All Products
Search
Document Center

Simple Log Service:Authorize a RAM user to operate CloudLens for SLS

Last Updated:Jun 10, 2026

Grant a RAM user permissions to operate CloudLens for SLS.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Overview

Grant CloudLens for SLS permissions to a RAM user using either of the following methods:

  • Add system policies: You can grant all permissions on Simple Log Service to the RAM user. You cannot modify the system policies. You do not need to configure parameters.

  • Add custom policies: You can create custom policies and attach the policies to the RAM user. This method allows you to perform fine-grained access control, but requires complex configurations.

System policy

  1. Log on to the RAM console by using your Alibaba Cloud account or as a RAM administrator.

  2. Grant the RAM user read-only permissions AliyunLogReadOnlyAccess or management permissions AliyunLogFullAccess on Simple Log Service. For more information, see Manage RAM user permissions.

Custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy.

    Grant read-only or read and write permissions on CloudLens for SLS to a RAM user.

    Read-only permissions

    The RAM user can only view CloudLens for SLS pages.

    On the Create Policy page, click the JSON tab and replace the content with the following policy. For more information, see Using the script editor.

    {
        "Statement": [
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:GetProjectLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "log:GetProductDataCollection",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:ListCollectionPolicies"
                ],
                "Resource": "acs:log::*:collectionpolicy/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
          
        ],
        "Version": "1"
    }

    Read and write permissions

    The RAM user can perform all CloudLens for SLS operations.

    On the Create Policy page, click the JSON tab and replace the content with the following policy. For more information, see Using the script editor.

    {
        "Statement": [
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:CreateProject",
                    "log:CreateLogStore",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:ListLogStores",
                    "log:GetLogStore",
                    "log:GetLogStoreLogs",
                    "log:CreateDashboard",
                    "log:CreateChart",
                    "log:UpdateDashboard",
                    "log:UpdateLogStore",
                    "log:GetProjectLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },        
            {
                "Action": [
                    "log:GetProductDataCollection",
                    "log:OpenProductDataCollection",
                    "log:CloseProductDataCollection"
                ],
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:SetGeneralDataAccessConfig",
                "Resource": "acs:log:*:*:resource/sls.general_data_access.sls.global_conf.standard_channel/record",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "audit.log.aliyuncs.com"              }
                }
            },
            {
                "Action": [
                    "log:ListCollectionPolicies",
                    "log:UpsertCollectionPolicy",
                    "log:DeleteCollectionPolicy"
                ],
                "Resource": "acs:log::*:collectionpolicy/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }
  3. Attach the custom policy to the RAM user. For more information, see Manage RAM user permissions.