This topic describes how to grant a Resource Access Management (RAM) user the permissions to use quality of service (QoS) policies and flow logs.
Procedure
View the RAM policies that are attached to a RAM user.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Permission page, find the RAM user that you want to manage and view the permission policies attached to the RAM user.
If the AliyunSmartAccessGatewayFullAccess policy is attached to the RAM user, the RAM user can use QoS policies and flow logs without other Smart Access Gateway permissions.
If both the AliyunSmartAccessGatewayFullAccess and AliyunLogFullAccess policies are attached to the RAM user, the RAM user also holds the Log Service permissions (log:*) that flow logs rely on, so no further permissions are required for flow logs. Click AliyunSmartAccessGatewayFullAccess or AliyunLogFullAccess to view the policy details.
Note: We recommend that you also attach the AliyunRAMReadOnlyAccess policy to RAM users so that they can query the policies attached to their own accounts. A RAM user without it cannot list its own attached policies.
The following code block shows the content of the AliyunSmartAccessGatewayFullAccess policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "smartag:*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
The following code block shows the content of the AliyunLogFullAccess policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "log:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "audit.log.aliyuncs.com",
            "alert.log.aliyuncs.com",
            "middlewarelens.log.aliyuncs.com",
            "storagelens.log.aliyuncs.com",
            "ai-lens.log.aliyuncs.com",
            "securitylens.log.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
The following code block shows the content of the AliyunRAMReadOnlyAccess policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "ram:GenerateCredentialReport"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
If the AliyunSmartAccessGatewayFullAccess policy is not attached to the RAM user, create a custom policy that grants only the required actions and attach it to the RAM user. This follows the principle of least privilege: the RAM user receives the QoS and flow log permissions without the full smartag:* scope.
If the RAM user needs to use both QoS policies and flow logs, perform the following steps to create one custom policy for each and attach both to the RAM user.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. Enter the policy content.
QoS policy
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "smartag:AssociateQos",
        "smartag:CreateQos",
        "smartag:CreateQosCar",
        "smartag:CreateQosPolicy",
        "smartag:DeleteQosCar",
        "smartag:DeleteQosPolicy",
        "smartag:DescribeQosCars",
        "smartag:DescribeQosPolicies",
        "smartag:DisassociateQos",
        "smartag:GetQosAttribute",
        "smartag:ModifyQos",
        "smartag:ModifyQosCar",
        "smartag:ModifyQosPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Click Optimize in the upper part. In the Optimize message, click Perform to optimize the policy.
The system performs the following operations when it optimizes the policy:
Split resources or conditions that are incompatible with actions.
Narrow down resources.
Deduplicate or merge policy statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, configure the Policy Name and Description parameters and click OK.
Policy Name: Enter a name for the custom policy.
Description: Enter a description for the custom policy.
Perform the same steps to create a policy for flow logs:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "smartag:ActiveFlowLog",
        "smartag:AssociateFlowLog",
        "smartag:CreateFlowLog",
        "smartag:DeactiveFlowLog",
        "smartag:DescribeFlowLogSags",
        "smartag:DisassociateFlowLog",
        "smartag:ModifyFlowLogAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
In the left-side navigation pane, choose .
On the Users page, find the RAM user and click Add Permissions in the Actions column.
In the Grant Permissions panel, confirm the Resource Scope and Principal.
In the Policy section, click Custom Policy, select the custom policies created in Step 2, and then click Grant permissions.
After you complete the preceding steps, repeat Step 1 to confirm that the policies are attached to the RAM user.
If the RAM user does not have the AliyunLogFullAccess or AliyunRAMReadOnlyAccess policy, grant the relevant permissions in the same way. For more information, see Manage policy references.
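Step 1 asks you to read the attached policies by eye and decide whether they cover the QoS and flow log actions. The following Python script does that check offline for the policy documents on this page: it takes the parsed policy documents attached to a RAM user and reports which of the required smartag actions are still not granted, honouring the RAM rules that are visible here (wildcards in Action and Resource, explicit Deny overriding Allow). It is an added example, not Alibaba Cloud tooling; the policy documents embedded in it are copied from this page, the `custom_policy` helper and the `effect_for`/`missing_actions` functions are the example's own names, and statements that carry a Condition (such as the ram:CreateServiceLinkedRole statement in AliyunLogFullAccess) are skipped because their keys depend on the request, so the result errs on the side of reporting an action as missing.

```python
# Offline check of RAM policy documents against the smartag actions a task needs.
# Added example; not Alibaba Cloud tooling.  Semantics implemented:
#   - Action and Resource accept a string or a list and may use "*" wildcards
#   - an explicit Deny overrides any Allow
#   - statements with a Condition are skipped (conservative: never counted as Allow)
import fnmatch
import json

# Action lists copied from the custom QoS and flow log policies on this page.
QOS_ACTIONS = [
    "smartag:AssociateQos", "smartag:CreateQos", "smartag:CreateQosCar",
    "smartag:CreateQosPolicy", "smartag:DeleteQosCar", "smartag:DeleteQosPolicy",
    "smartag:DescribeQosCars", "smartag:DescribeQosPolicies", "smartag:DisassociateQos",
    "smartag:GetQosAttribute", "smartag:ModifyQos", "smartag:ModifyQosCar",
    "smartag:ModifyQosPolicy",
]
FLOW_LOG_ACTIONS = [
    "smartag:ActiveFlowLog", "smartag:AssociateFlowLog", "smartag:CreateFlowLog",
    "smartag:DeactiveFlowLog", "smartag:DescribeFlowLogSags",
    "smartag:DisassociateFlowLog", "smartag:ModifyFlowLogAttribute",
]

# System policy documents as shown on this page.
SAG_FULL_ACCESS = json.loads(
    '{"Version":"1","Statement":[{"Action":"smartag:*","Resource":"*","Effect":"Allow"}]}'
)
RAM_READ_ONLY = json.loads(
    '{"Version":"1","Statement":[{"Action":["ram:Get*","ram:List*",'
    '"ram:GenerateCredentialReport"],"Resource":"*","Effect":"Allow"}]}'
)


def custom_policy(actions, resource="*", effect="Allow"):
    """Build a single-statement policy document (helper of this example)."""
    return {"Version": "1",
            "Statement": [{"Action": list(actions), "Resource": resource, "Effect": effect}]}


def _as_list(value):
    """RAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """Case-sensitive glob match, so 'smartag:*' covers 'smartag:CreateQos'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def effect_for(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or None (implicitly denied) for one action on one resource."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if "Condition" in stmt:          # cannot be evaluated offline; skip
                continue
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"                # explicit Deny wins over every Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else None


def missing_actions(policies, required, resource="*"):
    """Actions in `required` that the given policies do not grant on `resource`."""
    return [a for a in required if effect_for(policies, a, resource) != "Allow"]


if __name__ == "__main__":
    # Constructed input: a user that only has AliyunRAMReadOnlyAccess attached.
    print("missing for QoS:", missing_actions([RAM_READ_ONLY], QOS_ACTIONS))
    # Both custom policies from this page attached: nothing missing.
    both = [custom_policy(QOS_ACTIONS), custom_policy(FLOW_LOG_ACTIONS)]
    print("missing with custom policies:", missing_actions(both, QOS_ACTIONS + FLOW_LOG_ACTIONS))
```

To feed it real input, paste the policy documents shown in Step 1 (or the output of the RAM ListPoliciesForUser and GetPolicy API calls) into a list of parsed JSON documents and pass that list as `policies`. The Deny handling matters in practice: a user with AliyunSmartAccessGatewayFullAccess plus a separate Deny on smartag:DeleteQosPolicy will show that one action as missing, which is exactly what the console check in Step 1 would not make obvious.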