Log Service provides a permission assistant. You can use the permission assistant to grant permissions on Log Service resources to a RAM user or RAM role. This topic describes how to use the permission assistant in the Log Service console.

Procedure

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of a project.
  3. In the left-side navigation pane, click Permission Assistant.
  4. On the Permission Assistant page, set the required parameters in the Configure Policy step, and then click Next.
    In the Select Mode section, you can select Project or APP.
    • Project

      If you select Project, you can grant permissions on all functional modules of Log Service.

      Parameters:

      Select Scenario: Different scenarios are associated with different functional modules. After you select a scenario, the functional modules that are associated with the scenario are automatically selected. You can also create a custom scenario by selecting the functional modules.

      The permissions on a functional module include the management permissions and read-only permissions.

      Note: The functional modules have the following relationships:
      • You must grant the read-only or management permissions on the Project module before you can use other functional modules.
      • The Data Import module is based on the Logstore module. If you select a submodule of the Data Import module, the Logstore module is automatically selected.
      • The Visualization submodule is based on the Data Query submodule.
      • The Alerts, Subscribe, and Data Imported by Cloud Products submodules are based on the Visualization submodule. If you select the Alerts and Subscribe submodules, you must grant the management permissions on the Visualization submodule.

      Resources: After you grant permissions on functional modules, you can specify the resources on which the permissions are granted. You can use an asterisk (*) to match one or more projects or Logstores. Examples:
      • RAM users or roles that have been granted the following permissions can manage all resources of Log Service.
        "Action": "log:*",
        "Resource": "*",
      • RAM users or roles that have been granted the following permissions can manage only the resources in project01.
        • acs:log:*:*:project/project01
        • acs:log:*:*:project/project01/*
      • RAM users or roles that have been granted the following permissions can manage only the resources in logstore01 of project01.
        • acs:log:*:*:project/project01/logstore/logstore01
        • acs:log:*:*:project/project01/logstore/logstore01/*

      Conditions: You can specify conditions for resources. For more information, see Policy elements.
    • APP

      If you select APP, you can grant the permissions on the Cost Manager, Log Audit Service, and K8s Event Center applications in Log Service.

      Parameters:

      APPs: Select the applications on which you want to grant permissions. You can grant the Allow or Deny permission on an application.

      Select Scenario: If you grant the Allow permission on an application, the associated functional modules are automatically selected. You can also create a scenario by selecting the functional modules.

      The permissions on a functional module include the management permissions and read-only permissions.

      Note: The functional modules have the following relationships:
      • You must grant the read-only or management permissions on the Project module before you can use other functional modules.
      • The Data Import module is based on the Logstore module. If you select a submodule of the Data Import module, the Logstore module is automatically selected.
      • The Visualization submodule is based on the Data Query submodule.
      • The Alerts, Subscribe, and Data Imported by Cloud Products submodules are based on the Visualization submodule. If you select the Alerts and Subscribe submodules, you must grant the management permissions on the Visualization submodule.

      Resources: After you select an application, the associated resources are automatically specified and cannot be modified.

      Conditions: You can specify conditions for resources. For more information, see Policy elements.
  5. In the Preview Policy step, you can preview and edit the policy. The following table lists the operations that you can perform. After you confirm or edit the policy, click Next.
    | Operation | Description |
    | --- | --- |
    | Format | Format the manually edited JSON policy. |
    | Compress | The number of lines in a permission policy cannot exceed the predefined limit. You can perform the Compress operation to delete blank spaces and line breaks. |
    | Reset | Reset the manually edited policy to the automatically generated policy. |
    | Copy to Clipboard | Copy the policy to the clipboard. |
    | Add to Custom Template | Add the policy as a custom policy template. |

    Note: Custom policy templates are stored in the local storage of the current browser. The templates are inaccessible if you use another browser.
  6. In the Apply Setting to RAM step, follow the steps that are provided on the Permission Assistant page to attach the policy to a RAM user, RAM role, or user group.
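
The resource patterns from step 4 and the Compress operation from step 5 can be checked offline before a policy is attached in step 6. The following Python script is an added example, not code from Log Service or its console: the sample policy, the function names, and the read-only action patterns `log:Get*` and `log:List*` are assumptions made for illustration.

```python
import json

# Constructed sample policy (an assumption, not console output); project01 is
# the project name used in the Resources examples of step 4.
SAMPLE_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["log:Get*", "log:List*"],
     "Resource": ["acs:log:*:*:project/project01",
                  "acs:log:*:*:project/project01/*"]}
  ]
}"""

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def resource_scope(resource):
    """Describe how much of Log Service a Resource string covers."""
    path = resource.split(":", 4)[-1]  # project/<name>[/logstore/<name>[/*]]
    if path == "*":
        return "all resources"
    parts = path.split("/")
    if len(parts) < 2 or parts[0] != "project":
        return "unrecognized"
    if "*" in parts[1]:
        return "multiple projects"
    if len(parts) >= 4 and parts[2] == "logstore" and "*" not in parts[3]:
        return f"logstore {parts[3]} in project {parts[1]}"
    return f"project {parts[1]}"

def audit(policy_text):
    """Return one (index, scopes, too_broad) tuple per Allow statement."""
    report = []
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        scopes = sorted({resource_scope(r) for r in as_list(stmt.get("Resource", []))})
        wildcard = any(a in ("*", "log:*") for a in as_list(stmt.get("Action", [])))
        wide = any(s in ("all resources", "multiple projects") for s in scopes)
        report.append((i, scopes, wildcard and wide))
    return report

def compress(policy_text):
    """Same effect as the Compress operation: drop blank spaces and line breaks."""
    return json.dumps(json.loads(policy_text), separators=(",", ":"))

if __name__ == "__main__":
    for index, scopes, too_broad in audit(SAMPLE_POLICY):
        print(index, scopes, "REVIEW: full access" if too_broad else "scoped")
```

A statement flagged as too broad grants every Log Service action on every project, which is the first Resources example in step 4; narrowing the Resource element to the project or Logstore patterns clears the flag.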

What to do next

  • Apply common policy templates.

    On the Permission Assistant page, you can select a common policy template based on your business requirements.

  • Apply custom policy templates.
    On the Permission Assistant page, you can also add a custom policy as a custom policy template in the Preview Policy step.
    Note: Custom policy templates are stored in the local storage of the current browser. The templates are inaccessible if you use another browser.