Long-term task (Mission) permission configuration


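This article describes how to configure management permissions for long-term tasks (Missions) and provides RAM Policy examples.

Who this applies to

Note

If you use an Alibaba Cloud main account, it already has all management permissions for long-term tasks by default, and no configuration is needed. The following content applies only to RAM users.

Prerequisites

  • You have access as the main account or as a RAM administrator.

  • You are familiar with the STAROps permission system. For the full picture, see Permission Configuration.

Permission Action list

As a first-level resource object of CloudMonitor (CMS), a long-term task (Mission) has its management operations access-controlled through Actions in a RAM Policy.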

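| Action | Description | Corresponding operation |
|---|---|---|
| cms:CreateMission | Creates a long-term task. | Click + New long-term task in the console. |
| cms:GetMission | Queries the details of a specified long-term task. | View the Mission details page. |
| cms:ListMissions | Queries the list of long-term tasks. | View the Mission list page. |
| cms:UpdateMission | Updates the configuration of a long-term task. | Modify the blueprint through conversation, or disable or activate a Mission. |
| cms:DeleteMission | Deletes a long-term task. | Click Delete on the Mission settings page. |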

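RAM Policy examples

Full management permissions

Grants a RAM user all management permissions for long-term tasks (create, view, modify, delete), including viewing items and artifacts.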

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateDigitalEmployee",
        "starops:GetDigitalEmployee",
        "starops:ListDigitalEmployees",
        "starops:UpdateDigitalEmployee",
        "starops:DeleteDigitalEmployee"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateChat",
        "starops:CreateThread",
        "starops:GetThread",
        "starops:GetThreadData",
        "starops:ListThreads",
        "starops:UpdateThread",
        "starops:DeleteThread"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*",
        "acs:starops:*:*:digitalemployee/*/thread/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateDigitalEmployeeSkill",
        "starops:GetDigitalEmployeeSkill",
        "starops:ListDigitalEmployeeSkills",
        "starops:UpdateDigitalEmployeeSkill",
        "starops:DeleteDigitalEmployeeSkill",
        "starops:ListDigitalEmployeeSkillVersions"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/skill/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateMission",
        "starops:GetMission",
        "starops:ListMissions",
        "starops:ListTasks",
        "starops:UpdateMission",
        "starops:DeleteMission"
      ],
      "Resource": [
        "acs:starops:*:*:mission/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateMcpService",
        "starops:GetMcpService",
        "starops:ListMcpServices",
        "starops:UpdateMcpService",
        "starops:DeleteMcpService",
        "starops:FetchRemoteMcpTools"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/mcpservice/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetArtifact",
        "starops:ListArtifacts"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/artifact/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetCreditQuota",
        "starops:SetCreditQuota"
      ],
      "Resource": [
        "acs:starops:*:*:quota/credit"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateDigitalEmployee",
        "cms:GetDigitalEmployee",
        "cms:ListDigitalEmployees",
        "cms:UpdateDigitalEmployee",
        "cms:DeleteDigitalEmployee"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateChat",
        "cms:CreateThread",
        "cms:GetThread",
        "cms:GetThreadData",
        "cms:ListThreads",
        "cms:UpdateThread",
        "cms:DeleteThread"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*",
        "acs:cms:*:*:digitalemployee/*/thread/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateDigitalEmployeeSkill",
        "cms:GetDigitalEmployeeSkill",
        "cms:ListDigitalEmployeeSkills",
        "cms:UpdateDigitalEmployeeSkill",
        "cms:DeleteDigitalEmployeeSkill",
        "cms:ListDigitalEmployeeSkillVersions"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/skill/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateMission",
        "cms:GetMission",
        "cms:ListMissions",
        "cms:ListTasks",
        "cms:UpdateMission",
        "cms:DeleteMission"
      ],
      "Resource": [
        "acs:cms:*:*:mission/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateMcpService",
        "cms:GetMcpService",
        "cms:ListMcpServices",
        "cms:UpdateMcpService",
        "cms:DeleteMcpService",
        "cms:FetchRemoteMcpTools"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/mcpservice/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetArtifact",
        "cms:ListArtifacts"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/artifact/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListWorkspaces",
        "cms:GetWorkspace",
        "cms:GetEntityStore",
        "cms:GetEntityStoreData"
      ],
      "Resource": [
        "acs:cms:*:*:workspace/*",
        "acs:cms:*:*:entitystore/*",
        "acs:cms:*:*:entitystoredata/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCloudResourceData"
      ],
      "Resource": [
        "acs:cms:*:*:cloudresource"
      ]
    },
    {
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Query*"
      ],
      "Resource": "acs:log:*:*:*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": "operation-platform.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": "cloudmonitor.aliyuncs.com"
        }
      }
    }
  ]
}

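Read-only permissions

Grants a RAM user read-only permissions for long-term tasks (only viewing the list and details, items and artifacts is allowed; creating, modifying and deleting are not).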

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetDigitalEmployee",
        "starops:ListDigitalEmployees"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateChat",
        "starops:CreateThread",
        "starops:GetThread",
        "starops:GetThreadData",
        "starops:ListThreads"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*",
        "acs:starops:*:*:digitalemployee/*/thread/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetDigitalEmployeeSkill",
        "starops:ListDigitalEmployeeSkills",
        "starops:ListDigitalEmployeeSkillVersions"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/skill/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetMission",
        "starops:ListMissions",
        "starops:ListTasks"
      ],
      "Resource": [
        "acs:starops:*:*:mission/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetMcpService",
        "starops:ListMcpServices",
        "starops:FetchRemoteMcpTools"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/mcpservice/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetArtifact",
        "starops:ListArtifacts"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/artifact/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetCreditQuota"
      ],
      "Resource": [
        "acs:starops:*:*:quota/credit"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetDigitalEmployee",
        "cms:ListDigitalEmployees"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateChat",
        "cms:CreateThread",
        "cms:GetThread",
        "cms:GetThreadData",
        "cms:ListThreads"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*",
        "acs:cms:*:*:digitalemployee/*/thread/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetDigitalEmployeeSkill",
        "cms:ListDigitalEmployeeSkills",
        "cms:ListDigitalEmployeeSkillVersions"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/skill/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetMission",
        "cms:ListMissions",
        "cms:ListTasks"
      ],
      "Resource": [
        "acs:cms:*:*:mission/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetMcpService",
        "cms:ListMcpServices",
        "cms:FetchRemoteMcpTools"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/mcpservice/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetArtifact",
        "cms:ListArtifacts"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/artifact/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListWorkspaces",
        "cms:GetWorkspace",
        "cms:GetEntityStore",
        "cms:GetEntityStoreData"
      ],
      "Resource": [
        "acs:cms:*:*:workspace/*",
        "acs:cms:*:*:entitystore/*",
        "acs:cms:*:*:entitystoredata/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCloudResourceData"
      ],
      "Resource": [
        "acs:cms:*:*:cloudresource"
      ]
    },
    {
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Query*"
      ],
      "Resource": "acs:log:*:*:*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": "operation-platform.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": "cloudmonitor.aliyuncs.com"
        }
      }
    }
  ]
}

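Digital employee + long-term task combined permissions

Grants a RAM user full operation permissions for digital employees and long-term tasks. Suitable for O&M administrators who need to manage both digital employees and long-term tasks.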

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateDigitalEmployee",
        "starops:GetDigitalEmployee",
        "starops:ListDigitalEmployees",
        "starops:UpdateDigitalEmployee",
        "starops:DeleteDigitalEmployee"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateChat",
        "starops:CreateThread",
        "starops:GetThread",
        "starops:GetThreadData",
        "starops:ListThreads",
        "starops:UpdateThread",
        "starops:DeleteThread"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*",
        "acs:starops:*:*:digitalemployee/*/thread/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateDigitalEmployeeSkill",
        "starops:GetDigitalEmployeeSkill",
        "starops:ListDigitalEmployeeSkills",
        "starops:UpdateDigitalEmployeeSkill",
        "starops:DeleteDigitalEmployeeSkill",
        "starops:ListDigitalEmployeeSkillVersions"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/skill/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateMission",
        "starops:GetMission",
        "starops:ListMissions",
        "starops:ListTasks",
        "starops:UpdateMission",
        "starops:DeleteMission"
      ],
      "Resource": [
        "acs:starops:*:*:mission/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:CreateMcpService",
        "starops:GetMcpService",
        "starops:ListMcpServices",
        "starops:UpdateMcpService",
        "starops:DeleteMcpService",
        "starops:FetchRemoteMcpTools"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/mcpservice/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetArtifact",
        "starops:ListArtifacts"
      ],
      "Resource": [
        "acs:starops:*:*:digitalemployee/*/artifact/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "starops:GetCreditQuota",
        "starops:SetCreditQuota"
      ],
      "Resource": [
        "acs:starops:*:*:quota/credit"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateDigitalEmployee",
        "cms:GetDigitalEmployee",
        "cms:ListDigitalEmployees",
        "cms:UpdateDigitalEmployee",
        "cms:DeleteDigitalEmployee"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateChat",
        "cms:CreateThread",
        "cms:GetThread",
        "cms:GetThreadData",
        "cms:ListThreads",
        "cms:UpdateThread",
        "cms:DeleteThread"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*",
        "acs:cms:*:*:digitalemployee/*/thread/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateDigitalEmployeeSkill",
        "cms:GetDigitalEmployeeSkill",
        "cms:ListDigitalEmployeeSkills",
        "cms:UpdateDigitalEmployeeSkill",
        "cms:DeleteDigitalEmployeeSkill",
        "cms:ListDigitalEmployeeSkillVersions"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/skill/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateMission",
        "cms:GetMission",
        "cms:ListMissions",
        "cms:ListTasks",
        "cms:UpdateMission",
        "cms:DeleteMission"
      ],
      "Resource": [
        "acs:cms:*:*:mission/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateMcpService",
        "cms:GetMcpService",
        "cms:ListMcpServices",
        "cms:UpdateMcpService",
        "cms:DeleteMcpService",
        "cms:FetchRemoteMcpTools"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/mcpservice/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetArtifact",
        "cms:ListArtifacts"
      ],
      "Resource": [
        "acs:cms:*:*:digitalemployee/*/artifact/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListWorkspaces",
        "cms:GetWorkspace",
        "cms:GetEntityStore",
        "cms:GetEntityStoreData"
      ],
      "Resource": [
        "acs:cms:*:*:workspace/*",
        "acs:cms:*:*:entitystore/*",
        "acs:cms:*:*:entitystoredata/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCloudResourceData"
      ],
      "Resource": [
        "acs:cms:*:*:cloudresource"
      ]
    },
    {
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Query*"
      ],
      "Resource": "acs:log:*:*:*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": "operation-platform.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": "cloudmonitor.aliyuncs.com"
        }
      }
    }
  ]
}

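Configuration steps

The following uses "Full management permissions" as an example to describe the steps for granting long-term task permissions to a RAM user.

  1. Log on to the RAM console with the main account or a RAM administrator account.

  2. In the left-side navigation pane, choose Permission Management > Policies.

  3. Click Create Policy.

  4. Select the script editing mode and paste the policy content from the RAM Policy examples above into the editor.

  5. Enter a policy name (for example, STAROps-Mission-FullAccess) and click Confirm.

  6. In the left-side navigation pane, choose Identity Management > Users, find the target RAM user, and click Add Authorization.

  7. In the custom policy list, search for and select the policy you just created, then click OK to complete the authorization.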

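FAQ

A RAM user cannot create a long-term task

Confirm that the RAM user has been granted the cms:CreateMission permission. If the user is on the read-only policy, replace it with the full management permissions policy.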
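The check described in this answer, as an added example (not Alibaba Cloud code): a simplified offline evaluator that tells whether a policy document grants an action on a resource, plus a lister of the state-changing actions a policy allows, run on an abridged copy of the read-only policy. Assumptions: Condition blocks are not evaluated, `*` and `?` wildcards are matched with Python's `fnmatch`, the verb-prefix list in `MUTATING` is a heuristic, and the region, account ID and mission ID in `SAMPLE_MISSION` are placeholders.

```python
import fnmatch

# Constructed excerpt: three statements abridged from the read-only policy above.
READ_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["cms:GetMission", "cms:ListMissions", "cms:ListTasks"],
     "Resource": ["acs:cms:*:*:mission/*"]},
    {"Effect": "Allow",
     "Action": ["cms:CreateChat", "cms:CreateThread", "cms:GetThread"],
     "Resource": ["acs:cms:*:*:digitalemployee/*",
                  "acs:cms:*:*:digitalemployee/*/thread/*"]},
    {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"acs:Service": "cloudmonitor.aliyuncs.com"}}},
]}
# Constructed resource name: region, account ID and mission ID are placeholders.
SAMPLE_MISSION = "acs:cms:cn-hangzhou:1234567890:mission/m-demo"
# Assumption: these verb prefixes mark state-changing actions.
MUTATING = ("Create", "Update", "Delete", "Set", "Pass")


def _as_list(value):
    # Action and Resource may each be a single string or a list.
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Simplified check: an explicit Deny wins, otherwise any matching Allow.
    Condition blocks are not evaluated, so a conditional Allow counts as a match."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


def mutating_grants(policy):
    """Return (action, resources) for each allowed action that changes state."""
    found = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for act in _as_list(st["Action"]):
            verb = act.split(":", 1)[-1]
            if verb.startswith(MUTATING) or verb.startswith("*"):
                found.append((act, _as_list(st["Resource"])))
    return found
```

On this excerpt, `is_allowed(READ_ONLY, "cms:CreateMission", SAMPLE_MISSION)` is false, which is the situation the answer describes, while `mutating_grants(READ_ONLY)` still reports `cms:CreateChat`, `cms:CreateThread` and `ram:PassRole`, so review those grants before treating the policy as strictly read-only.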

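A long-term task reports "insufficient permissions" (权限不足) during execution

Long-term tasks are executed by a digital employee, and execution uses the permissions of the RAM role associated with the digital employee (not the user's operation permissions). Check whether the digital employee's RAM role has been granted the required resource access permissions. For details, see the "Digital employee access permissions" section in Digital Employee Permission Configuration.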