Simple Log Service: Configure the permission assistant feature

Last Updated: Oct 26, 2023

Log Service provides the permission assistant feature. This feature allows you to grant permissions on Log Service resources to a RAM user or a RAM role in a simplified manner. This topic describes how to configure the permission assistant feature in the Log Service console.

Procedure

  1. Log on to the Log Service console.

  2. In the Projects section, click the project that you want to manage.

  3. In the left-side navigation pane, choose Other > Permission Assistant.
  4. On the Permission Assistant page, configure the following parameters in the Configure Policy step and click Next.
    In the Select Mode section, you can select Project or APP.
    • Project

      If you select Project for Select Mode, you can grant permissions on all functional modules of Log Service.

      Parameter: Description
      Select Scenario: Different scenarios are associated with different functional modules. You can select a scenario based on your business requirements. After you select a scenario, Log Service automatically selects the functional modules that are associated with the scenario. You can also create a custom scenario by selecting specific functional modules.

      The permissions on a functional module include management permissions and read-only permissions. You can select permissions based on your business requirements.

      Important: The functional modules have the following relationships:
      • You must grant the read-only permissions or the management permissions on the Project module before you can use other functional modules.
      • The Data Import module is based on the Logstore module. If you select a submodule of the Data Import module, Log Service automatically selects the Logstore module.
      • The Visualization submodule is based on the Data Query submodule.
      • The Alerts, Subscribe, and Data Imported by Cloud Products submodules are based on the Visualization submodule. If you select the Alerts and Subscribe submodules, Log Service automatically grants the management permissions on the Visualization submodule.
      Resources: After you configure permissions on functional modules, you can specify the resources on which you want to grant permissions. You can use asterisks (*) to match one or more projects or Logstores. Examples:
      • RAM users or RAM roles that are granted the following permissions can manage all resources of Log Service.
        "Action": "log:*",
        "Resource": "*",
      • RAM users or RAM roles that are granted the following permissions can manage only the resources in project01.
        • acs:log:*:*:project/project01
        • acs:log:*:*:project/project01/*
      • RAM users or RAM roles that are granted the following permissions can manage only the resources in logstore01 of project01.
        • acs:log:*:*:project/project01/logstore/logstore01
        • acs:log:*:*:project/project01/logstore/logstore01/*
      Conditions: You can specify conditions to grant the permissions based on your business requirements. For more information, see Policy elements.
    • APP

      If you select APP for Select Mode, you can grant only the permissions on the Cost Manager, Log Audit Service, and K8s Event Center applications.

      Parameter: Description
      APPs: Select the applications on which you want to grant permissions. You can grant the Allow or Deny permission on an application.
      Select Scenario: If you grant the Allow permission on an application and select a scenario, Log Service automatically selects the functional modules that are associated with the scenario. You can also create a custom scenario by selecting specific functional modules.

      The permissions on a functional module include management permissions and read-only permissions. You can select permissions based on your business requirements.

      Important: The functional modules have the following relationships:
      • You must grant the read-only permissions or the management permissions on the Project module before you can use other functional modules.
      • The Data Import module is based on the Logstore module. If you select a submodule of the Data Import module, Log Service automatically selects the Logstore module.
      • The Visualization submodule is based on the Data Query submodule.
      • The Alerts, Subscribe, and Data Imported by Cloud Products submodules are based on the Visualization submodule. If you select the Alerts and Subscribe submodules, Log Service automatically grants the management permissions on the Visualization submodule.
      Resources: After you select an application, Log Service automatically specifies the associated resources. You cannot modify the associated resources.
      Conditions: You can specify conditions to grant the permissions based on your business requirements. For more information, see Policy elements.
  5. In the Preview Policy step, preview and edit the policy. The following table describes the operations that you can perform. After you confirm or edit the policy, click Next.
    Operation: Description
    Format: Format the JSON policy after you edit the policy.
    Compress: The number of lines in a permission policy cannot exceed the specified number. You can click Compress to delete redundant spaces and line feeds.
    Reset: Reset the policy content.
    Copy to Clipboard: Copy the policy content to the clipboard for further use.
    Add to Custom Template: Add the policy as a custom policy template for further use.
    Note: Custom policy templates are stored only in the local storage of the current browser. If you use another browser, you cannot access the templates.
  6. Create a custom policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.
    4. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the policy document that is obtained in Step 5, and then click Next to edit policy information.
    5. Configure the Name parameter and click OK.
  7. Grant the required permissions to the principal. The principal can be a RAM user or RAM role.
    1. In the left-side navigation pane, choose Permissions > Grants.
    2. On the page that appears, click Grant Permission.
    3. In the Grant Permission panel, configure the Authorized Scope and Principal parameters. In the Select Policy section, click Custom Policy, select the policy that is created in Step 6, and then click OK.
    4. Verify that the policy is attached to the RAM user and click Complete.

    After the principal is granted the required permissions, you can use the principal to access the Log Service resources that the policy covers.
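
The following is an added example, not part of the Log Service documentation: a check you can run on the policy document from Step 5 before you paste it into the RAM console in Step 6. It flags Allow statements that use the manage-everything pattern or a resource outside the projects you intend to grant. The function names, the `allowed_projects` parameter, and the sample policy (including its `log:Get*` and `log:List*` actions) are assumptions made for illustration.

```python
import json
import re

# Resource layout taken from the page: acs:log:*:*:project/<project>[/...]
RESOURCE_RE = re.compile(r"^acs:log:[^:]*:[^:]*:project/([^/]+)(?:/.*)?$")

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_text, allowed_projects):
    """Return (statement index, message) findings for over-broad Allow statements."""
    findings = []
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements are reviewed for over-broad grants
        actions = as_list(stmt.get("Action", []))
        for res in as_list(stmt.get("Resource", [])):
            m = RESOURCE_RE.match(res)
            if m is None:
                findings.append((i, f"resource {res!r} is not scoped to a project"))
            elif "*" in m.group(1):
                findings.append((i, f"resource {res!r} uses a wildcard project name"))
            elif m.group(1) not in allowed_projects:
                findings.append((i, f"resource {res!r} is outside the allowed projects"))
        if any(a in ("*", "log:*") for a in actions):
            findings.append((i, "action grants every Log Service operation"))
    return findings

# Constructed sample: statement 0 is the page's manage-everything example,
# statement 1 is scoped to logstore01 of project01 as in the page's last example.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["log:Get*", "log:List*"],
     "Resource": ["acs:log:*:*:project/project01/logstore/logstore01",
                  "acs:log:*:*:project/project01/logstore/logstore01/*"]}
  ]
}
"""

if __name__ == "__main__":
    for index, message in audit_policy(SAMPLE_POLICY, {"project01"}):
        print(f"statement {index}: {message}")
```
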

What to do next

  • Apply common policy templates

    On the Permission Assistant page, you can select a common policy template based on your business requirements.

  • Apply custom policy templates
    On the Permission Assistant page, you can add a custom policy as a custom policy template in the Preview Policy step for further use.
    Note: Custom policy templates are stored in the local storage of the current browser. If you use another browser, you cannot access the templates.