You can integrate resource groups with Resource Access Management (RAM) to isolate resources and apply fine-grained permissions within a single Alibaba Cloud account. This topic describes how Classic Load Balancer supports resource groups and how to grant permissions at the resource group level.
- Permissions granted at the resource group level apply only to resource types that support resource groups and to actions that support resource group-level authorization.
- For resource types that do not support resource groups, granting resource group-scoped permissions has no effect. In this case, you must grant permissions at the account level. For more information, see Actions that do not support resource group-level authorization.
How it works
You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create separate resource groups for different projects and move resources into them for centralized management. For more information, see What is a resource group?.
After organizing your resources, you can grant principals (such as RAM users, RAM user groups, or RAM roles) permissions scoped to a specific resource group. This ensures that the principal can manage only the resources within that group. For more information, see Resource grouping and authorization.
This approach provides the following benefits:
- Fine-grained permissions: Grant each identity only the necessary resource access to prevent resources from different projects from being managed together.
- Enhanced scalability: When you add new resources to a resource group, principals automatically gain permissions for them without requiring further authorization.
Grant resource group-level permissions to a RAM user
This section uses a RAM user as an example to show you how to grant permissions on Classic Load Balancer resources within a specific resource group.
1. Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move existing resources to it. For more information, see Create a resource group, Automatically move a resource to a resource group, and Manually move a resource to a resource group.
2. Grant resource group-level permissions
You can grant resource group-level permissions by using one of the following methods.
Method 1: Resource Management console
Grant permissions to a specific RAM user by using the permission management feature of a resource group. For more information, see Grant permissions on a resource group to a RAM identity.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.
- On the Manage Permissions tab, click Add Authorization.
- In the Add Authorization pane, configure the principal and policy.
  - Principal: Select an existing RAM user.
  - Policy: Select a system policy or a custom policy. To create a custom policy, see Create a custom policy.
- Click Confirm.
Method 2: RAM console
Grant resource group-level permissions to a RAM user in the RAM console. For more information, see Manage permissions for a RAM user.
- Log on to the RAM console with your Alibaba Cloud account or a RAM user that has administrative permissions.
- In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permission in the Actions column.
- In the Add Authorization pane, add permissions for the RAM user.
  - Resource Scope: Select Resource Group Level.
  - Principal: Select an existing RAM user or the RAM user that you created in the prerequisites.
  - Policy: Select a system policy or a custom policy. To create a custom policy, see Create a custom policy.
- Click Confirm.
Resource types that support resource groups
The following table lists the Classic Load Balancer resource types that support resource groups.
| Cloud service | Service code | Resource type |
| --- | --- | --- |
| Classic Load Balancer | slb | acl: access control list |
| Classic Load Balancer | slb | certificate: SSL certificate |
| Classic Load Balancer | slb | loadbalancer: load balancer |
If a required resource type is not supported, you can submit feedback in the Resource Management console.

Unsupported resource group actions
The following table lists the Classic Load Balancer actions that do not support resource group-level authorization.
| Actions | Description |
| --- | --- |
| slb:CancelOrder | - |
| slb:DescribeAvailableResource | - |
| slb:DescribeHighDefinationMonitor | Queries the configuration of high-definition monitoring in a specific region. |
| slb:DescribeIdleInstancesForGlobal | - |
| slb:DescribeLogsDownloadAttribute | - |
| slb:DescribeLogsDownloadStatus | - |
| slb:DescribeRegions | - |
| slb:DescribeZones | - |
| slb:DisableHighDefinationMonitor | - |
| slb:EnableHighDefinationMonitor | Enables high-definition monitoring for the current region. |
| slb:ListMonitorLogs | - |
| slb:ModifyHighDefinationMonitor | Modifies the configuration of high-definition monitoring. |
| slb:SetLogsDownloadAttribute | - |
| slb:SetLogsDownloadStatus | - |
| slb:UnTagResources | - |
| slb:describeLoadBalancerHTTPListenerAttribute | - |
| slb:describeservercertificates | - |
For actions that do not support resource group-level authorization, setting the resource scope to resource group level has no effect. If a RAM user needs these permissions, you must create a custom policy and set the resource scope to account level.
The following examples show two custom policies. You can adjust the policy content based on your requirements.
- Allows all read-only actions that do not support resource group-level authorization: these actions are listed in `Action`.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "slb:DescribeAvailableResource",
          "slb:DescribeHighDefinationMonitor",
          "slb:DescribeIdleInstancesForGlobal",
          "slb:DescribeLogsDownloadAttribute",
          "slb:DescribeLogsDownloadStatus",
          "slb:DescribeRegions",
          "slb:DescribeZones",
          "slb:ListMonitorLogs"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

- Allows all actions that do not support resource group-level authorization: The `Action` element lists all such actions.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "slb:CancelOrder",
          "slb:DescribeAvailableResource",
          "slb:DescribeHighDefinationMonitor",
          "slb:DescribeIdleInstancesForGlobal",
          "slb:DescribeLogsDownloadAttribute",
          "slb:DescribeLogsDownloadStatus",
          "slb:DescribeRegions",
          "slb:DescribeZones",
          "slb:DisableHighDefinationMonitor",
          "slb:EnableHighDefinationMonitor",
          "slb:ListMonitorLogs",
          "slb:ModifyHighDefinationMonitor",
          "slb:SetLogsDownloadAttribute",
          "slb:SetLogsDownloadStatus",
          "slb:UnTagResources",
          "slb:describeLoadBalancerHTTPListenerAttribute",
          "slb:describeservercertificates"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
A RAM user or RAM role with account-level permissions can operate on all resources in the account. To follow the principle of least privilege, grant these permissions with caution to ensure that the granted permissions meet your expectations.
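The following Python check is an added example, not part of the original documentation. It reports which `Action` entries of a custom policy fall in the table above, so you can see before attaching the policy at resource group scope which entries would have no effect there and need an account-level grant instead. The function name, the constructed sample policy, and the matching rules (case-insensitive, with `*` and `?` wildcards handled by `fnmatch`) are assumptions of this example.

```python
import fnmatch
import json

# Actions this page lists as not supporting resource group-level authorization.
ACCOUNT_LEVEL_ONLY = [
    "slb:CancelOrder", "slb:DescribeAvailableResource",
    "slb:DescribeHighDefinationMonitor", "slb:DescribeIdleInstancesForGlobal",
    "slb:DescribeLogsDownloadAttribute", "slb:DescribeLogsDownloadStatus",
    "slb:DescribeRegions", "slb:DescribeZones",
    "slb:DisableHighDefinationMonitor", "slb:EnableHighDefinationMonitor",
    "slb:ListMonitorLogs", "slb:ModifyHighDefinationMonitor",
    "slb:SetLogsDownloadAttribute", "slb:SetLogsDownloadStatus",
    "slb:UnTagResources", "slb:describeLoadBalancerHTTPListenerAttribute",
    "slb:describeservercertificates",
]

def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def account_level_only_actions(policy):
    """Map each Allow-statement action pattern to the listed actions it covers."""
    findings = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Assumption: compare case-insensitively so a differently cased
            # entry is still flagged; wildcards are expanded with fnmatch.
            hits = [a for a in ACCOUNT_LEVEL_ONLY
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if hits:
                findings[pattern] = hits
    return findings

# Constructed sample policy intended for attachment at resource group scope.
SAMPLE_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow",
                "Action": ["slb:Describe*", "slb:DescribeLoadBalancers",
                           "slb:UnTagResources"],
                "Resource": "*"}]}
""")

if __name__ == "__main__":
    for pattern, hits in account_level_only_actions(SAMPLE_POLICY).items():
        print(f"{pattern}: {len(hits)} action(s) need an account-level grant")
        for action in hits:
            print("   ", action)
```

A wildcard such as `slb:Describe*` is reported only for the listed actions it covers; actions it matches that do support resource group-level authorization are not shown.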
FAQ
How do I view the resource group of a resource?
- Method 1: Click the resource name to go to its details page. The resource group is displayed on this page.
- Method 2: Log on to the Resource Management console and choose . In the left-side pane, select the account to which the resource belongs (by default, Current Account is selected). Use the filter conditions to find the resource and view its resource group.
How do I view the resources of a product in a resource group?
- Method 1: Log on to the Resource Management console and choose . In the left-side pane, under the account to which the resource belongs (by default, Current Account is selected), click the target resource group name. In the right-side pane, select the product from the Select Resource Type drop-down list to view all of its resources in that resource group.
- Method 2: Log on to the Resource Management console and choose . Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all of its resources in that resource group.
How do I move resources to another resource group?
Log on to the Resource Management console and navigate to . In the row of the target resource group, click Manage Resources in the Actions column. On the Manage Resources page, use the filter conditions to find the resources you want to move. Then, select their checkboxes, click Transfer Resource Group at the bottom, and follow the on-screen instructions.