ApsaraDB for SelectDB:Use resource groups for fine-grained resource control

Last Updated:Apr 23, 2026

You can use resource groups with Resource Access Management (RAM) to isolate resources and implement fine-grained permission management within a single Alibaba Cloud account. This topic describes how ApsaraDB for SelectDB supports resource groups and outlines the steps for resource group-level authorization.

How it works

For example, you can create a separate resource group for each project and move that project's resources into it for centralized management. For more information, see What is a resource group?.

After you group resources, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, for a specific resource group. This restricts the RAM principal to managing only the resources within that group. For more information, see Resource grouping and authorization.

This authorization method offers the following benefits:

  • Fine-grained permissions: Ensures each identity receives only the permissions it needs, isolating resource management by project.

  • Scalability: When you add new resources, you only need to add them to the resource group. The RAM principal automatically gains permissions for these new resources, eliminating the need to re-grant permissions.

Grant resource group-level permissions to a RAM user

This section uses a RAM user to demonstrate how to grant permissions on ApsaraDB for SelectDB resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For instructions, see Create a RAM user.

  2. Create a resource group and transfer existing resources into it. For instructions, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer a resource to a resource group.

2. Grant resource group-level authorization

You can grant resource group-level authorization by using either of the following methods.

Method 1: Resource Management console

Grant permissions to a specific RAM user by using the permission management feature of resource groups. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.

  • On the Permissions tab, click Grant Permission.

  • In the Grant Permission panel, configure the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Policy: Select a system policy or a custom policy. For more information about how to create a custom policy, see Create a custom permission policy.

  • Click OK.

Method 2: RAM console

Grant resource group-level authorization to a specific RAM user in the RAM console. For more information, see Manage RAM user permissions.

  • Log on to the RAM console with your Alibaba Cloud account or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Grant Permission in the Actions column.

  • In the Grant Permission panel, grant permissions to the RAM user.

    • Resource Scope: Select Resource Group.

    • Principal: Select an existing RAM user or the one created in the prerequisites.

    • Policy: Select a system policy or a custom policy. For more information about how to create a custom policy, see Create a custom permission policy.

  • Click OK.

Resource types that support resource groups

The following table lists the ApsaraDB for SelectDB resource type that supports resource groups.

Cloud service            Service code   Type
ApsaraDB for SelectDB    selectdb       dbinstance: instance

Note

For resource types that are not yet supported, you can submit feedback in the Resource Management console.

Actions without resource group support

The following table lists the ApsaraDB for SelectDB Actions that do not support resource group-level authorization.

Action                                          Description
selectdb:ApplyDBInstanceConfigPattern           -
selectdb:CancelActiveOperationTasks             -
selectdb:CheckCreateCluster                     -
selectdb:CheckCreateDBInstance                  Performs a precheck before creating an ApsaraDB for SelectDB instance.
selectdb:CheckModifyCluster                     -
selectdb:CheckServiceLinkedRole                 Checks for a service-linked role.
selectdb:CompareDBClusterConfig                 -
selectdb:CopyDBClusterConfig                    -
selectdb:CreateDBInstance                       Creates an ApsaraDB for SelectDB instance.
selectdb:CreateOrUpdateBackupPolicy             -
selectdb:CreateOrder                            -
selectdb:CreateServiceLinkedRoleForSelectDB     Creates a service-linked role.
selectdb:CreateVirtualCluster                   Creates a virtual cluster.
selectdb:DeleteBackupPolicy                     -
selectdb:DeleteUdfPackage                       -
selectdb:DeleteUdfPackages                      -
selectdb:DeleteVirtualCluster                   Deletes a virtual cluster.
selectdb:DescribeActiveOperationMaintainConf    -
selectdb:DescribeActiveOperationTasks           -
selectdb:DescribeAllDBInstanceClass             Retrieves the specifications of all instances.
selectdb:DescribeBackupPolicy                   -
selectdb:DescribeBackupSets                     -
selectdb:DescribeBackupTasks                    -
selectdb:DescribeDBInstanceMetadata             -
selectdb:DescribeHistoryEvents                  -
selectdb:DescribeHistoryEventsStat              -
selectdb:DescribePlugins                        -
selectdb:DescribeRegions                        Retrieves information about available regions and zones.
selectdb:DescribeUdfPackages                    -
selectdb:DescribeVSwitches                      -
selectdb:DescribeZones                          -
selectdb:GenerateUploadSignature                -
selectdb:InstallPlugin                          -
selectdb:InstallPlugins                         -
selectdb:ListBackupHistoryTasks                 -
selectdb:ListRestoreHistoryTasks                -
selectdb:ModifyActiveOperationMaintainConf      -
selectdb:ModifyActiveOperationTasks             -
selectdb:ModifyDBInstancePayType                -
selectdb:ModifyVirtualCluster                   Modifies a virtual cluster.
selectdb:RestoreFromBackupSet                   -
selectdb:UninstallPlugin                        -

For Actions that do not support resource group-level authorization, selecting Resource Group as the resource scope has no effect. If a RAM user still requires permissions for these Actions, you must create a custom policy and select Account as the resource scope.

The following examples show two custom policies, which you can modify as needed.

  • Allow all read-only Actions that do not support resource group-level authorization: The policy's Action element lists all such Actions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "selectdb:CheckCreateCluster",
            "selectdb:CheckCreateDBInstance",
            "selectdb:CheckModifyCluster",
            "selectdb:CheckServiceLinkedRole",
            "selectdb:DescribeActiveOperationMaintainConf",
            "selectdb:DescribeActiveOperationTasks",
            "selectdb:DescribeAllDBInstanceClass",
            "selectdb:DescribeBackupPolicy",
            "selectdb:DescribeBackupSets",
            "selectdb:DescribeBackupTasks",
            "selectdb:DescribeDBInstanceMetadata",
            "selectdb:DescribeHistoryEvents",
            "selectdb:DescribeHistoryEventsStat",
            "selectdb:DescribePlugins",
            "selectdb:DescribeRegions",
            "selectdb:DescribeUdfPackages",
            "selectdb:DescribeVSwitches",
            "selectdb:DescribeZones",
            "selectdb:ListBackupHistoryTasks",
            "selectdb:ListRestoreHistoryTasks"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allow all Actions that do not support resource group-level authorization: The policy's Action element lists all such Actions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "selectdb:ApplyDBInstanceConfigPattern",
            "selectdb:CancelActiveOperationTasks",
            "selectdb:CheckCreateCluster",
            "selectdb:CheckCreateDBInstance",
            "selectdb:CheckModifyCluster",
            "selectdb:CheckServiceLinkedRole",
            "selectdb:CompareDBClusterConfig",
            "selectdb:CopyDBClusterConfig",
            "selectdb:CreateDBInstance",
            "selectdb:CreateOrUpdateBackupPolicy",
            "selectdb:CreateOrder",
            "selectdb:CreateServiceLinkedRoleForSelectDB",
            "selectdb:CreateVirtualCluster",
            "selectdb:DeleteBackupPolicy",
            "selectdb:DeleteUdfPackage",
            "selectdb:DeleteUdfPackages",
            "selectdb:DeleteVirtualCluster",
            "selectdb:DescribeActiveOperationMaintainConf",
            "selectdb:DescribeActiveOperationTasks",
            "selectdb:DescribeAllDBInstanceClass",
            "selectdb:DescribeBackupPolicy",
            "selectdb:DescribeBackupSets",
            "selectdb:DescribeBackupTasks",
            "selectdb:DescribeDBInstanceMetadata",
            "selectdb:DescribeHistoryEvents",
            "selectdb:DescribeHistoryEventsStat",
            "selectdb:DescribePlugins",
            "selectdb:DescribeRegions",
            "selectdb:DescribeUdfPackages",
            "selectdb:DescribeVSwitches",
            "selectdb:DescribeZones",
            "selectdb:GenerateUploadSignature",
            "selectdb:InstallPlugin",
            "selectdb:InstallPlugins",
            "selectdb:ListBackupHistoryTasks",
            "selectdb:ListRestoreHistoryTasks",
            "selectdb:ModifyActiveOperationMaintainConf",
            "selectdb:ModifyActiveOperationTasks",
            "selectdb:ModifyDBInstancePayType",
            "selectdb:ModifyVirtualCluster",
            "selectdb:RestoreFromBackupSet",
            "selectdb:UninstallPlugin"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can manage all resources in the account. Grant these broad permissions with caution, and always follow the principle of least privilege.
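The table of unsupported Actions and the two sample policies above are easy to get wrong by hand: an Action from the table granted at resource-group scope silently does nothing, and an Action that does support resource groups granted at account scope is wider than it needs to be. The following linter is an added example written for this page; it is not code from Alibaba Cloud or the ApsaraDB for SelectDB documentation. It embeds the Action list from the table, classifies Check*/Describe*/List* Actions as read-only (a convention chosen for this example, which reproduces the page's first sample policy exactly), and reports, for a policy about to be attached at a given Resource Scope, which Actions would be ineffective, which could be narrowed, and which are wildcards. The sample policy is constructed, and the Action selectdb:DescribeDBInstances in it is assumed to support resource groups only because it is absent from the table; verify that against the RAM console before relying on it.

```python
"""Lint a RAM policy for ApsaraDB for SelectDB before choosing its Resource Scope.

Added example for this page, not Alibaba Cloud code. The Action names come from
the page's table "Actions without resource group support"; the sample policy is
constructed here.
"""
import json

# Actions the page lists as NOT supporting resource group-level authorization.
# Selecting Resource Scope = Resource Group for them has no effect; they need a
# custom policy attached with Resource Scope = Account.
NO_RESOURCE_GROUP_SUPPORT = frozenset(
    "selectdb:" + name
    for name in """
    ApplyDBInstanceConfigPattern CancelActiveOperationTasks CheckCreateCluster
    CheckCreateDBInstance CheckModifyCluster CheckServiceLinkedRole
    CompareDBClusterConfig CopyDBClusterConfig CreateDBInstance
    CreateOrUpdateBackupPolicy CreateOrder CreateServiceLinkedRoleForSelectDB
    CreateVirtualCluster DeleteBackupPolicy DeleteUdfPackage DeleteUdfPackages
    DeleteVirtualCluster DescribeActiveOperationMaintainConf
    DescribeActiveOperationTasks DescribeAllDBInstanceClass DescribeBackupPolicy
    DescribeBackupSets DescribeBackupTasks DescribeDBInstanceMetadata
    DescribeHistoryEvents DescribeHistoryEventsStat DescribePlugins
    DescribeRegions DescribeUdfPackages DescribeVSwitches DescribeZones
    GenerateUploadSignature InstallPlugin InstallPlugins ListBackupHistoryTasks
    ListRestoreHistoryTasks ModifyActiveOperationMaintainConf
    ModifyActiveOperationTasks ModifyDBInstancePayType ModifyVirtualCluster
    RestoreFromBackupSet UninstallPlugin
    """.split()
)

# Read-only convention used by this example: Check*/Describe*/List* only read state.
READ_ONLY_PREFIXES = ("selectdb:Check", "selectdb:Describe", "selectdb:List")


def read_only_unsupported_actions():
    """The read-only subset of the table, i.e. the Action list of the page's first sample policy."""
    return sorted(a for a in NO_RESOURCE_GROUP_SUPPORT if a.startswith(READ_ONLY_PREFIXES))


def _actions_of(statement):
    """RAM allows Action to be a single string or a list; normalise to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def audit_policy(policy_json, resource_scope):
    """Return (action, message) findings for a policy attached at resource_scope.

    resource_scope is "ResourceGroup" or "Account", the two choices offered in
    the RAM console's Grant Permission panel.
    """
    if resource_scope not in ("ResourceGroup", "Account"):
        raise ValueError("resource_scope must be 'ResourceGroup' or 'Account'")
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access; nothing to flag
        for action in _actions_of(stmt):
            if "*" in action:
                # selectdb:* or * sweeps in every Action, write Actions included
                findings.append((action, "wildcard Action; enumerate the Actions instead"))
            elif not action.startswith("selectdb:"):
                continue  # other services are outside this check
            elif resource_scope == "ResourceGroup" and action in NO_RESOURCE_GROUP_SUPPORT:
                findings.append((action, "no effect at resource-group scope; grant at account scope"))
            elif resource_scope == "Account" and action not in NO_RESOURCE_GROUP_SUPPORT:
                findings.append((action, "supports resource groups; grant at resource-group scope instead"))
            elif resource_scope == "Account" and not action.startswith(READ_ONLY_PREFIXES):
                findings.append((action, "write Action at account scope; confirm it is required"))
    return findings


# Constructed sample policy that someone intends to attach at resource-group scope.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "selectdb:DescribeDBInstances",  # assumed to support resource groups (not in the table)
            "selectdb:CreateDBInstance",     # in the table: ineffective at resource-group scope
            "selectdb:DescribeRegions",      # in the table, read-only
        ],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for scope in ("ResourceGroup", "Account"):
        print(f"Resource Scope = {scope}")
        for action, message in audit_policy(SAMPLE_POLICY, scope):
            print(f"  {action}: {message}")
```

Run it against a policy twice, once per Resource Scope, and split the policy along the findings: the Actions flagged at resource-group scope go into the account-scope custom policy, everything else stays at resource-group scope, and the write Actions flagged at account scope are the ones to justify against the Important note above.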

FAQ

How to view a resource's group?

  • Method 1: Click the resource name to open its details page, which displays its resource group.

  • Method 2: Log on to the Resource Management console. Choose Resource Center > Resource Search. In the left-side navigation pane, select the account to which the resource belongs (the Current account is selected by default). Use the filter conditions to locate the resource and view its resource group.

How to view a product's resources in a resource group?

  • Method 1: Log on to the Resource Management console. Navigate to Resource Center > Resource Search. In the left navigation pane, under the account to which the resources belong (the Current account is selected by default), click the target resource group. On the right, select the product from the Select Resource Type drop-down list to view all its resources in that group.

  • Method 2: Log on to the Resource Management console. Choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all its resources in that group.

How to move multiple resources to another resource group?

Log on to the Resource Management console. Choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, use the filters to locate the desired resources. Select their checkboxes, click Transfer Resources at the bottom, and follow the on-screen instructions.