This topic explains how to configure resource groups to limit RAM user access to certain projects.
Background information
Within the Simple Log Service console, the ListProject API is used to display the project list. By default, if a user has the ListProject permission, all projects in the account are shown. To restrict RAM users to specific projects and prevent unauthorized projects from appearing in the list, you can configure permissions using resource groups.
The RAM permission policy model supports two authorization scopes: account authorization and resource group authorization.
Account authorization: Assigning specific policies to RAM users grants them permissions for resources that meet certain conditions. However, this method of authorization is inadequate when you need to restrict RAM users to viewing only certain projects within the Simple Log Service console. For more information, see Custom policies for Simple Log Service.
Resource group authorization: An Alibaba Cloud account includes a default resource group, and you can also create custom resource groups. By moving resources that support resource groups, such as Simple Log Service projects, to a specific resource group and selecting it as the authorization scope when assigning permissions to RAM users, you can restrict these users to viewing and managing only resources within that group. This effectively limits their access to specific projects in the Simple Log Service console.
Step 1: Create a resource group
Create a resource group by using an Alibaba Cloud account or a RAM identity (RAM user or RAM role) that has the permission to create resource groups.
For more information, see Create a resource group.
Step 2: Add the target project to the resource group
Add the target project to the resource group, or change the resource group that the project is currently associated with.
For more information, see Configure a resource group.
Step 3: Create a permission policy to view the project list
Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.
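Create a custom policy. On the JSON tab of the Create Policy page, replace the existing script in the code editor with the following policy document. For more information, see Create a custom policy on the JSON tab.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": "acs:log:*:*:project/*"
    }
  ]
}
This policy allows every Simple Log Service action (log:*) on every project, so the projects it actually applies to are determined by the resource group that you select as the authorization scope in Step 4.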
Step 4: Grant permissions to RAM users
For information about how to grant permissions to RAM users, see Grant permissions to RAM users.
Note
In the Grant Permission panel, set Resource Scope to ResourceGroup, and select the resource group you created in Step 1.

For Policy, select the custom policy you created in Step 3.
Step 5: View the specified project
Log on to the Simple Log Service console as the RAM user that you granted permissions to in Step 4.
At the top of the page, select the resource group assigned to the RAM user in Step 4 to view the projects within that group.
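The following Python example is added here and is not part of the original documentation or Alibaba Cloud code. It is a simplified model of how the authorization scope chosen in Step 4 decides which projects the Step 3 policy makes visible, plus a check that flags the same policy attached at account scope; the project names, resource group IDs, region and account ID are constructed sample values, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Policy document from Step 3 of this page.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "acs:log:*:*:project/*"}]}

# Constructed inventory (made-up names): project -> resource group ID.
PROJECTS = {"app-logs": "rg-team-a", "audit-logs": "rg-default",
            "billing-logs": "rg-default"}

def _listify(value):
    return value if isinstance(value, list) else [value]

def policy_effect(policy, action, resource):
    """Return "Deny", "Allow" or None; an explicit Deny overrides any Allow."""
    effect = None
    for stmt in policy["Statement"]:
        hit = (any(fnmatchcase(action, a) for a in _listify(stmt["Action"])) and
               any(fnmatchcase(resource, r) for r in _listify(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"
        if hit:
            effect = "Allow"
    return effect

def visible_projects(attachments, projects, region="cn-hangzhou", account="123456789012"):
    """Projects the user can list. Each attachment is (policy, scope), where
    scope is "account" or the ID of the resource group chosen in Step 4."""
    visible = []
    for name, group in sorted(projects.items()):
        arn = f"acs:log:{region}:{account}:project/{name}"
        effects = [policy_effect(p, "log:ListProject", arn)
                   for p, scope in attachments if scope in ("account", group)]
        if "Allow" in effects and "Deny" not in effects:
            visible.append(name)
    return visible

def account_wide_wildcards(attachments):
    """Audit helper: indexes of account-scope attachments that allow log:*."""
    return [i for i, (p, scope) in enumerate(attachments) if scope == "account"
            and any(s["Effect"] == "Allow" and "log:*" in _listify(s["Action"])
                    for s in p["Statement"])]

if __name__ == "__main__":
    print(visible_projects([(POLICY, "rg-team-a")], PROJECTS))  # resource group scope
    print(visible_projects([(POLICY, "account")], PROJECTS))    # account scope
```

Running the audit helper over an export of a RAM user's attachments shows where the Step 3 policy was granted with the account as its scope instead of a resource group, which would expose every project.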
