Actions Supported by Identity Policy-based Authorization

IAM provides system-defined identity policies to define typical cloud service permissions. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see How IAM Is Different from Organizations for Access Control?.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to edit an IAM custom identity policy, see Creating a Custom Identity Policy.
For details about how to use these elements to edit a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
- If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
- Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.
For details about the resource types defined by LTS, see Resources.
The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
- If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about the condition keys defined by LTS, see Conditions.
The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for LTS.

**Table 1** Actions supported by LTS
Action	Description	Access Level	Resource Type (*: required)	Condition Key	Alias
lts:logGroup:deleteLogGroup	Grants permission to delete log group.	Write	logGroup *	-	lts:groups:delete
lts:logGroup:listLogGroup	Grants permission to get log group list .	List	-	-	lts:groups:get lts:groups:list
lts:logGroup:createLogGroup	Grants permission to create log group.	Write	-	-	lts:groups:create
lts:logGroup:updateLogGroup	Grants permission to update log group.	Write	logGroup *	-	lts:groups:put
lts:logStream:listLogStream	Grants permission to get log stream list.	List	logGroup *	-	lts:topics:get lts:topics:list
lts:logStream:deleteLogStream	Grants permission to delete log stream.	Write	logStream *	-	lts:topics:delete
lts:logStream:createLogStream	Grants permission to create log stream.	Write	logGroup *	-	lts:topics:create
lts:logStream:searchLog	Grants permission to get logs list.	List	logStream *	-	lts:logs:list
lts:logStream:searchStructLog	Grants permission to get struct logs list.	List	logStream *	-	-
lts:logStream:searchLogHistogram	Grants permission to get logHistogram list.	List	logStream *	-	lts:sqlalarmrules:create
lts:transfer:createTransfer	Grants permission to create transfer.	Write	-	-	lts:transfers:create
lts:transfer:deleteTransfer	Grants permission to delete transfer.	Write	transfer *	-	lts:transfers:delete
lts:transfer:listTransfer	Grants permission to get transfers list.	List	-	-	lts:transfers:list
lts:transfer:updateTransfer	Grants permission to update transfer.	Write	transfer *	-	lts:transfers:put
lts:transfer:registerDmsKafkaInstance	Grants permission to register DmsKafka instance.	Write	-	-	-
lts:configCenter:updateOverCollectSwitch	Grants permission to update over collect switch.	Write	-	-	aom:quota:set
lts:structConfig:createStructConfig	Grants permission to create struct config.	Write	logStream *	-	lts:topics:create lts:structConfig:create
lts:structConfig:deleteStructConfig	Grants permission to delete struct config.	Write	logStream *	-	lts:structConfig:delete
lts:structConfig:getStructConfig	Grants permission to get struct config.	Read	logStream *	-	lts:topics:get lts:structConfig:get
lts:structConfig:listStructTemplate	Grants permission to get struct template list.	List	-	-	lts:topics:get
lts:structConfig:updateStructConfig	Grants permission to update struct config.	Write	logStream *	-	lts:topics:put lts:structConfig:put
lts:mappingRule:create	Grants permission to create mapping rule.	Write	-	-	lts:topics:create
lts:mappingRule:delete	Grants permission to delete mapping rule.	Write	-	-	lts:topics:delete
lts:mappingRule:get	Grants permission to get mapping rule detail.	Read	-	-	lts:topics:get
lts:mappingRule:list	Grants permission to get mapping rule list.	List	-	-	lts:topics:get
lts:mappingRule:update	Grants permission to update mapping rule.	Write	-	-	lts:topics:put
lts:logStream:getHistorySql	Grants permission to get log stream history sql.	Read	logStream *	-	lts:topics:get
