This topic describes how to authorize RAM users to use ActionTrail resources by using system policies or custom policies.

Before you begin

  1. View the ActionTrail API actions and their descriptions. For more information, see RAM account authentication.
  2. View the RAM policy structure and syntax. For more information, see Policy structure and syntax.

Procedure

  1. Create a RAM user.

    For more information, see RAM users.

  2. Grant permission to the RAM user.
    • You can grant the required permissions to the RAM user by attaching one or more of the system policies listed in the ActionTrail-related system policies section below.

      For more information, see Permission granting in RAM.

    • You can grant fine-grained permissions to the RAM user by creating custom policies based on the authorization examples below.

      For more information, see Policy management.

ActionTrail-related system policies

The following table lists the system policies that are commonly used in ActionTrail.

Table 1. System policies

  System policy                      Description
  AliyunActionTrailFullAccess        Grants a RAM user full management permissions for ActionTrail resources.
  AliyunActionTrailReadOnlyAccess    Grants a RAM user read-only permission for ActionTrail resources.

Authorization examples

  • Example 1: As a RAM administrator, grant a user read-only permission.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "actiontrail:LookupEvents", 
                "actiontrail:Describe*", 
                "actiontrail:Get*"
            ],
            "Resource": "*"
        }]
    }
  • Example 2: As a RAM administrator, grant a user read-only permission when they log on from a specified IP address.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "actiontrail:LookupEvents", 
                "actiontrail:Describe*", 
                "actiontrail:Get*"
            ],
            "Resource": "*",
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": "42.120.XX.X/24"
                }
            }
        }]
    }
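
Before attaching a custom policy such as Example 2, it helps to check offline which requests it would permit. The following sketch is an added example, not Alibaba Cloud code and not RAM's actual evaluation engine: it models only wildcard action matching and the IpAddress condition on acs:SourceIp, ignores Resource (both examples use "*"), and uses a constructed CIDR, 203.0.113.0/24, in place of the masked address above. The function names are hypothetical.

```python
import fnmatch
import ipaddress
import json

# Example 2's policy with a constructed documentation CIDR standing in
# for the masked source address shown on the page.
POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["actiontrail:LookupEvents", "actiontrail:Describe*", "actiontrail:Get*"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}
    }]
}
""")


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def condition_ok(statement, source_ip):
    """True if there is no IpAddress condition or source_ip falls inside it."""
    cond = statement.get("Condition", {})
    if set(cond) - {"IpAddress"}:
        # Fail closed: this sketch does not model other condition operators.
        raise ValueError("unsupported condition operator in statement")
    cidrs = as_list(cond.get("IpAddress", {}).get("acs:SourceIp", []))
    if not cidrs:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_allowed(policy, action, source_ip):
    """Simplified model: explicit Deny wins, then any matching Allow, else deny."""
    allowed = False
    for st in policy["Statement"]:
        matches = any(fnmatch.fnmatchcase(action, p) for p in as_list(st["Action"]))
        if matches and condition_ok(st, source_ip):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Calling is_allowed with a write action such as actiontrail:DeleteTrail, or with a source address outside the CIDR, returns False, which confirms that the policy stays read-only and bound to the source network.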