
Simple Log Service:RAM access control configuration

Last Updated:Nov 24, 2025

When using Simple Log Service (SLS), you may need to configure different access permissions for users. The Alibaba Cloud account can manage access to SLS resources by setting permission policies in Resource Access Management (RAM). This topic outlines the required permissions for various SLS features.

Note

If you are a RAM user, ask the Alibaba Cloud account owner to grant you the policies you need. For more information, see Grant permissions to a RAM user.

System policies

System policies are created by Alibaba Cloud. The policy versions are maintained by Alibaba Cloud. Users can only use these policies but cannot modify them. The system policies for SLS are as follows:

  • AliyunLogFullAccess: Grants permissions to manage SLS.

  • AliyunLogReadOnlyAccess: Grants read-only permissions on SLS.

Custom policies

Custom policies can be created, updated, and deleted as needed. When system policies cannot meet your requirements, implement fine-grained permission management by creating custom policies.

For custom policy content, SLS provides a permission assistant feature to simplify the process of obtaining policy configurations.

Procedure for obtaining policy configurations using the permission assistant

  1. Log on to the Simple Log Service console, and click the target project in the project list.

  2. In the left-side navigation pane, choose Other > Permission Assistant.

  3. On the Permission Assistant page, complete the following configurations and click Next.

    • Common Project: Includes configurations for permissions on all functional modules of SLS.

      Select Scenario: Different scenarios are associated with different functional modules. After you select a scenario, SLS automatically selects the functional modules that are associated with the scenario. You can also create a custom scenario by selecting specific functional modules.

      The permissions on a functional module include management permissions and read-only permissions. Select them as needed.

      Resources: After you configure permissions on functional modules, specify the resources on which you want to grant permissions. You can use an asterisk (*) as a wildcard in project and Logstore names. For example:

      • RAM users or RAM roles that are granted the following permissions can manage all resources of SLS:

        "Action": "log:*",
        "Resource": "*"

      • RAM users or RAM roles that are granted permissions on the following resources can manage only the resources in project01:

        • acs:log:*:*:project/project01
        • acs:log:*:*:project/project01/*

      • RAM users or RAM roles that are granted permissions on the following resources can manage only the resources in logstore01 of project01:

        • acs:log:*:*:project/project01/logstore/logstore01
        • acs:log:*:*:project/project01/logstore/logstore01/*

      Limits: Specify the conditions under which the permissions apply, based on your business requirements. For more information, see Policy elements.

    • APP: Includes permission configurations for Cost Manager, Log Audit Service, and K8s Event Center.

      Applications: Select the applications on which you want to grant permissions. For each application, grant either Allow or Deny.

      Preset role selection: When you select Allow for an application, the related functional modules are automatically selected. You can also customize the selection.

      The permissions on a functional module include Manage and Read-only permissions. Select them as needed.

      Resources: After you select an application, SLS automatically specifies the associated resources. You cannot modify these resources.

      Limits: Specify the conditions under which the permissions apply, as needed. For more information, see Policy elements.

  4. Preview the policy to confirm its rules, copy the policy document, and create a custom policy from it as described in Create a custom policy.

You can also refer to the SLS operation list for configuration. The related operations are as follows:

Operation type | Operation | Description
Read | log:GetAlert | Query an alert rule
Read | log:GetAppliedConfigs | Query the list of applied Logtail configurations
Read | log:GetAppliedMachineGroups | Query the machine groups that are associated with a Logtail configuration
Read | log:GetConfig | Query a Logtail collection configuration
Read | log:GetCursorOrData | Query a cursor by time
Read | log:GetDashboard | Query a specified dashboard
Read | log:GetETL | Query a data transformation task
Read | log:GetIndex | Query an index
Read | log:GetLogging | Query service log information
Read | log:GetLogStore | View Logstore information
Read | log:GetLogStoreLogs | View Logstore monitoring logs
Read | log:GetLogStoreMeteringMode | Query the metering mode of a Logstore
Read | log:GetLogtailPipelineConfig | Query the details of a Logtail pipeline configuration
Read | log:GetMachineGroup | Query the information about a machine group
Read | log:GetProject | Query a specified project
Read | log:GetProjectPolicy | Query the authorization policy of a project
Read | log:GetSavedSearch | Query a saved search
Read | log:GetScheduledSQL | Query a Scheduled SQL job
Read | log:GetStoreView | Query a specified dataset
Read | log:GetStoreViewIndex | Query the index configuration of a specified dataset
Read | log:ListConsumerGroup | Query a consumer group
Read | log:ListDomains | Query custom domain names
Read | log:ListLogStores | List Logstores
Read | log:ListMachineGroup | Query machine groups in a project
Read | log:ListMachines | Query the list of machines in a machine group
Read | log:ListProject | List project information
Read | log:ListSavedSearch | List saved searches (quick queries)
Read | log:ListShards | Query the list of shards
Read | log:ListTagResources | List resource tags
Read | log:ListProjectsInRecycleBin | Query the project recycle bin
Write | log:PutProjectTransferAcceleration | Configure the transfer acceleration feature
Write | log:ChangeResourceGroup | Change the resource group
Write | log:ConsumerGroupHeartBeat | Send a heartbeat from a consumer to the server
Write | log:ConsumerGroupUpdateCheckPoint | Update the consumption checkpoint
Write | log:CreateConfig | Create a Logtail collection configuration
Write | log:CreateConsumerGroup | Create a consumer group
Write | log:CreateDashboard | Create a dashboard
Write | log:CreateDomain | Create a custom domain name
Write | log:CreateIndex | Create an index
Write | log:CreateLogging | Create service logs
Write | log:CreateLogStore | Create a Logstore
Write | log:CreateLogtailPipelineConfig | Create a Logtail pipeline configuration
Write | log:CreateMachineGroup | Create a machine group
Write | log:CreateMetricStore | Create a Metricstore
Write | log:CreateProject | Create a project
Write | log:CreateSavedSearch | Create a saved search
Write | log:CreateScheduledSQL | Create a Scheduled SQL job
Write | log:CreateSqlInstance | Enable the Dedicated SQL feature
Write | log:CreateStoreView | Create a dataset
Write | log:DeleteAlert | Delete an alert rule
Write | log:DeleteConfig | Delete a Logtail configuration
Write | log:DeleteConsumerGroup | Delete a consumer group
Write | log:DeleteDashboard | Delete a dashboard
Write | log:DeleteDomain | Delete a custom domain name
Write | log:DeleteIndex | Delete an index
Write | log:DeleteLogStore | Delete a Logstore
Write | log:DeleteMachineGroup | Delete a machine group
Write | log:DeleteProject | Delete a specified project
Write | log:DeleteProjectPolicy | Delete the authorization policy of a project
Write | log:DeleteSavedSearch | Delete a saved search
Write | log:DeleteScheduledSQL | Delete a Scheduled SQL job
Write | log:DeleteStoreView | Delete a dataset
Write | log:DisableAlert | Disable an alert rule
Write | log:DisableScheduledSQL | Disable a Scheduled SQL job
Write | log:EnableAlert | Enable an alert rule
Write | log:EnableScheduledSQL | Enable a Scheduled SQL job
Write | log:GetSqlInstance | Query a Dedicated SQL instance
Write | log:ListScheduledSQLs | List Scheduled SQL jobs
Write | log:MergeShard | Merge shards
Write | log:PostLogStoreLogs | Write logs
Write | log:PutProjectPolicy | Create a project authorization policy
Write | log:SplitShard | Split a shard
Write | log:TagResources | Attach a tag
Write | log:UntagResources | Remove a tag
Write | log:UpdateConfig | Update a Logtail collection configuration
Write | log:UpdateConsumerGroup | Update a consumer group
Write | log:UpdateDashboard | Update a dashboard
Write | log:UpdateIndex | Update an index
Write | log:UpdateLogging | Update the service log configuration
Write | log:UpdateLogStore | Update a Logstore
Write | log:UpdateLogStoreMeteringMode | Update the metering mode of a Logstore
Write | log:UpdateLogtailPipelineConfig | Update a Logtail pipeline configuration
Write | log:UpdateMachineGroup | Modify a machine group
Write | log:UpdateMachineGroupMachine | Modify the machine list of a machine group
Write | log:UpdateProject | Update a project
Write | log:UpdateSavedSearch | Update a saved search
Write | log:UpdateScheduledSQL | Update a Scheduled SQL job
Write | log:UpdateSqlInstance | Update a Dedicated SQL instance
Write | log:UpdateStoreView | Update the dataset configuration
List | log:ListConfig | Query the list of Logtail configurations
List | log:ListDashboard | Query dashboards
List | log:ListDownloadJobs | List log download tasks
List | log:ListETLs | List data transformation tasks
List | log:ListOSSExports | List OSS data shipping jobs
List | log:ListOSSHDFSExports | List OSS-HDFS shipping tasks
List | log:ListOSSIngestions | List OSS import tasks
List | log:ListStoreViews | Query the dataset list

Common custom policy scenarios and examples

Permissions to view the project list

Use an Alibaba Cloud account to grant the following permissions to a RAM user:

  • The permissions to view the project list of the Alibaba Cloud account

Use the following policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject"
      ],
      "Resource": [
        "acs:log:*:*:project/*"
      ],
      "Effect": "Allow"
    }
  ]
}

Read-only permissions on projects

Use an Alibaba Cloud account to grant the following permissions to a RAM user:

  • The permissions to view the project list of the Alibaba Cloud account

  • The read-only permissions on specific projects within the Alibaba Cloud account

Note

If you grant a RAM user the read-only permissions on a project, the RAM user cannot view the logs in the project. You must also grant the read-only permissions on Logstores in the project.

The following code provides an example of a policy that grants the preceding permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["log:ListProject"],
      "Resource": ["acs:log:*:*:project/*"],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/*",
      "Effect": "Allow"
    }
  ]
}

Read-only permissions on a specified Logstore and permissions to create and use saved searches

Use an Alibaba Cloud account to grant the following permissions to a RAM user:

  • The permissions to view the project list of the Alibaba Cloud account

  • The read-only permissions on a specific Logstore and the permissions to create and manage saved searches

The following code provides an example of a policy that grants the preceding permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject"
      ],
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/dashboard",
        "acs:log:*:*:project/<Project name>/dashboard/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Create*"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/savedsearch",
        "acs:log:*:*:project/<Project name>/savedsearch/*"
      ],
      "Effect": "Allow"
    }
  ]
}

Read-only permissions on a specified Logstore and read-only permissions on saved searches and dashboards in a specified Project

Use an Alibaba Cloud account to grant the following permissions to a RAM user:

  • The permissions to view the project list of the Alibaba Cloud account

  • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in the project to which the Logstore belongs

The following code provides an example of a policy that grants the preceding permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject"
      ],
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/dashboard",
        "acs:log:*:*:project/<Project name>/dashboard/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/savedsearch",
        "acs:log:*:*:project/<Project name>/savedsearch/*"
      ],
      "Effect": "Allow"
    }
  ]
}

Write permissions on a specified project

To grant a RAM user only the permissions to write data to a specified project, use the following policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/*",
      "Effect": "Allow"
    }
  ]
}

Write permissions on a specified Logstore

To grant a RAM user only the permissions to write data to a specified Logstore, use the following policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
      ]
    }
  ]
}

Consumption permissions on a specified project

To grant a RAM user only the permissions to consume data from a specified project, use the following policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/*",
      "Effect": "Allow"
    }
  ]
}

Consumption permissions on a specified Logstore

To grant a RAM user only the permissions to consume data from a specified Logstore, use the following policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
        "acs:log:*:*:project/<Project name>/logstore/<Logstore name>/*"
      ],
      "Effect": "Allow"
    }
  ]
}
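The policies above all rely on the same two mechanics: an asterisk in Action or Resource matches any run of characters, and a request is allowed only if some Allow statement matches it and no Deny statement does. The following Python script is an added example, not code from this page or from Alibaba Cloud: it applies those simplified RAM evaluation rules to a constructed policy that combines the read-only-project and write-to-one-Logstore patterns shown above, plus an explicit Deny to show that Deny wins. The project name app-prod, the Logstore names, the region and the account ID are placeholders, and Condition blocks are not evaluated. A second constructed policy scoped to the project resource alone reproduces the point made in the note above: a grant on project/<name> without /* does not reach the Logstores under it.

```python
import json
import re

# Constructed sample policy (an assumption, not a policy from the page). It combines the
# page's "read-only permissions on projects" and "write permissions on a specified
# Logstore" patterns for a hypothetical project "app-prod", and adds an explicit Deny on
# any Logstore whose name starts with "audit" to show that Deny takes precedence.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["log:ListProject"],
     "Resource": ["acs:log:*:*:project/*"], "Effect": "Allow"},
    {"Action": ["log:Get*", "log:List*"],
     "Resource": "acs:log:*:*:project/app-prod/*", "Effect": "Allow"},
    {"Action": ["log:PostLogStoreLogs"],
     "Resource": "acs:log:*:*:project/app-prod/logstore/nginx-access", "Effect": "Allow"},
    {"Action": "log:*",
     "Resource": "acs:log:*:*:project/app-prod/logstore/audit*", "Effect": "Deny"}
  ]
}
""")

# Constructed policy whose Resource names only the project itself (no trailing /*).
PROJECT_ONLY_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["log:Get*", "log:List*"],
     "Resource": "acs:log:*:*:project/app-prod", "Effect": "Allow"}
  ]
}
""")


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """Match a RAM action or resource pattern where '*' stands for any run of characters.

    Everything except '*' is matched literally, so ':' and '/' inside ARNs are not special.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _statement_matches(stmt, action, resource):
    return (any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
            and any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])))


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation of one policy document.

    A matching Deny wins over every Allow; with no matching statement the request is
    denied (implicit deny). Condition blocks are ignored in this simplified model.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_requests(policy, requests):
    """Return {(action, resource): decision} for a batch of (action, resource) pairs."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    # Constructed requests; region and account ID are placeholders.
    project = "acs:log:cn-hangzhou:123456789012:project/app-prod"
    requests = [
        ("log:ListProject", project),
        ("log:GetLogStoreLogs", project + "/logstore/nginx-access"),
        ("log:PostLogStoreLogs", project + "/logstore/nginx-access"),
        ("log:PostLogStoreLogs", project + "/logstore/app-errors"),
        ("log:GetLogStoreLogs", project + "/logstore/audit-trail"),
        ("log:DeleteLogStore", project + "/logstore/nginx-access"),
    ]
    for (action, resource), ok in evaluate_requests(SAMPLE_POLICY, requests).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {action:22} {resource}")
    # The project-only policy does not reach Logstores under the project.
    print(is_allowed(PROJECT_ONLY_POLICY, "log:GetLogStoreLogs",
                     project + "/logstore/nginx-access"))
```

Run it against a policy you are about to attach, with the exact action names from the operation list above and the real ARN shapes, to confirm the grant is no wider than the scenario needs before the RAM user ever calls the API.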

Permissions to forcefully enable encryption configuration for a specified Logstore

After you grant a RAM user this policy, the RAM user can create or modify a Logstore only if encryption is enabled for that Logstore. RAM users who receive the log:CreateLogStore and log:UpdateLogStore permissions without this condition are not subject to the requirement.

Note

You can specify the exact project name and Logstore name, or use an asterisk (*) as a wildcard to match multiple names.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:UpdateLogStore"
      ],
      "Resource": [
        "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
        "acs:log:*:*:project/<Project name>/logstore/*"
      ],
      "Condition": {
        "Bool": {
          "log:Encrypted": "true"
        }
      }
    }
  ]
}
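Reviewing a custom policy before attaching it is the other half of least privilege. The following Python script is an added example, not code from this page or from Alibaba Cloud: it walks the Allow statements of a policy document and flags three patterns, namely log:* on every resource (what the AliyunLogFullAccess system policy already provides), mutating actions granted across all projects in the account, and log:CreateLogStore or log:UpdateLogStore grants that lack the log:Encrypted condition shown above. The two policies, the project name app-prod and the finding codes are constructed assumptions, and the checks generalise the page's examples rather than reproducing any official RAM validation.

```python
import json
import re

# Constructed policies (assumptions, not from the page). The first follows the page's
# encryption example for a hypothetical project "app-prod"; the second is deliberately
# broad so that the review has something to report.
SCOPED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["log:CreateLogStore", "log:UpdateLogStore"],
     "Resource": ["acs:log:*:*:project/app-prod/logstore/*"],
     "Condition": {"Bool": {"log:Encrypted": "true"}}},
    {"Effect": "Allow",
     "Action": ["log:Get*", "log:List*"],
     "Resource": ["acs:log:*:*:project/app-prod/*"]}
  ]
}
""")

BROAD_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["log:DeleteLogStore", "log:DeleteProject"],
     "Resource": "acs:log:*:*:project/*"},
    {"Effect": "Allow", "Action": ["log:CreateLogStore"],
     "Resource": "acs:log:*:*:project/app-prod/logstore/*"}
  ]
}
""")

# Action prefixes from the Write rows of the operation list that change state.
MUTATING_PREFIXES = ("log:Create", "log:Update", "log:Delete", "log:Put",
                     "log:Post", "log:Change", "log:Tag", "log:Untag")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _grants_action(patterns, action):
    return any(_wildcard_match(p, action) for p in patterns)


def _account_wide(resource):
    """True when the pattern names no specific project (e.g. '*' or '...:project/*')."""
    if resource == "*":
        return True
    m = re.match(r"acs:log:[^:]*:[^:]*:project/([^/]*)", resource)
    return bool(m) and m.group(1) == "*"


def _encryption_required(stmt):
    flag = stmt.get("Condition", {}).get("Bool", {}).get("log:Encrypted")
    return flag is True or str(flag).lower() == "true"


def review_policy(policy):
    """Return (statement_index, finding_code) pairs for Allow statements broader than needed."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        # 1. Full administrative access to all SLS resources.
        if any(a in ("*", "log:*") for a in actions) and "*" in resources:
            findings.append((idx, "full-admin"))
        # 2. State-changing actions granted on every project in the account.
        mutating = any(a in ("*", "log:*") or a.startswith(MUTATING_PREFIXES)
                       for a in actions)
        if mutating and any(_account_wide(r) for r in resources):
            findings.append((idx, "write-all-projects"))
        # 3. Logstore create/update without the log:Encrypted condition from this page.
        if ((_grants_action(actions, "log:CreateLogStore")
             or _grants_action(actions, "log:UpdateLogStore"))
                and not _encryption_required(stmt)):
            findings.append((idx, "logstore-without-encryption-condition"))
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, review_policy(policy) or "no findings")
```

A finding is a prompt to narrow the statement, not an error: a deliberately broad policy for an administrator role is fine, but it should be a conscious decision that is visible in review rather than a side effect of copying the log:* example.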

Permissions required to use log applications

To allow a RAM user to use the following log applications or features, you must grant the RAM user the required permissions:

  • Database Audit

  • Mobile O&M Monitoring

  • Flow Log Center

  • Log Analysis for AWS CloudTrail

  • SREWorks

  • General Host Audit

  • Intelligent Anomaly Analysis

  • Custom dashboards

  • Dashboard playlists

The following policies grant the permissions that these log applications require.

  • Read-only permissions

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:GetResource",
            "log:ListResources",
            "log:GetResourceRecord",
            "log:ListResourceRecords"
          ],
          "Resource": [
            "acs:log:*:*:resource/*"
          ]
        }
      ]
    }

  • Management permissions

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:*"
          ],
          "Resource": [
            "acs:log:*:*:resource/*"
          ]
        }
      ]
    }