lts:alarmRule:createSqlAlarmRule	Grants permission to create sql alarm rules.	Write	-	-	lts:sqlalarmrules:create
lts:alarmRule:deleteSqlAlarmRule	Grants permission to delete sql alarm rules.	Write	alarmRule *	-	lts:sqlalarmrules:delete
lts:alarmRule:updateSqlAlarmRule	Grants permission to update sql alarm rules.	Write	alarmRule *	-	lts:sqlalarmrules:put
lts:alarmRule:listSqlAlarmRule	Grants permission to get sql alarm rules.	List	-	-	lts:sqlalarmrules:get
lts:alarmRule:createWordAlarmRule	Grants permission to create word alarm rules.	Write	-	-	lts:sqlalarmrules:create
lts:alarmRule:deleteWordAlarmRule	Grants permission to delete word alarm rules.	Write	alarmRule *	-	lts:sqlalarmrules:delete
lts:alarmRule:updateWordAlarmRule	Grants permission to update word alarm rules.	Write	alarmRule *	-	lts:sqlalarmrules:put
lts:alarmRule:listWordAlarmRule	Grants permission to get word alarm rules.	List	-	-	-
lts:alarm:cleanAlarm	Grants permission to delete alarm.	Write	-	-	lts:sqlalarms:delete
lts:alarm:listAlarm	Grants permission to get alarm list.	List	-	-	lts:sqlalarms:get
lts:logStream:listChart	Grants permission to query the log stream chart.	List	-	-	-
lts:alarmNoticeTemplate:create	Grants permission to creating alarm notification template.	Write	-	-	lts:sqlalarmrules:create
lts:alarmNoticeTemplate:update	Grants permission to update alarm notification template.	Write	-	-	lts:sqlalarmrules:put
lts:alarmNoticeTemplate:delete	Grants permission to delete alarm notification template.	Write	-	-	lts:sqlalarmrules:delete
lts:alarmNoticeTemplate:list	Grants permission to query alarm notification template list.	List	-	-	lts:sqlalarmrules:get
lts:alarmNoticeTemplate:get	Grants permission to query alarm notification template details.	Read	-	-	lts:sqlalarmrules:get
lts:hostGroup:create	Grants permission to create host group.	Write	-	-	lts:topics:create
lts:hostGroup:delete	Grants permission to delete Host Group.	Write	hostGroup *	-	lts:topics:delete
lts:host:list	Grants permission to query host list.	List	-	-	-
lts:hostGroup:list	Grants permission to query host group list.	List	accessConfig *	-	-
lts:hostGroup:update	Grants permission to update host group list.	Write	hostGroup *	-	lts:topics:put
lts:accessConfig:create	Grants permission to create access config.	Write	logStream *	-	lts:topics:create
lts:accessConfig:delete	Grants permission to delete access config.	Write	accessConfig *	-	-
lts:accessConfig:list	Grants permission to get access config list.	List	-	-	-
lts:accessConfig:update	Grants permission to update access config.	Write	accessConfig *	-	-
lts:accessConfig:update	Grants permission to update access config.	Write	hostGroup	-	-
lts:tag:create	Grants permission to create tag.	Write	-	-	lts:resourceTags:put
lts:tag:delete	Grants permission to delete tag.	Write	-	-	lts:resourceTags:delete
lts:logStream:createQuickQuery	Grants permission to create quick query.	Write	logStream *	-	lts:searchcriterias:create
lts:logStream:deleteQuickQuery	Grants permission to delete quick query.	Write	logStream *	-	lts:searchcriterias:delete
lts:logStream:listQuickQuery	Grants permission to query quick query list.	List	logGroup *	-	lts:searchcriterias:list
lts:logFavorite:create	Grants permission to create log favorite.	Write	logStream *	-	lts:topics:create
lts:logFavorite:delete	Grants permission to delete log favorite.	Write	-	-	lts:topics:delete
lts:dashboardGroup:create	Grants permission to create dashboard group.	Write	-	-	lts:topics:create
lts:dashboard:create	Grants permission to create dashboard.	Write	-	-	lts:topics:create
lts:trafficStatistic:get	Grants permission to get trafficStatistic detail.	Read	-	-	lts:logs:list
lts:tokenizer:get	Grants permission to obtains the configured separator.	Read	-	-	lts:topic:get
lts:tokenizer:create	Grants permission to preview Word Breakers.	Write	-	-	lts:topic:put
