This topic describes how to attach a custom policy to a RAM user.

Prerequisites

Important This feature is available for users who activate Application Real-Time Monitoring Service (ARMS) after 00:00 on August 26, 2022. If you activated ARMS before 00:00 on August 26, 2022, you must submit a ticket to enable this feature.
You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.

Background information

The system policies provided by ARMS are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the permissions on a specific application to a RAM user, you must create a custom policy.

Step 1: Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab. Configure a permission policy in the editor.
    For more information, see Policy elements.

    Example: Create a custom policy that grants the read-only permissions on all applications in the China (Hangzhou) region.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "arms:ReadRumApp"
          ],
          "Resource": "acs:arms:cn-hangzhou:*:armsweb/*",
          "Effect": "Allow",
          "Condition": {
          }
        }
      ]
    }
  5. Click Next: Edit Basic Information.
  6. Configure the Name and Note parameters.
  7. Click OK.

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

Policy elements

Effect

Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.

Action

  • arms:ReadRumApp: Read-only permissions on the specified application. Grant this permission to allow a RAM user to view information such as the application overview, session traces, and JS errors.
  • arms:SaveRumApp: Save permissions on the specified application. Grant this permission to allow a RAM user to create an application site in Browser Monitoring.
  • arms:DeleteRumApp: Permissions to delete the specified application in Browser Monitoring.

Resource

Specifies the resources on which the policy takes effect.

Sample statement:

    "Resource": [
      "acs:arms:<regionid>:*:armsweb/<appname>"
    ]
  • Replace <regionid> with the ID of the region. If you want to grant permissions on resources in all regions, replace <regionid> with *.
  • Replace <appname> with the name of the application. If you want to grant permissions on all applications, replace <appname> with *. If you want to cover all applications that share a name prefix, replace <appname> with the prefix followed by *, for example, test*.
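As an added example that is not part of this document or of ARMS, the following Python evaluates a policy document against a requested action and armsweb resource string. It treats * as the only wildcard and assumes the usual RAM order of an explicit Deny over Allow over default deny; the policy, the application names and the account ID 1234567890 are constructed for illustration.

```python
import json
import re

# Constructed sample policy (not from the page): reads on every app in
# cn-hangzhou, saves only on apps named "test*" in any region, and an
# explicit Deny on deleting any app anywhere.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["arms:ReadRumApp"],
     "Resource": "acs:arms:cn-hangzhou:*:armsweb/*", "Effect": "Allow"},
    {"Action": ["arms:SaveRumApp"],
     "Resource": ["acs:arms:*:*:armsweb/test*"], "Effect": "Allow"},
    {"Action": ["arms:DeleteRumApp"],
     "Resource": "acs:arms:*:*:armsweb/*", "Effect": "Deny"}
  ]
}
""")

def rum_app_arn(region_id, app_name, account_id="1234567890"):
    """Build the armsweb resource string; the account ID is a constructed placeholder."""
    return f"acs:arms:{region_id}:{account_id}:armsweb/{app_name}"

def _as_list(value):
    """Action and Resource may be written as one string or as a list."""
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, value):
    """'*' matches any run of characters (including none); all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Assumed RAM order: explicit Deny wins, then any Allow, else denied.
    Condition blocks are not evaluated in this example."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the Deny statement against any region and application name shows why a prefix such as test* should be chosen so that it cannot also match applications the user must not touch.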