When you use resource groups to manage resources, you can integrate with RAM to achieve resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes how Gateway Load Balancer supports resource groups and how to grant resource group-level permissions.
- Resource group-level authorization applies only to resource types that support resource groups and actions that support resource group-level authorization.
- For resource types that do not support resource groups, permissions granted at the resource group level are invalid. When you select the resource scope, you must select account-level to grant account-level permissions. For more information, see Actions that do not support resource group-level authorization.
How resource group authorization works
You can use a resource group to organize and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into the corresponding group for centralized management. For more information, see What is a resource group?
After you group your resources, you can grant permissions to different principals, such as RAM users, RAM user groups, or RAM roles, within the scope of a specific resource group. This restricts the principal to managing only the resources in that group. For more information, see Resource grouping and authorization.
This authorization method offers the following benefits:
- Fine-grained permissions: Ensures each principal gets the precise permissions it needs, preventing resources from different projects from being managed together within one account.
- Scalability: The RAM principal automatically gains the necessary permissions for new resources added to the group, eliminating the need to grant them again.
Grant resource group-level permissions
This section uses a RAM user as an example to demonstrate how to grant permissions on Gateway Load Balancer resources within a specific resource group.
1. Prerequisites
- Create the RAM user that you want to use. For more information, see Create a RAM user.
- Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.
2. Grant resource group-level permissions
You can grant resource group-level permissions using either of the following methods.
Method 1: Resource Management console
Use the permission management feature of a resource group to grant permissions to a RAM user. For detailed instructions, see Grant permissions on resources in a resource group to a RAM identity.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.
- On the Manage Permissions tab, click Add Permission.
- In the Add Permission panel, configure the principal and policy.
  - Principal: Select an existing RAM user.
  - Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom policy.
- Click OK.
Method 2: RAM console
Use the RAM console to grant resource group-level permissions to a RAM user. For detailed instructions, see Manage permissions for a RAM user.
- Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
  - Resource Scope: Select Resource Group Level.
  - Principal: Select the RAM user that you just created or another existing RAM user.
  - Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom policy.
- Click OK.
Resource types that support resource groups
Gateway Load Balancer supports resource groups for the following resource types.
| Cloud service | Cloud service code | Resource type |
|---|---|---|
| Gateway Load Balancer | gwlb | loadbalancer: load balancer |
| Gateway Load Balancer | gwlb | servergroup: server group |

For resource types that do not yet support resource groups, you can submit feedback in the Resource Management console.

Unsupported actions
In Gateway Load Balancer, the following actions do not support resource group-level authorization:
| Actions | Description |

For actions that do not support resource group-level authorization, selecting Resource Group Level as the resource scope has no effect. If a RAM user still needs permissions for these actions, you must create a custom policy and select Account Level as the resource scope when you grant permissions.
The following are two examples of custom policies. You can modify them based on your business requirements.
- Allow all read-only actions that do not support resource group-level authorization: List these actions in the Action element.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ ],
            "Resource": "*"
          }
        ]
      }

- Allow all actions that do not support resource group-level authorization: List these actions in the Action element.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ ],
            "Resource": "*"
          }
        ]
      }

A RAM user or RAM role with account-level permissions can operate on all resources in the account. Always follow the principle of least privilege and carefully review the permissions you grant to ensure they meet your expectations.
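One way to check a custom policy before granting it at Account Level, as an added example that is not from the original page: the function flags wildcard actions and any action that is not on your list of account-level-only actions. The action names and the `ACCOUNT_LEVEL_ONLY` set are placeholders (assumptions), because the table of unsupported actions above is empty in this copy.

```python
import json

# Placeholder action names (assumption): the page's table of actions that do
# not support resource group-level authorization is empty in this copy, so
# substitute the real entries from that table before use.
ACCOUNT_LEVEL_ONLY = {"gwlb:ExampleUnsupportedRead", "gwlb:ExampleUnsupportedWrite"}

def _as_list(value):
    """Policy elements may be a single string/object or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_account_level_policy(policy_json, account_level_only=ACCOUNT_LEVEL_ONLY):
    """Return (statement_index, finding, action) tuples for a policy that is
    about to be attached with Account Level as the resource scope."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        actions = _as_list(stmt.get("Action"))
        if not actions:
            findings.append((idx, "empty-action-list", None))
        for action in actions:
            if "*" in action:
                # A wildcard at account level covers every resource in the account.
                findings.append((idx, "wildcard", action))
            elif action not in account_level_only:
                # Not on the account-level-only list: review whether it
                # belongs in a resource group-level grant instead.
                findings.append((idx, "review-for-resource-group-scope", action))
    return findings

# Constructed sample policies in the page's policy format.
TEMPLATE = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": [], "Resource": "*"}]}'
NARROW = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["gwlb:ExampleUnsupportedRead"], "Resource": "*"}]})
BROAD = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["gwlb:*", "gwlb:ExampleGroupScopedAction"], "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("template", TEMPLATE), ("narrow", NARROW), ("broad", BROAD)):
        print(name, audit_account_level_policy(doc))
```

An empty result means every allowed action is on the account-level-only list; anything else is a prompt to move the action into a resource group-level grant or to justify the broader scope.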
FAQ
View a resource's group
- Method 1: Click the name of a resource to go to its details page. The resource group to which the resource belongs is displayed on the page.
- Method 2: Log on to the Resource Management console. Click . In the left-side navigation pane, select the account to which the target resource belongs (Current Account by default). Use the filter conditions to find the target resource and view the resource group to which it belongs.
View resources in a resource group
- Method 1: Log on to the Resource Management console. Click . In the left-side navigation pane, under the account to which the resource belongs (Current Account by default), click the name of the target resource group. Then, in the Select Resource Type drop-down list on the right, select the current product to view all its resources in the resource group.
- Method 2: Log on to the Resource Management console. Click . Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the current product from the Product drop-down list at the top to view all its resources in the resource group.
Move multiple resources to another group
Log on to the Resource Management console. Click . In the row of the target resource group, click Manage Resources in the Actions column to go to the resource management page. Use the filter conditions to find the target resources. Select the checkboxes for the resources that you want to move, click Transfer Resource Group, and then follow the on-screen instructions.