lts:tokenizer:preview	Grants permission to preview Word Breakers.	Read	-	-	lts:topic:put
lts:usageAlarm:update	Grants permission to enables or disables usage warning.	Write	-	-	lts:topics:put
lts:csvTable:list	Grants permission to obtaining the Associated Data Source Configuration Information Table.	List	-	-	lts:sqlalarmrules:list
lts:csvTable:upload	Grants permission to uploading a CSV File.	Write	-	-	lts:sqlalarmrules:create
lts:csvTable:get	Grants permission to preview associated data and view associated data source information.	Read	-	-	lts:sqlalarmrules:get
lts:csvTable:create	Grants permission to creating Associated Data Sources.	Write	-	-	lts:sqlalarmrules:create
lts:csvTable:update	Grants permission to updating Associated Data Sources.	Write	-	-	lts:sqlalarmrules:put
lts:csvTable:delete	Grants permission to deleting Associated Data Sources.	Write	-	-	lts:sqlalarmrules:delete
lts:scheduledSql:create	Grants permission to create a scheduled SQL statement.	Write	-	-	lts:sqlalarmrules:create
lts:scheduledSql:delete	Grants permission to delete the scheduled SQL statement.	Write	-	-	lts:sqlalarmrules:delete
lts:scheduledSql:update	Grants permission to modify the scheduled SQL statement.	Write	-	-	lts:sqlalarmrules:put
lts:scheduledSql:list	Grants permission to get this interface is used to obtain the scheduled SQL list.	List	-	-	lts:sqlalarmrules:list
lts:scheduledSql:get	Grants permission to get scheduled SQL details.	Read	-	-	lts:sqlalarmrules:get
lts:scheduledSql:retry	Grants permission to retry the execution instance.	Write	-	-	lts:sqlalarmrules:delete
lts:transfer:getDisList	Grants permission to obtaining the dis channel list.	List	-	-	lts:disStreams:list
lts:transfer:listKafkaInstance	Grants permission to obtaining the Kafka List.	List	-	-	lts:kafka:list
lts:transfer:updateKafkaInstance	Grants permission to updating kafka information.	Write	-	-	lts:kafka:update
lts:transfer:deleteKafkaInstance	Grants permission to deleting kafka information.	Write	-	-	lts:kafka:delete
lts:transfer:listKafkaAuthorization	Grants permission to querying the kafka authorization list of user configurations.	List	-	-	lts:kafka:list
lts:transfer:createKafkaAuthorization	Grants permission to adding a user configuration kafka authorization list.	Write	-	-	lts:kafka:create
lts:transfer:deleteKafkaAuthorization	Grants permission to deleting a user configuration kafka authorization list.	Write	-	-	lts:kafka:delete
lts:transfer:getTransfer	Grants permission to obtaining information about a dump task.	Read	transfer *	-	lts:transfers:list
lts:transfer:getDwsInfo	Grants permission to querying dws information of a tenant.	Read	-	-	lts:transfers:list
lts:transfer:registerDwsCluster	Grants permission to registering a dws cluster.	Write	-	-	lts:transfers:create
lts:hostGroup:getHost	Grants permission to obtains all hosts based on query conditions..	Read	-	-	lts:topics:list
lts:hostGroup:get	Grants permission to obtains all configurations of a single host group based on search criteria.	Read	-	-	lts:topics:list
lts:accessConfig:get	Grants permission to obtaining a single collection configuration.	Read	accessConfig *	-	lts:topics:get
lts:logFavorite:list	Grants permission to obtaining the favorites list.	List	-	-	lts:topics:get
lts:logFavorite:update	Grants permission to modify favorites.	Write	logStream *	-	lts:topics:put
lts:logGroup:getLogGroup	Grants permission to querying a log group.	Read	logGroup *	-	lts:groups:get
lts:IndexConfig:list	Grants permission to querying indexes.	List	logGroup *	-	lts:topics:get lts:groups:get
lts:IndexConfig:create	Grants permission to creating an Index.	Write	logGroup *	-	lts:topics:put lts:groups:create
lts:structConfig:listStructConfig	Grants permission to obtaining structured log stream information.	List	logStream *	-	lts:wordFreq:get
