This topic describes how to manage ActionTrail permissions of Resource Access Management (RAM) users. You can create custom policies and attach them to the RAM users. Then, the RAM users can log on to the ActionTrail console and perform related operations.
Background information
- Before you manage ActionTrail permissions of RAM users, take note of the following system policies:
  - AliyunActionTrailFullAccess: grants a RAM user the permissions to manage ActionTrail resources.
  - AliyunActionTrailReadOnlyAccess: grants read-only permissions on ActionTrail resources.
  If the system policies cannot meet your business requirements, you can create custom policies.
- Before you manage ActionTrail permissions of RAM users, take note of the ActionTrail permissions. For more information, see RAM account authentication.
Procedure
Policy example
Grant read-only permissions on ActionTrail resources to a RAM user and allow the RAM user to access ActionTrail only from IP addresses in the CIDR block 42.120.XX.X/24.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "actiontrail:Lookup*",
        "actiontrail:Describe*",
        "actiontrail:Get*",
        "actiontrail:Check*",
        "actiontrail:List*"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.XX.X/24"
        }
      }
    }
  ]
}
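The following is an added example, not part of the original documentation: a simplified local model of how the policy above is evaluated, useful for checking which requests it would permit before you attach it. The CIDR block 203.0.113.0/24 is a constructed stand-in for the masked range, the sample requests are constructed, and the evaluation logic (explicit Deny overrides Allow, anything unmatched is denied) is a simplified assumption, not the RAM service's own implementation.

```python
import ipaddress
from fnmatch import fnmatchcase

# The page's policy, with a constructed documentation CIDR (203.0.113.0/24)
# standing in for the masked 42.120.XX.X/24.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["actiontrail:Lookup*", "actiontrail:Describe*",
                   "actiontrail:Get*", "actiontrail:Check*", "actiontrail:List*"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_condition_ok(statement, source_ip):
    """True if the statement has no IpAddress condition or source_ip is inside it."""
    cond = statement.get("Condition", {}).get("IpAddress", {})
    if "acs:SourceIp" not in cond:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in _as_list(cond["acs:SourceIp"]))

def evaluate(policy, action, source_ip):
    """Simplified model: explicit Deny wins, then Allow, otherwise implicit deny."""
    # Resource matching is omitted because the page's policy uses "*".
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not _ip_condition_ok(st, source_ip):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    for action, ip in [("actiontrail:LookupEvents", "203.0.113.25"),
                       ("actiontrail:LookupEvents", "198.51.100.7"),
                       ("actiontrail:DeleteTrail", "203.0.113.25")]:
        print(f"{action:28} from {ip:15} -> {evaluate(POLICY, action, ip)}")
```

A read action from inside the allowed range is permitted, the same action from another address is denied, and a write action such as DeleteTrail is denied regardless of source address because no statement allows it.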