This topic describes how to manage ActionTrail permissions of Resource Access Management (RAM) users. You can create custom policies and attach them to the RAM users. Then, the RAM users can log on to the ActionTrail console and perform related operations.

Background information

  • Before you manage ActionTrail permissions of RAM users, take note of the following system policies:
    • AliyunActionTrailFullAccess: grants a RAM user the permissions to manage ActionTrail resources.
    • AliyunActionTrailReadOnlyAccess: grants read-only permissions on ActionTrail resources.

    If the system policies cannot meet your business requirements, you can create custom policies.

  • Before you manage ActionTrail permissions of RAM users, take note of the ActionTrail permissions. For more information, see RAM account authentication.

Procedure

  1. Create a RAM user.
    For more information, see Create a RAM user.
  2. Create a custom policy.
    For more information, see Create a custom policy and Policy example.
  3. Attach the policy to a RAM user.
    For more information, see Grant permissions to a RAM user.

Policy example

Grant read-only permissions on ActionTrail resources to a RAM user and allow the RAM user to access ActionTrail only from source IP addresses in the CIDR block 42.120.XX.X/24.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "actiontrail:Lookup*",
                "actiontrail:Describe*",
                "actiontrail:Get*",
                "actiontrail:Check*",
                "actiontrail:List*"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "42.120.XX.X/24"
                }
            }
        }
    ]
}
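
Before you attach a custom policy like the one above, you can check that it really is read-only and bound to a narrow source range. The following Python checker is an added example, not part of the ActionTrail documentation or tooling. The names audit_policy, make_policy and max_addresses, the 256-address threshold, and the sample CIDR 203.0.113.0/24 are assumptions made for illustration.

```python
import ipaddress
import json

# Read-only action prefixes used by the policy example on this page.
READ_ONLY_PREFIXES = ("lookup", "describe", "get", "check", "list")

def as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]

def audit_policy(document, max_addresses=256):
    """Return findings for a policy meant to be read-only and bound to source IPs."""
    findings = []
    for idx, stmt in enumerate(as_list(json.loads(document).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        for action in as_list(stmt.get("Action", [])):
            # Compared case-insensitively by this checker (assumption).
            service, _, name = action.lower().partition(":")
            if service != "actiontrail" or not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {idx}: {action} is not a read-only ActionTrail action")
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
        if not cidrs:
            findings.append(f"statement {idx}: no IpAddress/acs:SourceIp condition")
            continue
        for cidr in as_list(cidrs):
            try:
                network = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"statement {idx}: {cidr} is not a valid address or CIDR block")
                continue
            if network.num_addresses > max_addresses:
                findings.append(f"statement {idx}: {cidr} allows {network.num_addresses} addresses")
    return findings

# Constructed sample policies; 203.0.113.0/24 is a documentation range standing in
# for the masked address on this page.
READ_ONLY = ["actiontrail:Lookup*", "actiontrail:Describe*", "actiontrail:Get*",
             "actiontrail:Check*", "actiontrail:List*"]

def make_policy(actions, source_ip=None):
    """Build a one-statement policy document shaped like the example on this page."""
    stmt = {"Effect": "Allow", "Action": actions, "Resource": "*"}
    if source_ip:
        stmt["Condition"] = {"IpAddress": {"acs:SourceIp": source_ip}}
    return json.dumps({"Version": "1", "Statement": [stmt]})

if __name__ == "__main__":
    for policy in (make_policy(READ_ONLY, "203.0.113.0/24"), make_policy(["actiontrail:*"])):
        print(audit_policy(policy))
```

The checker also reports the masked value 42.120.XX.X/24 as invalid, which catches a policy pasted from this page without the real CIDR block filled in.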