lts:logStream:updateLogStream	Grants permission to modifying a log stream.	Write	logStream *	-	lts:topics:put
lts:logStream:getRealtimeLog	Grants permission to obtaining real-time logs.	Read	logStream *	-	lts:logs:list
lts:logStream:getLogStream	Grants permission to obtaining stream infos.	Read	logStream *	-	lts:topics:get
lts:logStream:createLogFilterRules	Grants permission to creating a log cleaning rule.	Write	logStream *	-	lts:topics:create
lts:logStream:updateLogFilterRules	Grants permission to modifying a log cleaning rule.	Write	logStream *	-	lts:topics:put
lts:logStream:deleteLogFilterRules	Grants permission to deleting a log cleaning rule.	Write	logStream *	-	lts:topics:delete
lts:logStream:listLogFilterRules	Grants permission to querying log cleaning rules.	List	logStream *	-	lts:topics:delete
lts:logStream:getQuickQuery	Grants permission to view quick queries.	List	logStream *	-	lts:searchcriterias:list
lts:logStream:updateQuickQuery	Grants permission to modify quick query.	Write	logStream *	-	lts:searchcriterias:put
lts:logStream:searchLogContext	Grants permission to querying the log context.	Read	logStream *	-	lts:logs:list
lts:structConfig:getCustomTemplate	Grants permission to querying a user-defined template.	Read	-	-	lts:topics:get
lts:structConfig:createCustomTemplate	Grants permission to creating a user-defined template.	Write	-	-	lts:topics:create
lts:structConfig:updateCustomTemplate	Grants permission to modifying a user-defined template.	Write	-	-	lts:topics:put
lts:structConfig:deleteCustomTemplate	Grants permission to deleting a user-defined template.	Write	-	-	lts:topics:delete
lts:structConfig:listCustomTemplate	Grants permission to querying the user-defined template list.	Read	-	-	lts:topics:get
lts:structConfig:smartExtra	Grants permission to intelligent extraction of structured fields.	Write	-	-	lts:topics:create
lts:logStream:getAggrResult	Grants permission to obtaining quick analysis results.	Read	logStream *	-	lts:topics:get
lts:logStream:getAggr	Grants permission to query quick analysis aggregator.	Read	-	-	lts:topics:get
lts:logStream:createAggr	Grants permission to creating a quick analysis aggregator.	Write	-	-	lts:topics:create
lts:logStream:deleteAggr	Grants permission to delete quick analysis aggregator.	Write	-	-	lts:topics:delete
lts:logStream:getQuickAnalysisAggValue	Grants permission to obtains the quick analysis result of the numeric type.	Read	logStream *	-	-
lts:logStream:getWordFreqConfig	Grants permission to querying quick analysis fields created by users.	Read	logStream *	-	lts:wordFreq:get
lts:logStream:refreshWordFreqConfig	Grants permission to modifying a quick analysis field.	Write	logStream *	-	lts:wordFreq:set
lts:logCrux:list	Grants permission to querying log clustering information.	List	-	-	lts:logreduce:list
lts:logCrux:get	Grants permission to obtains the log clustering switch information.	Read	-	-	lts:logreduce:get
lts:logCrux:enable	Grants permission to enabling Log Clustering.	Write	-	-	lts:logreduce:put
lts:logCrux:disable	Grants permission to disabling log clustering.	Write	-	-	lts:logreduce:put
lts:logStream:updateChart	Grants permission to updating the user log dashboard.	Write	-	-	lts:topics:put
lts:logStream:createChart	Grants permission to creating a user log dashboard.	Write	-	-	lts:topics:create
lts:logStream:deleteChart	Grants permission to deleting a user log dashboard.	Write	logStream *	-	lts:topics:delete
lts:logStream:getChart	Grants permission to obtaining the user log dashboard.	Read	logStream *	-	lts:topics:get
lts:dashboard:deleteChart	Grants permission to delete chart.	Write	dashboard *	-	lts:topics:delete
lts:dashboard:listCharts	Grants permission to displays charts at the dashboard level..	List	-	-	lts:topics:delete
lts:dashboard:updateChart	Grants permission to moving charts.	Write	dashboard *	-	lts:topics:put
lts:dashboard:getDashboard	Grants permission to querying user log dashboards.	Read	-	-	lts:topics:put
