本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 使用 IAM 策略允许访问组织视图
<a name="organizational-view-iam-policies"></a>

您可以使用以下 Amazon Identity and Access Management (IAM) 策略允许您账户中的用户或角色访问中的组织视图 Amazon Trusted Advisor。

**Example ：**对组织视图的完全访问权限****  
以下策略允许完全访问组织视图功能。具备这些权限的用户可以执行以下操作：  
+ 启用和禁用组织视图
+ 创建、查看和下载报告  
****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ReadStatement",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccountsForParent",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:DescribeOrganization",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAWSServiceAccessForOrganization",
                "trustedadvisor:DescribeAccount",
                "trustedadvisor:DescribeChecks",
                "trustedadvisor:DescribeCheckSummaries",
                "trustedadvisor:DescribeAccountAccess",
                "trustedadvisor:DescribeOrganization",
                "trustedadvisor:DescribeReports",
                "trustedadvisor:DescribeServiceMetadata",
                "trustedadvisor:DescribeOrganizationAccounts",
                "trustedadvisor:ListAccountsForParent",
                "trustedadvisor:ListRoots",
                "trustedadvisor:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateReportStatement",
            "Effect": "Allow",
            "Action": [
                "trustedadvisor:GenerateReport"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ManageOrganizationalViewStatement",
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAWSServiceAccess",
                "organizations:DisableAWSServiceAccess",
                "trustedadvisor:SetOrganizationAccess"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateServiceLinkedRoleStatement",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting"
        }
    ]
}
```

**Example ：对组织视图的读取访问权限**  
以下策略允许对的组织视图进行只读访问 Trusted Advisor。具有这些权限的用户只能查看和下载现有报告。    
****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ReadStatement",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccountsForParent",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:DescribeOrganization",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAWSServiceAccessForOrganization",
                "trustedadvisor:DescribeAccount",
                "trustedadvisor:DescribeChecks",
                "trustedadvisor:DescribeCheckSummaries",
                "trustedadvisor:DescribeAccountAccess",
                "trustedadvisor:DescribeOrganization",
                "trustedadvisor:DescribeReports",
                "trustedadvisor:ListAccountsForParent",
                "trustedadvisor:ListRoots",
                "trustedadvisor:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        }
    ]
}
```
您还可以创建自己的 IAM 策略。有关更多信息，请参阅 *IAM 用户指南* 中的[创建 IAM 策略](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.htmlorgs_integrate_services.html)。

**注意**  
如果您 Amazon CloudTrail 在账户中启用了以下角色，则日志条目中可能会显示以下角色：  
`AWSServiceRoleForTrustedAdvisorReporting`— Trusted Advisor 用于访问组织中账户的服务相关角色。
`AWSServiceRoleForTrustedAdvisor`— Trusted Advisor 用于访问组织中服务的服务相关角色。
有关服务关联角色的更多信息，请参阅[将服务相关角色用于 Trusted Advisor](using-service-linked-roles-ta.md)。