This topic describes how to authorize RAM users to use ActionTrail resources by using system policies or custom policies.

Prerequisites

Before getting started, you must create a RAM user. For more information, see Create a RAM user.

Attach ActionTrail system policies to a RAM user

The available system policies are as follows:

Table 1. System policies
| System policy | Description |
| --- | --- |
| AliyunActionTrailFullAccess | Grants a RAM user full management permissions for ActionTrail resources. |
| AliyunActionTrailReadOnlyAccess | Grants a RAM user read-only permission for ActionTrail resources. |

For more information about how to attach a policy, see Grant permission to a RAM user.

Attach ActionTrail custom policies to a RAM user

If the system policies cannot meet your requirements, you can create a custom policy. For more information, see Create a custom policy. The following example policy allows ActionTrail read-only operations on all resources, but only for requests that originate from a specified IP address range:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "actiontrail:LookupEvents", 
            "actiontrail:Describe*", 
            "actiontrail:Get*"
        ],
        "Resource": "*",
        "Condition":{
            "IpAddress": {
                "acs:SourceIp": "42.120.XX.X/24"
            }
        }
    }]
}
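
The following added example (not part of the original documentation and not Alibaba Cloud's own code) models how the policy above treats a request: the action must match one of the listed patterns and the source IP must fall inside the allowed range, otherwise the request is implicitly denied. Assumptions: the masked range is replaced by the constructed documentation range 203.0.113.0/24, action matching is treated as case-sensitive, only the IpAddress operator is modelled, Resource matching is skipped because the policy uses "*", and is_allowed is a hypothetical helper name.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the page's policy: the masked range 42.120.XX.X/24
# is replaced by the documentation range 203.0.113.0/24 (assumption).
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["actiontrail:LookupEvents", "actiontrail:Describe*", "actiontrail:Get*"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_condition_holds(condition, source_ip):
    """True when no IpAddress condition exists or source_ip is inside a listed range."""
    if set(condition) - {"IpAddress"}:
        raise ValueError("only the IpAddress operator is modelled in this example")
    ranges = condition.get("IpAddress", {}).get("acs:SourceIp")
    if ranges is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))

def is_allowed(policy, action, source_ip):
    """Simplified model: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue  # statement does not cover this action
        if not _ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue  # condition not met, so the statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    # Constructed sample requests: in range, out of range, and a write action.
    for action, ip in [("actiontrail:LookupEvents", "203.0.113.25"),
                       ("actiontrail:DescribeTrails", "198.51.100.7"),
                       ("actiontrail:DeleteTrail", "203.0.113.25")]:
        print(action, ip, "->", "Allow" if is_allowed(POLICY, action, ip) else "Deny")
```

A read action from outside the range and a write action from inside it are both denied, which is the behavior to confirm before attaching a custom policy to a RAM user.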