Application Real-Time Monitoring Service (ARMS) integrates with Resource Access Management (RAM) for access control. RAM lets you create separate user identities, assign fine-grained permissions, and manage cross-account resource access without sharing your Alibaba Cloud account credentials.
ARMS supports two system policies:
| Policy | Type | Scope |
|---|---|---|
| AliyunARMSFullAccess | System | Read and write access to all ARMS features |
| AliyunARMSReadOnlyAccess | System | Read-only access to all ARMS features |
For custom permissions or cross-account access, use RAM users and RAM roles as described in the following sections.
Use cases
Manage permissions with RAM users
A typical setup involves one Alibaba Cloud account and multiple team members who each need different levels of access to cloud resources such as ECS instances, RDS instances, SLB instances, and OSS buckets.
With RAM users, you can:
- Create independent accounts for each team member without sharing your Alibaba Cloud account credentials.
- Grant each RAM user only the permissions required for their role.
- Revoke permissions or delete a RAM user at any time.
- Consolidate billing under a single Alibaba Cloud account. RAM users do not incur separate metering or billing.
For setup instructions, see Use RAM users to manage permissions.
Access resources across accounts with RAM roles
When one organization (Alibaba Cloud Account A) needs to delegate cloud resource O&M, monitoring, or management to another organization (Alibaba Cloud Account B), RAM roles enable secure cross-account access.
With RAM roles, you can:
- Authorize Account B to operate on Account A's resources such as ECS instances, RDS instances, SLB instances, and OSS buckets.
- Let Account B assign fine-grained permissions to its own employees for Account A's resources.
- Revoke the cross-account authorization at any time.
For setup instructions, see Use a RAM role to access resources across Alibaba Cloud accounts.
System policies
ARMS provides two built-in system policies. Attach them to RAM users or RAM roles to control access.
| Policy | Type | Description |
|---|---|---|
| AliyunARMSFullAccess | System | Grants full access to all ARMS features, including read and write operations. |
| AliyunARMSReadOnlyAccess | System | Grants read-only access to all ARMS features. |
To grant read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to the resource group and also grant the ReadTraceApp permission to it. Otherwise, ARMS cannot display the list of applications that belong to the authenticated resource group.
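The resource-group caveat above lends itself to an automated check. The following is an added example, not code from ARMS or RAM: it scans constructed grant records and flags any resource-group-scoped grant that has AliyunARMSReadOnlyAccess but no effective ReadTraceApp permission. The action string `arms:ReadTraceApp`, the record layout, and all principal and resource group names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

READ_ONLY_POLICY = "AliyunARMSReadOnlyAccess"  # system policy named on the page
REQUIRED_ACTION = "arms:ReadTraceApp"  # assumption: the page says only "ReadTraceApp"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy_docs, action):
    """True if some statement allows `action` and none denies it.
    Simplification: Resource and Condition elements are not evaluated."""
    allowed = False
    for doc in policy_docs:
        for stmt in doc.get("Statement", []):
            patterns = _as_list(stmt.get("Action", []))
            if not any(fnmatchcase(action, p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def check_grant(grant):
    """Classify one resource-group-scoped grant (hypothetical record shape)."""
    if READ_ONLY_POLICY not in grant["system_policies"]:
        return "not-applicable"
    if allows(grant["custom_policies"], REQUIRED_ACTION):
        return "ok"
    return "missing-ReadTraceApp"

def audit(grants):
    return {g["principal"]: check_grant(g) for g in grants}

# Constructed sample data: policy statements and grants are illustrative only.
def _policy(*statements):
    return {"Version": "1", "Statement": list(statements)}

ALLOW_EXACT = {"Effect": "Allow", "Action": ["arms:ReadTraceApp"], "Resource": "*"}
ALLOW_WILD = {"Effect": "Allow", "Action": "arms:Read*", "Resource": "*"}
DENY_EXACT = {"Effect": "Deny", "Action": "arms:ReadTraceApp", "Resource": "*"}

SAMPLE_GRANTS = [
    {"principal": "ops-viewer", "resource_group": "rg-example-prod",
     "system_policies": [READ_ONLY_POLICY], "custom_policies": [_policy(ALLOW_EXACT)]},
    {"principal": "audit-viewer", "resource_group": "rg-example-dev",
     "system_policies": [READ_ONLY_POLICY], "custom_policies": []},
    {"principal": "dev-viewer", "resource_group": "rg-example-dev",
     "system_policies": [READ_ONLY_POLICY],
     "custom_policies": [_policy(ALLOW_WILD), _policy(DENY_EXACT)]},
]
```

Calling `audit(SAMPLE_GRANTS)` returns one verdict per principal; a grant flagged `missing-ReadTraceApp` is one where the application list would not be displayed.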