
Server Load Balancer: Use resource groups for fine-grained resource control

Last Updated: Apr 23, 2026

You can use resource groups to manage resources and integrate with Resource Access Management (RAM) to enforce resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic identifies which Network Load Balancer resources support resource groups and explains how to grant permissions at the resource group level.

How resource group-based authorization works

You can use resource groups to organize and manage resources within your Alibaba Cloud account. For example, you can create a dedicated resource group for each project and move all related resources into it to centralize management. For more information, see What is a resource group?

After organizing your resources, you can grant permissions to principals, such as RAM users, RAM user groups, or RAM roles, scoped to a specific resource group. This ensures that a principal can manage only the resources within that group. For more information, see Resource grouping and authorization.

This authorization method offers the following benefits:

  • Fine-grained permissions: You can grant each identity precise access to the resources it needs, preventing resources from different projects from being managed together under a single account.

  • Scalability: When you add new resources, simply move them to the designated resource group. Principals with access to that group automatically gain the corresponding permissions for the new resources without requiring further authorization.

Grant resource group-level permissions

This section provides an example of how to grant a RAM user permissions for Network Load Balancer resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and transfer existing resources into it. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant permissions at the resource group level

Grant resource-group-level permissions by using one of the following methods.

Method 1: Resource Management console

Grant permissions to a RAM user from the permission management page of a resource group. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log in to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.

  • On the Permission Management tab, click Add Permission.

  • In the Add Permission panel, configure the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Permission Policy: Select a System Policy or a Custom Policy that you have created. For more information, see Create a custom permission policy.

  • Click Confirm.

Method 2: RAM console

In the RAM console, grant permissions at the resource group level to a RAM user. For more information, see Manage RAM user permissions.

  • Log in to the RAM console with your Alibaba Cloud account or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, grant permissions to the RAM user.

    • Resource Scope: Select Resource Group Level.

    • Principal: Select an existing RAM user or the one created in the prerequisites.

    • Permission Policy: Select a System Policy or a Custom Policy that you have created. For more information, see Create a custom permission policy.

  • Click Confirm.

Resource types that support resource groups

The following table lists the Network Load Balancer resource types that support resource groups.

| Cloud service | Service code | Resource type |
| --- | --- | --- |
| Network Load Balancer | nlb | loadbalancer: instance |
| Network Load Balancer | nlb | securitypolicy: security policy |
| Network Load Balancer | nlb | servergroup: server group |

Note

For resource types that do not yet support resource groups, you can submit feedback in the Resource Management console.

Actions that do not support resource group authorization

The following Network Load Balancer actions do not support resource-group-level authorization:

| Action | Description |
| --- | --- |
| nlb:AssociateResources | - |
| nlb:DeleteHdMonitorRegionConfig | - |
| nlb:DescribeHdMonitorRegionConfig | Queries configurations for storing second-level monitoring data. |
| nlb:DescribeLoadBalancers | - |
| nlb:DescribeZones | - |
| nlb:GetJobStatus | Queries the execution results of an asynchronous Network Load Balancer task. |
| nlb:ListAsynJobs | Queries asynchronous task results in batches. |
| nlb:SetHdMonitorRegionConfig | Configures storage for second-level monitoring data. |
| nlb:UnTagResources | - |

For actions that do not support resource-group-level authorization, setting the resource scope to Resource Group Level has no effect. If a RAM user needs these permissions, you must create a custom policy and set the resource scope to Account Level.

The following examples show two custom policies. You can modify the policy content as needed.

  • Allows all read-only actions that do not support resource-group-level authorization. The Action element lists all such actions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "nlb:DescribeHdMonitorRegionConfig",
            "nlb:DescribeLoadBalancers",
            "nlb:DescribeZones",
            "nlb:GetJobStatus",
            "nlb:ListAsynJobs"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allows all actions that do not support resource-group-level authorization. The Action element lists all such actions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "nlb:AssociateResources",
            "nlb:DeleteHdMonitorRegionConfig",
            "nlb:DescribeHdMonitorRegionConfig",
            "nlb:DescribeLoadBalancers",
            "nlb:DescribeZones",
            "nlb:GetJobStatus",
            "nlb:ListAsynJobs",
            "nlb:SetHdMonitorRegionConfig",
            "nlb:UnTagResources"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can manage all resources in the account. To adhere to the principle of least privilege, grant these permissions cautiously and ensure they align with your intended access controls.
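The following added example (not part of the original documentation) checks a custom policy before it is attached at Resource Group Level: it reports which Action entries remain useful at that scope, which of the actions listed above it matches and therefore need an Account Level grant, and builds that second policy restricted to the read-only subset by default. The function names, the sample policy, the `nlb:CreateLoadBalancer` entry in it, and case-sensitive wildcard matching are assumptions of this example.

```python
import fnmatch

# Actions this page lists as not supporting resource-group-level authorization.
ACCOUNT_LEVEL_ONLY = [
    "nlb:AssociateResources", "nlb:DeleteHdMonitorRegionConfig",
    "nlb:DescribeHdMonitorRegionConfig", "nlb:DescribeLoadBalancers",
    "nlb:DescribeZones", "nlb:GetJobStatus", "nlb:ListAsynJobs",
    "nlb:SetHdMonitorRegionConfig", "nlb:UnTagResources",
]
# The subset that the page's read-only policy contains.
READ_ONLY = {
    "nlb:DescribeHdMonitorRegionConfig", "nlb:DescribeLoadBalancers",
    "nlb:DescribeZones", "nlb:GetJobStatus", "nlb:ListAsynJobs",
}

def split_by_scope(policy):
    """Return (rg_patterns, account_actions) for a policy's Allow statements.
    account_actions take effect only at Account Level; wildcards are matched
    case-sensitively, which is an assumption of this example."""
    rg_patterns, account_actions = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            hits = [a for a in ACCOUNT_LEVEL_ONLY if fnmatch.fnmatchcase(a, pattern)]
            account_actions.update(hits)
            # An exact listed action is pointless at Resource Group Level; drop it.
            if pattern not in ACCOUNT_LEVEL_ONLY and pattern not in rg_patterns:
                rg_patterns.append(pattern)
    return rg_patterns, sorted(account_actions)

def account_level_policy(actions, read_only=True):
    """Build the Account Level policy; by default keep only read-only actions."""
    kept = [a for a in actions if not read_only or a in READ_ONLY]
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": kept, "Resource": "*"}]}

# Constructed sample: a policy someone intends to attach at Resource Group Level.
SAMPLE = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["nlb:Describe*", "nlb:GetJobStatus", "nlb:UnTagResources",
               "nlb:CreateLoadBalancer"],
    "Resource": "*"}]}

if __name__ == "__main__":
    rg, acct = split_by_scope(SAMPLE)
    print(rg, acct, account_level_policy(acct), sep="\n")
```

Pass `read_only=False` only when the principal genuinely needs the write actions account-wide, because that grant is not confined to any resource group.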

FAQ

How do I find a resource's group?

  • Method 1: Click the resource name to open its details page, where the resource group is displayed.

  • Method 2: Log in to the Resource Management console and go to Resource Center > Resource Search. In the left-side navigation pane, select the resource's account (defaults to Current Account). Use the filters to find the target resource and view its resource group.

View resources by product and group

  • Method 1: Log in to the Resource Management console and go to Resource Center > Resource Search. In the left-side navigation pane, under the resource's account (defaults to Current Account), click the target resource group. In the right-side pane, select the product from the Select Resource Type list to view all its resources in that group.

  • Method 2: Log in to the Resource Management console and go to Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product dropdown list to view all its resources in that group.

Batch-move resources to another group

Log in to the Resource Management console and go to Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the next page, use the filters to locate the desired resources. Select their checkboxes, click Transfer Resource Group at the bottom, and follow the on-screen instructions.