ActionTrail: Grant permissions to a RAM user

Last Updated: Jan 30, 2024

After you attach system or custom policies to a Resource Access Management (RAM) user, the RAM user can access Alibaba Cloud resources with the permissions that the policies define. You can grant RAM users permissions to access and manage ActionTrail, for example, to query events and to manage trails and alerts. This topic describes how to grant RAM users the permissions to manage ActionTrail.

Prerequisites

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, set Authorized Scope to Alibaba Cloud Account and select a policy.

    • System Policy: To attach system policies, select the required policies in the Authorization Policy Name column.

      | Policy | Description |
      | --- | --- |
      | AliyunActionTrailReadOnlyAccess | Provides read-only permissions on ActionTrail. |
      | AliyunActionTrailFullAccess | Provides full permissions on ActionTrail. |
      | AliyunOSSReadOnlyAccess | Provides read-only permissions on Object Storage Service (OSS). |
      | AliyunLogReadOnlyAccess | Provides read-only permissions on Simple Log Service. |

    • Custom Policy: To attach custom policies, select the required policies in the Authorization Policy Name column.

      For more information about how to create a custom policy, see Create custom policies.

      • Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to view OSS buckets and Simple Log Service projects. This way, the RAM user can manage trails.

        Sample code:

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "actiontrail:*",
                        "oss:GetService",
                        "log:ListProject"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }

        Policy content:

        | Action | Description |
        | --- | --- |
        | oss:GetService | Allows a RAM user to view OSS buckets. |
        | log:ListProject | Allows a RAM user to view Simple Log Service projects. |
        | actiontrail:* | Provides full permissions on ActionTrail. |

      • Example 2: Grant a RAM user the permissions to manage trails in ActionTrail and the permissions to manage Logstores, indexes, dashboards, charts, and projects in Simple Log Service. This way, the RAM user can manage alerts.

        Sample code:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "actiontrail:DescribeTrails",
                        "actiontrail:SetDefaultTrail",
                        "actiontrail:GetDefaultTrail",
                        "actiontrail:CreateTrail"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/Project name/logstore/internal-alert-history",
                        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
                    ]
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard"
                    ],
                    "Resource": "acs:log:*:*:project/Project name/dashboard/*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:*"
                    ],
                    "Resource": "acs:log:*:*:project/Project name/job/*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateProject"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/sls-alert-*"
                    ]
                }
            ]
        }

        Policy content:

        | Action | Description |
        | --- | --- |
        | actiontrail:DescribeTrails | Allows a RAM user to query trails. |
        | actiontrail:SetDefaultTrail | Allows a RAM user to specify the default trail for alerting. |
        | actiontrail:GetDefaultTrail | Allows a RAM user to query the default trail for alerting. |
        | actiontrail:CreateTrail | Allows a RAM user to create a trail. |
        | log:CreateLogStore | Allows a RAM user to create a Logstore. |
        | log:CreateIndex | Allows a RAM user to create an index. |
        | log:UpdateIndex | Allows a RAM user to update an index. |
        | log:CreateDashboard | Allows a RAM user to create a dashboard. |
        | log:CreateChart | Allows a RAM user to create a chart. |
        | log:UpdateDashboard | Allows a RAM user to update a dashboard. |
        | log:CreateProject | Allows a RAM user to create a Simple Log Service project. |

  5. Click OK.

  6. Click Complete.
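
Before attaching a custom policy in step 4, it helps to see how broadly each statement grants. The following Python script is an added example, not part of the original documentation: it lints the two custom policies shown in step 4 for wildcard actions and for non-read actions granted on `"Resource": "*"`. The `Get`/`List`/`Describe` prefix test for read-only actions and the finding labels are assumptions of this example, not RAM rules.

```python
import json

# The two custom policies from this page, compacted (contents unchanged).
EXAMPLE_1 = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["actiontrail:*", "oss:GetService", "log:ListProject"]}]}""")

EXAMPLE_2 = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["actiontrail:DescribeTrails", "actiontrail:SetDefaultTrail",
              "actiontrail:GetDefaultTrail", "actiontrail:CreateTrail"]},
  {"Effect": "Allow",
   "Action": ["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex"],
   "Resource": [
     "acs:log:*:*:project/Project name/logstore/internal-alert-history",
     "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"]},
  {"Effect": "Allow",
   "Action": ["log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard"],
   "Resource": "acs:log:*:*:project/Project name/dashboard/*"},
  {"Effect": "Allow", "Action": ["log:*"],
   "Resource": "acs:log:*:*:project/Project name/job/*"},
  {"Effect": "Allow", "Action": ["log:CreateProject"],
   "Resource": ["acs:log:*:*:project/sls-alert-*"]}]}""")

# Assumption of this example: these name prefixes mark read-only actions.
READ_PREFIXES = ("Get", "List", "Describe")

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy):
    """Return (statement index, issue, action, resources) per broad Allow grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        unscoped = "*" in resources
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                issue = "wildcard-action-on-all-resources" if unscoped else "wildcard-action"
                findings.append((i, issue, action, resources))
            elif unscoped and not action.split(":")[-1].startswith(READ_PREFIXES):
                findings.append((i, "write-action-on-all-resources", action, resources))
    return findings

if __name__ == "__main__":
    for name, policy in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, audit_policy(policy))
```

Each finding is a prompt for review rather than an error: Example 1 grants every ActionTrail action on every resource, so a user who only needs to query events is better served by the AliyunActionTrailReadOnlyAccess system policy listed above.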

References