Permission Configuration
STAROps uses two types of permissions to control user operations and Digital Employee access. Use this guide to locate the appropriate permission configuration instructions for your scenario.
Applicable audience
If you use an Alibaba Cloud account (root account), you have full management permissions by default and do not need to configure any permissions. The following content applies only to RAM users.
Permission types
STAROps permissions are divided into two categories.
| Permission type | Authorized entity | Scope of control | Configuration guide |
| --- | --- | --- | --- |
| User operation permissions (RAM user permissions) | RAM users (operators) | Controls whether users can create, view, modify, and delete Digital Employees and Long-Term Missions, start Intelligent Conversations, and manage conversation records. | Digital Employee permission configuration, Mission permission configuration |
| Digital Employee access permissions (RAM role permissions) | RAM roles (assumed by Digital Employees) | Controls which Workspace data, Log Service data, and cloud resources a Digital Employee can access when running Intelligent Conversations and Long-Term Missions. | Digital Employee permission configuration |
User operation permission action reference
The following tables list all user operation permission actions in STAROps. Administrators specify these Action values in custom RAM policies to control the scope of operations available to RAM users.
Digital Employee management
| Action | Description |
| --- | --- |
| | Creates a Digital Employee. |
| | Queries the details of a Digital Employee. |
| | Queries the list of Digital Employees. |
| | Updates the configuration of a Digital Employee. |
| | Deletes a Digital Employee. |
Intelligent Conversation management
| Action | Description |
| --- | --- |
| | Starts a conversation. |
| | Creates a conversation session. |
| | Queries the details of a conversation session. |
| | Retrieves conversation session data. |
| | Queries the list of conversation sessions. |
| | Updates a conversation session, such as modifying the title. |
| | Deletes a conversation session. |
Skill management
| Action | Description |
| --- | --- |
| | Creates a Skill. |
| | Queries the details of a Skill. |
| | Queries the list of Skills. |
| | Updates a Skill. |
| | Deletes a Skill. |
| | Queries the version history of a Skill. |
Tool management
| Action | Description |
| --- | --- |
| | Queries the list of tools available to a Digital Employee. |
| | Updates the tool configuration of a Digital Employee. |
Mission management
| Action | Description |
| --- | --- |
| | Creates a Long-Term Mission. |
| | Queries the details of a specified Long-Term Mission. |
| | Queries the list of Long-Term Missions. |
| | Updates the configuration of a Long-Term Mission. |
| | Deletes a Long-Term Mission. |
Permission configuration workflow
Complete the following steps to configure permissions for your use case.
- Identify the authorized entity: Determine which RAM users need to be granted permissions.
- Select the permission scope: Based on the user's role and responsibilities, determine which actions to grant. For example, O&M engineers typically need full operational permissions for Digital Employees and Missions, while regular users may only need permissions to start Intelligent Conversations and view conversation records.
- Create a custom permission policy: In the RAM console, create a custom policy and include the required actions in the policy document. For specific operations and RAM policy examples, see the Digital Employee permission configuration and Mission permission configuration topics.
- Grant the policy: Attach the custom policy to the target RAM user.
- Configure Digital Employee access permissions (optional): If a Digital Employee needs to access specific Workspace data or cloud resources, configure the corresponding access permissions for the RAM role associated with the Digital Employee. For details, see the Digital Employee access permissions section in the Digital Employee permission configuration topic.