Authorize RAM users to use ActionTrail - Tutorials| Alibaba Cloud Documentation Center

This topic describes how to create custom policies to grant permissions to RAM users so that they can log on to the ActionTrail console and use the corresponding ActionTrail resources.

Prerequisites

An Alibaba Cloud account is created. If not, create an Alibaba Cloud account first.
View the supported ActionTrail API operations and RAM permission policies. For more information, see RAM account authentication.

Procedure

Create a RAM user.
Create a custom policy.

You can create custom policies to grant permissions to RAM users based on the following examples of permission policies.
Grant permissions to a RAM user.

Examples of permission policies

Example 1: Grant read-only permissions to a RAM user.

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "actiontrail:LookupEvents", 
            "actiontrail:Describe*", 
            "actiontrail:Get*"
        ],
        "Resource": "*"
    }]
}

Example 2: Grant read-only permissions to a RAM user when the RAM user logs on from a specified IP address.

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "actiontrail:LookupEvents", 
            "actiontrail:Describe*", 
            "actiontrail:Get*"
        ],
        "Resource": "*",
        "Condition":{
            "IpAddress": {
                "acs:SourceIp": "42.120.XX.X/24"
            }
        }
    }]
}