Mission permission configuration
Configure management permissions for Long-Term Missions in STAROps. RAM policy examples for common scenarios are included.
If you use an Alibaba Cloud account (root account), you already have full management permissions for Missions. No additional configuration is required. The following content applies only to RAM users.
Prerequisites
- You have obtained access to the Alibaba Cloud account or an administrator RAM user with RAM management permissions.
- You understand the STAROps permission model. For an overview, see Permission Configuration.
Permission action reference
Long-Term Missions are first-class resource objects in CloudMonitor (CMS). Access to Mission operations is controlled through RAM policy actions.
| Action | Description | Console operation |
|---|---|---|
| | Create a Mission. | Click + New Mission on the Mission list page. |
| | Query Mission details. | View the Mission details page. |
| | List all Missions. | View the Mission list page. |
| | Update Mission configuration. | Modify the Blueprint through conversation, or enable/disable a Mission. |
| | Delete a Mission. | Click Delete on the Mission settings page. |
RAM policy examples
Full management permissions
Grant a RAM user full management permissions for Missions (create, view, modify, and delete), including access to tasks and artifacts.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"starops:CreateDigitalEmployee",
"starops:GetDigitalEmployee",
"starops:ListDigitalEmployees",
"starops:UpdateDigitalEmployee",
"starops:DeleteDigitalEmployee"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateChat",
"starops:CreateThread",
"starops:GetThread",
"starops:GetThreadData",
"starops:ListThreads",
"starops:UpdateThread",
"starops:DeleteThread"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*",
"acs:starops:*:*:digitalemployee/*/thread/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateDigitalEmployeeSkill",
"starops:GetDigitalEmployeeSkill",
"starops:ListDigitalEmployeeSkills",
"starops:UpdateDigitalEmployeeSkill",
"starops:DeleteDigitalEmployeeSkill",
"starops:ListDigitalEmployeeSkillVersions"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/skill/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateMission",
"starops:GetMission",
"starops:ListMissions",
"starops:ListTasks",
"starops:UpdateMission",
"starops:DeleteMission"
],
"Resource": [
"acs:starops:*:*:mission/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateMcpService",
"starops:GetMcpService",
"starops:ListMcpServices",
"starops:UpdateMcpService",
"starops:DeleteMcpService",
"starops:FetchRemoteMcpTools"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/mcpservice/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetArtifact",
"starops:ListArtifacts"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/artifact/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetCreditQuota",
"starops:SetCreditQuota"
],
"Resource": [
"acs:starops:*:*:quota/credit"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateDigitalEmployee",
"cms:GetDigitalEmployee",
"cms:ListDigitalEmployees",
"cms:UpdateDigitalEmployee",
"cms:DeleteDigitalEmployee"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateChat",
"cms:CreateThread",
"cms:GetThread",
"cms:GetThreadData",
"cms:ListThreads",
"cms:UpdateThread",
"cms:DeleteThread"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*",
"acs:cms:*:*:digitalemployee/*/thread/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateDigitalEmployeeSkill",
"cms:GetDigitalEmployeeSkill",
"cms:ListDigitalEmployeeSkills",
"cms:UpdateDigitalEmployeeSkill",
"cms:DeleteDigitalEmployeeSkill",
"cms:ListDigitalEmployeeSkillVersions"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/skill/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateMission",
"cms:GetMission",
"cms:ListMissions",
"cms:ListTasks",
"cms:UpdateMission",
"cms:DeleteMission"
],
"Resource": [
"acs:cms:*:*:mission/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateMcpService",
"cms:GetMcpService",
"cms:ListMcpServices",
"cms:UpdateMcpService",
"cms:DeleteMcpService",
"cms:FetchRemoteMcpTools"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/mcpservice/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetArtifact",
"cms:ListArtifacts"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/artifact/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:ListWorkspaces",
"cms:GetWorkspace",
"cms:GetEntityStore",
"cms:GetEntityStoreData"
],
"Resource": [
"acs:cms:*:*:workspace/*",
"acs:cms:*:*:entitystore/*",
"acs:cms:*:*:entitystoredata/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetCloudResourceData"
],
"Resource": [
"acs:cms:*:*:cloudresource"
]
},
{
"Action": [
"log:Get*",
"log:List*",
"log:Query*"
],
"Resource": "acs:log:*:*:*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "operation-platform.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "cloudmonitor.aliyuncs.com"
}
}
}
]
}
Read-only permissions
Grant a RAM user read-only access to Missions. The user can view lists, details, tasks, and artifacts, but cannot create, modify, or delete Missions.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"starops:GetDigitalEmployee",
"starops:ListDigitalEmployees"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateChat",
"starops:CreateThread",
"starops:GetThread",
"starops:GetThreadData",
"starops:ListThreads"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*",
"acs:starops:*:*:digitalemployee/*/thread/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetDigitalEmployeeSkill",
"starops:ListDigitalEmployeeSkills",
"starops:ListDigitalEmployeeSkillVersions"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/skill/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetMission",
"starops:ListMissions",
"starops:ListTasks"
],
"Resource": [
"acs:starops:*:*:mission/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetMcpService",
"starops:ListMcpServices",
"starops:FetchRemoteMcpTools"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/mcpservice/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetArtifact",
"starops:ListArtifacts"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/artifact/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetCreditQuota"
],
"Resource": [
"acs:starops:*:*:quota/credit"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetDigitalEmployee",
"cms:ListDigitalEmployees"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateChat",
"cms:CreateThread",
"cms:GetThread",
"cms:GetThreadData",
"cms:ListThreads"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*",
"acs:cms:*:*:digitalemployee/*/thread/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetDigitalEmployeeSkill",
"cms:ListDigitalEmployeeSkills",
"cms:ListDigitalEmployeeSkillVersions"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/skill/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetMission",
"cms:ListMissions",
"cms:ListTasks"
],
"Resource": [
"acs:cms:*:*:mission/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetMcpService",
"cms:ListMcpServices",
"cms:FetchRemoteMcpTools"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/mcpservice/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetArtifact",
"cms:ListArtifacts"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/artifact/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:ListWorkspaces",
"cms:GetWorkspace",
"cms:GetEntityStore",
"cms:GetEntityStoreData"
],
"Resource": [
"acs:cms:*:*:workspace/*",
"acs:cms:*:*:entitystore/*",
"acs:cms:*:*:entitystoredata/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetCloudResourceData"
],
"Resource": [
"acs:cms:*:*:cloudresource"
]
},
{
"Action": [
"log:Get*",
"log:List*",
"log:Query*"
],
"Resource": "acs:log:*:*:*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "operation-platform.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "cloudmonitor.aliyuncs.com"
}
}
}
]
}
Digital Employee + Mission combined permissions
Grant a RAM user full management access to both Digital Employees and Missions. This policy is suitable for operations administrators who manage both resources.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"starops:CreateDigitalEmployee",
"starops:GetDigitalEmployee",
"starops:ListDigitalEmployees",
"starops:UpdateDigitalEmployee",
"starops:DeleteDigitalEmployee"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateChat",
"starops:CreateThread",
"starops:GetThread",
"starops:GetThreadData",
"starops:ListThreads",
"starops:UpdateThread",
"starops:DeleteThread"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*",
"acs:starops:*:*:digitalemployee/*/thread/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateDigitalEmployeeSkill",
"starops:GetDigitalEmployeeSkill",
"starops:ListDigitalEmployeeSkills",
"starops:UpdateDigitalEmployeeSkill",
"starops:DeleteDigitalEmployeeSkill",
"starops:ListDigitalEmployeeSkillVersions"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/skill/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateMission",
"starops:GetMission",
"starops:ListMissions",
"starops:ListTasks",
"starops:UpdateMission",
"starops:DeleteMission"
],
"Resource": [
"acs:starops:*:*:mission/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:CreateMcpService",
"starops:GetMcpService",
"starops:ListMcpServices",
"starops:UpdateMcpService",
"starops:DeleteMcpService",
"starops:FetchRemoteMcpTools"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/mcpservice/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetArtifact",
"starops:ListArtifacts"
],
"Resource": [
"acs:starops:*:*:digitalemployee/*/artifact/*"
]
},
{
"Effect": "Allow",
"Action": [
"starops:GetCreditQuota",
"starops:SetCreditQuota"
],
"Resource": [
"acs:starops:*:*:quota/credit"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateDigitalEmployee",
"cms:GetDigitalEmployee",
"cms:ListDigitalEmployees",
"cms:UpdateDigitalEmployee",
"cms:DeleteDigitalEmployee"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateChat",
"cms:CreateThread",
"cms:GetThread",
"cms:GetThreadData",
"cms:ListThreads",
"cms:UpdateThread",
"cms:DeleteThread"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*",
"acs:cms:*:*:digitalemployee/*/thread/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateDigitalEmployeeSkill",
"cms:GetDigitalEmployeeSkill",
"cms:ListDigitalEmployeeSkills",
"cms:UpdateDigitalEmployeeSkill",
"cms:DeleteDigitalEmployeeSkill",
"cms:ListDigitalEmployeeSkillVersions"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/skill/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateMission",
"cms:GetMission",
"cms:ListMissions",
"cms:ListTasks",
"cms:UpdateMission",
"cms:DeleteMission"
],
"Resource": [
"acs:cms:*:*:mission/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:CreateMcpService",
"cms:GetMcpService",
"cms:ListMcpServices",
"cms:UpdateMcpService",
"cms:DeleteMcpService",
"cms:FetchRemoteMcpTools"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/mcpservice/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetArtifact",
"cms:ListArtifacts"
],
"Resource": [
"acs:cms:*:*:digitalemployee/*/artifact/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:ListWorkspaces",
"cms:GetWorkspace",
"cms:GetEntityStore",
"cms:GetEntityStoreData"
],
"Resource": [
"acs:cms:*:*:workspace/*",
"acs:cms:*:*:entitystore/*",
"acs:cms:*:*:entitystoredata/*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:GetCloudResourceData"
],
"Resource": [
"acs:cms:*:*:cloudresource"
]
},
{
"Action": [
"log:Get*",
"log:List*",
"log:Query*"
],
"Resource": "acs:log:*:*:*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "operation-platform.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": "cloudmonitor.aliyuncs.com"
}
}
}
]
}
Configuration steps
The following example uses the full management permissions policy to show how to grant Mission permissions to a RAM user.
- Log on to the RAM console using the Alibaba Cloud account or a RAM administrator account.
- In the left-side navigation pane, choose Permission Management > Permission Policies.
- Click Create Permission Policy.
- Select Script editing mode, and paste the policy content from the RAM policy example above into the editor.
- Enter a policy name (for example, STAROps-Mission-FullAccess), and click OK.
- In the left-side navigation pane, choose Identities > Users. Find the target RAM user and click Grant Permission.
- In the Custom Policy list, search for and select the policy you just created, and click OK to complete the authorization.
FAQ
A RAM user cannot create Missions
Verify that the RAM user has the cms:CreateMission permission. If the user has a read-only policy, switch to the full management permissions policy.
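The check in this FAQ entry, and a review of what the read-only policy in "Read-only permissions" still grants, can be scripted before a policy is attached. The following Python is an added example, not Alibaba Cloud's code: `grants_action` and `audit` are hypothetical helpers, the list of mutating verb prefixes is an assumption, and matching looks only at the Action patterns of Allow statements (Deny, Resource and Condition are not evaluated).

```python
import fnmatch

# Three statements excerpted from this page's read-only policy, embedded so the check runs offline.
READ_ONLY_EXCERPT = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cms:GetMission", "cms:ListMissions", "cms:ListTasks"],
         "Resource": ["acs:cms:*:*:mission/*"]},
        {"Effect": "Allow",
         "Action": ["cms:CreateChat", "cms:CreateThread", "cms:GetThread"],
         "Resource": ["acs:cms:*:*:digitalemployee/*",
                      "acs:cms:*:*:digitalemployee/*/thread/*"]},
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"acs:Service": "cloudmonitor.aliyuncs.com"}}},
    ],
}

# Assumption: verb prefixes this audit treats as state-changing.
MUTATING_VERBS = ("Create", "Update", "Delete", "Set", "Put")

def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]

def allow_entries(policy):
    """Yield (action_pattern, resources, has_condition) per Allow statement."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                yield (action, _as_list(stmt.get("Resource", [])),
                       "Condition" in stmt)

def grants_action(policy, action):
    """True if an Allow statement's Action pattern matches `action`.
    Simplified: Deny, Resource and Condition are not evaluated."""
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern, _, _ in allow_entries(policy))

def audit(policy):
    """List state-changing actions and unconditioned "*" resources."""
    findings = []
    for action, resources, has_condition in allow_entries(policy):
        verb = action.split(":", 1)[-1]
        if verb == "*" or verb.startswith(MUTATING_VERBS):
            findings.append(("mutating", action))
        if "*" in resources and not has_condition:
            findings.append(("unconditioned-wildcard-resource", action))
    return findings
```

Loaded with the full read-only policy instead of the excerpt, `audit` reports `CreateChat` and `CreateThread` under both the `starops:` and `cms:` prefixes, and `grants_action(policy, "cms:CreateMission")` returns `False`, which is the condition this FAQ entry describes.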
A Mission reports "insufficient permissions" during execution
Missions are executed by Digital Employees, which use the RAM role permissions associated with the Digital Employee, not the user's own permissions. Verify that the Digital Employee's RAM role has the required resource access permissions. For details, see the "Digital Employee access permissions" section in Digital Employee permission configuration.