lts:dashboardGroup:getDashboardsGroup	Grants permission to querying user log dashboard groups.	Read	-	-	lts:topics:get
lts:dashboardGroup:updateDashboardsGroup	Grants permission to modifying a user log dashboard group.	Write	-	-	lts:topics:put
lts:dashboardGroup:deleteDashboardsGroup	Grants permission to updating user log dashboard groups.	Write	-	-	lts:topics:delete
lts:dashboard:CreateDashBoard	Grants permission to creating dashboards in batches based on the log dashboard template.	Write	-	-	lts:topics:create
lts:dashboard:CreateDashBoardTemplate	Grants permission to creating a user log dashboard template.	Write	-	-	lts:topics:create
lts:dashboard:getDashBoardTemplate	Grants permission to querying a user log dashboard template.	Read	-	-	lts:topics:get
lts:dashboard:updateDashBoardTemplate	Grants permission to modifying a user log dashboard template.	Write	-	-	lts:topics:put
lts:dashboard:deleteDashBoardTemplate	Grants permission to deleting a user log dashboard template.	Write	-	-	lts:topics:delete
lts:dashboardGroup:createLogDashboardTemplateGroup	Grants permission to creating a dashboard template group.	Write	-	-	lts:topics:create
lts:dashboardGroup:updateLogDashboardTemplateGroup	Grants permission to modifying a dashboard template group.	Write	-	-	lts:topics:put
lts:dashboardGroup:deleteLogDashboardTemplateGroup	Grants permission to deleting a user log dashboard template group.	Write	-	-	lts:topics:delete
lts:dashboard:listFilter	Grants permission to querying dashboard filters.	List	dashboard *	-	-
lts:dashboard:createFilter	Grants permission to Creating a Dashboard Filter.	Write	dashboard *	-	-
lts:dashboard:updateFilter	Grants permission to modifying a Dashboard Filter.	Write	dashboard *	-	-
lts:dashboard:deleteFilter	Grants permission to deleting a Dashboard Filter.	Write	dashboard *	-	-
lts:alarmRule:listAlarmRules	Grants permission to querying the alarm rule list.	List	-	-	lts:sqlalarmrules:get
lts:alarmRule:getKeywordsAlarmRule	Grants permission to querying keyword alarm rules.	Read	alarmRule *	-	lts:sqlalarmrules:get
lts:alarmRule:getSqlAlarmRule	Grants permission to querying sql alarm rules.	Read	alarmRule *	-	lts:sqlalarmrules:get
lts:alarm:listAlarmStatistic	Grants permission to querying sql alarm data.	List	-	-	lts:sqlalarmstatistics:get
lts:dashboard:update	Grants permission to modifying a user log dashboard.	Write	-	-	lts:topics:put
lts:dashboard:delete	Grants permission to deleting a user log dashboard.	Write	-	-	lts:topics:delete
lts:logSearch:list	Grants permission to obtains the cluster list, namespace, component, instance, log, node, and log file page component list and file list.	List	-	-	aom:log:list
lts:logSearch:getTime	Grants permission to obtains the current time of the backend node.	Read	-	-	aom:log:get
lts:logSearch:getLogContext	Grants permission to obtaining the log context.	Read	-	-	aom:log:get
lts:logSearch:exportLogs	Grants permission to download logs.	Write	-	-	aom:log:list
lts:ageingTime:get	Grants permission to obtaining quota management.	List	-	-	aom:log:list
lts:ageingTime:update	Grants permission to modify quota management.	Write	-	-	aom:quota:set
lts:logConfigPath:list	Grants permission to querying the vm log path configuration.	List	-	-	aom:log:list
lts:logConfigPath:create	Grants permission to configuring the log path of a new vm.	Write	-	-	aom:subscribe:set
lts:structRule:get	Grants permission to obtaining structured rules.	Read	-	-	aom:log:get
lts:structRule:create	Grants permission to creating a structured rule.	Write	-	-	aom:subscribe:set
lts:structRule:delete	Grants permission to deleting a structured rule.	Write	-	-	aom:subscribe:set
lts:structRule:regex	Grants permission to structured extraction.	Write	-	-	aom:subscribe:set
lts:logPail:list	Grants permission to querying a log bucket, logs in a bucket, and log bar chart.	List	-	-	aom:log:list
