How to configure the permission assistant in the console - Simple Log Service

Simple Log Service provides the permission assistant to simplify the configuration of Resource Access Management (RAM) access policies. This topic describes how to configure the permission assistant in the Simple Log Service console.

Procedure

Log on to the Simple Log Service console.
In the Projects section, click the one you want.
In the navigation pane on the left, choose Other > Permission Assistant.

On the Permission Assistant page, configure the following parameters and click Next.

The available modes are Project and APP.

Project

In this mode, you can configure permissions for all features of Simple Log Service.

Parameter	Description
Select preset role	Different roles are preconfigured with different functional modules. You can select a preset role or select functional modules to create a custom role. The permissions for a functional module include management permissions and read-only permissions. Select permissions as needed. Important The functional modules have the following dependencies: Read-only or management permissions for the project are required to use other features. The Data Ingestion module depends on the Logstore module. If you select any item in Data Ingestion, the Logstore module is selected by default. The Visualization module depends on the Data Query module. Modules such as Alerting, Subscription, and Data Ingestion (Cloud Native Mode) depend on the Visualization module. When you use the Alerting and Subscription modules, management permissions for the Visualization module are configured by default.
Resource	After you configure permissions for the functional modules, specify the resources on which the permissions can be used. You can use an asterisk (``) to match one or more projects or Logstores. Examples: RAM users or RAM roles that are granted the following permissions can manage all resources of Simple Log Service. `"Action": "log:", "Resource": "",` RAM users or RAM roles that are granted the following permissions can manage only the resources in project01. `acs:log:::project/project01` `acs:log:::project/project01/` RAM users or RAM roles that are granted the following permissions can manage only the resources in logstore01 of project01. `acs:log:::project/project01/logstore/logstore01` `acs:log:::project/project01/logstore/logstore01/*`
Condition	Configure conditions as needed. For more information, see Policy elements.

APP

In this mode, you can configure permissions for applications such as Cost Manager, Log Audit Service, and K8s Event Center.

Parameter	Description
APP list	Select the APPs and their permissions as needed. Permissions include Allow and Deny.
Select preset role	If you set the permission for an APP to Allow, the related functional modules are automatically selected. You can also select modules to create a custom role. The permissions for a functional module include management permissions and read-only permissions. Select permissions as needed. Important The functional modules have the following dependencies: Read-only or management permissions for the project are required to use other features. The Data Ingestion module depends on the Logstore module. If you select any item in Data Ingestion, the Logstore module is selected by default. The Visualization module depends on the Data Query module. Modules such as Alerting, Subscription, and Data Ingestion (Cloud Native Mode) depend on the Visualization module. When you use the Alerting and Subscription modules, management permissions for the Visualization module are configured by default.
Resource	The system specifies the resources based on the selected APP. You cannot modify the resources.
Condition	Configure conditions as needed. For more information, see Policy elements.

Preview the access policy to verify its rules. You can also edit the generated policy. When you are finished, click Next.

Operation	Description
Format	Format the JSON code that you manually edited.
Compress	An access policy has a size limit. The compress feature removes extra spaces and line breaks.
Reset	Revert the manual edits.
Copy to clipboard	Copy the content in the editor to the clipboard for future use.
Add to custom template	Add the current access policy to a custom policy template for future use. Note The template is stored only in the local storage of your browser. If you switch to a different browser, the template is not available.

Create a custom policy.
1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.
2. In the left-side navigation pane, choose Permissions > Policies.
3. On the Policies page, click Create Policy.
4. On the Create Policy page, click the Script Editor tab. Replace the script in the editor with the access policy that you obtained in Step 5, and then click OK.
5. In the Create Policy dialog box, configure the Policy Name and Description parameters and click OK.
Grant the access policy that you created in Step 6 to a principal, such as a RAM user or a RAM role. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM role.
After the authorization is complete, you can use the principal.

Related operations

Apply a common policy template
On the Permission Assistant tab, common policy templates are provided. You can select a template based on your requirements.
Apply a custom policy template
On the Permission Assistant tab, you can also save a custom access policy as a template for future use.
Note
Custom policy templates are saved to the local storage of your browser. If you use a different browser, the templates are not available.