Understand resource scoping in Vultr IAM. Resource scoping lets you grant permissions on specific resources instead of all resources within a service category.
Resource scoping is the ability to restrict a permission policy to specific resources rather than applying it broadly across an entire service. Without resource scoping, a policy that grants access to Object Storage applies to all subscriptions in your organization. With resource scoping, the same policy can be restricted to only specific subscriptions, giving you precise control over exactly which resources a user, group, or role can interact with.
Every permission policy in Vultr IAM has a resource field in its definition that determines the scope of the policy. This field accepts either:
- A wildcard (*): the policy applies to all resources of the targeted service and action. This is the default scope for Vultr-managed policies.
- One or more resource UUIDs: the policy applies only to the specified resources.
For example, a policy granting read and list access to Object Storage scoped to a specific UUID will allow the user to read and list that subscription only. All other subscriptions in the organization remain inaccessible to that user unless another policy explicitly grants access to them.
A permission policy in Vultr IAM operates across three layers simultaneously:
- Service (such as object-storage, compute, vke)
- Action (create, read, update, delete, list)
- Resource (the wildcard * or specific resources by UUID)
When creating or editing a custom permission policy in the Vultr Console, resource scoping is available directly in the visual policy builder. After selecting a service and defining actions, you can optionally specify resource UUIDs to scope the policy. If no UUID is provided, the policy applies broadly using the * wildcard.
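The three-layer matching described above can be modelled in a few lines to check what a scoped policy does and does not grant, and to list policies still left on the wildcard. This is an added example, not Vultr's code or policy schema: the field names, policy names and UUIDs are constructed, and it assumes access is the union of explicit grants with no deny rules.

```python
# Illustrative model only: field names are assumptions, not Vultr's policy schema.
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Policy:
    name: str
    service: str          # e.g. "object-storage"
    actions: frozenset    # subset of create/read/update/delete/list
    resources: frozenset  # {"*"} or a set of resource UUIDs


def policy_allows(policy, service, action, resource_uuid):
    """All three layers must match: service, action, and resource scope."""
    if policy.service != service or action not in policy.actions:
        return False
    return WILDCARD in policy.resources or resource_uuid in policy.resources


def is_allowed(policies, service, action, resource_uuid):
    """Access exists only if some attached policy explicitly grants it."""
    return any(policy_allows(p, service, action, resource_uuid) for p in policies)


def wildcard_policies(policies):
    """Least-privilege review: names of policies scoped to every resource."""
    return sorted(p.name for p in policies if WILDCARD in p.resources)


# Constructed sample data: two Object Storage subscriptions in one organization.
SUB_A = "11111111-1111-4111-8111-111111111111"
SUB_B = "22222222-2222-4222-8222-222222222222"

SCOPED = Policy("os-read-sub-a", "object-storage",
                frozenset({"read", "list"}), frozenset({SUB_A}))
BROAD = Policy("os-read-all", "object-storage",
               frozenset({"read", "list"}), frozenset({WILDCARD}))

if __name__ == "__main__":
    for uuid in (SUB_A, SUB_B):
        print(uuid,
              "scoped:", is_allowed([SCOPED], "object-storage", "read", uuid),
              "broad:", is_allowed([BROAD], "object-storage", "read", uuid))
    print("wildcard-scoped:", wildcard_policies([SCOPED, BROAD]))
```

Running it shows the scoped policy granting read on the first subscription only, while the wildcard policy grants it on both and is the one flagged for review.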