After you attach system or custom policies to a Resource Access Management (RAM) user, the RAM user can use the permissions defined in the policies to access Alibaba Cloud resources. You can grant permissions to RAM users to access and manage ActionTrail. For example, RAM users can query events and manage trails and alerts. This topic describes how to grant RAM users the permissions to manage ActionTrail.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
The AliyunServiceRoleForActionTrail service-linked role is created. For more information, see Manage the service-linked role.
Procedure
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
In the Grant Permission panel, configure the Resource Scope parameter and select a policy.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service and resource type support resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see CloudSSO-based identity and permission management in multi-account scenarios.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: Select system policies.
Policy name | Description
AliyunActionTrailReadOnlyAccess | Grants read-only permissions on ActionTrail resources.
AliyunActionTrailFullAccess | Grants management permissions on ActionTrail resources.
AliyunOSSReadOnlyAccess | Grants read-only permissions on Object Storage Service (OSS) resources.
AliyunLogReadOnlyAccess | Grants read-only permissions on Simple Log Service resources.
Custom policies: Click All Types and select Custom Policy.
For more information about how to create a custom policy, see Create custom policies.
Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to query OSS buckets and Simple Log Service projects. This way, the RAM user can manage trails.
Sample code:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "actiontrail:*",
        "oss:GetService",
        "log:ListProject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permission description:
Action | Description
actiontrail:* | Provides full permissions on ActionTrail.
oss:GetService | Allows a RAM user to query OSS buckets.
log:ListProject | Allows a RAM user to query Simple Log Service projects.
Example 2: Grant a RAM user the permissions to manage trails in ActionTrail and the permissions to manage Logstores, indexes, dashboards, charts, and projects in Simple Log Service. This way, the RAM user can manage alerts.
Sample code:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "actiontrail:DescribeTrails",
        "actiontrail:SetDefaultTrail",
        "actiontrail:GetDefaultTrail",
        "actiontrail:CreateTrail"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/internal-alert-history",
        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/Project name/dashboard/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:*"
      ],
      "Resource": "acs:log:*:*:project/Project name/job/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateProject"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*"
      ]
    }
  ]
}
Permission description:
Action | Description
actiontrail:DescribeTrails | Allows a RAM user to query trails.
actiontrail:SetDefaultTrail | Allows a RAM user to specify the default trail for alerting.
actiontrail:GetDefaultTrail | Allows a RAM user to query the default trail for alerting.
actiontrail:CreateTrail | Allows a RAM user to create a trail.
log:CreateLogStore | Allows a RAM user to create a Logstore.
log:CreateIndex | Allows a RAM user to create an index.
log:UpdateIndex | Allows a RAM user to update an index.
log:CreateDashboard | Allows a RAM user to create a dashboard.
log:CreateChart | Allows a RAM user to create a chart.
log:UpdateDashboard | Allows a RAM user to update a dashboard.
log:CreateProject | Allows a RAM user to create a Simple Log Service project.
Click Grant permissions.
Click Close.
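Before attaching a policy such as Example 1 or Example 2, it helps to check what it actually grants. The following Python script is an added example (not part of this page or of Alibaba Cloud's tooling): it evaluates a single action/resource request against a policy document using a simplified model of RAM evaluation (explicit Deny overrides Allow, otherwise a matching Allow is required, `*` and `?` wildcards, case-sensitive matching) and flags statements that pair a wildcard action with the unscoped resource `*`. The policy contents are this page's two examples; the request values are constructed.

```python
import re

# Both policies are copied from this page; "Project name" is the page's own placeholder.
EXAMPLE_1 = {"Version": "1", "Statement": [
    {"Action": ["actiontrail:*", "oss:GetService", "log:ListProject"],
     "Resource": "*", "Effect": "Allow"}]}
EXAMPLE_2 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["actiontrail:DescribeTrails", "actiontrail:SetDefaultTrail",
                "actiontrail:GetDefaultTrail", "actiontrail:CreateTrail"]},
    {"Effect": "Allow", "Action": ["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex"],
     "Resource": ["acs:log:*:*:project/Project name/logstore/internal-alert-history",
                  "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"]},
    {"Effect": "Allow", "Action": ["log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard"],
     "Resource": "acs:log:*:*:project/Project name/dashboard/*"},
    {"Effect": "Allow", "Action": ["log:*"],
     "Resource": "acs:log:*:*:project/Project name/job/*"},
    {"Effect": "Allow", "Action": ["log:CreateProject"],
     "Resource": ["acs:log:*:*:project/sls-alert-*"]}]}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value):
    """Wildcard match as modeled here: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) request. A matching Deny wins; otherwise at
    least one matching Allow is needed; no matching statement is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def broad_statements(policy):
    """Least-privilege lint: indices of Allow statements that pair a wildcard action
    (such as 'actiontrail:*') with the unscoped resource '*'."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])
            and any(a.endswith("*") for a in _as_list(s["Action"]))]
```

Running `broad_statements` on the two page examples shows the difference in scope: Example 1 grants `actiontrail:*` on every resource, while Example 2 keeps its `log:*` grant confined to the job path of one project.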
References
For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
You can also call operations to grant permissions to a RAM user. For more information, see AttachPolicyToUser.