Simple Log Service: Grant a RAM user the permissions to manage a data transformation job

Last Updated: Jun 12, 2025

This topic describes how to grant a Resource Access Management (RAM) user the permissions to manage a data transformation job.

Prerequisites

A RAM user is created.

Background information

You can use your Alibaba Cloud account to grant a RAM user the permissions to manage a data transformation job. With these permissions, the RAM user can perform the following operations:

  • Create, delete, and modify a data transformation job.

  • Read data from a source logstore to preview the results of a data transformation job.

You can grant a RAM user the permissions to transform data in Simple Log Service by using one of the following methods:

  • Add system policies: This method grants the RAM user all permissions on Simple Log Service. System policies cannot be modified and require no parameter configuration.

  • Add custom policies: You create custom policies and attach them to the RAM user. This method gives you fine-grained access control but requires more complex configuration.

Add system policies

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Add the system policies AliyunLogFullAccess and AliyunRAMFullAccess to the RAM user. For more information, see Grant permissions to a RAM user.

Add custom policies

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy. On the JSON tab of the Create Policy page, replace the existing script in the code editor with the following policy document. For more information, see Create a custom policy on the JSON tab.

    Important

    Replace Project name and Logstore name in the policy document based on your business requirements.

    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":[
                    "log:CreateLogStore",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:Get*"
                ],
                "Resource":"acs:log:*:*:project/Project name/logstore/internal-etl-log"
            },
            {
                "Action":[
                    "log:List*"
                ],
                "Resource":"acs:log:*:*:project/Project name/logstore/*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "log:Get*",
                    "log:List*"
                ],
                "Resource":[
                    "acs:log:*:*:project/Project name/logstore/Logstore name"
                ],
                "Effect":"Allow"
            },
            {
                "Effect":"Allow",
                "Action":[
                    "log:GetDashboard",
                    "log:CreateDashboard",
                    "log:UpdateDashboard"
                ],
                "Resource":"acs:log:*:*:project/Project name/dashboard/internal-etl-insight*"
            },
            {
                "Effect":"Allow",
                "Action":"log:CreateDashboard",
                "Resource":"acs:log:*:*:project/Project name/dashboard/*"
            },
            {
                "Effect":"Allow",
                "Action":[
                    "log:*"
                ],
                "Resource":"acs:log:*:*:project/Project name/job/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ram:PassRole",
                    "ram:GetRole",
                    "ram:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }

  3. Attach the created custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
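The placeholder substitution in step 2 can be scripted so that a malformed name cannot change the scope of a resource pattern. The following is an added example, not code from the original documentation: it fills in the policy above and lists the statements whose grant is not limited to a single resource or action. The function names `render` and `scope_review`, the name allowlist, and the sample names `demo-project` and `source-logstore` are assumptions made for this example.

```python
import json
import re

# The policy document from step 2, condensed to one statement per line.
TEMPLATE = """{"Version":"1","Statement":[
 {"Effect":"Allow","Action":["log:CreateLogStore","log:CreateIndex","log:UpdateIndex","log:Get*"],"Resource":"acs:log:*:*:project/Project name/logstore/internal-etl-log"},
 {"Effect":"Allow","Action":["log:List*"],"Resource":"acs:log:*:*:project/Project name/logstore/*"},
 {"Effect":"Allow","Action":["log:Get*","log:List*"],"Resource":["acs:log:*:*:project/Project name/logstore/Logstore name"]},
 {"Effect":"Allow","Action":["log:GetDashboard","log:CreateDashboard","log:UpdateDashboard"],"Resource":"acs:log:*:*:project/Project name/dashboard/internal-etl-insight*"},
 {"Effect":"Allow","Action":"log:CreateDashboard","Resource":"acs:log:*:*:project/Project name/dashboard/*"},
 {"Effect":"Allow","Action":["log:*"],"Resource":"acs:log:*:*:project/Project name/job/*"},
 {"Effect":"Allow","Action":["ram:PassRole","ram:GetRole","ram:ListRoles"],"Resource":"*"}]}"""

# Assumption for this example: a conservative allowlist, so that "*", "/" or ":"
# in a name cannot widen or redirect the resource pattern it is substituted into.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{1,62}")

def as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def render(template, project, logstore):
    """Validate both names, substitute the placeholders, return the parsed policy."""
    for label, name in (("project", project), ("logstore", logstore)):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe {label} name: {name!r}")
    text = template.replace("Project name", project).replace("Logstore name", logstore)
    return json.loads(text)

def scope_review(policy):
    """Return (statement index, reason) for Allow grants with Resource "*" or a service-wide action."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        if "*" in resources:
            findings.append((i, "Resource is *: " + ", ".join(actions)))
        for action in actions:
            if action.endswith(":*"):
                findings.append((i, f"all {action.split(':')[0]} actions on {resources[0]}"))
    return findings

if __name__ == "__main__":
    policy = render(TEMPLATE, "demo-project", "source-logstore")  # constructed names
    print(json.dumps(policy, indent=4))
    for index, reason in scope_review(policy):
        print(f"review statement {index}: {reason}")
```

Run against the policy above, the review lists the `log:*` grant on `job/*` and the `ram:PassRole`, `ram:GetRole`, and `ram:ListRoles` grant on `"Resource": "*"`.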