Resource Access Management:AliyunServiceCatalogEndUserReadOnlyAccess

AliyunServiceCatalogEndUserReadOnlyAccess is a service system policy that is managed by Alibaba Cloud. You can attach the AliyunServiceCatalogEndUserReadOnlyAccess policy to a Resource Access Management (RAM) identity, such as a RAM user, RAM user group, and RAM role. The AliyunServiceCatalogEndUserReadOnlyAccess policy: Provides read-only access to Service Catalog for end-user via Management Console.

Policy details

• Type: service system policy

• Creation time: 06:09:21 on February 10, 2022

• Update time: 03:19:34 on March 14, 2023

• Current version: v6

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ros:GetTemplate",
        "ros:ValidateTemplate",
        "ros:GetStack",
        "ros:ListStacks",
        "ros:ListStackEvents",
        "ros:ListStackResources",
        "ros:ListChangeSets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:GetUser",
        "ram:ListUsers",
        "ram:GetRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ListUserTypes",
        "servicecatalog:GetAccountInfo",
        "servicecatalog:GetProductAsEndUser",
        "servicecatalog:ListProductsAsEndUser",
        "servicecatalog:ListLaunchOptions",
        "servicecatalog:GetProductVersion",
        "servicecatalog:ListProductVersions",
        "servicecatalog:GetTemplateDefinition",
        "servicecatalog:GetGeneratedTemplate",
        "servicecatalog:GetTemplate",
        "servicecatalog:GetEnhancedTemplate",
        "servicecatalog:GetProvisioningParameters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:GetProvisionedProduct",
        "servicecatalog:GetProvisionedProductParameters",
        "servicecatalog:ListProvisionedProducts",
        "servicecatalog:GetProvisionedProductForResourceSpec",
        "servicecatalog:GetTask",
        "servicecatalog:ListTasks",
        "servicecatalog:GetProvisionedProductPlan",
        "servicecatalog:ListProvisionedProductPlanApprovers",
        "servicecatalog:ListProvisionedProductPlans"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:UserLevel": "self"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:GetProvisionedProduct",
        "servicecatalog:GetProvisionedProductParameters",
        "servicecatalog:GetProvisionedProductForResourceSpec",
        "servicecatalog:GetTask",
        "servicecatalog:ListTasks",
        "servicecatalog:GetProvisionedProductPlan",
        "servicecatalog:ListProvisionedProductPlans"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:ApprovalActor": "approver"
        }
      }
    }
  ]
}

References

• Policy elements

• Grant permissions to a RAM user

• Grant permissions to a RAM user group

• Grant permissions to a RAM role