


# Set up permissions for event alarms in Amazon IoT SiteWise

When you use an Amazon IoT Events alarm model to monitor Amazon IoT SiteWise assets, you must have the following IAM permissions:
+ An Amazon IoT Events service role that allows Amazon IoT Events to send data to Amazon IoT SiteWise. For more information, see [Identity and access management](https://docs.amazonaws.cn/iotevents/latest/developerguide/security-iam.html) for Amazon IoT Events in the *Amazon IoT Events Developer Guide*.
+ You must have the following Amazon IoT SiteWise action permissions: `iotsitewise:DescribeAssetModel` and `iotsitewise:UpdateAssetModelPropertyRouting`. These permissions allow Amazon IoT SiteWise to send asset property values to Amazon IoT Events alarm models.

For more information, see [Resource-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html#policies_resource-based) in the *IAM User Guide*.

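## Required action permissions

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy.

Before you define an Amazon IoT Events alarm model, you must grant the following permissions, which allow Amazon IoT SiteWise to send asset property values to the alarm model.
+ `iotsitewise:DescribeAssetModel`, `iotsitewise:ListAssetModels`: Allows Amazon IoT Events to check whether an asset property exists.
+ `iotsitewise:UpdateAssetModelPropertyRouting`: Allows Amazon IoT SiteWise to automatically create the subscriptions that allow Amazon IoT SiteWise to send data to Amazon IoT Events.

For more information about the actions that Amazon IoT SiteWise supports, see [Actions defined by Amazon IoT SiteWise](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-actions-as-permissions) in the *Service Authorization Reference*.

**Example permissions policy 1**  
The following policy allows Amazon IoT SiteWise to send asset property values to any Amazon IoT Events alarm model.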

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:UpdateAlarmModel"
            ],
            "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:ListAssetModels",
                "iotsitewise:UpdateAssetModelPropertyRouting"
            ],
            "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
        }
    ]
}
```

**Example permissions policy 2**  
The following policy allows Amazon IoT SiteWise to send the values of a specified asset property to a specified Amazon IoT Events alarm model.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:UpdateAlarmModel"
            ],
            "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:ListAssetModels"
            ],
            "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:UpdateAssetModelPropertyRouting"
            ],
            "Resource": [
                "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
            ],
            "Condition": {
                "StringLike": {
                    "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
                    "aws:ResourceTag/AlarmModel": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
                }
            }
        }
    ]
}
```
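
The difference between the two example policies above, checked programmatically. This is an added example, not part of the AWS documentation: `routing_findings` and the two sample dictionaries are constructed here from the routing statements of Example 1 and Example 2, and treating the two condition keys from Example 2 as the scoping baseline is an assumption.

```python
import re

ROUTING = "iotsitewise:UpdateAssetModelPropertyRouting"
# Assumption: the two condition keys used in Example 2 are the scoping baseline.
SCOPING_KEYS = ("iotsitewise:propertyId", "aws:ResourceTag/AlarmModel")
ASSET_MODEL = "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/"

def as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM action patterns are case-insensitive; * and ? are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def routing_findings(policy):
    """One finding per Allow statement that grants the routing action.
    NotAction and NotResource are not handled here."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(action_matches(a, ROUTING) for a in actions):
            continue
        wildcard = [r for r in as_list(stmt.get("Resource", [])) if "*" in r or "?" in r]
        present = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        missing = [k for k in SCOPING_KEYS if k.lower() not in present]
        findings.append({"statement": index, "wildcard_resources": wildcard,
                         "missing_condition_keys": missing,
                         "scoped": not wildcard and not missing})
    return findings

# Constructed from the routing statements of Example 1 and Example 2 on this page.
EXAMPLE_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ASSET_MODEL + "*",
     "Action": ["iotsitewise:DescribeAssetModel", "iotsitewise:ListAssetModels", ROUTING]}]}
EXAMPLE_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ASSET_MODEL + "*",
     "Action": ["iotsitewise:DescribeAssetModel", "iotsitewise:ListAssetModels"]},
    {"Effect": "Allow", "Action": [ROUTING],
     "Resource": [ASSET_MODEL + "12345678-90ab-cdef-1234-567890abcdef"],
     "Condition": {"StringLike": {
         "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
         "aws:ResourceTag/AlarmModel":
             "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"}}}]}

if __name__ == "__main__":
    for name, policy in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, routing_findings(policy))
```
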

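## (Optional) ListInputRoutings permission

When you update or delete an asset model, Amazon IoT SiteWise can check whether an alarm model in Amazon IoT Events is monitoring an asset property associated with that asset model. This prevents you from deleting an asset property that an Amazon IoT Events alarm is currently using. To enable this feature in Amazon IoT SiteWise, you must have the `iotevents:ListInputRoutings` permission. This permission allows Amazon IoT SiteWise to call the [ListInputRoutings](https://docs.amazonaws.cn/iotevents/latest/apireference/API_ListInputRoutings.html) API operation supported by Amazon IoT Events.

**Note**  
We strongly recommend that you add the `ListInputRoutings` permission.

**Example permissions policy**  
The following policy allows you to update and delete asset models and to use the `ListInputRoutings` API in Amazon IoT SiteWise.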

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:UpdateAssetModel",
                "iotsitewise:DeleteAssetModel",
                "iotevents:ListInputRoutings"
            ],
            "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
        }
    ]
}
```


## Required permissions for SiteWise Monitor

If you want to use the alarm feature in SiteWise Monitor portals, you must update the [SiteWise Monitor service role](monitor-service-role.md) with the following policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribePortal",
                "iotsitewise:CreateProject",
                "iotsitewise:DescribeProject",
                "iotsitewise:UpdateProject",
                "iotsitewise:DeleteProject",
                "iotsitewise:ListProjects",
                "iotsitewise:BatchAssociateProjectAssets",
                "iotsitewise:BatchDisassociateProjectAssets",
                "iotsitewise:ListProjectAssets",
                "iotsitewise:CreateDashboard",
                "iotsitewise:DescribeDashboard",
                "iotsitewise:UpdateDashboard",
                "iotsitewise:DeleteDashboard",
                "iotsitewise:ListDashboards",
                "iotsitewise:CreateAccessPolicy",
                "iotsitewise:DescribeAccessPolicy",
                "iotsitewise:UpdateAccessPolicy",
                "iotsitewise:DeleteAccessPolicy",
                "iotsitewise:ListAccessPolicies",
                "iotsitewise:DescribeAsset",
                "iotsitewise:ListAssets",
                "iotsitewise:ListAssociatedAssets",
                "iotsitewise:DescribeAssetProperty",
                "iotsitewise:GetAssetPropertyValue",
                "iotsitewise:GetAssetPropertyValueHistory",
                "iotsitewise:GetAssetPropertyAggregates",
                "iotsitewise:BatchPutAssetPropertyValue",
                "iotsitewise:ListAssetRelationships",
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:ListAssetModels",
                "iotsitewise:UpdateAssetModel",
                "iotsitewise:UpdateAssetModelPropertyRouting",
                "sso-directory:DescribeUsers",
                "sso-directory:DescribeUser",
                "iotevents:DescribeAlarmModel",
                "iotevents:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:BatchAcknowledgeAlarm",
                "iotevents:BatchSnoozeAlarm",
                "iotevents:BatchEnableAlarm",
                "iotevents:BatchDisableAlarm"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "iotevents:keyValue": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:TagResource"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/iotsitewisemonitor": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:UpdateAlarmModel",
                "iotevents:DeleteAlarmModel"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/iotsitewisemonitor": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "iotevents.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```
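
How the `Null` conditions in this policy gate the alarm-model actions, as an added example that is not part of the AWS documentation: `is_allowed` is a hypothetical, simplified evaluator (Allow statements only, exact action names, `Null` operator only), and the request contexts in it are constructed.

```python
# The two tag-gated statements copied from the SiteWise Monitor policy above.
TAG_GATED = [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iotevents:CreateAlarmModel", "iotevents:TagResource"],
     "Condition": {"Null": {"aws:RequestTag/iotsitewisemonitor": "false"}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iotevents:UpdateAlarmModel", "iotevents:DeleteAlarmModel"],
     "Condition": {"Null": {"aws:ResourceTag/iotsitewisemonitor": "false"}}},
]

def null_condition_holds(block, context):
    """IAM Null operator: "true" requires the key to be absent from the
    request context, "false" requires it to be present."""
    for key, expected in block.items():
        present = any(k.lower() == key.lower() for k in context)
        if (expected.lower() == "true") == present:
            return False
    return True

def is_allowed(action, context, statements=TAG_GATED):
    """Hypothetical evaluator: Allow statements, exact action names, Resource "*"."""
    for stmt in statements:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        condition = stmt.get("Condition", {})
        if set(condition) - {"Null"}:
            raise ValueError("only the Null operator is modelled here")
        if null_condition_holds(condition.get("Null", {}), context):
            return True
    return False  # no matching Allow: implicit deny

if __name__ == "__main__":
    # Constructed request contexts; the tag value "portal-1" is a placeholder.
    request_tag = {"aws:RequestTag/iotsitewisemonitor": "portal-1"}
    resource_tag = {"aws:ResourceTag/iotsitewisemonitor": "portal-1"}
    print(is_allowed("iotevents:CreateAlarmModel", request_tag))   # tagged create
    print(is_allowed("iotevents:CreateAlarmModel", {}))            # untagged create
    print(is_allowed("iotevents:DeleteAlarmModel", resource_tag))  # tagged model
    print(is_allowed("iotevents:DeleteAlarmModel", request_tag))   # wrong tag source
```
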
