You can authorize RAM users to access and use ActionTrail. For example, RAM users that are granted the required permissions can query historical events and manage trails and event alerts.

Prerequisites

Procedure

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account and select one or more policies.
    • System Policy: the system policies. To specify system policies, select the required policies in the Authorization Policy Name column.
      Policy                             Description
      AliyunActionTrailReadOnlyAccess    Provides read-only permissions on ActionTrail.
      AliyunActionTrailFullAccess        Provides full permissions on ActionTrail.
      AliyunOSSReadOnlyAccess            Provides read-only permissions on Object Storage Service (OSS).
      AliyunLogReadOnlyAccess            Provides read-only permissions on Log Service.
    • Custom Policy: the custom policies. Before you can use custom policies, you must create them. To specify custom policies, select the required policies in the Authorization Policy Name column.

      For more information about how to create a custom policy, see Create a custom policy.

      • Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to view OSS buckets and Log Service projects. This way, the RAM user can be used to manage trails.

        The following sample code shows the custom policy:

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "actiontrail:*",
                        "oss:GetService",
                        "log:ListProject"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
                                

        The following table describes the permissions included in the custom policy.

        Permission         Description
        oss:GetService     Allows a RAM user to view OSS buckets.
        log:ListProject    Allows a RAM user to view Log Service projects.
        actiontrail:*      Provides full access to ActionTrail.
      • Example 2: Grant a RAM user the permissions to manage trails in ActionTrail and the permissions to manage Logstores, indexes, dashboards, charts, and projects in Log Service. This way, the RAM user can be used to manage event alerts.

        The following sample code shows the custom policy:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "actiontrail:DescribeTrails",
                        "actiontrail:SetDefaultTrail",
                        "actiontrail:GetDefaultTrail",
                        "actiontrail:CreateTrail"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/Project name/logstore/internal-alert-history",
                        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
                    ]
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard"
                    ],
                    "Resource": "acs:log:*:*:project/Project name/dashboard/*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:*"
                    ],
                    "Resource": "acs:log:*:*:project/Project name/job/*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateProject"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/sls-alert-*"
                    ]
                }
            ]
        }

        The following table describes the permissions included in the custom policy.

        Permission                     Description
        actiontrail:DescribeTrails     Allows a RAM user to query trails.
        actiontrail:SetDefaultTrail    Allows a RAM user to set the default trail for event alerting.
        actiontrail:GetDefaultTrail    Allows a RAM user to query the default trail for event alerting.
        actiontrail:CreateTrail        Allows a RAM user to create a trail.
        log:CreateLogStore             Allows a RAM user to create a Log Service Logstore.
        log:CreateIndex                Allows a RAM user to create an index.
        log:UpdateIndex                Allows a RAM user to update an index.
        log:CreateDashboard            Allows a RAM user to create a dashboard.
        log:CreateChart                Allows a RAM user to create a chart.
        log:UpdateDashboard            Allows a RAM user to update a dashboard.
        log:CreateProject              Allows a RAM user to create a Log Service project.
  5. Click OK.
  6. Click Complete.
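
A review aid for custom policies like the two in step 4, added here as an example and not part of the original documentation: it lists the Allow statements that use a service-wide wildcard action, apply to every resource, or still carry the `Project name` placeholder. The names `review` and `as_list` are hypothetical, the embedded policy is constructed from Example 1 and two statements of Example 2, and treating a space in a resource string as an unreplaced placeholder is an assumption of this example.

```python
import json

# Constructed input: Example 1 plus two statements of Example 2 from this page.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["actiontrail:*", "oss:GetService", "log:ListProject"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["log:*"],
     "Resource": "acs:log:*:*:project/Project name/job/*"},
    {"Effect": "Allow",
     "Action": ["log:CreateProject"],
     "Resource": ["acs:log:*:*:project/sls-alert-*"]}
  ]
}
""")

def as_list(value):
    """Action and Resource appear on this page as a string or as a list."""
    return [value] if isinstance(value, str) else list(value)

def review(policy):
    """Return (statement index, finding) tuples for the Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            # "service:*" grants every operation of that service.
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append((i, "applies to every resource"))
            elif " " in res:
                # Assumption: a space means the placeholder was not replaced.
                findings.append((i, f"unreplaced placeholder in {res}"))
    return findings

if __name__ == "__main__":
    for index, finding in review(POLICY):
        print(f"statement {index}: {finding}")
```

Run it against a policy before you create it in the RAM console; each reported statement is one to confirm as intended or to narrow.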