

    • Log on to the Resource Management console.

    • On the Resource Groups page, in the Actions column of the target resource group, click permission management.

    • On the permission management tab, click Add Authorization.

    • In the Add Authorization panel, configure the principal and policy.

      • Principal: Select an existing RAM user.

      • Policy: Select a system policy or a custom policy that you created. For more information, see Create a custom policy.

    • Click Confirm.

    Method 2: RAM Console

    Grant resource group-level permissions to a specific RAM user in the RAM console. For details, see Manage permissions for a RAM user.

    • Log on to the RAM console with your Alibaba Cloud account (main account) or as a RAM administrator.

    • In the left-side navigation pane, choose identity management > Users. On the Users page, in the Actions column of the target RAM user, click Add Permission.

    • In the Add Permission panel, configure permissions for the RAM user.

      • Resource Scope: Select Resource Group Level.

      • Principal: Select an existing RAM user or the RAM user that you created in the prerequisites.

      • Policy: Select a system policy or a custom policy that you created. For more information, see Create a custom policy.

    • Click Confirm.

    Supported resource types

    The following table lists the Smart Access Gateway resource types that support resource groups.

    Cloud service

    Cloud service code

    Type

    Smart Access Gateway

    smartag

    acl: access control

    Smart Access Gateway

    smartag

    ccn: Cloud Connect Network

    Smart Access Gateway

    smartag

    flowlog: flow log

    Smart Access Gateway

    smartag

    intelligentrouting: intelligent routing

    Smart Access Gateway

    smartag

    qos: quality of service

    Smart Access Gateway

    smartag

    smartag: instance

    Smart Access Gateway

    smartag

    smartag_s: Smart Access Gateway App
    Note

    You can submit feedback for resource types not yet supported by resource groups in the Resource Group Console.

    image

    Actions without resource group authorization

    The following Smart Access Gateway actions do not support resource group-level authorization:

    Actions

    Description

    smartag:ClearSagCipher

    Resets the device key for a Smart Access Gateway (VCPE).

    smartag:CreateApplicationBandwidthPackage

    -

    smartag:CreateEnterpriseCode

    Creates an enterprise code.

    smartag:CreateIntelligentRouting

    -

    smartag:CreateResellerInstance

    -

    smartag:CreateSagSoftwareAuditSubscription

    -

    smartag:CreateSmartAGForResellerInstance

    -

    smartag:DeleteEnterpriseCode

    Deletes an enterprise code.

    smartag:DeleteProbeTask

    -

    smartag:DeleteResellerInstance

    -

    smartag:DescribeGatewayIntelligentRoutings

    -

    smartag:DescribeGatewayQoses

    -

    smartag:DescribeGatewayValidIROutboundPorts

    -

    smartag:DescribeSAGDeviceARPInfo

    -

    smartag:DescribeSagDropTopN

    Queries the top 10 Smart Access Gateway instances with the highest packet loss rate in a specified region.

    smartag:DescribeSagOnlineClientStatistics

    Queries the online connection statistics for the current user's Smart Access Gateway app instances.

    smartag:DescribeSagRouteableAddress

    -

    smartag:DescribeSagTrafficTopN

    Queries the top 10 Smart Access Gateway instances with the highest traffic rate in a specified region.

    smartag:DescribeSmartAccessGatewayRoutes

    -

    smartag:DownloadSagAuditRecord

    -

    smartag:ExportSagAuditRecord

    -

    smartag:GetApPortalAttribute

    -

    smartag:GetApRadioAttribute

    -

    smartag:GetApplicationBandwidthPackageAttribute

    -

    smartag:GetBranchAttribute

    -

    smartag:GetBranchBasicNetworkAttribute

    -

    smartag:GetBranchDeviceCount

    -

    smartag:GetCloudConnectNetworkUseLimit

    Queries the maximum number of Cloud Connect Network instances that the current account can create in a specified region.

    smartag:GetDeviceAttribute

    -

    smartag:GetQosAttribute

    Queries the details of a QoS policy.

    smartag:GetSagAuditRecordDownLoadUrl

    -

    smartag:GetSmartAccessGatewayUseLimit

    Queries the number of Smart Access Gateway instances that you can purchase.

    smartag:GetTopology

    -

    smartag:ListAlarmRecordCounts

    -

    smartag:ListApMonitorDataTopN

    -

    smartag:ListApSsids

    -

    smartag:ListApplicationAccelerateRules

    -

    smartag:ListAuthenticationTemplate

    -

    smartag:ListAuthorizedBranch

    -

    smartag:ListBranchAlarmDataTopN

    -

    smartag:ListBranches

    -

    smartag:ListDevices

    -

    smartag:ListEnterpriseCode

    Queries information about enterprise codes.

    smartag:ListEventAlarmRecords

    -

    smartag:ListGatewayACLs

    -

    smartag:ListGatewayMonitorDataTopN

    -

    smartag:ListGatewayPorts

    -

    smartag:ListGatewayRouters

    -

    smartag:ListGatewayWifiRadio

    -

    smartag:ListGatewayWifiSsids

    -

    smartag:ListMonitorAlarmRecords

    -

    smartag:ListMonitorDataTopN

    -

    smartag:ListPPPOEProvidersAlarmData

    -

    smartag:ListProbeAlarmRecords

    -

    smartag:ListProbeTask

    Queries probe tasks.

