AgentRun resource group workspace authorization for RAM users-Function Compute(FC)-阿里云帮助中心

Learn how resource groups and workspaces control access in AgentRun and configure RAM user permissions based on your business requirements.

Module authorization support

AgentRun supports fine-grained, resource-group-level authorization for the following modules: runtime, sandbox template, model, memory, knowledge base, credential, and workspace. Other modules, such as Agent templates, Super Agents, and Permissions and Services, support only account-level authorization.

The authorization level of the ListWorkspaces operation determines the display state of the resource group selector at the top of the page.

Module	Resource group support	Description
Runtime	Yes	Supports account-level or resource-group-level authorization
Sandbox template	Yes	Supports account-level or resource-group-level authorization
Model	Yes	Supports account-level or resource-group-level authorization
Memory	Yes	Supports account-level or resource-group-level authorization
Knowledge base	Yes	Supports account-level or resource-group-level authorization
Credential	Yes	Supports account-level or resource-group-level authorization
Workspace	Yes	Supports account-level or resource-group-level authorization
Agent template	No	Supports only account-level authorization
Super Agent	No	Supports only account-level authorization
Permissions and Services	No	Supports only account-level authorization

Resource group selector states

The ListWorkspaces authorization level controls the resource group selector display. Three states are possible.

State 1: ListWorkspaces is not authorized

Display:

The resource group selector shows "all account resources" (grayed out) and "No resource groups" (grayed out). Neither is clickable.
The workspace authorization status shows "Unauthorized."

Behavior:

For backward compatibility with legacy RAM users, all features remain functional:

All resources (runtimes, sandbox templates, etc.) can be viewed and edited regardless of workspace.
New resources created without a specified workspace go to the default workspace.

State 2: ListWorkspaces authorized at account level

Display:

The resource group selector displays all resource groups.
The "all account resources" option is displayed and clickable.

Behavior:

You can view data across all resource groups.
You can create and manage resources in any resource group.

State 3: ListWorkspaces authorized at resource group level

Display:

The resource group selector displays only authorized resource groups.
"All account resources" is grayed out.

Behavior:

Clicking "all account resources" shows "Unauthorized" status and a permission error on each page.
You can view and manage data only within authorized resource groups.

Common authorization scenarios

**Scenario 1: Full permissions (policy: *)**

Use cases: Both situations produce identical behavior:

A legacy RAM user (formerly atomic account) with full permissions (policy: *) at account level.
A new RAM user with account-level authorization for all operations (policy: *).

Expected behavior:

You have access to all pages without any errors.
The resource group selector displays "all account resources" and all resource groups, all clickable.
You can view and manage resources in all workspaces under the Alibaba Cloud account.
You can assign new resources to any workspace.

Scenario 2: Legacy custom permissions (without ListWorkspaces)

Use case: A legacy RAM user (formerly atomic account) has custom permissions that do not include the ListWorkspaces operation.

Expected behavior:

You have access to all pages without any errors.
The resource group selector shows "all account resources" (grayed out) and "No resource groups" (grayed out).
The workspace authorization status is "Unauthorized."
You can access all resources, including those in custom workspaces.
New resources are assigned to the default workspace.

Scenario 3: No permissions

Use case: A new RAM user with no permissions.

Expected behavior:

You can access the Agent template, Super Agent, and Permissions and Services pages.
Other pages display a "No Permission" error.
The resource group selector shows "all account resources" (grayed out) and "No resource groups" (grayed out).
The workspace authorization status is "Unauthorized."

Scenario 4: Fine-grained authorization

Use case: A new RAM user requires fine-grained permissions based on the principle of least privilege.

Recommended permission configuration:

Permission category	Authorization level	Description
Operations that do not support resource groups (such as operations related to Agent templates and Super Agents)	Account level
Other operations for runtimes, sandbox templates, models, memory, knowledge bases, credentials, and workspaces	Resource group level	Grant permissions only for specific resource groups.
ListWorkspaces	Resource group level	Grant permissions only for specific resource groups.

Expected behavior:

The resource group selector displays only authorized resource groups. "All account resources" is grayed out, and clicking it shows a permission error.
Within an authorized resource group, you can view and manage resources in all workspaces that belong to that resource group.

Variation: Granting account-level permissions for resource operations (runtimes, sandbox templates, models, memory, knowledge bases, credentials, workspaces) while keeping ListWorkspaces at resource-group level preserves the same page display. However, visible resources expand: within an authorized resource group, you see all account-wide resources, not just those belonging to it.

Scenario 5: Account-level visibility with resource-group management

Use case: A RAM user needs to see all resource groups but can only manage data in specific ones.

Permission configuration:

Permission category	Authorization level
Operations that do not support resource groups	Account level
Other operations for runtimes, sandbox templates, models, memory, knowledge bases, credentials, and workspaces	Resource group level (specific resource groups)
ListWorkspaces	Account level

Expected behavior:

The resource group selector displays all resource groups, all clickable.
Switching to an unauthorized resource group displays a permission error on pages like the runtime page.
Resources within authorized resource groups can be viewed and managed normally.

Scenario 6: Workspace-specific authorization

Use case: You need to control permissions at the specific workspace level.

Configuration: Based on Scenario 4, narrow the policy scope to a specific workspace by specifying its ARN.

Expected behavior:

The resource group selector displays only authorized resource groups.
In an authorized resource group, switching to an unauthorized workspace causes view, create, and update operations to fail.
All operations function as expected within an authorized workspace.

Notes

Legacy account compatibility: RAM users without the ListWorkspaces permission retain full feature access. Existing business operations are unaffected.
ListWorkspaces is critical: The ListWorkspaces authorization level (account or resource group) directly controls the resource group selector scope. This permission is central to resource group authorization.
Default assignment of new resources: Creating a resource in the combined "all account resources" and "all workspaces" view assigns it to the default workspace.
Workspace-level authorization: Specify the target workspace ARN in the RAM policy for workspace-level control.