# Set up permissions for event alarms in Amazon IoT SiteWise
When you use an Amazon IoT Events alarm model to monitor an Amazon IoT SiteWise asset property, you must have the following IAM permissions:
+ An Amazon IoT Events service role that allows Amazon IoT Events to send data to Amazon IoT SiteWise. For more information, see [Identity and access management for Amazon IoT Events](https://docs.amazonaws.cn/iotevents/latest/developerguide/security-iam.html) in the *Amazon IoT Events Developer Guide*.
+ You must have the following Amazon IoT SiteWise action permissions: `iotsitewise:DescribeAssetModel` and `iotsitewise:UpdateAssetModelPropertyRouting`. These permissions allow Amazon IoT SiteWise to send asset property values to Amazon IoT Events alarm models.
For more information, see [Resource-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html#policies_resource-based) in the *IAM User Guide*.
## Required action permissions
Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy.
Before you define an Amazon IoT Events alarm model, you must grant the following permissions that allow Amazon IoT SiteWise to send asset property values to the alarm model.
+ `iotsitewise:DescribeAssetModel`, `iotsitewise:ListAssetModels` – Allows Amazon IoT Events to check if an asset property exists.
+ `iotsitewise:UpdateAssetModelPropertyRouting` – Allows Amazon IoT SiteWise to automatically create subscriptions that enable Amazon IoT SiteWise to send data to Amazon IoT Events.
For more information about Amazon IoT SiteWise supported actions, see [Actions defined by Amazon IoT SiteWise](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-actions-as-permissions) in the *Service Authorization Reference*.
**Example permissions policy 1**
The following policy allows Amazon IoT SiteWise to send asset property values to any Amazon IoT Events alarm models.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotevents:CreateAlarmModel",
"iotevents:UpdateAlarmModel"
],
"Resource": "arn:aws-cn:iotevents:us-east-1:123456789012:alarmModel/*"
},
{
"Effect": "Allow",
"Action": [
"iotsitewise:DescribeAssetModel",
"iotsitewise:ListAssetModels",
"iotsitewise:UpdateAssetModelPropertyRouting"
],
"Resource": "arn:aws-cn:iotsitewise:us-east-1:123456789012:asset-model/*"
}
]
}
```
**Example permissions policy 2**
The following policy allows Amazon IoT SiteWise to send values of a specified asset property to a specified Amazon IoT Events alarm model.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotevents:CreateAlarmModel",
"iotevents:UpdateAlarmModel"
],
"Resource": "arn:aws-cn:iotevents:us-east-1:123456789012:alarmModel/*"
},
{
"Effect": "Allow",
"Action": [
"iotsitewise:DescribeAssetModel",
"iotsitewise:ListAssetModels"
],
"Resource": "arn:aws-cn:iotsitewise:us-east-1:123456789012:asset-model/*"
},
{
"Effect": "Allow",
"Action": [
"iotsitewise:UpdateAssetModelPropertyRouting"
],
"Resource": [
"arn:aws-cn:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
],
"Condition": {
"StringLike": {
"iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
"aws:ResourceTag/AlarmModel": "arn:aws-cn:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
}
}
}
]
}
```
## (Optional) ListInputRoutings permission
When you update or delete an asset model, Amazon IoT SiteWise can check if an alarm model in Amazon IoT Events is monitoring an asset property associated with this asset model. This prevents you from deleting an asset property that an Amazon IoT Events alarm is currently using. To enable this feature in Amazon IoT SiteWise, you must have the `iotevents:ListInputRoutings` permission. This permission allows Amazon IoT SiteWise to make calls to the [ListInputRoutings](https://docs.amazonaws.cn/iotevents/latest/apireference/API_ListInputRoutings.html) API operation supported by Amazon IoT Events.
**Note**
We strongly recommend that you add the `ListInputRoutings` permission.
**Example permissions policy**
The following policy allows you to update and delete asset models, and use the `ListInputRoutings` API in Amazon IoT SiteWise.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotsitewise:UpdateAssetModel",
"iotsitewise:DeleteAssetModel",
"iotevents:ListInputRoutings"
],
"Resource": "arn:aws-cn:iotsitewise:us-east-1:123456789012:asset-model/*"
}
]
}
```
------
## Required permissions for SiteWise Monitor
If you want to use the alarms feature in SiteWise Monitor portals, you must update the [SiteWise Monitor service role](monitor-service-role.md) with the following policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotsitewise:DescribePortal",
"iotsitewise:CreateProject",
"iotsitewise:DescribeProject",
"iotsitewise:UpdateProject",
"iotsitewise:DeleteProject",
"iotsitewise:ListProjects",
"iotsitewise:BatchAssociateProjectAssets",
"iotsitewise:BatchDisassociateProjectAssets",
"iotsitewise:ListProjectAssets",
"iotsitewise:CreateDashboard",
"iotsitewise:DescribeDashboard",
"iotsitewise:UpdateDashboard",
"iotsitewise:DeleteDashboard",
"iotsitewise:ListDashboards",
"iotsitewise:CreateAccessPolicy",
"iotsitewise:DescribeAccessPolicy",
"iotsitewise:UpdateAccessPolicy",
"iotsitewise:DeleteAccessPolicy",
"iotsitewise:ListAccessPolicies",
"iotsitewise:DescribeAsset",
"iotsitewise:ListAssets",
"iotsitewise:ListAssociatedAssets",
"iotsitewise:DescribeAssetProperty",
"iotsitewise:GetAssetPropertyValue",
"iotsitewise:GetAssetPropertyValueHistory",
"iotsitewise:GetAssetPropertyAggregates",
"iotsitewise:BatchPutAssetPropertyValue",
"iotsitewise:ListAssetRelationships",
"iotsitewise:DescribeAssetModel",
"iotsitewise:ListAssetModels",
"iotsitewise:UpdateAssetModel",
"iotsitewise:UpdateAssetModelPropertyRouting",
"sso-directory:DescribeUsers",
"sso-directory:DescribeUser",
"iotevents:DescribeAlarmModel",
"iotevents:ListTagsForResource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iotevents:BatchAcknowledgeAlarm",
"iotevents:BatchSnoozeAlarm",
"iotevents:BatchEnableAlarm",
"iotevents:BatchDisableAlarm"
],
"Resource": "*",
"Condition": {
"Null": {
"iotevents:keyValue": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"iotevents:CreateAlarmModel",
"iotevents:TagResource"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/iotsitewisemonitor": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"iotevents:UpdateAlarmModel",
"iotevents:DeleteAlarmModel"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/iotsitewisemonitor": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"iotevents.amazonaws.com"
]
}
}
}
]
}
```
------