This topic describes how to grant permissions to a RAM user to enable the alerting feature.

Background information

You can grant a RAM user permissions based on actual requirements as follows:
  • If you want to grant a RAM user the permissions to perform all required operations in Log Service, select the AliyunLogFullAccess policy for this RAM user. For more information, see Grant RAM sub-accounts permissions to access Log Service.
  • If you want to grant a RAM user only the permissions to create and modify alerts, you need to create a custom policy and grant the custom permissions to this RAM user. For more information, see Procedure in this topic.

Procedure

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Set Policy Name and Note.
  5. Select Script as the configuration mode.
  6. Replace parameters as required and copy the following content under Policy Document.
    Note Replace <Project name> with your project name in Log Service. 
    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/logstore/internal-alert-history"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/dashboard/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/job/*"
    }
  ]
}
  7. Click OK.
  8. In the left-side navigation pane, choose Identities > Users.
  9. Select the target RAM user and click Add Permissions.
  10. Select the custom policy created in the previous step and click OK.