This topic describes how to grant a RAM user the permissions on the Alert Management sub-service by attaching a custom policy to the RAM user.
Prerequisites
You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.
The ReadOnlyAccess or AliyunARMSReadOnlyAccess system policy is attached to the RAM user. This ensures that the RAM user can log on to the Application Real-Time Monitoring Service (ARMS) console.
Important: To grant read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to the resource group and also grant the ReadTraceApp permission to it. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.
The AliyunARMSFullAccess system policy is not attached to the RAM user.
Background information
The system policies provided by ARMS are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the permissions on a specific Alert Management feature to a RAM user, you must create a custom policy.
Step 1: Create a custom policy
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab. Configure a permission policy in the editor.
For more information, see Policy elements.
The following sample policy is created to grant the read and write permissions on all features of Alert Management:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "arms:Describe*",
        "arms:List*",
        "arms:Get*",
        "arms:Search*",
        "arms:Check*",
        "arms:Query*",
        "arms:*Alert*",
        "arms:*Contact*",
        "arms:*Webhook*",
        "arms:*PrometheusRule*",
        "arms:*Alarm*",
        "arms:*Incident*",
        "arms:*DispatchRule*",
        "arms:*NotificationPolicy*",
        "arms:*EventBridgeIntegration*",
        "arms:*PrometheusAlertTemplate*",
        "arms:*IncidentWorkFlow*",
        "arms:*EscalationPolicy*",
        "arms:UpdateAlertCommercialConfig",
        "arms:*OnCallSchedule",
        "arms:UpdateIntegration",
        "arms:ListIntegration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.
The system performs the following operations during the advanced optimization:
Split resources or conditions that are incompatible with actions.
Narrow down resources.
Deduplicate or merge policy statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, configure the Name and Description parameters and click OK.
Step 2: Attach the custom policy to the RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
Policy elements
Effect
Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action
Action | Description |
arms:*Alert* | The read and write permissions on alerts. |
arms:UpdateIntegration | The permissions to update integrations. |
arms:*EventBridgeIntegration* | The read and write permissions on the EventBridge integration. |
arms:*PrometheusRule* | The read and write permissions on the alert rules of Managed Service for Prometheus. |
arms:*PrometheusAlertTemplate* | The read and write permissions on the alert rule templates of Managed Service for Prometheus. |
arms:*Incident* | The read and write permissions on alert events. |
arms:*Contact* | The read and write permissions on contacts and contact groups. |
arms:*Webhook* | The read and write permissions on webhooks. |
arms:*IncidentWorkFlow* | The read and write permissions on event processing flows. |
arms:*NotificationPolicy* | The read and write permissions on notification policies. |
arms:*EscalationPolicy* | The read and write permissions on escalation policies. |
arms:*OnCallSchedule | The read and write permissions on schedule management. |
arms:UpdateAlertCommercialConfig | The permissions to update alert internationalization configurations. |
arms:*Alarm* | The read and write permissions on the alerts that are created in the old Alert Management sub-service. |
arms:*DispatchRule* | The read and write permissions on the alert rules that are created in the old Alert Management sub-service. |
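Before attaching the sample policy, it helps to check what its wildcard patterns actually match. The following is an added example, not part of the original page or of ARMS tooling: the action names it tests are constructed for illustration, the comparison is assumed to be case-sensitive, and Resource and Condition are ignored because the sample policy uses "Resource": "*".

```python
import json
import re

# The sample policy from this page, compacted onto fewer lines.
POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
 "arms:Describe*", "arms:List*", "arms:Get*", "arms:Search*", "arms:Check*",
 "arms:Query*", "arms:*Alert*", "arms:*Contact*", "arms:*Webhook*",
 "arms:*PrometheusRule*", "arms:*Alarm*", "arms:*Incident*",
 "arms:*DispatchRule*", "arms:*NotificationPolicy*",
 "arms:*EventBridgeIntegration*", "arms:*PrometheusAlertTemplate*",
 "arms:*IncidentWorkFlow*", "arms:*EscalationPolicy*",
 "arms:UpdateAlertCommercialConfig", "arms:*OnCallSchedule",
 "arms:UpdateIntegration", "arms:ListIntegration"]}]}
""")
READ_VERBS = ("Describe", "List", "Get", "Search", "Check", "Query")

def _actions(stmt):
    """Action may be a single string or a list; always return a list."""
    value = stmt["Action"]
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    """'*' matches any run of characters; all other characters are literal.
    Case-sensitive comparison is an assumption of this sketch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def matching_patterns(policy, action):
    """Allow patterns that match `action`; a matching explicit Deny wins."""
    allowed = []
    for stmt in policy["Statement"]:
        hits = [p for p in _actions(stmt) if _matches(p, action)]
        if hits and stmt["Effect"] == "Deny":
            return []
        if stmt["Effect"] == "Allow":
            allowed.extend(hits)
    return allowed

def write_wildcards(policy):
    """Allowed wildcard patterns not confined to a read-style verb prefix."""
    return [p for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for p in _actions(stmt)
            if "*" in p and not p.split(":", 1)[-1].startswith(READ_VERBS)]

if __name__ == "__main__":
    # Constructed action names, used only to exercise the patterns.
    for name in ("arms:DeleteAlertRule", "arms:GetOnCallSchedule",
                 "arms:DeleteOnCallSchedules", "arms:DeleteIntegration"):
        print(name, "->", matching_patterns(POLICY, name) or "no match")
    print("write-capable wildcards:", write_wildcards(POLICY))
```

Patterns returned by write_wildcards are the ones to narrow first when the RAM user needs only one Alert Management feature; note that arms:*OnCallSchedule has no trailing wildcard, so it does not match names that continue after "OnCallSchedule".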