Resource Access Management (RAM) provides identity management and access control for Simple Log Service (SLS). Use RAM to create user accounts, control permissions, and authorize service roles and user roles to access SLS resources.
What is RAM
Resource Access Management (RAM) is an Alibaba Cloud service for identity management and access control. RAM lets you create and manage user accounts for employees, systems, or applications, and control their resource permissions. When multiple users collaborate on resources, RAM eliminates the need to share Alibaba Cloud account keys. Assign only minimum required permissions to reduce security risks.
Use RAM to grant fine-grained access permissions to RAM users, service roles, and user roles for SLS resources.
Related operations
- Identity management
Use RAM to create and manage user accounts, user groups, service roles for Alibaba Cloud services such as SLS, and user roles for cross-account operations.
SLS collects log data from Alibaba Cloud services such as API Gateway and SLB. To enable this, create and authorize a service role on the Resource Access Authorization page.
| Role | Default permission | Description |
| --- | --- | --- |
| AliyunLogArchiveRole | AliyunLogArchiveRolePolicy | Default role for accessing and exporting SLB logs. To grant permissions, click Resource Access Authorization. |
| AliyunLogImportOSSRole | AliyunLogImportOSSRolePolicy | Authorizes SLS to import data from OSS. To grant permissions, click Resource Access Authorization. |
| AliyunLogDefaultRole | AliyunLogRolePolicy | Default SLS role policy with write permissions on OSS. To grant permissions, click Resource Access Authorization. |
| AliyunLogETLRole | AliyunLogETLRolePolicy | Authorizes SLS to access resources in other Alibaba Cloud services for the extract, transform, and load (ETL) feature. To grant permissions, click Resource Access Authorization. |
| AliyunMNSLoggingRole | AliyunMNSLoggingRolePolicy | Default role for accessing and exporting MNS logs, with write permissions on OSS. To grant permissions, click Resource Access Authorization. |
- Resource access control
Grant authorization policies to user accounts, user groups, and roles within your Alibaba Cloud account.
Create custom policies or use existing policies as templates for fine-grained access control. For details, see Authentication rules.
SLS supports the following system authorization policies:
| Authorization policy | Type | Description |
| --- | --- | --- |
| AliyunLogFullAccess | System policy | Grants full management permissions on SLS. |
| AliyunLogReadOnlyAccess | System policy | Grants read-only access permissions for SLS. |
- Authorize a RAM user to access Simple Log Service
An Alibaba Cloud account holder can delegate SLS operations and maintenance (O&M) to RAM users by granting them access permissions. Grant only the minimum required permissions to RAM users. Create and authorize a RAM user.
- Authorize a service role to read logs
The SLS alert feature reads log content. To enable this, authorize the SLS service account to access log data. Create a RAM role for a trusted Alibaba Cloud service and grant permissions to the RAM role.
- Authorize a user role to manage Simple Log Service
A RAM role is a virtual identity without permanent authentication keys. A trusted entity — such as an Alibaba Cloud account, RAM user, or Alibaba Cloud service — assumes the role and obtains a temporary security token to access authorized resources.
- Grant a RAM role permissions on SLS so a trusted entity can assume the role and manage SLS. Use a RAM role to access resources across Alibaba Cloud accounts.
- Authorize a mobile app client to access SLS and upload logs directly. See Collection: Build a service to directly upload logs from mobile clients.
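The minimum-permission guidance and the custom policies described above can be checked mechanically. The following is an added example, not part of the Alibaba Cloud documentation: a small Python audit that flags over-broad SLS grants in a RAM policy document. The project and Logstore names, both sample policies, and the function names are constructed for illustration; the action names and the `acs:log:...` resource format are assumed from RAM policy syntax for SLS.

```python
import json

# Constructed sample policies in RAM policy syntax (Version "1").
# Project and Logstore names are placeholders, not values from the page.
BROAD_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "log:*", "Resource": "*"}]}
""")

SCOPED_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["log:GetLogStoreLogs", "log:GetLogStore"],
   "Resource": "acs:log:*:*:project/example-project/logstore/example-logstore"
 }]}
""")


def as_list(value):
    """RAM accepts either a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_sls_policy(policy):
    """Return (statement index, finding, value) for each over-broad Allow grant."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in as_list(stmt.get("Action", [])):
            # "*" or "log:*" grants every SLS operation, including deletes
            if action in ("*", "log:*"):
                findings.append((idx, "wildcard-action", action))
        for resource in as_list(stmt.get("Resource", [])):
            # "*" or a project wildcard reaches every project in the account
            if resource == "*" or resource.endswith("project/*"):
                findings.append((idx, "wildcard-resource", resource))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_sls_policy(doc) or "no findings")
```
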