No official read-only system policy exists for AI Guardrails — only AliyunYundunGreenWebFullAccess, which grants full administrative permissions. To restrict a RAM user to read-only access, create a custom policy and attach it to the user. After the policy is attached, the RAM user can view data and configurations but cannot perform write operations, such as configuring scan settings for Object Storage Service (OSS) violation detection or managing OSS violation detection results in the console.
This topic is for RAM administrators. If you are the RAM user being granted access, contact your administrator.
Prerequisites
Before you begin, ensure that:
AliyunYundunGreenWebFullAccess is revoked from the RAM user if it was directly attached. For more information, see Revoke permissions from a RAM user.
If the RAM user inherits AliyunYundunGreenWebFullAccess from a user group, the policy is revoked from the user group, or the RAM user is removed from the user group. For more information, see Revoke permissions from a RAM user group and Remove a RAM user from a RAM user group.
Create and attach a read-only policy
Log on to the RAM console as a RAM administrator.
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab.

Enter the following policy content and click OK. The policy grants all List*, Get*, Describe*, and Query* actions under the yundun-greenweb service, covering all read operations on AI Guardrails.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-greenweb:List*",
        "yundun-greenweb:Get*",
        "yundun-greenweb:Describe*",
        "yundun-greenweb:Query*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

In the Create Policy dialog box, configure the Policy Name and Description parameters and click OK.
In the navigation pane, choose Identities > Users. Find the RAM user you want to grant permissions to and click Add Permissions in the Actions column.
In the Add Permissions panel, select the custom policy and click OK.
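Before attaching a custom policy, an administrator can lint its JSON to confirm that it stays within the four read prefixes. The following Python check is an added example, not Alibaba Cloud code: the function names `broad_grants` and `is_allowed` are hypothetical, the two action names in the demo are constructed, and the evaluation ignores Resource and Condition and assumes case-sensitive matching.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "yundun-greenweb"
READ_PREFIXES = ("List", "Get", "Describe", "Query")

# Policy content from this page.
READ_ONLY_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Action": ["yundun-greenweb:List*",
 "yundun-greenweb:Get*", "yundun-greenweb:Describe*", "yundun-greenweb:Query*"],
 "Resource": "*", "Effect": "Allow"}]}
""")

def _listify(value):
    # Statement and Action may each be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def broad_grants(policy):
    """Return Allow patterns that reach beyond the service's read prefixes."""
    findings = []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append("NotAction")
        for pattern in _listify(stmt.get("Action", [])):
            service, _, action = pattern.partition(":")
            # The literal prefix must precede any wildcard, so "G*" is flagged.
            if service != SERVICE or not action.startswith(READ_PREFIXES):
                findings.append(pattern)
    return findings

def is_allowed(policy, action):
    """Evaluate one action name: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for stmt in _listify(policy["Statement"]):
        if any(fnmatchcase(action, p) for p in _listify(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

if __name__ == "__main__":
    print("patterns beyond read-only:", broad_grants(READ_ONLY_POLICY))
    # Constructed action names, used only to exercise the wildcards.
    for name in ("yundun-greenweb:DescribeExampleConfig",
                 "yundun-greenweb:UpdateExampleConfig"):
        print(name, "->", "allow" if is_allowed(READ_ONLY_POLICY, name) else "deny")
```

An empty result from `broad_grants` only covers the policy being linted; any other policy still attached to the user or inherited from a user group adds its own permissions, which is why the prerequisites require revoking AliyunYundunGreenWebFullAccess first.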