
OpenSearch: Create and authorize RAM users

Last Updated: Feb 28, 2024

By creating and authorizing Resource Access Management (RAM) users, you can grant RAM users the permissions to perform operations on Alibaba Cloud OpenSearch, such as creating instances and viewing instance details. OpenSearch LLM-Based Conversational Search Edition supports system and custom policies.

Create a RAM user

A RAM user is an entity that you create in RAM to represent an O&M engineer or application. After you create a RAM user and grant the relevant permissions to the RAM user, the RAM user can access the specified Alibaba Cloud resources.

For more information about how to create a RAM user, see Create a RAM user.

Authorize a RAM user

After you grant permissions to a RAM user, you can attach system policies or custom policies to the RAM user. For more information, see Grant permissions to RAM users and Create custom policies.

Effective time

After you grant permissions to a RAM user or update the permissions of a RAM user, the granted or updated permissions take effect in 5 minutes.

Common permission policies

1. A system policy that grants management permissions on OpenSearch: AliyunOpenSearchFullAccess

2. A system policy that grants read-only permissions on OpenSearch: AliyunOpenSearchReadOnlyAccess

Common minimum permission set

If you want to log on to the OpenSearch console as a RAM user, you must grant the RAM user the required permissions. A common minimum permission set contains the permissions that are required to search for data in an application, view applications, and view application details. The following sections describe these permissions for your reference.

Permissions to search for data in an application

If you want to use OpenSearch SDKs to initiate a search request or test the document retrieval feature for an application as a RAM user, the RAM user must have the permissions to search for data in the application. The following sample policy grants the permissions required to retrieve documents from the application named app_schema_demo:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "opensearch:SearchApp",
            "Resource": "acs:opensearch:*:*:apps/app_schema_demo"
        }
    ],
    "Version": "1"
}

Permissions to view the applications

If you want to view applications after you log on to the OpenSearch console as a RAM user, the RAM user must have the permissions to view the applications.

{
    "Statement": [
        {
            "Action": [
                "opensearch:ListAppGroup",
                "opensearch:DescribeAppStatistics",
                "opensearch:ListAppGroupErrors"
            ],
            "Effect": "Allow",
            "Resource": "acs:opensearch:*:*:app-groups/*"
        }
    ],
    "Version": "1"
}

Permissions to view application details

If you want to view the details of an application in the OpenSearch console as a RAM user, the RAM user must have the permissions to view application details. The following sample policy grants the permissions required to view the details of the application named app_schema_demo:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "opensearch:DescribeAppGroup",
                "opensearch:ListApp",
                "opensearch:DescribeApp"
            ],
            "Resource": "acs:opensearch:*:*:app-groups/app_schema_demo"
        },
        {
            "Action": "opensearch:ListUserAnalyzers",
            "Effect": "Allow",
            "Resource": "acs:opensearch:*:*:user-analyzers/*"
        }
    ],
    "Version": "1"
}
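The three sample policies above can be merged into one custom policy and used as a baseline for reviewing other custom policies. The following Python sketch is an added example, not Alibaba Cloud code: the function names build_min_policy, allowed_pairs, and audit_policy are hypothetical, and the check assumes that only the Effect, Action, and Resource elements shown on this page are in use.

```python
import json
from fnmatch import fnmatchcase

def build_min_policy(app_name):
    """Merge the page's three sample policies into one document for app_name."""
    prefix = "acs:opensearch:*:*:"
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "opensearch:SearchApp",
         "Resource": prefix + "apps/" + app_name},
        {"Effect": "Allow", "Resource": prefix + "app-groups/*",
         "Action": ["opensearch:ListAppGroup", "opensearch:DescribeAppStatistics",
                    "opensearch:ListAppGroupErrors"]},
        {"Effect": "Allow", "Resource": prefix + "app-groups/" + app_name,
         "Action": ["opensearch:DescribeAppGroup", "opensearch:ListApp",
                    "opensearch:DescribeApp"]},
        {"Effect": "Allow", "Action": "opensearch:ListUserAnalyzers",
         "Resource": prefix + "user-analyzers/*"},
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_pairs(policy):
    """Yield every (action, resource) pair granted by an Allow statement."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                yield action, resource

def audit_policy(policy, app_name):
    """Return sorted (action, resource) grants that exceed the minimum set."""
    # A grant passes only if its action is literally in the minimum set and
    # its resource equals, or is covered by, the resource paired with it above.
    baseline = list(allowed_pairs(build_min_policy(app_name)))
    excess = set()
    for action, resource in allowed_pairs(policy):
        if not any(action == b_act and fnmatchcase(resource, b_res)
                   for b_act, b_res in baseline):
            excess.add((action, resource))
    return sorted(excess)

if __name__ == "__main__":
    # Constructed sample: a custom policy that drifted to a wildcard grant.
    drifted = {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "opensearch:*", "Resource": "*"}]}
    print(json.dumps(build_min_policy("app_schema_demo"), indent=4))
    print(audit_policy(drifted, "app_schema_demo"))
```

An empty list from audit_policy means that every Allow grant in the reviewed policy stays within the minimum set for that application. Any returned pair is a grant to justify or remove.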

Permissions to call the API operations of OpenSearch LLM-Based Conversational Search Edition

Description: If you want to integrate the API operations of OpenSearch LLM-Based Conversational Search Edition with other platforms such as DingTalk, Lark, and WeCom as a RAM user, the RAM user must have the permissions to call the API operations of OpenSearch LLM-Based Conversational Search Edition.

Click Agree to Authorization to grant the permissions.


Note

To grant the preceding permissions to a RAM user in the Singapore region, go to the Cloud Resource Access Authorization page.