You can use resource groups with Resource Access Management (RAM) to implement resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes Tablestore's support for resource groups and explains how to grant permissions at the resource group level.
- Permissions granted at the resource group level apply only to resource types that support resource groups and to operations that support resource group-level authorization.
- For resource types that do not support resource groups, granting permissions at the resource group scope has no effect. In such cases, you must select the account level to grant account-level permissions. For more information, see Operations that do not support resource group-level authorization.
How resource group authorization works
You can use a resource group to manage resources within your Alibaba Cloud account. For example, you can create separate resource groups for different projects and move project-specific resources into their corresponding groups for centralized management. For more information, see What is a resource group?
After grouping your resources, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, scoped to a specific resource group. This ensures that the principal can only manage resources within that group. For more information, see Resource grouping and authorization.
This approach offers the following benefits:
- Fine-grained permissions: You can ensure that each identity has only the permissions it needs to access specific resources. This prevents resources from different projects from being managed together within the same account.
- Scalability: When you add new resources, you only need to add them to the resource group. The RAM identity automatically gains the corresponding permissions for the new resources without requiring you to grant permissions again.
Grant resource group permissions to a RAM user
This section shows how to grant permissions on Tablestore resources within a specific resource group, using a RAM user as an example.
Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.
Step 2: Grant resource group-level permissions
You can grant permissions at the resource group level by using one of the following methods.
Resource groups console
Grant permissions to a RAM user by using the permission management feature for the resource group. For detailed instructions, see Grant permissions on a resource group to a RAM identity.
1. Sign in to the Resource Groups console.
2. On the Resource Groups page, click Manage permissions in the Actions column for the target resource group.
3. On the Manage permissions tab, click Grant Permission.
4. In the Grant Permission panel, configure the Principal and permission policy.
   - Principal: Select an existing RAM user.
   - Policy: Select a system policy or a custom policy. For information about how to create a custom policy, see Create a custom permission policy.
5. Click OK.
RAM console
Grant permissions at the resource group level to a RAM user in the RAM console. For detailed instructions, see Manage RAM user permissions.
1. Sign in to the RAM console by using your Alibaba Cloud account (root account) or as a RAM administrator.
2. In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Grant Permission in the Actions column.
3. In the Grant Permission panel, grant permissions to the RAM user.
   - Resource scope: Select Resource group.
   - Principal: Select an existing RAM user or the RAM user that you created.
   - Policy: Select a system policy or a custom policy. For information about how to create a custom policy, see Create a custom permission policy.
4. Click OK.
Resource types that support resource groups
The following table lists the resource types in Tablestore that support resource groups.
| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| Tablestore | ots | instance |
If you need support for resource types that are currently unsupported by resource groups, you can submit feedback in the Resource Groups console.

Operations without resource group-level authorization
The following Tablestore actions do not support resource group-level authorization.
| Actions | Description |
| --- | --- |
| ots:CheckSLR | - |
| ots:CreateTimeseriesAnalyticalStore | - |
| ots:CreateTrigger | - |
| ots:DeleteIndex | - |
| ots:DeleteTags | - |
| ots:DeleteTrigger | - |
| ots:DescribeIndex | - |
| ots:GetOtsServiceStatus | - |
| ots:GetTrigger | - |
| ots:InsertTags | - |
| ots:ListClusterType | - |
| ots:ListInstances | - |
| ots:ListTags | - |
| ots:ListTrigger | - |
| ots:ListVpcInfoByVpc | - |
| ots:OpenOtsService | - |
| ots:TagResources | - |
| ots:UntagResources | - |
For operations that do not support resource group-level authorization, granting permissions with the Resource group scope has no effect. If you need a RAM user to have these permissions, you must create a custom permission policy and select Account as the resource scope when you grant the permissions.
The following examples show two custom permission policies. You can modify the policies based on your requirements.
- Allow all read-only operations that do not support resource group-level authorization: the Action element lists all read-only operations that do not support resource group-level authorization.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ots:DescribeIndex",
          "ots:GetOtsServiceStatus",
          "ots:GetTrigger",
          "ots:ListClusterType",
          "ots:ListInstances",
          "ots:ListTags",
          "ots:ListTrigger",
          "ots:ListVpcInfoByVpc"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

- Allow all operations that do not support resource group-level authorization: the Action element lists all operations that do not support resource group-level authorization.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ots:CheckSLR",
          "ots:CreateTimeseriesAnalyticalStore",
          "ots:CreateTrigger",
          "ots:DeleteIndex",
          "ots:DeleteTags",
          "ots:DeleteTrigger",
          "ots:DescribeIndex",
          "ots:GetOtsServiceStatus",
          "ots:GetTrigger",
          "ots:InsertTags",
          "ots:ListClusterType",
          "ots:ListInstances",
          "ots:ListTags",
          "ots:ListTrigger",
          "ots:ListVpcInfoByVpc",
          "ots:OpenOtsService",
          "ots:TagResources",
          "ots:UntagResources"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
A RAM user or RAM role with account-level permissions can operate on all resources within the account. Always follow the principle of least privilege and carefully verify that the granted permissions are as expected.
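The table of unsupported operations and the two policy examples leave one check to the policy author: any of those actions placed in a policy that is attached with the Resource group scope is silently ineffective, and the resulting gap is easy to miss. The following Python script is an added example, not code from this page or from Alibaba Cloud. It embeds the action list from the table, flags the actions in a custom policy document that would have no effect at resource group scope (a wildcard entry such as ots:List* is expanded against that list), and splits the policy into a resource-group-scoped part and an account-scoped part in the same shape as the two examples above. The sample policy, including the ots:GetRow and ots:PutRow entries, is constructed input, and using Python's fnmatch to approximate how RAM matches wildcard Action entries is an assumption.

```python
import fnmatch
import json

# Tablestore actions that do not support resource group-level authorization,
# copied from the table on this page. Keep this set in sync with that table.
NO_RESOURCE_GROUP_ACTIONS = frozenset({
    "ots:CheckSLR", "ots:CreateTimeseriesAnalyticalStore", "ots:CreateTrigger",
    "ots:DeleteIndex", "ots:DeleteTags", "ots:DeleteTrigger", "ots:DescribeIndex",
    "ots:GetOtsServiceStatus", "ots:GetTrigger", "ots:InsertTags",
    "ots:ListClusterType", "ots:ListInstances", "ots:ListTags", "ots:ListTrigger",
    "ots:ListVpcInfoByVpc", "ots:OpenOtsService", "ots:TagResources",
    "ots:UntagResources",
})


def _as_list(value):
    """RAM accepts a string or a list for Action; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def unsupported_matches(action_pattern):
    """Concrete actions from the table that one Action entry covers.
    Wildcard matching via fnmatch is an assumption about RAM's matching rules."""
    return sorted(a for a in NO_RESOURCE_GROUP_ACTIONS
                  if fnmatch.fnmatchcase(a, action_pattern))


def find_ineffective_actions(policy):
    """Actions an Allow policy would grant that have no effect if the policy is
    attached with the Resource group scope. Deny statements are not examined."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in unsupported_matches(pattern):
                if action not in found:
                    found.append(action)
    return found


def split_policy(policy):
    """Split an Allow policy into (resource_group_policy, account_policy).

    Exact actions from the table move to the account-scoped policy. A wildcard
    entry stays in the resource-group policy (it may also cover supported
    actions) and the unsupported actions it covers are listed explicitly in
    the account-scoped policy. Either result is None when it would be empty."""
    rg_actions, account_actions = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            matched = unsupported_matches(pattern)
            for action in matched:
                if action not in account_actions:
                    account_actions.append(action)
            if ("*" in pattern or not matched) and pattern not in rg_actions:
                rg_actions.append(pattern)

    def build(actions):
        if not actions:
            return None
        return {"Version": "1",
                "Statement": [{"Effect": "Allow", "Action": actions,
                               "Resource": "*"}]}

    return build(rg_actions), build(account_actions)


# Constructed sample input: a policy an author might intend to attach at
# resource group scope. ots:GetRow and ots:PutRow stand in for data-plane actions.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ots:GetRow", "ots:PutRow", "ots:List*", "ots:DescribeIndex"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print("ineffective at resource group scope:",
          find_ineffective_actions(SAMPLE_POLICY))
    rg_policy, account_policy = split_policy(SAMPLE_POLICY)
    print("attach with Resource group scope:\n", json.dumps(rg_policy, indent=2))
    print("attach with Account scope:\n", json.dumps(account_policy, indent=2))
```

Run the script before granting a policy at resource group scope: an empty result from find_ineffective_actions means every listed action can take effect there, while a non-empty result is the exact list that needs the account-scoped policy, which keeps that broader grant as small as the page's least-privilege note asks for.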
FAQ
How to view a resource's resource group?
- Method 1: Click the resource name to open its details page, where you can find its resource group.
- Method 2: Sign in to the Resource Management console and click . In the left-side pane, select the account to which the resource belongs. By default, Current Account is selected. Use the filter conditions to find the target resource and view its resource group.
How to find a product's resources in a resource group?
- Method 1: Sign in to the Resource Management console and click . In the left-side pane, under the account that owns the resources (by default, Current Account), click the name of the target resource group. On the right, select the product from the Select resource type list to view all of its resources in that resource group.
- Method 2: Sign in to the Resource Management console and click . Find the target resource group and click Manage resources in the Actions column. On the Manage resources page, select the product from the Product drop-down list to view all of its resources in that resource group.
How to batch-transfer resources to a different group?
Sign in to the Resource Management console and click . In the row of the target resource group, click Manage resources in the Actions column to open the resource management page. Use the filter conditions to find the target resources, select the checkboxes in the first column for the resources, and then click Transfer Resource Group. Follow the on-screen instructions to complete the transfer.