This topic describes how to attach a custom policy to a RAM user.
Prerequisites
Important: This feature is available for users who activate Application Real-Time Monitoring Service (ARMS) after 00:00 on August 26, 2022. If you activated ARMS before 00:00 on August 26, 2022, you must submit a ticket to enable this feature.
Background information
The system policies provided by ARMS are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the permissions on a specific application to a RAM user, you must create a custom policy.
Step 1: Create a custom policy
Step 2: Attach the custom policy to a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Click OK.
- Click Complete.
Policy elements
Effect
Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action
Action | Permissions |
---|---|
arms:ReadRumApp | The read-only permissions on the specified application. Grant this action to allow a RAM user to view information such as the application overview, session traces, and JS errors. |
arms:SaveRumApp | The save permissions on the specified application. Grant this action to allow a RAM user to create an application site in Browser Monitoring. |
arms:DeleteRumApp | The permissions to delete the specified application in Browser Monitoring. |
Resource
Specifies the resources on which the policy takes effect.
Sample statement:
"Resource": [
"acs:arms:<regionid>:*:armsweb/<appname>"
]
- Replace <regionid> with the specified region ID. If you want to grant permissions to resources in all regions, replace <regionid> with *.
- Replace <appname> with the specified application name. If you want to grant permissions on all applications, replace <appname> with *. If you want to specify applications that have the same name prefix, replace <appname> with Name prefix*, for example, test*.
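
The following Python check is an added example, not part of the ARMS documentation. It reads a custom policy and flags Allow statements that grant arms:SaveRumApp or arms:DeleteRumApp on all applications or in all regions. The "Version"/"Statement" envelope is standard RAM policy syntax; the function names, the region ID cn-hangzhou, and both sample policies are constructed for illustration.

```python
import json

# Actions from the table above that change state, as opposed to arms:ReadRumApp.
WRITE_ACTIONS = {"arms:SaveRumApp", "arms:DeleteRumApp"}

def as_list(value):
    """Action and Resource may be written as a single string or as a list."""
    return [value] if isinstance(value, str) else list(value)

def parse_resource(resource):
    """Split acs:arms:<regionid>:*:armsweb/<appname> into (region, app)."""
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "arms"]:
        return None
    kind, _, app = parts[4].partition("/")
    return (parts[2], app) if kind == "armsweb" and app else None

def audit(policy_json):
    """Return findings for Allow statements that grant write actions broadly."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only remove access
        writes = sorted(WRITE_ACTIONS & set(as_list(stmt.get("Action", []))))
        if not writes:
            continue  # read-only statement
        for res in as_list(stmt.get("Resource", [])):
            parsed = parse_resource(res)
            if parsed is None:
                findings.append((i, res, "not an armsweb resource of the documented form"))
            elif parsed[1] == "*":
                findings.append((i, res, f"{writes} allowed on all applications"))
            elif parsed[0] == "*":
                findings.append((i, res, f"{writes} allowed in all regions"))
    return findings

# Constructed sample policies; the region ID and application names are made up.
BROAD = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["arms:ReadRumApp", "arms:DeleteRumApp"],
  "Resource": ["acs:arms:*:*:armsweb/*"]}]}"""
SCOPED = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "arms:ReadRumApp",
   "Resource": ["acs:arms:cn-hangzhou:*:armsweb/test*"]},
  {"Effect": "Deny", "Action": "arms:DeleteRumApp",
   "Resource": ["acs:arms:*:*:armsweb/*"]}]}"""

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(doc) or "no findings")
```

The check only matches the three action names listed in the table; it does not expand wildcard actions.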