You can authorize Resource Access Management (RAM) users to access and use ActionTrail. For example, RAM users that are granted the required permissions can query historical events and manage trails.
Prerequisites
- A RAM user is created. For more information, see Create a RAM user.
- The service linked role AliyunServiceRoleForActionTrail is created for ActionTrail. For more information, see Create the AliyunServiceRoleForActionTrail role.
Procedure
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- In the User Logon Name/Display Name column, find the target RAM user.
- Click Add Permissions in the Actions column. In the Add Permissions right-side pane, the Principal field is automatically filled in.
- In the Select Policy section, specify permission policies as required.
- System Policy: the system policies. To specify system policies, select the target policies in the Authorization Policy Name section. The following table describes the supported system policies.

| Policy | Description |
| --- | --- |
| AliyunActionTrailReadOnlyAccess | Provides read-only access to ActionTrail. |
| AliyunActionTrailFullAccess | Provides full access to ActionTrail. |
| AliyunOSSReadOnlyAccess | Provides read-only access to Object Storage Service (OSS). |
| AliyunLogReadOnlyAccess | Provides read-only access to Log Service. |

- Custom Policy: the custom policies. To specify custom policies, create policies first, and then select the target policies in the Authorization Policy Name section.
For more information about how to create a custom policy, see Create a custom policy.
The following sample code shows a custom policy:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "actiontrail:*",
        "oss:GetService",
        "log:ListProject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

The following table describes the permissions included in this custom policy.

| Permission | Description |
| --- | --- |
| oss:GetService | Allows viewing OSS buckets. |
| log:ListProject | Allows viewing Log Service projects. |
| actiontrail:* | Provides full access to ActionTrail. |
- Click OK.
- Click Complete.
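The following Python check is an added example, not part of the original documentation: it evaluates the custom policy shown above against a requested action, with an explicit Deny taking precedence, and lists the wildcard grants a reviewer may want to narrow before attaching the policy. The function names and the queried action names (`actiontrail:DeleteTrail`, `oss:PutObject`) are assumptions for illustration; Condition, NotAction and NotResource elements are not evaluated.

```python
import json
import re

# Custom policy copied from this page.
SAMPLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Action": ["actiontrail:*", "oss:GetService", "log:ListProject"],
    "Resource": "*",
    "Effect": "Allow"
  }]
}""")

def _as_list(value):
    # Policy elements may be one string, one object, or a list of them.
    return list(value) if isinstance(value, list) else ([] if value is None else [value])

def _matches(pattern, value):
    # Simplification: '*' is the only wildcard; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def is_allowed(policy, action, resource="*"):
    """True if a statement allows the action and none denies it (Deny wins).
    Condition, NotAction and NotResource are not evaluated here."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        hit = (any(_matches(a, action) for a in _as_list(stmt.get("Action")))
               and any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))))
        if hit and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def wildcard_allows(policy):
    """Allow-ed action patterns containing '*', as candidates for narrowing."""
    return [a for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow"
            for a in _as_list(stmt.get("Action")) if "*" in a]

if __name__ == "__main__":
    # DeleteTrail and PutObject are example action names; neither is listed on this page.
    print(wildcard_allows(SAMPLE_POLICY))
    print(is_allowed(SAMPLE_POLICY, "actiontrail:DeleteTrail"))
    print(is_allowed(SAMPLE_POLICY, "oss:PutObject"))
```

Running it against the sample policy shows that `actiontrail:*` also covers trail-modifying actions, while OSS access stays limited to the single listed action.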