    smartag:ListResellerInstances

    -

    smartag:ListSagAuditRecord

    -

    smartag:ListSagAuditRecordParam

    -

    smartag:ListSagAuditSubscription

    -

    smartag:ListSagSoftwareAuditRecord

    -

    smartag:ListSagSoftwareAuditRecordParam

    -

    smartag:ListSagSoftwareAuditSubscription

    -

    smartag:ListSmartAGByAccessPoint

    Queries information about Smart Access Gateway instances for a specified access point in a specified region.

    smartag:ListStationMonitorDataTopN

    -

    smartag:ListTerminalProbeAlarmRecords

    -

    smartag:ListUnsupportedFeatures

    -

    smartag:ModifyFlowLogAttribute

    Modifies the name and description of a flow log.

    smartag:ModifyQosCar

    Modifies a QoS rate-limiting rule.

    smartag:ModifyQosPolicy

    Modifies a QoS policy traffic classification rule.

    smartag:ModifySagGlobalRouteProtocol

    Modifies the global routing protocol.

    smartag:ModifySagPortRouteProtocol

    Modifies the port routing protocol.

    smartag:RemoveApSsid

    -

    smartag:ReserveSmartAG

    -

    smartag:UpdateEnterpriseCode

    Updates the properties of the specified enterprise code.

    smartag:UpdateResellerInstanceAttribute

    -

    smartag:ViewSmartAccessGatewayDeviceAttributes

    -

    For actions that do not support resource group-level authorization, granting permissions with the resource scope set to Resource Group Level has no effect. To grant a RAM user permissions for these actions, create a custom policy and set the resource scope to Account Level.

    image.pngThe following are two sample custom policies that you can modify to meet your needs.

    • Allows all read-only actions that do not support resource group-level authorization. The Action element lists all of these read-only actions.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "smartag:DescribeGatewayIntelligentRoutings",
        "smartag:DescribeGatewayQoses",
        "smartag:DescribeGatewayValidIROutboundPorts",
        "smartag:DescribeSAGDeviceARPInfo",
        "smartag:DescribeSagDropTopN",
        "smartag:DescribeSagOnlineClientStatistics",
        "smartag:DescribeSagRouteableAddress",
        "smartag:DescribeSagTrafficTopN",
        "smartag:DescribeSmartAccessGatewayRoutes",
        "smartag:GetApPortalAttribute",
        "smartag:GetApRadioAttribute",
        "smartag:GetApplicationBandwidthPackageAttribute",
        "smartag:GetBranchAttribute",
        "smartag:GetBranchBasicNetworkAttribute",
        "smartag:GetBranchDeviceCount",
        "smartag:GetCloudConnectNetworkUseLimit",
        "smartag:GetDeviceAttribute",
        "smartag:GetQosAttribute",
        "smartag:GetSagAuditRecordDownLoadUrl",
        "smartag:GetSmartAccessGatewayUseLimit",
        "smartag:GetTopology",
        "smartag:ListAlarmRecordCounts",
        "smartag:ListApMonitorDataTopN",
        "smartag:ListApSsids",
        "smartag:ListApplicationAccelerateRules",
        "smartag:ListAuthenticationTemplate",
        "smartag:ListAuthorizedBranch",
        "smartag:ListBranchAlarmDataTopN",
        "smartag:ListBranches",
        "smartag:ListDevices",
        "smartag:ListEnterpriseCode",
        "smartag:ListEventAlarmRecords",
        "smartag:ListGatewayACLs",
        "smartag:ListGatewayMonitorDataTopN",
        "smartag:ListGatewayPorts",
        "smartag:ListGatewayRouters",
        "smartag:ListGatewayWifiRadio",
        "smartag:ListGatewayWifiSsids",
        "smartag:ListMonitorAlarmRecords",
        "smartag:ListMonitorDataTopN",
        "smartag:ListPPPOEProvidersAlarmData",
        "smartag:ListProbeAlarmRecords",
        "smartag:ListProbeTask",
        "smartag:ListResellerInstances",
        "smartag:ListSagAuditRecord",
        "smartag:ListSagAuditRecordParam",
        "smartag:ListSagAuditSubscription",
        "smartag:ListSagSoftwareAuditRecord",
        "smartag:ListSagSoftwareAuditRecordParam",
        "smartag:ListSagSoftwareAuditSubscription",
        "smartag:ListSmartAGByAccessPoint",
        "smartag:ListStationMonitorDataTopN",
        "smartag:ListTerminalProbeAlarmRecords",
        "smartag:ListUnsupportedFeatures"
      ],
      "Resource": "*"
    }
  ]
}

