Each API operation in OpenSearch maps to a RAM action and a resource pattern. Use this reference when writing RAM policies to grant or restrict access to OpenSearch resources.
How to read these tables:
POP action — the API operation name used in code and API calls.
RAM action — the permission string to include in the Action element of a RAM policy.
Resource pattern — the resource scope for the action. In the management operations table, patterns use a short path format (for example, apps/$appGroupName). Prepend acs:opensearch:$regionId:$accountId: to construct the full ARN for your RAM policy.
Quick reference by scenario
Use this table to identify the RAM actions required for common tasks before consulting the full reference tables below.
| Scenario | Required RAM actions |
|---|---|
| Search documents | opensearch:SearchApp |
| Push documents | opensearch:PushDoc |
| Retrieve drop-down suggestions | opensearch:SearchSuggest |
| Create and manage applications | opensearch:CreateAppGroup, opensearch:ModifyAppGroup, opensearch:RemoveAppGroup |
| View application details and metrics | opensearch:DescribeAppGroup, opensearch:ListAppGroup, opensearch:ListAppGroupMetric |
| Manage A/B test groups and experiments | opensearch:CreateApp, opensearch:UpdateApp, opensearch:DeleteApp, opensearch:ListApp, opensearch:DescribeApp |
| Manage intervention dictionaries | opensearch:WriteInterventionDictionary, opensearch:DescribeInterventionDictionary, opensearch:ListInterventionDictionaries |
| Manage custom analyzers | opensearch:CreateUserAnalyzer, opensearch:DeleteUserAnalyzer, opensearch:WriteUserAnalyzer, opensearch:DescribeUserAnalyzer, opensearch:ListUserAnalyzers |
| Manage ranking expressions | opensearch:WriteFirstRank, opensearch:WriteSecondRank, opensearch:ListFirstRank, opensearch:ListSecondRank, opensearch:DescribeFirstRank, opensearch:DescribeSecondRank |
| Manage scheduled tasks | opensearch:CreateScheduledTask, opensearch:RemoveScheduledTask, opensearch:ModifyScheduledTask, opensearch:ListScheduledTask, opensearch:DescribeScheduledTask |
Authorization rules for management operations
Resource patterns in this table use the short path format. To use them in a RAM policy, prepend acs:opensearch:$regionId:$accountId: — for example, acs:opensearch:$regionId:$accountId:apps/$appGroupName.
| POP action | Action description | RAM action | Resource pattern |
|---|---|---|---|
| CreateABTestGroup | Creates an A/B test group. | opensearch:CreateApp | apps/$appGroupName |
| DeleteABTestGroup | Deletes an A/B test group. | opensearch:DeleteApp | apps/$appGroupName |
| ListABTestGroups | Lists A/B test groups. | opensearch:ListApp | apps/$appGroupName |
| ListABTestMetrics | Lists data reports for A/B tests. | opensearch:DescribeApp | apps/$appGroupName |
| DescribeABTestGroup | Gets the details of an A/B test group. | opensearch:DescribeApp | apps/$appGroupName |
| UpdateABTestGroup | Updates an A/B test group. | opensearch:UpdateApp | apps/$appGroupName |
| CreateABTestExperiment | Creates an A/B test experiment. | opensearch:CreateApp | apps/$appGroupName |
| DeleteABTestExperiment | Deletes an A/B test experiment. | opensearch:DeleteApp | apps/$appGroupName |
| ListABTestExperiments | Lists A/B test experiments. | opensearch:ListApp | apps/$appGroupName |
| DescribeABTestExperiment | Gets the details of an A/B test experiment. | opensearch:DescribeApp | apps/$appGroupName |
| UpdateABTestExperiment | Updates the parameters of an A/B test experiment. | opensearch:UpdateApp | apps/$appGroupName |
| CreateABTestScene | Creates an A/B test scenario. | opensearch:CreateApp | apps/$appGroupName |
| DeleteABTestScene | Deletes an A/B test scenario. | opensearch:DeleteApp | apps/$appGroupName |
| ListABTestScenes | Lists A/B test scenarios. | opensearch:ListApp | apps/$appGroupName |
| DescribeABTestScene | Gets the details of an A/B test scenario. | opensearch:DescribeApp | apps/$appGroupName |
| UpdateABTestScene | Updates an A/B test scenario. | opensearch:UpdateApp | apps/$appGroupName |
| ListABTestFixedFlowDividers | Lists the flow_divider whitelist. | opensearch:ListApp | apps/$appGroupName |
| UpdateABTestFixedFlowDividers | Updates the flow_divider whitelist. | opensearch:UpdateApp | apps/$appGroupName |
| UpdateSuggestionDictionary | Updates multiple entries in the drop-down suggestion whitelist or blacklist at a time. | opensearch:WriteSuggest | suggestions/$suggestionIdentity |
| ListSuggestionModels | Lists models for a drop-down suggestion. | opensearch:DescribeSuggest | suggestions/$suggestionIdentity |
| ListDeployedAlgorithmModels | Lists deployed algorithm models. | opensearch:DescribeApp | apps/$appGroupName |
| ListApps | Lists all application versions. | opensearch:ListApp | apps/* |
| CreateAppGroup | Creates an application. | opensearch:CreateAppGroup | app-groups/* |
| DescribeAppGroupDataReport | Gets the data quality report of an application. | opensearch:DescribeApp | apps/$appGroupName |
| RemoveAppGroup | Deletes an application. | opensearch:RemoveAppGroup | app-groups/$appGroupName |
| ListAppGroupErrors | Lists the error logs of an application. | opensearch:ListAppGroupErrors | app-groups/$appGroupName |
| ListAppGroups | Lists applications. | opensearch:ListAppGroup | app-groups/* |
| ListAppGroupMetrics | Lists the data reports of an application. | opensearch:ListAppGroupMetric | app-groups/$appGroupName |
| RenewAppGroup | Renews an application. | opensearch:UpdateApp | apps/$appGroupName |
| DescribeAppGroup | Gets the details of an application. | opensearch:DescribeAppGroup | app-groups/$appGroupName |
| ReplaceAppGroupCommodityCode | Converts a service-based application to an instance-based application. | opensearch:UpdateApp | apps/$appGroupName |
| ModifyAppGroup | Modifies the attributes of an application or switches it to online. | opensearch:ModifyAppGroup | app-groups/$appGroupName |
| ModifyAppGroupQuota | Modifies the application quota. | opensearch:updateAppGroupQuota | app-groups/$appGroupName |
| CreateApp | Creates an application version. | opensearch:CreateApp | app-groups/$appGroupName |
| RemoveApp | Deletes an application version. | opensearch:RemoveApp | app-groups/$appGroupName |
| DescribeApps | Lists application versions. | opensearch:ListApp | app-groups/$appGroupName |
| DescribeApp | Gets the details of an application version. | opensearch:DescribeApp | app-groups/$appGroupName |
| DescribeAppStatistics | Gets statistical results for an application version. | opensearch:DescribeAppStatistics | app-groups/$appGroupName |
| UpdateFetchFields | Updates the default display fields of an application version. | opensearch:UpdateApp | apps/$appGroupName |
| CreateDataCollection | Enables data collection for an application. | opensearch:WriteDataCollection | apps/$appGroupName |
| RemoveDataCollection | Disables data collection for an application. | opensearch:WriteDataCollection | apps/$appGroupName |
| ListDataCollections | Lists the data collections of an application. | opensearch:ListDataCollections | apps/$appGroupName |
| DescribeDataCollection | Gets the data collection details of an application. | opensearch:DescribeDataCollection | apps/$appGroupName |
| CreateFirstRank | Creates a rough sort expression for an application version. | opensearch:WriteFirstRank | apps/$appGroupName |
| RemoveFirstRank | Deletes a rough sort expression of an application version. | opensearch:WriteFirstRank | apps/$appGroupName |
| ListFirstRanks | Lists the rough sort expressions of an application version. | opensearch:ListFirstRank | apps/$appGroupName |
| DescribeFirstRank | Gets the details of a rough sort expression of an application version. | opensearch:DescribeFirstRank | apps/$appGroupName |
| ModifyFirstRank | Modifies a rough sort expression of an application version. | opensearch:WriteFirstRank | apps/$appGroupName |
| PushInterventionDictionaryEntries | Modifies entries in an intervention dictionary. | opensearch:WriteInterventionDictionary | intervention-dictionaries/$dictionaryName |
| ListInterventionDictionaryEntries | Lists entries in an intervention dictionary. | opensearch:DescribeInterventionDictionary | intervention-dictionaries/$dictionaryName |
| CreateInterventionDictionary | Creates an intervention dictionary. | opensearch:WriteInterventionDictionary | intervention-dictionaries/* |
| RemoveInterventionDictionary | Deletes an intervention dictionary. | opensearch:WriteInterventionDictionary | intervention-dictionaries/$dictionaryName |
| ListInterventionDictionaries | Lists the intervention dictionaries of a user. | opensearch:ListInterventionDictionaries | intervention-dictionaries/* |
| ListInterventionDictionaryNerResults | Lists the named entity recognition (NER) results of an intervention dictionary. | opensearch:DescribeInterventionDictionary | intervention-dictionaries/$dictionaryName |
| ListInterventionDictionaryRelatedEntities | Lists the resources associated with an intervention dictionary. | opensearch:DescribeInterventionDictionary | intervention-dictionaries/$dictionaryName |
| DescribeInterventionDictionary | Gets the details of an intervention dictionary. | opensearch:DescribeInterventionDictionary | intervention-dictionaries/$dictionaryName |
| ListSlowQueryCategories | Lists optimization suggestions for slow queries. | opensearch:ListOptimizerSlowQueryCategories | apps/$appGroupName |
| StartSlowQueryAnalyzer | Starts slow query analysis immediately. | opensearch:WriteOptimizerSlowQueryCategories | apps/$appGroupName |
| ListSlowQueryQueries | Lists slow queries. | opensearch:ListOptimizerSlowQueries | apps/$appGroupName |
| DisableSlowQuery | Disables slow query analysis. | opensearch:WriteOptimizerSlowQuery | apps/$appGroupName |
| EnableSlowQuery | Enables slow query analysis. | opensearch:WriteOptimizerSlowQuery | apps/$appGroupName |
| DescribeSlowQueryStatus | Gets the enabled or disabled status of slow query analysis. | opensearch:DescribeOptimizerSlowQuery | apps/$appGroupName |
| DeleteModel | Deletes a model. | opensearch:WriteAlgorithm | apps/$appGroupName |
| DescribeModel | Gets the details of a model. | opensearch:DescribeAlgorithm | apps/$appGroupName |
| ListModels | Lists models. | opensearch:DescribeAlgorithm | apps/$appGroupName |
| GetModelProgress | Gets the training progress of a model. | opensearch:DescribeAlgorithm | apps/$appGroupName |
| GetValidationError | Gets the details of data verification errors. | opensearch:DescribeAlgorithm | apps/$appGroupName |
| GetValidationReport | Gets data verification reports. | opensearch:DescribeAlgorithm | apps/$appGroupName |
| CreateModel | Creates a model. | opensearch:WriteAlgorithm | apps/$appGroupName |
| ModifyModel | Modifies model configurations. | opensearch:WriteAlgorithm | apps/$appGroupName |
| CreateQueryProcessor | Creates a query analysis rule. | opensearch:WriteQueryProcessor | apps/$appGroupName |
| RemoveQueryProcessor | Deletes a query analysis rule. | opensearch:WriteQueryProcessor | apps/$appGroupName |
| ListQueryProcessors | Lists query analysis rules. | opensearch:ListQueryProcessor | apps/$appGroupName |
| DescribeQueryProcessor | Gets the details of a query analysis rule. | opensearch:DescribeQueryProcessor | apps/$appGroupName |
| ModifyQueryProcessor | Modifies a query analysis rule. | opensearch:WriteQueryProcessor | apps/$appGroupName |
| RemoveQuotaReviewTask | Withdraws an application quota request ticket. | opensearch:UpdateApp | apps/$appGroupName |
| ListQuotaReviewTasks | Lists application quota request tickets. | opensearch:DescribeApp | apps/$appGroupName |
| CreateScheduledTask | Creates a scheduled task for an application. | opensearch:CreateScheduledTask | app-groups/$appGroupName |
| RemoveScheduledTask | Deletes a scheduled task of an application. | opensearch:RemoveScheduledTask | app-groups/$appGroupName |
| ListScheduledTasks | Lists the scheduled tasks of an application. | opensearch:ListScheduledTask | app-groups/$appGroupName |
| DescribeScheduledTask | Gets the details of a scheduled task of an application. | opensearch:DescribeScheduledTask | app-groups/$appGroupName |
| ModifyScheduledTask | Modifies a scheduled task of an application. | opensearch:ModifyScheduledTask | app-groups/$appGroupName |
| CreateSecondRank | Creates a fine sort expression for an application version. | opensearch:WriteSecondRank | apps/$appGroupName |
| RemoveSecondRank | Deletes a fine sort expression of an application version. | opensearch:WriteSecondRank | apps/$appGroupName |
| ListSecondRanks | Lists the fine sort expressions of an application version. | opensearch:ListSecondRank | apps/$appGroupName |
| DescribeSecondRank | Gets the details of a fine sort expression of an application version. | opensearch:DescribeSecondRank | apps/$appGroupName |
| ModifySecondRank | Modifies a fine sort expression of an application version. | opensearch:WriteSecondRank | apps/$appGroupName |
| ListSortExpressions | Lists the sort expressions of an application version. | opensearch:ListSortExpression | apps/$appGroupName |
| CreateSuggestion | Creates a drop-down suggestion. | opensearch:WriteSuggest | suggestions/$suggestionIdentity |
| DeleteSuggestion | Deletes a drop-down suggestion. | opensearch:WriteSuggest | suggestions/$suggestionIdentity |
| ListSuggestions | Lists drop-down suggestions. | opensearch:ListSuggest | suggestions/$suggestionIdentity |
| ListSuggestionMetrics | Lists drop-down suggestion reports. | opensearch:DescribeSuggest | suggestions/$suggestionIdentity |
| StartSuggestionTrainer | Starts model training for drop-down suggestions immediately. | opensearch:WriteSuggest | suggestions/$suggestionIdentity |
| DescribeSuggestion | Gets the details of a drop-down suggestion. | opensearch:DescribeSuggest | suggestions/$suggestionIdentity |
| UpdateSuggestionCurrentModel | Switches to the online drop-down suggestion model. | opensearch:WriteSuggest | suggestions/$suggestionIdentity |
| UpdateSummaries | Modifies the summary of an application version. | opensearch:WriteSummary | apps/$appGroupName |
| PushUserAnalyzerEntries | Modifies entries in a custom analyzer. | opensearch:WriteUserAnalyzer | user-analyzers/$analyzerName |
| ListUserAnalyzerEntries | Lists entries in a custom analyzer. | opensearch:DescribeUserAnalyzer | user-analyzers/$analyzerName |
| CreateUserAnalyzer | Creates a custom analyzer. | opensearch:CreateUserAnalyzer | user-analyzers/$analyzerName |
| DeleteUserAnalyzer | Deletes a custom analyzer. | opensearch:DeleteUserAnalyzer | user-analyzers/$analyzerName |
| ListUserAnalyzers | Lists the custom analyzers of a user. | opensearch:ListUserAnalyzers | user-analyzers/* |
| DescribeUserAnalyzer | Gets the details of a custom analyzer. | opensearch:DescribeUserAnalyzer | user-analyzers/$analyzerName |
| SearchHint | Retrieves hints. | opensearch:SearchHint | acs:opensearch:$regionId:$accountId:apps/$appGroupName |
Authorization rules for traffic operations
| POP action | Action description | RAM action | Resource pattern |
|---|---|---|---|
| PushDoc | Pushes documents. | opensearch:PushDoc | acs:opensearch:$regionId:$accountId:apps/$appGroupName |
| SearchApp | Retrieves documents. | opensearch:SearchApp | acs:opensearch:$regionId:$accountId:apps/$appGroupName |
| SearchSuggest | Retrieves drop-down suggestions. | opensearch:SearchSuggest | acs:opensearch:$regionId:$accountId:suggestions/$suggestionIdentity |
| SearchHot | Retrieves hotwords. | opensearch:SearchHot | acs:opensearch:$regionId:$accountId:apps/$appGroupName |
| SearchHint | Retrieves hints. | opensearch:SearchHint | acs:opensearch:$regionId:$accountId:apps/$appGroupName |
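The prefixing rule applied to a few rows from the tables above, as an added example that is not part of the original reference: it builds a least-privilege RAM policy for a set of API operations, keeping one statement per resource because opensearch:DescribeApp is paired with apps/$appGroupName for some operations and app-groups/$appGroupName for others. The names build_policy and RULES and the sample region, account ID and application name are assumptions made for illustration.

```python
import json

# Rows copied from the tables on this page: POP action -> (RAM action, short resource pattern).
# The traffic rows (SearchApp, PushDoc) are stored in short form; the prefix is added below.
RULES = {
    "SearchApp": ("opensearch:SearchApp", "apps/$appGroupName"),
    "PushDoc": ("opensearch:PushDoc", "apps/$appGroupName"),
    "ListABTestMetrics": ("opensearch:DescribeApp", "apps/$appGroupName"),
    "DescribeApp": ("opensearch:DescribeApp", "app-groups/$appGroupName"),
    "ListAppGroups": ("opensearch:ListAppGroup", "app-groups/*"),
}

def build_policy(pop_actions, region_id, account_id, app_group_name):
    """Return a RAM policy document granting only what the listed operations need."""
    for value in (region_id, account_id, app_group_name):
        # A wildcard or separator in a substituted value would silently widen the scope.
        if not value or any(ch in value for ch in "*?:/"):
            raise ValueError(f"unsafe value in resource ARN: {value!r}")
    prefix = f"acs:opensearch:{region_id}:{account_id}:"
    by_resource = {}
    for op in pop_actions:
        if op not in RULES:
            raise KeyError(f"no authorization rule recorded for {op}")
        ram_action, pattern = RULES[op]
        resource = prefix + pattern.replace("$appGroupName", app_group_name)
        by_resource.setdefault(resource, set()).add(ram_action)
    # One statement per resource: a statement allows every listed action on every
    # listed resource, so merging them would also allow DescribeApp on app-groups/*.
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in sorted(by_resource.items())
        ],
    }

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    policy = build_policy(
        ["SearchApp", "ListABTestMetrics", "DescribeApp", "ListAppGroups"],
        "cn-hangzhou", "1234567890123456", "my_app",
    )
    print(json.dumps(policy, indent=2))
```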