This topic describes how to attach a custom policy to a RAM user.
Prerequisites
Background information
The system policies provided by Application Real-Time Monitoring Service (ARMS) are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the operation permissions on a specific application to a RAM user, you must create a custom policy to meet this requirement.
Step 1: Create a custom policy
Step 2: Attach the custom policy to a RAM user
- In the left-side navigation pane of the RAM console, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Click OK.
- Click Complete.
Policy elements
Effect
Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action
Action | Permission |
---|---|
arms:ReadTraceApp | The read-only permissions on the specified application, including the permissions to view information such as application overview, interface calls, and application diagnostics. |
arms:EditTraceApp | The edit permissions on the specified application, including the permissions to apply custom configurations and set custom parameters. |
arms:DeleteTraceApp | The permissions to delete the specified application. |
Resource
Specifies the resources on which the policy takes effect.
Format:
"Resource": [
"acs:arms:<regionid>:*:armsapp/<appname>"
]
- Replace <regionid> with the specified region ID. If you want to grant permissions to resources in all regions, replace <regionid> with *.
- Replace <appname> with the specified application name. If you want to grant permissions on all applications, replace <appname> with *. If you want to specify applications that have the same name prefix, replace <appname> with Name prefix*, for example, k8s*.
Condition

Description
- You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.
- A condition can have multiple keys that are attached to a single conditional operator. The condition of this type is met only if all requirements for the keys are met.
- A condition block is met only if all of its conditions are met.
You can specify resources by using key-value pairs. For more information about how to attach tags to an application, see Manage tags.
- Key-value pairs support the following operators:
  - StringEquals
  - StringNotEquals
  - StringEqualsIgnoreCase
  - StringNotEqualsIgnoreCase
  - StringLike
  - StringNotLike
- Condition key: arms:tag.
- Condition key value: key-value pairs.
Example for the key0: value01 or key0: value02 tag:
"Condition": {
    "StringEquals": {              // The operator.
        "arms:tag/key0": [         // The condition key.
            "value01",             // The value of the condition key.
            "value02"
        ]
    }
}
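To see how Effect, Action, Resource, and Condition combine, the following added example (not Alibaba Cloud code and not the RAM evaluation engine) checks sample requests against a constructed policy by following the rules described in this topic. The region cn-hangzhou, the account ID, the application names, the shell-style wildcard matching, and the rule that a matching Deny overrides an Allow are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample policy: read/edit on apps named k8s* in one region, only
# when the app carries tag key0=value01 or key0=value02; deletion always denied.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["arms:ReadTraceApp", "arms:EditTraceApp"],
         "Resource": ["acs:arms:cn-hangzhou:*:armsapp/k8s*"],
         "Condition": {"StringEquals": {"arms:tag/key0": ["value01", "value02"]}}},
        {"Effect": "Deny",
         "Action": ["arms:DeleteTraceApp"],
         "Resource": ["acs:arms:*:*:armsapp/*"]},
    ],
}

# Positive operators only; the negated operators are not modelled in this sketch.
OPERATORS = {
    "StringEquals": lambda got, want: got == want,
    "StringEqualsIgnoreCase": lambda got, want: got.lower() == want.lower(),
    "StringLike": fnmatchcase,  # assumption: shell-style * wildcard
}

def condition_met(condition, tags):
    """Every operator and every key must hold; any listed value satisfies a key."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]  # KeyError for an operator not modelled here
        for key, values in keys.items():
            got = tags.get(key.partition("/")[2])  # "arms:tag/key0" -> "key0"
            if got is None or not any(match(got, v) for v in values):
                return False
    return True

def statement_applies(stmt, action, resource, tags):
    return (action in stmt["Action"]
            and any(fnmatchcase(resource, r) for r in stmt["Resource"])
            and condition_met(stmt.get("Condition", {}), tags))

def evaluate(policy, action, region, account_id, app, tags):
    """'Deny' on any matching Deny, else 'Allow' on a match, else implicit 'Deny'."""
    resource = f"acs:arms:{region}:{account_id}:armsapp/{app}"
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_applies(s, action, resource, tags)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
```

Running a draft policy through a check like this before you attach it shows whether a wildcard in <regionid> or <appname> grants more than intended.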