
Elastic Desktop Service:Manage cloud computers with resource-level policies

Last Updated: Jun 16, 2026

When multiple users share resources, you can grant them different permissions based on their roles and responsibilities to improve management efficiency and reduce the risk of data leaks. Resource-level policies let you control which cloud computer resources each RAM user can access and operate on.

Prerequisites

You have created a RAM user. For more information, see Create a RAM user.

Background information

  • Alibaba Cloud manages user permissions with policies. You can configure Resource Access Management (RAM) policies for different roles, create custom policies at the resource level, and attach them to a RAM user or user group. For more information, see Policy overview.

  • RAM supports action-level authorization, but resource-level policies provide finer-grained control over your cloud computer resources. For more information about RAM, see What is RAM?.

Limits

This feature is available only in the following regions:

  Region                | Region ID
  ----------------------|----------------
  China (Hangzhou)      | cn-hangzhou
  China (Shanghai)      | cn-shanghai
  China (Shenzhen)      | cn-shenzhen
  China (Beijing)       | cn-beijing
  Singapore             | ap-southeast-1
  Japan (Tokyo)         | ap-northeast-1
  Philippines (Manila)  | ap-southeast-6

Examples

The following scenarios demonstrate how to implement resource-level policies. Each scenario is listed with the permissions its policy grants.

  Scenario 1: You first create cloud computers and then configure a resource-level policy. For example, you create two cloud computers:

    • Cloud Computer 1: named desktop1.

    • Cloud Computer 2: named desktop2.

  Permissions: Allows a user to perform all operations on Cloud Computer 1 (desktop1) but denies all operations on Cloud Computer 2 (desktop2).

  Scenario 2: You first configure a resource-level policy and then create cloud computers.

  Permissions: Allows a user to create cloud computers only in a specific region, such as Shanghai, but denies the user from creating cloud computers in other regions, such as Hangzhou.

Scenario 1: Create cloud computers, then configure policy

  1. Create two cloud computers. For more information, see Create cloud computers.

    You can name the two cloud computers desktop1 and desktop2.

  2. Create a custom policy. For more information, see Create a custom policy.

    This custom policy allows a user to view, modify, and delete the cloud computer named desktop1 in the Elastic Desktop Service (EDS) console or by calling an API operation, but denies these operations on desktop2.

    The following code provides a sample policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecd:*",
          "Resource": "acs:ecd:cn-shanghai:128985087662****:ecddesktop/ecd-akk6qnr7cc9yq****"
        },
        {
          "Effect": "Deny",
          "Action": "ecd:*",
          "Resource": "acs:ecd:cn-shanghai:128985087662****:ecddesktop/ecd-3d3y5w4vd56a8****"
        },
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": [
            "acs:ecd:*:*:officesite/*",
            "acs:ecd:*:*:ecdpolicy/*",
            "acs:ecd:*:*:ecdimage/*",
            "acs:ecd:*:*:ecdbundle/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecd:DescribeRegions"
          ],
          "Resource": "*"
        }
      ]
    }

  3. Grant the custom policy to the RAM user whose access you want to control. For more information, see Manage RAM user permissions.

  4. In the Elastic Desktop Service (EDS) console or by calling an API operation, try to view, modify, and delete desktop1 and desktop2.

    You can view, modify, and delete desktop1, but cannot perform these operations on desktop2. Attempting these operations on desktop2 returns the error "User not authorized to operate on the specified resource."

Scenario 2: Configure policy, then create cloud computers

  1. Log on to the RAM console.

  2. Create a custom policy. For more information, see Create a custom policy.

    This custom policy allows a user to manage cloud computers (create, view, and delete) in the China (Shanghai) region in the Elastic Desktop Service (EDS) console or by calling an API operation, but denies these operations in the China (Hangzhou) region.

    The following code provides a sample policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecd:*",
          "Resource": "acs:ecd:cn-shanghai:128985087662****:*"
        },
        {
          "Effect": "Deny",
          "Action": "ecd:*",
          "Resource": "acs:ecd:cn-hangzhou:128985087662****:*"
        },
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": [
            "acs:ecd:*:*:officesite/*",
            "acs:ecd:*:*:ecdpolicy/*",
            "acs:ecd:*:*:ecdimage/*",
            "acs:ecd:*:*:ecdbundle/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecd:DescribeRegions"
          ],
          "Resource": "*"
        }
      ]
    }

  3. Grant the custom policy to the RAM user whose access you want to control. For more information, see Manage permissions for RAM users.

  4. Create a cloud computer in the Elastic Desktop Service (EDS) console or by calling an API operation.

    You can create, view, or delete cloud computers in the China (Shanghai) region, but cannot perform these operations in the China (Hangzhou) region. Attempting these operations in the China (Hangzhou) region returns the error "User not authorized to operate on the specified resource."
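To make the allow/deny outcomes of Scenario 1 and Scenario 2 concrete, the following is an added Python example (not code from this page or from Alibaba Cloud) that simulates the order in which RAM evaluates a policy: an explicit Deny that matches the request always wins, a matching Allow grants access, and a request that no statement matches is implicitly denied. It goes one step beyond the page by also checking a third cloud computer and a third region that the sample policies never mention. It assumes the EDS action names ecd:DescribeDesktops, ecd:DeleteDesktops, ecd:CreateDesktops and ecd:DescribeOfficeSites, constructs placeholder resource IDs for the requests, keeps the page's masked IDs exactly as printed (the "****" masking happens to act as a glob wildcard in this toy model), and models a single policy document with no Condition keys.

```python
"""Toy evaluator for the resource-level RAM policies shown on this page.

Added example, not Alibaba Cloud's authorization engine: it models only
Effect / Action / Resource matching for a single policy document. Real
RAM evaluation also considers Condition keys and every policy attached
to the user and to the user's groups.
"""
import fnmatch

# Masked account ID exactly as the page prints it. This toy evaluator treats
# "*" as a glob wildcard, so the masked policy strings match the equally
# masked request strings below; with real IDs both sides would be the full
# identifiers and no wildcard would be involved.
ACCOUNT = "128985087662****"

# Statements 3 and 4 are identical in both of the page's sample policies.
COMMON_STATEMENTS = [
    {"Action": "*", "Effect": "Allow", "Resource": [
        "acs:ecd:*:*:officesite/*", "acs:ecd:*:*:ecdpolicy/*",
        "acs:ecd:*:*:ecdimage/*", "acs:ecd:*:*:ecdbundle/*"]},
    {"Effect": "Allow", "Action": ["ecd:DescribeRegions"], "Resource": "*"},
]

# Scenario 1: allow everything on desktop1, deny everything on desktop2.
SCENARIO1_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecd:*",
     "Resource": f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-akk6qnr7cc9yq****"},
    {"Effect": "Deny", "Action": "ecd:*",
     "Resource": f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-3d3y5w4vd56a8****"},
] + COMMON_STATEMENTS}

# Scenario 2: allow all EDS actions in Shanghai, deny them in Hangzhou.
SCENARIO2_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecd:*", "Resource": f"acs:ecd:cn-shanghai:{ACCOUNT}:*"},
    {"Effect": "Deny", "Action": "ecd:*", "Resource": f"acs:ecd:cn-hangzhou:{ACCOUNT}:*"},
] + COMMON_STATEMENTS}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Glob semantics: "*" matches any run of characters, including ":" and "/".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def decide(policy, action, resource):
    """Return (decision, reason) for one request against one policy.

    Precedence, as in RAM: a matching explicit Deny wins over any Allow;
    otherwise a matching Allow grants access; otherwise the request is
    implicitly denied.
    """
    allow_hit = None
    for index, stmt in enumerate(policy["Statement"]):
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", f"explicit Deny in statement {index}"
        if allow_hit is None:
            allow_hit = index
    if allow_hit is not None:
        return "Allow", f"Allow in statement {allow_hit}"
    return "Deny", "implicit deny: no statement matched"


def evaluate(policy, action, resource):
    """Decision only: 'Allow' or 'Deny'."""
    return decide(policy, action, resource)[0]


# Constructed request resources for the walkthrough (placeholder IDs, not real).
DESKTOP1 = f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-akk6qnr7cc9yq****"
DESKTOP2 = f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-3d3y5w4vd56a8****"
DESKTOP3 = f"acs:ecd:cn-shanghai:{ACCOUNT}:ecddesktop/ecd-PLACEHOLDER-3"  # not named in the policy


def desktop_in(region):
    """Constructed placeholder resource for a cloud computer in a region."""
    return f"acs:ecd:{region}:{ACCOUNT}:ecddesktop/ecd-PLACEHOLDER-NEW"


if __name__ == "__main__":
    # Action names below are assumed from the EDS API; only DescribeRegions is on the page.
    checks = [
        ("Scenario 1", SCENARIO1_POLICY, "ecd:DescribeDesktops", DESKTOP1),
        ("Scenario 1", SCENARIO1_POLICY, "ecd:DeleteDesktops", DESKTOP2),
        ("Scenario 1", SCENARIO1_POLICY, "ecd:DescribeDesktops", DESKTOP3),
        ("Scenario 2", SCENARIO2_POLICY, "ecd:CreateDesktops", desktop_in("cn-shanghai")),
        ("Scenario 2", SCENARIO2_POLICY, "ecd:CreateDesktops", desktop_in("cn-hangzhou")),
        ("Scenario 2", SCENARIO2_POLICY, "ecd:CreateDesktops", desktop_in("cn-beijing")),
        ("Scenario 2", SCENARIO2_POLICY, "ecd:DescribeRegions", "*"),
    ]
    for label, policy, action, resource in checks:
        decision, reason = decide(policy, action, resource)
        print(f"{label}: {action} on {resource} -> {decision} ({reason})")
```

Running the script shows the two outcomes the page describes (desktop1 and Shanghai allowed, desktop2 and Hangzhou explicitly denied) and one it does not spell out: a third cloud computer or a third region such as Beijing is also denied, simply because no statement matches it. The explicit Deny statements therefore matter mainly when another policy attached to the same RAM user or user group would otherwise grant access, since a Deny overrides an Allow from any attached policy.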