
Application Real-Time Monitoring Service: Attach a custom policy to a RAM user for Browser Monitoring

Last Updated: Mar 11, 2026

Application Real-Time Monitoring Service (ARMS) provides system policies that grant broad permissions across all Browser Monitoring resources. When you need fine-grained access control — such as restricting a team member to read-only access for a specific application or region — create a custom policy in the Resource Access Management (RAM) console and attach it to a RAM user.

Prerequisites

Important

Custom policy-based access control is available for ARMS instances activated after 00:00 on August 26, 2022. If you activated ARMS before this date, you must submit a ticket to enable this feature.

Before you begin, make sure that you have a basic understanding of RAM policy elements, structure, and syntax. For more information, see Policy elements.

Policy elements reference

A Browser Monitoring custom policy uses three elements: Effect, Action, and Resource.

Effect

Specifies whether the statement allows or denies access. Valid values: Allow, Deny.

Action

Defines the operations a RAM user can perform on Browser Monitoring resources.

| Action | Description | Typical use case |
| --- | --- | --- |
| arms:ReadRumApp | Read-only access to the specified application | View application overview, session traces, and JS errors |
| arms:SaveRumApp | Write access to the specified application | Create an application site in Browser Monitoring |
| arms:DeleteRumApp | Delete access to the specified application | Remove an application from Browser Monitoring |

Resource

Specifies the applications and regions the policy covers. Format:

acs:arms:<region-id>:*:armsweb/<app-name>

| Placeholder | Description | Example |
| --- | --- | --- |
| <region-id> | Region where the application is deployed. Use * for all regions. | cn-hangzhou |
| <app-name> | Application name. Use * for all applications. Use a prefix pattern such as test* for prefix matching. | my-app, prod-* |

Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab and enter your policy in the editor.

    The following example grants read-only access to all Browser Monitoring applications in the China (Hangzhou) region:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "arms:ReadRumApp"
          ],
          "Resource": "acs:arms:cn-hangzhou:*:armsweb/*",
          "Effect": "Allow",
          "Condition": {}
        }
      ]
    }

    For additional examples, see Policy examples.

  5. Click Optimize in the upper part of the page. In the Optimize message, click Perform to optimize the policy.

    The system performs the following operations during the advanced optimization:

    • Split resources or conditions that are incompatible with actions.

    • Narrow down resources.

    • Deduplicate or merge policy statements.

  6. On the Create Policy page, click OK.

  7. In the Create Policy dialog box, configure the Policy Name and Description parameters and click OK.

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM users at one time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click OK.

  5. Click Close.

Policy examples

Read-only access to all applications in a specific region

Grants read-only access to all Browser Monitoring applications in the China (Hangzhou) region:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "arms:ReadRumApp"
      ],
      "Resource": "acs:arms:cn-hangzhou:*:armsweb/*",
      "Effect": "Allow",
      "Condition": {}
    }
  ]
}

Full access to a specific application

Grants read, write, and delete access to a single application across all regions. Replace my-app with your actual application name.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "arms:ReadRumApp",
        "arms:SaveRumApp",
        "arms:DeleteRumApp"
      ],
      "Resource": "acs:arms:*:*:armsweb/my-app",
      "Effect": "Allow",
      "Condition": {}
    }
  ]
}

Read-only access to applications with a shared prefix

Grants read-only access to all applications whose names start with prod-, across all regions. Use this pattern to manage permissions for environment-based naming conventions.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "arms:ReadRumApp"
      ],
      "Resource": "acs:arms:*:*:armsweb/prod-*",
      "Effect": "Allow",
      "Condition": {}
    }
  ]
}

Read-only access to a specific application in a specific region

Grants read-only access to a single application named my-app in the China (Hangzhou) region. Use this pattern for the most restrictive access.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "arms:ReadRumApp"
      ],
      "Resource": "acs:arms:cn-hangzhou:*:armsweb/my-app",
      "Effect": "Allow",
      "Condition": {}
    }
  ]
}
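Before a policy like the ones above is attached, it can be checked locally against the access it is meant to grant. The following is an added example, not part of the ARMS documentation or any Alibaba Cloud tooling: it evaluates requests against a policy document using the Resource format from this page and flags statements that grant write or delete access on a wildcard application name. The sample policy, the account ID, and the function names are constructed for illustration, and the evaluation order (explicit Deny wins, no matching Allow means denied) is an assumption.

```python
import json
import re

ACCOUNT_ID = "1234567890123456"  # constructed placeholder account ID
MUTATING = ("arms:SaveRumApp", "arms:DeleteRumApp")

# Constructed sample policy (not from the page) with one over-broad statement.
POLICY = json.loads("""{"Version": "1", "Statement": [
 {"Effect": "Allow", "Action": ["arms:ReadRumApp"],
  "Resource": "acs:arms:*:*:armsweb/prod-*"},
 {"Effect": "Allow", "Action": ["arms:SaveRumApp", "arms:DeleteRumApp"],
  "Resource": "acs:arms:cn-hangzhou:*:armsweb/*"},
 {"Effect": "Deny", "Action": ["arms:DeleteRumApp"],
  "Resource": "acs:arms:*:*:armsweb/prod-*"}]}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, value):
    """Match with '*' as the only wildcard, as the Resource table describes."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, region, app):
    """Assumed evaluation order: explicit Deny wins, no matching Allow denies."""
    resource = f"acs:arms:{region}:{ACCOUNT_ID}:armsweb/{app}"
    allowed = False
    for st in policy["Statement"]:
        if not any(wildcard_match(a, action) for a in as_list(st["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def audit(policy):
    """Flag Allow statements that grant write/delete on a wildcard app name."""
    findings = []
    for index, st in enumerate(policy["Statement"]):
        actions = as_list(st["Action"])
        writes = any(wildcard_match(a, m) for a in actions for m in MUTATING)
        if st["Effect"] != "Allow" or not writes:
            continue
        for res in as_list(st["Resource"]):
            app = res.rsplit("armsweb/", 1)[-1]  # whole string if not armsweb
            if "*" in app:
                findings.append((index, res))
    return findings
```

In the sample, the second statement is reported by audit() because it allows SaveRumApp and DeleteRumApp on every application in cn-hangzhou, while the Deny statement still blocks deletion of prod-* applications.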
