
CDN: Alibaba Cloud CDN system policies

Last Updated: May 08, 2024

This topic describes all system policies supported by Alibaba Cloud CDN and the corresponding permission descriptions for you to refer to when you grant permissions to RAM identities.

What is a system policy?

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them. You can create, update, and delete custom policies based on your business requirements. During service iteration, Alibaba Cloud CDN adds new permissions to system policies to support new features and capabilities. The update of a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.


System policies are designed for new users to quickly get started with Alibaba Cloud services in the management console, though they also enable the use of more advanced methods such as API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.

Service system policies


The AliyunCDNFullAccess policy grants RAM identities full access to Alibaba Cloud CDN.



The AliyunCDNReadOnlyAccess policy grants RAM identities read-only permissions on Alibaba Cloud CDN.


Service role policies


AliyunCDNLoggingRolePolicy is the dedicated authorization policy of the AliyunCDNLoggingRole service role. Alibaba Cloud CDN uses this role to transfer logs to Object Storage Service (OSS). Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.
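The following Python check is an added example, not code from Alibaba Cloud. It audits policy attachments against two points made above: AliyunCDNLoggingRolePolicy belongs only on the AliyunCDNLoggingRole service role, and broad grants should give way to scoped custom policies. The inventory layout, the principal names, and the two custom policy documents are constructed for illustration.

```python
import json

# Policy and role names come from this page; the inventory layout is constructed.
LOGGING_POLICY = "AliyunCDNLoggingRolePolicy"
LOGGING_ROLE = "AliyunCDNLoggingRole"
FULL_ACCESS = "AliyunCDNFullAccess"

def as_list(value):
    """RAM policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit_attachment(att):
    """Return findings for one {policy, principal_type, principal_name} record."""
    findings = []
    is_service_role = (att["principal_type"] == "role"
                       and att["principal_name"] == LOGGING_ROLE)
    if att["policy"] == LOGGING_POLICY and not is_service_role:
        findings.append("service role policy attached outside " + LOGGING_ROLE)
    if att["policy"] == FULL_ACCESS:
        findings.append("full access granted; consider a scoped custom policy")
    return findings

def audit_custom_policy(document):
    """Flag Allow statements pairing a wildcard CDN action with every resource."""
    findings = []
    for i, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        broad = [a for a in actions if a.lower() in ("*", "cdn:*")]
        if broad and "*" in resources:
            findings.append(f"statement {i}: {broad[0]} on all resources")
    return findings

# Constructed sample data (hypothetical principals and custom policies).
ATTACHMENTS = [
    {"policy": LOGGING_POLICY, "principal_type": "role", "principal_name": LOGGING_ROLE},
    {"policy": LOGGING_POLICY, "principal_type": "user", "principal_name": "ops-alice"},
    {"policy": FULL_ACCESS, "principal_type": "group", "principal_name": "web-team"},
]
BROAD = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "cdn:*", "Resource": "*"}]}'
SCOPED = ('{"Version": "1", "Statement": [{"Effect": "Allow", '
          '"Action": ["cdn:Describe*"], "Resource": "*"}]}')

if __name__ == "__main__":
    for att in ATTACHMENTS:
        print(att["principal_name"], audit_attachment(att))
    print(audit_custom_policy(BROAD), audit_custom_policy(SCOPED))
```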



By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only required permissions to the RAM identities based on the principle of least privilege. For more information about how to grant the required permissions, see the following topics: