Log Service provides the permission assistant feature. You can use the feature to grant permissions on the resources of Log Service to a RAM user or role. This topic describes how to configure permission assistant in the Log Service console.

Procedure

  1. Log on to the Log Service console.
  2. In the Projects section, find the target project, and then click the project name.
  3. In the left-side navigation pane, click Permission Assistant to open the Permission Assistant page.
  4. In the Configure Policy step, set the required parameters, and then click Next.
    In the Select Mode section, you can select Project or APP.
    • Project

      If you select Project, you can configure permissions on all modules of Log Service.

      Parameter: Description

      Select Scenario: Different scenarios are associated with different modules. After you select a scenario, the modules associated with the scenario are automatically selected. You can also customize a scenario by selecting modules.

      Permissions on a module include the management permission and read-only permission.

      Note: The dependency relationships between function modules are described as follows:
      • You must configure the read-only or management permission on the Project module. Otherwise, you cannot use other modules.
      • The Data Import module depends on the Logstore module. If you select a submodule under the Data Import module, the Logstore module is automatically selected.
      • The Visualization submodule depends on the Data Query submodule.
      • The Alerts, Subscribe, and Data Imported by Cloud Products submodules depend on the Visualization submodule. If you select the Alerts and Subscribe submodules, you must configure the management permission on the Visualization submodule.

      Resources: After you configure permissions on modules, you must configure the resources on which the permissions are granted under the modules. You can use an asterisk (*) to match one or more projects or Logstores. Examples:
      • acs:log:*:*:project/*: RAM users or roles that have been granted permissions can access all resources of Log Service.
      • acs:log:*:*:project/project01/*: RAM users or roles that have been granted permissions can access the resources in the logstore01 Logstore.
      • acs:log:*:*:project/project01/logstore01: RAM users or roles that have been granted permissions can access resources under the logstore01 Logstore.

      Conditions: You can configure conditions for resources. For more information, see Policy elements.
    • APP

      If you select APP, you can configure the permissions on Cost Manager, Log Audit Service, and K8s Event Center applications in Log Service.

      Parameter: Description

      APPs: Select the applications on which you want to configure permissions. You can grant the Allow or Deny permission on an application.

      Select Scenario: When you configure the Allow permission on an application, the associated modules are automatically selected. You can also customize a scenario by selecting modules.

      Permissions on a module include the management permission and read-only permission.

      Note: The dependency relationships between function modules are described as follows:
      • You must configure the read-only or management permission on the Project module. Otherwise, you cannot use other modules.
      • The Data Import module depends on the Logstore module. If you select a submodule under the Data Import module, the Logstore module is automatically selected.
      • The Visualization submodule depends on the Data Query submodule.
      • The Alerts, Subscribe, and Data Imported by Cloud Products submodules depend on the Visualization submodule. If you select the Alerts and Subscribe submodules, you must configure the management permission on the Visualization submodule.

      Resources: After you select an application, the associated resources are automatically specified. The resources cannot be modified.

      Conditions: You can configure conditions for resources. For more information, see Policy elements.
  5. In the Preview Policy step, confirm the information that you configured in the previous step, and then click Next.
    You can also modify the generated permission policy in the Preview Policy step. The following table lists the actions that you can perform.
    Action: Description
    Format: Format the manually edited JSON object.
    Compress: The number of lines of a permission policy configured for an application cannot exceed the predefined limit. You can use the Compress feature to delete unnecessary whitespace and line breaks.
    Reset: Reset the manually edited policy to the automatically generated policy.
    Copy to Clipboard: Copy the policy to the clipboard.
    Add to Custom Template: Add the policy to a custom policy template.
    Note: This template is stored in the local storage of the current browser. The template is unavailable if you use another browser.
  6. In the Apply Settings to RAM step, follow the instructions on the page to apply the policy to the RAM user or role.
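
A review you can run on the policy JSON from the Preview Policy step before you apply it to a RAM user or role, as an added example that is not part of the original documentation. It reports which Allow statements use the project/* resource or wildcard actions and lists the resources each statement actually covers. The policy, action patterns, account ID, and inventory are constructed sample values, and the script assumes that the asterisk matches any run of characters.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy, shaped like the JSON shown in the Preview Policy step.
# Action patterns and the account ID below are sample values, not from the page.
POLICY_TEXT = """
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["log:Get*", "log:List*"],
   "Resource": "acs:log:*:*:project/project01/logstore01"},
  {"Effect": "Allow", "Action": ["log:*"],
   "Resource": ["acs:log:*:*:project/*"]}
]}
"""

# Constructed inventory of resources that exist in the account.
INVENTORY = [
    "acs:log:cn-hangzhou:1234567890:project/project01",
    "acs:log:cn-hangzhou:1234567890:project/project01/logstore01",
    "acs:log:cn-hangzhou:1234567890:project/project01/logstore02",
    "acs:log:cn-hangzhou:1234567890:project/project02/logstore01",
]

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def review(policy, inventory):
    """Return one finding per Allow statement, including what it really covers."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = as_list(stmt.get("Resource", []))
        paths = [p.split(":", 4)[-1] for p in patterns]  # part after the account field
        findings.append({
            "statement": index,
            "all_projects": any(p == "*" or p.startswith("project/*") for p in paths),
            "wildcard_actions": [a for a in as_list(stmt.get("Action", []))
                                 if a == "*" or a.endswith(":*")],
            "unconditioned": "Condition" not in stmt,
            # Assumption: "*" matches any run of characters, as in a shell glob.
            "covered": [r for r in inventory
                        if any(fnmatchcase(r, p) for p in patterns)],
        })
    return findings

if __name__ == "__main__":
    for finding in review(json.loads(POLICY_TEXT), INVENTORY):
        print(finding)
```

A statement that reports all_projects as true, or that covers more inventory entries than the RAM user or role needs, is a candidate for a narrower Resources value or a condition in the Configure Policy step.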

References

  • Apply common policy templates

    Common policy templates are available on the Permission Assistant page. You can select a template based on your needs.

  • Apply custom policy templates
    On the Permission Assistant page, you can apply a custom policy template to authorize a RAM user.
    Note: Custom policy templates are stored in the local storage of the current browser. The templates are unavailable if you use another browser.