lts:structSql:list	Grants permission to querying structured logs.	List	-	-	aom:log:list
lts:logPail:create	Grants permission to adding a log bucket.	Write	-	-	aom:subscribe:set
lts:logPail:update	Grants permission to modifying a log bucket.	List	-	-	aom:subscribe:set
lts:logPail:delete	Grants permission to deleting a log bucket.	Write	-	-	aom:subscribe:set
lts:storageRelation:list	Grants permission to querying the dump relationship of the current tenant.	List	-	-	aom:log:list
lts:storageRelation:delete	Grants permission to delete the dump relationship of the current tenant.	Write	-	-	aom:subscribe:set
lts:storage:batchAction	Grants permission to periodic batch start and stop.	Write	-	-	aom:subscribe:set
lts:logPailDump:create	Grants permission to add log dump.	Write	-	-	aom:subscribe:set
lts:statisticsRule:list	Grants permission to querying statistics rules.	List	-	-	aom:log:list
lts:statisticsRule:create	Grants permission to creating a statistics rule.	Write	-	-	aom:subscribe:set
lts:statisticsRule:update	Grants permission to modifying a statistics rule.	Write	-	-	aom:subscribe:set
lts:statisticsRule:delete	Grants permission to deleting a statistical rule.	Write	-	-	aom:subscribe:set
lts:transfer:listKafkaInstanceTopic	Grants permission to obtains all Kafka topics of a user.	List	-	-	lts:kafka:list
lts:logPackage:create	Grants permission to purchase a resource package.	Write	-	-	lts:topics:put
lts:consumerGroup:create	Grants permission to creating a consumer group.	Write	-	-	lts:topics:create
lts:consumerGroup:delete	Grants permission to deleting a consumer group.	Write	-	-	lts:topics:delete
lts:consumerGroup:list	Grants permission to querying the consumer group list.	List	-	-	lts:topics:list
lts:consumerGroup:get	Grants permission to querying consumer group details.	Read	-	-	lts:topics:get
lts:consumerGroup:update	Grants permission to modify consumer group.	Write	-	-	lts:topics:put
lts:logStream:get	Grants permission to obtaining log flow details.	Read	-	-	lts:topics:get
lts:agency:listGroupAndStream	Grants permission to obtains the log stream list of the log group of the delegator.	List	-	-	lts:topics:get
lts:agency:listEps	Grants permission to obtain the eps list of the entrusting party.	List	-	-	lts:topics:get
lts:agency:listStructConfig	Grants permission to obtaining the structured configuration of the delegator.	List	-	-	lts:topics:get
lts:logConverge:get	Grants permission to obtaining Multi-Account log aggregation configuration.	Read	-	-	lts:logConverge:get
lts:logConverge:update	Grants permission to update Multi-Account log aggregation configuration.	Write	-	-	lts:logConverge:update
lts:logManager:createAggr	Grants permission to create a quick analysis aggregator.	Write	logStream *	-	lts:topics:create
lts:logManager:createAggrs	Grants permission to create some quick analysis aggregators.	Write	logStream *	-	lts:topics:create
lts:logManager:deleteAggr	Grants permission to delete the Quick Analysis Aggregator.	Write	logStream *	-	lts:topics:delete
lts:logManager:deleteAggrs	Grants permission to bulk delete Quick Analysis Aggregators.	Write	logStream *	-	lts:topics:delete
lts:logmanager:createLogFilter	Grants permission to create log cleaning rules.	Write	logStream *	-	lts:filters:create
lts:logmanager:listLogFilters	Grants permission to view log cleaning rules.	Read	logStream *	-	lts:filters:list
lts:logmanager:updateLogFilters	Grants permission to modify log cleaning rules.	Write	logStream *	-	lts:filters:put lts:filtersAction:put
lts:logmanager:deleteLogFilters	Grants permission to delete log cleaning rules.	Write	logStream *	-	lts:filters:delete
lts:structConfig:regex	Grants permission to regularize structuring sample logs.	Write	-	-	lts:regex:create

Each API of LTS usually supports one or more actions. Table 2 lists the supported actions and dependencies.

