The AI Chat Assistant is an intelligent O&M assistant built on the digital employee platform. It answers questions using your custom knowledge bases. You can configure permissions, knowledge bases, and behavior rules for each agent to create a tailored O&M assistant for your specific business scenario.
Features
The AI Chat Assistant provides these core capabilities:
Knowledge-driven Q&A: Answers O&M questions based on SOP (Standard Operating Procedure) documents from your knowledge base.
Multiple knowledge base types: Supports OSS knowledge bases, Apsara Devops (Codeup) knowledge bases, and built-in SLS knowledge bases.
Flexible permission configuration: Supports both service roles and custom roles.
Custom rules: Define default rules to guide your digital employee’s behavior.
Note: The AI Chat Assistant is built on the digital employee platform. It relies entirely on SOP documents. Without an associated knowledge base, it cannot answer questions effectively.
Prerequisites
Before you use the AI Chat Assistant, confirm the following:
User type | Required permissions |
Alibaba Cloud account | You have all management permissions by default. You can start creating digital employees right away. |
RAM user | Contact your administrator to grant the required permissions. For details, see Grant permissions to RAM users. |
Create a digital employee
Log on to the Simple Log Service console.
Choose Log Applications > AI Chat Assistant, then click Digital Employees.
On the digital employees list page, click Create Digital Employee in the upper-right corner.
In the Create Digital Employee dialog box, configure the following parameters:
Parameter
Required
Description
ID
Yes
A unique identifier for the digital employee. You cannot change it after creation. Use letters and numbers only. For example,
order-system-expert.Display name
Yes
The name shown for the digital employee in the console. Use a business-specific name. For example, Order System Monitoring Expert or Big Data Cluster Inspector.
RAM role type
Yes
Select the RAM role type for the digital employee:
• Service role: Uses a system-provided service role (no setup needed). The digital employee gets read-only access to Simple Log Service and ARMS automatically.
• Custom role: Choose this option if you need access to a specific Model Studio knowledge base or want to limit access scope. Enter the ARN of an authorized RAM role. For details, see Create a RAM role and grant permissions.
RAM role ARN
Yes
The service role uses
ServiceRoleForCloudMonitorby default. This role has read-only access to Cloud Monitor 2.0 data, including Simple Log Service and ARMS.Built-in SLS knowledge base
No
Enable this option to let the digital employee answer SLS-related questions. Enabled by default.
Description
No
Describe the employee’s responsibilities and strengths. For example: Performs daily inspections of core applications in the Order Hub, analyzes anomaly alerts, identifies root causes, and supports MySQL slow-query analysis.
Default rule
No
A default rule that guides the digital employee’s work. Use Markdown syntax. Define the employee’s role, scope of capabilities, and code of conduct.
After configuration, click OK.
Associate a knowledge base
After you create a digital employee, you can associate a knowledge base with it. If you enabled the Built-in SLS knowledge base during creation, you can ask SLS-related questions right away. To associate a custom knowledge base, follow the steps below.
SOP knowledge base structure
SOP knowledge bases use a progressive folder structure. The core entry file is SOP.md. Organize files by module so the agent can retrieve the necessary knowledge from the structure.
We recommend this folder structure:
Root directory of the knowledge base/
├── SOP.md # Core entry file. Summarizes knowledge across domains.
├── accesslog/ # Access log domain
│ ├── overview.md # Domain overview
│ └── troubleshooting.md # Troubleshooting guide
├── monitoring/ # Monitoring domain
│ ├── overview.md
│ └── alert-handling.md
└── ...You can describe the knowledge summary for each domain in SOP.md. Then add detailed content in the corresponding files under each subfolder.
Associate the built-in SLS knowledge base
The built-in SLS knowledge base includes standard operating procedures and best practices for Simple Log Service. It helps answer SLS-related questions.
Method 1: Enable during creation
Keep the Built-in SLS knowledge base toggle enabled when you create the digital employee.
Method 2: Add after creation
In the digital employees list, click the target employee to open its details page.
Click the Knowledge Bases tab.
Click Add Knowledge Base and select Built-in Knowledge Base.
In Knowledge Base ID, enter
sls, then click OK.
Associate an OSS knowledge base
If your SOP documents are stored in OSS, follow these steps to associate an OSS knowledge base.
Prerequisites
You created an OSS bucket and uploaded your SOP documents.
You created and configured a custom RAM role. For more information, see Create a RAM role and grant permissions.
Procedure
You can change the digital employee’s RAM role type to Custom role and enter the ARN of the authorized RAM role.
In the digital employee’s details page, click the Knowledge Bases tab.
Click Add Knowledge Base and select OSS Knowledge Base.
Configure the following parameters:
Parameter
Description
OSS Region
The region where your OSS bucket resides.
OSS Bucket
The name of your OSS bucket.
Root path of the knowledge base
The directory path containing the
SOP.mdfile. IfSOP.mdis in the bucket root, enter/. If it is in a subdirectory, enter the full path. For example,/docs/sop/.Click OK.
Associate an Apsara Devops knowledge base
If you manage SOP documents in Apsara Devops (Codeup), follow these steps to associate an Apsara Devops knowledge base.
Prerequisites
You created a code repository and uploaded SOP documents in the Apsara Devops console.
Your Personal Access Token (PAT) has been created.
Obtain configuration information
Organization ID: In the Apsara Devops console, click your code repository. You can copy the organization ID from the URL. The URL format is
https://codeup.aliyun.com/organization-ID/repository-name.Repository ID: On the repository page, go to Settings > Basic Information.
Personal access token:
In the Apsara Devops console, click your profile picture in the upper-right corner and choose Personal Settings.
