This topic describes the management permissions on a Scheduled SQL task and the required permissions of a Scheduled SQL task.
Management permissions on a Scheduled SQL task
You can manage a Scheduled SQL task only if your account has the management permissions on the task. For example, you can create, delete, modify, and view the task.
To ensure the security of your cloud resources, we recommend that you use a Resource Access Management (RAM) user.
Alibaba Cloud account: An Alibaba Cloud account has the management permissions on Simple Log Service, which are specified by the AliyunLogFullAccess policy. If you use an Alibaba Cloud account to manage a Scheduled SQL task, you do not need to grant the management permissions on the task to the account.
RAM user: If you use a RAM user to manage a Scheduled SQL task, you must grant the management permissions on the task to the RAM user. For more information, see Grant a RAM user the required permissions to use the Scheduled SQL feature.
SQL analysis permissions required by a Scheduled SQL task
To perform SQL analysis in a source Logstore or Metricstore, a Scheduled SQL task must have SQL analysis permissions.
Default role: The AliyunLogETLRole default role has permissions to perform SQL analysis. You can authorize a Scheduled SQL task to assume the default role to perform SQL analysis. For more information, see Configure a default role.
Custom role: You can create a custom role, grant the SQL analysis permissions to the role, and then authorize a Scheduled SQL task to assume the role. For more information, see Step 1: Grant the RAM role the permissions to analyze log data in a source Logstore.
Data write permissions required by a Scheduled SQL task
To write SQL analysis results to a destination Logstore or Metricstore, a Scheduled SQL task must have data write permissions.
Default role: The AliyunLogETLRole default role has permissions to write SQL analysis results to a destination Logstore or Metricstore. You can authorize a Scheduled SQL task to assume the default role to write SQL analysis results. For more information, see Configure a default role.
Custom role: You can create a custom role, grant the role the permissions to write SQL analysis results to a destination Logstore or Metricstore, and then authorize a Scheduled SQL task to assume the role. For more information, see Step 2: Grant the RAM role the permissions to write data to a destination Logstore.