**Table 2** Actions and dependencies supported by LTS APIs
API	Action	Dependencies
POST /v2/{project_id}/groups	lts:logGroup:createLogGroup	-
DELETE /v2/{project_id}/groups/{log_group_id}	lts:logGroup:deleteLogGroup	-
GET /v2/{project_id}/groups	lts:logGroup:listLogGroup	-
POST /v2/{project_id}/groups/{log_group_id}	lts:logGroup:updateLogGroup	-
POST /v2/{project_id}/groups/{log_group_id}/streams	lts:logStream:createLogStream	-
PUT /v2/{project_id}/groups/{log_group_id}/streams-ttl/{log_stream_id}	lts:logStream:updateLogStream	-
DELETE /v2/{project_id}/groups/{log_group_id}/streams/{log_stream_id}	lts:logStream:deleteLogStream	-
GET /v2/{project_id}/groups/{log_group_id}/streams	lts:logStream:listLogStream	-
GET /v2/{project_id}/log-streams	lts:logStream:listLogStream	-
POST /v2/{project_id}/lts/keyword-count	lts:logStream:searchLogHistogram	-
POST /v2/{project_id}/groups/{log_group_id}/streams/{log_stream_id}/content/query	lts:logStream:searchLog	-
POST /v2/{project_id}/groups/{log_group_id}/streams/{log_stream_id}/struct-content/query	lts:logStream:searchStructLog	-
POST /v2/{project_id}/streams/{log_stream_id}/struct-content/query	lts:logStream:searchStructLog	-
POST /v2/{project_id}/transfers	lts:transfer:createTransfer	obs:bucket:PutBucketAcl obs:bucket:GetBucketAcl obs:bucket:GetEncryptionConfiguration obs:bucket:HeadBucket dis:streams:list dis:streamPolicies:list
DELETE /v2/{project_id}/transfers	lts:transfer:deleteTransfer	-
GET /v2/{project_id}/transfers	lts:transfer:listTransfer	-
POST /v2/{project_id}/lts/dms/kafka-instance	lts:transfer:registerDmsKafkaInstance	dms:instance:list
PUT /v2/{project_id}/transfers	lts:transfer:updateTransfer	obs:bucket:PutBucketAcl obs:bucket:GetBucketAcl obs:bucket:GetEncryptionConfiguration obs:bucket:HeadBucket dis:streams:list dis:streamPolicies:list
POST /v2/{project_id}/collection/disable	lts:configCenter:updateOverCollectSwitch	-
POST /v2/{project_id}/collection/enable	lts:configCenter:updateOverCollectSwitch	-
POST /v3/{project_id}/lts/struct/template	lts:structConfig:createStructConfig	-
DELETE /v2/{project_id}/lts/struct/template	lts:structConfig:deleteStructConfig	-
GET /v3/{project_id}/lts/struct/customtemplate/list	lts:structConfig:listStructTemplate	-
GET /v3/{project_id}/lts/struct/customtemplate	lts:structConfig:listStructTemplate	-
GET /v2/{project_id}/lts/struct/template	lts:structConfig:getStructConfig	-
PUT /v3/{project_id}/lts/struct/template	lts:structConfig:updateStructConfig	-
POST /v2/{project_id}/lts/aom-mapping	lts:mappingRule:create	-
DELETE /v2/{project_id}/lts/aom-mapping	lts:mappingRule:delete	-
GET /v2/{project_id}/lts/aom-mapping/{rule_id}	lts:mappingRule:get	-
GET /v2/{project_id}/lts/aom-mapping	lts:mappingRule:list	-
PUT /v2/{project_id}/lts/aom-mapping	lts:mappingRule:update	-
GET /v2/{project_id}/lts/notifications/topics	lts:alarmNoticeTemplate:list	smn:topic:list
POST /v2/{project_id}/lts/alarms/sql-alarm-rule	lts:alarmRule:createSqlAlarmRule	-
DELETE /v2/{project_id}/lts/alarms/sql-alarm-rule/{sql_alarm_rule_id}	lts:alarmRule:deleteSqlAlarmRule	-
GET /v2/{project_id}/lts/alarms/sql-alarm-rule	lts:alarmRule:listSqlAlarmRule	-
PUT /v2/{project_id}/lts/alarms/status	lts:alarmRule:updateSqlAlarmRule	-
PUT /v2/{project_id}/lts/alarms/sql-alarm-rule	lts:alarmRule:updateSqlAlarmRule	-
POST /v2/{project_id}/lts/alarms/keywords-alarm-rule	lts:alarmRule:createWordAlarmRule	-
DELETE /v2/{project_id}/lts/alarms/keywords-alarm-rule/{keywords_alarm_rule_id}	lts:alarmRule:deleteWordAlarmRule	-