Choose Personal Access Tokens, then click Create Access Token.
Enter a token name, set an expiration time and permissions, then click Create.
Copy and save the generated token. You can view it only once.
Procedure
In the digital employee’s details page, click the Knowledge Bases tab.
Click Add Knowledge Base and select Apsara Devops Knowledge Base.
Configure the following parameters:
Parameter
Description
Organization ID
Apsara DevOps organization ID
Repository ID
Your code repository ID.
Branch name
The branch to associate. For example,
masterormain.Personal access token
Your Apsara Devops personal access token.
Root path of the knowledge base
The directory path containing the
SOP.mdfile.Click OK.
Chat with a digital employee
After you create a digital employee and associate a knowledge base, you can start chatting with it.
In the AI Chat Assistant page, click New Chat in the navigation pane on the left.
In the chat input box, select the digital employee you want to talk to.
Enter your question and press Enter or click the send button.
The digital employee answers your question using the associated knowledge base.
Note: In the upper-right corner of the chat interface, you can set a time range to limit the data timestamp that the digital employee retrieves.
Appendix
Grant permissions to RAM users
If you use a RAM user to operate the AI Chat Assistant, your administrator must grant the required permissions.
Role assumption permission
This permission lets a RAM user pass a RAM role to Cloud Monitor. This permission is required to create a digital employee.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "cloudmonitor.aliyuncs.com"
}
}
}
]
}
Note: To restrict the scope, set Resource to a specific role ARN.Chat permission
This permission allows a RAM user to chat with digital employees only.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:CreateChat",
"cms:CreateThread",
"cms:GetThread",
"cms:GetThreadData",
"cms:ListThreads"
],
"Resource": "acs:cms:*:*:digitalEmployee/*"
}
]
}
Management permission
This permission allows a RAM user to manage digital employees. It includes chat permissions.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:CreateChat",
"cms:GetDigitalEmployee",
"cms:ListDigitalEmployees",
"cms:GetThread",
"cms:GetThreadData",
"cms:ListThreads",
"cms:CreateDigitalEmployee",
"cms:UpdateDigitalEmployee",
"cms:DeleteDigitalEmployee",
"cms:CreateThread",
"cms:UpdateThread",
"cms:DeleteThread"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*",
"acs:cms:*:*:digitalemployee/*/thread/*"
]
}
]
}
Create a RAM role and grant permissions
If you need a custom role—for example, to access an OSS knowledge base—follow these steps to create and authorize a RAM role.
Step 1: Create a RAM role
Log on to the Resource Access Management (RAM) console.
In the navigation pane on the left, choose Identity Management > Roles.
Click Create Role and select Alibaba Cloud Service as the trusted entity type.
Configure the following:
Role name: Enter a custom role name.
Trusted service: Select Cloud Monitor/Cms.
Click Complete.
Step 2: Grant permissions to the RAM role
You can create a custom policy. The following policy grants read-only access to OSS and Simple Log Service:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl",
"oss:ListObjects",
"oss:ListObjectVersions"
],
"Resource": [
"acs:oss:*:*:<OSS_BUCKET_NAME>",
"acs:oss:*:*:<OSS_BUCKET_NAME>/*"
]
},
{
"Effect": "Allow",
"Action": [
"log:Get*",
"log:List*"
],
"Resource": "*"
}
]
}
Note: Replace <OSS_BUCKET_NAME> with your actual OSS bucket name.You can attach the custom policy to the RAM role.
FAQ
Q: Is the AI Chat Assistant free?
A: The AI Chat Assistant is in public preview. It is free during the public preview period. After general availability, you will be billed by usage. We will notify you of the billing rules in advance.
Q: What is the difference between the AI Chat Assistant and Cloud Monitor digital employees?
A: Both are built on the same digital employee platform. The AI Chat Assistant focuses on SOP-based Q&A. It relies entirely on knowledge bases. Cloud Monitor digital employees support broader monitoring and O&M tasks.
Q: Why can’t my digital employee answer my question?
A: Check the following:
You have associated a knowledge base, and it contains relevant content.
Your knowledge base structure is correct and the core entry file
SOP.mdexists.The digital employee has permission to access the knowledge base.
Appendix
List of SOP Agent tools
Tool name | Visible to agent by default | Description |
SopRead | Yes | Read SOP documents. |
LoadTool | Yes | Load tools. |
QuerySLSLogs | Yes | Run Simple Log Service query and analysis statements. |
TodoWrite | Yes | To-do List |
ParseTimeString | Yes | Parse time strings. |
FormatTimestamp | Yes | Format timestamp fields. |
EvaluateExpression | Yes | Evaluate arithmetic (+, -, *, /) and Boolean expressions. |
GetProductDataCollection | No | Get log location information for Alibaba Cloud services. |
ListSLSProjects | No | List Simple Log Service projects. |
GetProject | No | Get project details. |
ListSLSAlerts | No | List alerts. |
GetSLSAlert | No | Get alert information. |
ListSLSMachineGroups | No | List Logtail machine groups. |
GetSLSMachineGroup | No | Get Logtail machine group details. |
ListSLSLogStores | No | List LogStore instances. |
GetSLSLogStore | No | Get LogStore details. |
ListSLSDashboards | No | List dashboards. |
GetSLSDashboard | No | Get dashboard details. |
ListSLSLogtailPipelineConfigs | No | List Logtail collection configurations. |
GetSLSLogtailPipelineConfig | No | Get Logtail configuration details. |
To use tools marked No for default visibility, call them in your SOP document such as this:
Load and call tool ListSLSLogstores