Grant permissions to a RAM user - Permission Management| Alibaba Cloud Documentation Center

You can authorize RAM users to access and use ActionTrail. For example, RAM users that are granted the required permissions can query events and manage trails and event alerts.

Prerequisites

A RAM user is created within your Alibaba Cloud account. For more information, see Create a RAM user.
The service-linked role AliyunServiceRoleForActionTrail is created for ActionTrail. For more information, see Create the AliyunServiceRoleForActionTrail role.

Procedure

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account and select one or more policies.

System Policy: the system policies. To specify system policies, select the required policies in the Authorization Policy Name column.


Policy	Description
AliyunActionTrailReadOnlyAccess	Provides read-only permissions on ActionTrail.
AliyunActionTrailFullAccess	Provides full permissions on ActionTrail.
AliyunOSSReadOnlyAccess	Provides read-only permissions on Object Storage Service (OSS).
AliyunLogReadOnlyAccess	Provides read-only permissions on Log Service.

Custom Policy: the custom policies. To specify custom policies, select the required policies in the Authorization Policy Name column.

For information about how to create a custom policy, see Create a custom policy.

Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to view OSS buckets and Log Service projects. This way, the RAM user has the permissions to manage trails.

The following sample code shows the custom policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:*",
                "oss:GetService",
                "log:ListProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The following table describes the permissions included in the custom policy.


Action	Description
oss:GetService	Allows a RAM user to view OSS buckets.
log:ListProject	Allows a RAM user to view Log Service projects.
actiontrail:*	Provides full access to ActionTrail.

Example 2: Grant a RAM user the permissions to manage trails in ActionTrail and the permissions to manage Logstores, indexes, dashboards, charts, and projects in Log Service. This way, the RAM user has the permissions to manage event alerts.

The following sample code shows the custom policy:

{ 
    "Version": "1", 
    "Statement": [
      {
     "Effect": "Allow",
     "Action": [
       "actiontrail:DescribeTrails",
       "actiontrail:SetDefaultTrail",
       "actiontrail:GetDefaultTrail",
       "actiontrail:CreateTrail"
     ],
     "Resource": "*"   
     },
   {
     "Effect": "Allow",
     "Action": [
       "log:CreateLogStore",
       "log:CreateIndex",
       "log:UpdateIndex"
     ],
     "Resource": [
       "acs:log:*:*:project/Project name/logstore/internal-alert-history",
       "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
     ]   
     },
   {
     "Effect": "Allow",
     "Action": [
       "log:CreateDashboard",
       "log:CreateChart",
       "log:UpdateDashboard"
     ],
     "Resource": "acs:log:*:*:project/Project name/dashboard/*"
   },
   {
     "Effect": "Allow",
     "Action": [
       "log:*"
     ],
     "Resource": "acs:log:*:*:project/Project name/job/*"   
     },
   {
     "Effect": "Allow",
     "Action": [
       "log:CreateProject"
     ],
     "Resource": [
       "acs:log:*:*:project/sls-alert-*"
     ]
   }
 ]
}

The following table describes the permissions included in the custom policy.


Action	Description
actiontrail:DescribeTrails	Allows a RAM user to query trails.
actiontrail:SetDefaultTrail	Allows a RAM user to set the default trail for event alerting.
actiontrail:GetDefaultTrail	Allows a RAM user to query the default trail for event alerting.
actiontrail:CreateTrail	Allows a RAM user to create a trail.
log:CreateLogstore	Allows a RAM user to create a Log Service Logstore.
log:CreateIndex	Allows a RAM user to create an index.
log:UpdateIndex	Allows a RAM user to update an index.
log:CreateDashboard	Allows a RAM user to create a dashboard.
log:CreateChart	Allows a RAM user to create a chart.
log:UpdateDashboard	Allows a RAM user to update a dashboard.
log:CreateProject	Allows a RAM user to create a Log Service project.

Click OK.
Click Complete.