    • Allows all actions that do not support resource group-level authorization. The Action element lists all of these actions.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "smartag:ClearSagCipher",
        "smartag:CreateApplicationBandwidthPackage",
        "smartag:CreateEnterpriseCode",
        "smartag:CreateIntelligentRouting",
        "smartag:CreateResellerInstance",
        "smartag:CreateSagSoftwareAuditSubscription",
        "smartag:CreateSmartAGForResellerInstance",
        "smartag:DeleteEnterpriseCode",
        "smartag:DeleteProbeTask",
        "smartag:DeleteResellerInstance",
        "smartag:DescribeGatewayIntelligentRoutings",
        "smartag:DescribeGatewayQoses",
        "smartag:DescribeGatewayValidIROutboundPorts",
        "smartag:DescribeSAGDeviceARPInfo",
        "smartag:DescribeSagDropTopN",
        "smartag:DescribeSagOnlineClientStatistics",
        "smartag:DescribeSagRouteableAddress",
        "smartag:DescribeSagTrafficTopN",
        "smartag:DescribeSmartAccessGatewayRoutes",
        "smartag:DownloadSagAuditRecord",
        "smartag:ExportSagAuditRecord",
        "smartag:GetApPortalAttribute",
        "smartag:GetApRadioAttribute",
        "smartag:GetApplicationBandwidthPackageAttribute",
        "smartag:GetBranchAttribute",
        "smartag:GetBranchBasicNetworkAttribute",
        "smartag:GetBranchDeviceCount",
        "smartag:GetCloudConnectNetworkUseLimit",
        "smartag:GetDeviceAttribute",
        "smartag:GetQosAttribute",
        "smartag:GetSagAuditRecordDownLoadUrl",
        "smartag:GetSmartAccessGatewayUseLimit",
        "smartag:GetTopology",
        "smartag:ListAlarmRecordCounts",
        "smartag:ListApMonitorDataTopN",
        "smartag:ListApSsids",
        "smartag:ListApplicationAccelerateRules",
        "smartag:ListAuthenticationTemplate",
        "smartag:ListAuthorizedBranch",
        "smartag:ListBranchAlarmDataTopN",
        "smartag:ListBranches",
        "smartag:ListDevices",
        "smartag:ListEnterpriseCode",
        "smartag:ListEventAlarmRecords",
        "smartag:ListGatewayACLs",
        "smartag:ListGatewayMonitorDataTopN",
        "smartag:ListGatewayPorts",
        "smartag:ListGatewayRouters",
        "smartag:ListGatewayWifiRadio",
        "smartag:ListGatewayWifiSsids",
        "smartag:ListMonitorAlarmRecords",
        "smartag:ListMonitorDataTopN",
        "smartag:ListPPPOEProvidersAlarmData",
        "smartag:ListProbeAlarmRecords",
        "smartag:ListProbeTask",
        "smartag:ListResellerInstances",
        "smartag:ListSagAuditRecord",
        "smartag:ListSagAuditRecordParam",
        "smartag:ListSagAuditSubscription",
        "smartag:ListSagSoftwareAuditRecord",
        "smartag:ListSagSoftwareAuditRecordParam",
        "smartag:ListSagSoftwareAuditSubscription",
        "smartag:ListSmartAGByAccessPoint",
        "smartag:ListStationMonitorDataTopN",
        "smartag:ListTerminalProbeAlarmRecords",
        "smartag:ListUnsupportedFeatures",
        "smartag:ModifyFlowLogAttribute",
        "smartag:ModifyQosCar",
        "smartag:ModifyQosPolicy",
        "smartag:ModifySagGlobalRouteProtocol",
        "smartag:ModifySagPortRouteProtocol",
        "smartag:RemoveApSsid",
        "smartag:ReserveSmartAG",
        "smartag:UpdateEnterpriseCode",
        "smartag:UpdateResellerInstanceAttribute",
        "smartag:ViewSmartAccessGatewayDeviceAttributes"
      ],
      "Resource": "*"
    }
  ]
}
    Important

    A RAM user or RAM role with account-level permissions can manage all relevant resources in the account. Always verify that the permissions you grant meet your requirements. We recommend granting permissions according to the principle of least privilege.

    FAQ

    Check a resource's resource group

    • Method 1: Click the resource name to open its details page. The page displays the resource group.

    • Method 2: Log on to the Resource Management console and navigate to resource center > resource search. On the left, select the account that owns the resource (which defaults to current account). Use the filters to find the target resource, and the search results show its resource group.

    View product resources in a resource group

    • Method 1: Log on to the Resource Management console and navigate to resource center > resource search. On the left, under the account section (which defaults to current account), click the name of the target resource group. On the right, select the desired product from the select resource type drop-down list to view all of its resources in the resource group.

    • Method 2: Log on to the Resource Management console, select Resource Group > Resource Group, find the target resource group and click Resource Management in its Actions column, and then on the Resource Management page, select the current product from the Product drop-down list to view all resources of that product in the resource group.

    Move multiple resources to another resource group

    Log on to the Resource Management console and navigate to resource group > resource group. Find the target resource group and click resource management in the Operations column. Use the filters to locate the target resources. Select the checkboxes in the first column for the resources to be moved, click Move Resource Group at the bottom, and then follow the on-screen instructions to complete the move.