GET /v2/{project_id}/lts/alarms/keywords-alarm-rule	lts:alarmRule:listWordAlarmRule	-
PUT /v2/{project_id}/lts/alarms/keywords-alarm-rule	lts:alarmRule:updateWordAlarmRule	-
POST /v2/{project_id}/{domain_id}/lts/alarms/sql-alarm/clear	lts:alarm:cleanAlarm	-
POST /v2/{project_id}/{domain_id}/lts/alarms/sql-alarm/query	lts:alarm:listAlarm	-
GET /v2/{project_id}/groups/{log_group_id}/streams/{log_stream_id}/charts	lts:logStream:listChart	-
POST /v2/{project_id}/{domain_id}/lts/events/notification/templates	lts:alarmNoticeTemplate:create	-
DELETE /v2/{project_id}/{domain_id}/lts/events/notification/templates	lts:alarmNoticeTemplate:delete	-
POST /v2/{project_id}/{domain_id}/lts/events/notification/templates/view	lts:alarmNoticeTemplate:list	-
GET /v2/{project_id}/{domain_id}/lts/events/notification/templates	lts:alarmNoticeTemplate:list	-
GET /v2/{project_id}/{domain_id}/lts/events/notification/template/{template_name}	lts:alarmNoticeTemplate:get	-
PUT /v2/{project_id}/{domain_id}/lts/events/notification/templates	lts:alarmNoticeTemplate:update	-
POST /v3/{project_id}/lts/host-group	lts:hostGroup:create	-
DELETE /v3/{project_id}/lts/host-group	lts:hostGroup:delete	-
POST /v3/{project_id}/lts/host-list	lts:host:list	aom:icmgr:get aom:icmgr:list
POST /v3/{project_id}/lts/host-group-list	lts:hostGroup:list	-
PUT /v3/{project_id}/lts/host-group	lts:hostGroup:update	-
POST /v3/{project_id}/lts/access-config	lts:accessConfig:create	-
DELETE /v3/{project_id}/lts/access-config	lts:accessConfig:delete	-
POST /v3/{project_id}/lts/access-config-list	lts:accessConfig:list	-
PUT /v3/{project_id}/lts/access-config	lts:accessConfig:update	-
POST /v1/{project_id}/{resource_type}/{resource_id}/tags/action	lts:tag:create	-
POST /v1.0/{project_id}/groups/{group_id}/topics/{topic_id}/search-criterias	lts:logStream:createQuickQuery	-
DELETE /v1.0/{project_id}/groups/{group_id}/topics/{topic_id}/search-criterias	lts:logStream:deleteQuickQuery	-
GET /v1.0/{project_id}/groups/{group_id}/topics/{topic_id}/search-criterias	lts:logStream:listQuickQuery	-
GET /v2/{project_id}/lts/history-sql	lts:logStream:getHistorySql	-
GET /v1.0/{project_id}/lts/groups/{group_id}/search-criterias	lts:logStream:listQuickQuery	-
POST /v1.0/{project_id}/lts/favorite	lts:logFavorite:create	-
DELETE /v1.0/{project_id}/lts/favorite/{fav_res_id}	lts:logFavorite:delete	-
POST /v2/{project_id}/dashboard	lts:dashboard:create	-
POST /v2/{project_id}/lts/dashboard-group	lts:dashboardGroup:create	-
POST /v2/{project_id}/lts/timeline-traffic-statistics	lts:trafficStatistic:get	-
POST /v2/{project_id}/lts/topn-traffic-statistics	lts:trafficStatistic:get	-

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for LTS.

**Table 3** Resource types supported by LTS
Resource Type	URN
logStream	lts:<region>:<account-id>:logStream:<group_id>/<stream_id>
logGroup	lts:<region>:<account-id>:logGroup:<group_id>
dashboard	lts:<region>:<account-id>:dashboard:<dashboard_id>
accessConfig	lts:<region>:<account-id>:accessConfig:<config_id>
alarmRule	lts:<region>:<account-id>:alarmRule:<alarm_rule_id>
transfer	lts:<region>:<account-id>:transfer:<transfer_id>
hostGroup	lts:<region>:<account-id>:hostGroup:<host_group_id>

Conditions

LTS does not support service-specific condition keys in identity policies.It can only use global condition keys applicable to all services. For details, see Global Condition Keys.

Parent Topic: Permissions and Supported Actions

Previous topic: Actions Supported by Policy-based Authorization

Next topic: Appendix