Authorize a RAM user to use ActionTrail - Permission Management| Alibaba Cloud Documentation Center

You can authorize Resource Access Management (RAM) users to access and use ActionTrail. For example, RAM users that are granted the required permissions can query historical events and manage trails.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.
The service linked role AliyunServiceRoleForActionTrail is created for ActionTrail. For more information, see Create the AliyunServiceRoleForActionTrail role.

Procedure

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Users.
In the User Logon Name/Display Name column, find the target RAM user.
Click Add Permissions in the Actions column. In the Add Permissions right-side pane, the Principal field is automatically filled in.

In the Select Policy section, specify permission policies as required.

System Policy: the system policies. To specify system policies, select the target policies in the Authorization Policy Name section. The following table describes the supported system policies.


Policy	Description
AliyunActionTrailReadOnlyAccess	Provides read-only access to ActionTrail.
AliyunActionTrailFullAccess	Provides full access to ActionTrail.
AliyunOSSReadOnlyAccess	Provides read-only access to Object Storage Service (OSS).
AliyunLogReadOnlyAccess	Provides read-only access to Log Service.

Custom Policy: the custom policies. To specify custom policies, create policies first, and then select the target policies in the Authorization Policy Name section.

For more information about how to create a custom policy, see Create a custom policy.

The following sample code shows a custom policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:*",
                "oss:GetService",
                "log:ListProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The following table describes the permissions included in this custom policy.


Permission	Description
oss:GetService	Allows viewing OSS buckets.
log:ListProject	Allows viewing Log Service projects.
actiontrail:*	Provides full access to ActionTrail.

Click OK.
Click Complete.